Security alerts in Microsoft Defender for Identity

What are Microsoft Defender for Identity security alerts?

Microsoft Defender for Identity security alerts provide information about the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Note

Defender for Identity isn't designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.

The Identity alerts page gives you cross-domain signal enrichment and automated identity response capabilities. The benefit of investigating alerts with Microsoft Defender XDR is that Microsoft Defender for Identity alerts are correlated with information obtained from each of the other products in the suite. These enhanced alerts are consistent with the other Microsoft Defender XDR alert formats originating from Microsoft Defender for Office 365 and Microsoft Defender for Endpoint.

Alerts originating from Defender for Identity trigger Microsoft Defender XDR automated investigation and response (AIR) capabilities, including automatically remediating alerts and the mitigation of tools and processes that can contribute to the suspicious activity.

Microsoft Defender for Identity alerts currently appear in two different layouts in the Microsoft Defender XDR portal. While the alert views may show different information, all alerts are based on detections from Defender for Identity sensors. The differences in layout and information shown are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.

For more information, see View and manage security alerts.

Alert categories

Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

1. Reconnaissance and discovery alerts
2. Persistence and privilege escalation alerts
3. Credential access alerts
4. Lateral movement alerts
5. Other alerts

Map security alerts to unique external ID and MITRE ATT&CK Matrix tactics

The following table lists the mapping between alert names, their corresponding unique external IDs, their severity, and their MITRE ATT&CK Matrix™ tactic. When used with scripts or automation, Microsoft recommends use of alert external IDs in place of alert names, as only security alert external IDs are permanent, and not subject to change.

Security alert name	Unique external ID	Severity	MITRE ATT&CK Matrix™
Suspected SID-History injection	1106	High	Privilege Escalation
Suspected overpass-the-hash attack (Kerberos)	2002	Medium	Lateral movement
Account enumeration reconnaissance	2003	Medium	Discovery
Suspected Brute Force attack (LDAP)	2004	Medium	Credential access
Suspected DCSync attack (replication of directory services)	2006	High	Credential access, Persistence
Network mapping reconnaissance (DNS)	2007	Medium	Discovery
Suspected over-pass-the-hash attack (forced encryption type)	2008	Medium	Lateral movement
Suspected Golden Ticket usage (encryption downgrade)	2009	Medium	Persistence, Privilege Escalation, Lateral movement
Suspected Skeleton Key attack (encryption downgrade)	2010	Medium	Persistence, Lateral movement
User and IP address reconnaissance (SMB)	2012	Medium	Discovery
Suspected Golden Ticket usage (forged authorization data)	2013	High	Credential access
Honeytoken authentication activity	2014	Medium	Credential access, Discovery
Suspected identity theft (pass-the-hash)	2017	High	Lateral movement
Suspected identity theft (pass-the-ticket)	2018	High or Medium	Lateral movement
Remote code execution attempt	2019	Medium	Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement
Malicious request of Data Protection API master key	2020	High	Credential access
User and Group membership reconnaissance (SAMR)	2021	Medium	Discovery
Suspected Golden Ticket usage (time anomaly)	2022	High	Persistence, Privilege Escalation, Lateral movement
Suspected Brute Force attack (Kerberos, NTLM)	2023	Medium	Credential access
Suspicious additions to sensitive groups	2024	Medium	Persistence, Credential access,
Suspicious VPN connection	2025	Medium	Defense evasion, Persistence
Suspicious service creation	2026	Medium	Execution, Persistence, Privilege Escalation, Defense evasion, Lateral movement
Suspected Golden Ticket usage (nonexistent account)	2027	High	Persistence, Privilege Escalation, Lateral movement
Suspected DCShadow attack (domain controller promotion)	2028	High	Defense evasion
Suspected DCShadow attack (domain controller replication request)	2029	High	Defense evasion
Data exfiltration over SMB	2030	High	Exfiltration, Lateral movement, Command, and control
Suspicious communication over DNS	2031	Medium	Exfiltration
Suspected Golden Ticket usage (ticket anomaly)	2032	High	Persistence, Privilege Escalation, Lateral movement
Suspected Brute Force attack (SMB)	2033	Medium	Lateral movement
Suspected use of Metasploit hacking framework	2034	Medium	Lateral movement
Suspected WannaCry ransomware attack	2035	Medium	Lateral movement
Remote code execution over DNS	2036	Medium	Lateral movement, Privilege escalation
Suspected NTLM relay attack	2037	Medium or Low if observed using signed NTLM v2 protocol	Lateral movement, Privilege escalation
Security principal reconnaissance (LDAP)	2038	High (in case resolutions issues or Specific Tool detected) and Medium	Credential access
Suspected NTLM authentication tampering	2039	Medium	Lateral movement, Privilege escalation
Suspected Golden Ticket usage (ticket anomaly using RBCD)	2040	High	Persistence
Suspected rogue Kerberos certificate usage	2047	High	Lateral movement
Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation)	2048	Medium	Credential access
Active Directory attributes reconnaissance (LDAP)	2210	Medium	Discovery
Suspected SMB packet manipulation (CVE-2020-0796 exploitation)	2406	High	Lateral movement
Suspected Kerberos SPN exposure	2410	High	Credential access
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)	2411	High	Privilege Escalation
Suspected AS-REP Roasting attack	2412	High	Credential access
Suspected AD FS DKM key read	2413	High	Credential access
Exchange Server Remote Code Execution (CVE-2021-26855)	2414	High	Lateral movement
Suspected exploitation attempt on Windows Print Spooler service	2415	High or Medium	Lateral movement
Suspicious network connection over Encrypting File System Remote Protocol	2416	High or Medium	Lateral movement
Suspected suspicious Kerberos ticket request	2418	High	Credential access
Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation)	2419	High	Credential access
Suspicious modification of the trust relationship of AD FS server	2420	Medium	Privilege Escalation
Suspicious modification of a dNSHostName attribute (CVE-2022-26923)	2421	High	Privilege Escalation
Suspicious Kerberos delegation attempt by a newly created computer	2422	High	Privilege Escalation
Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account	2423	High	Privilege Escalation
Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate	2424	High	Credential access
Suspicious certificate usage over Kerberos protocol (PKINIT)	2425	High	Lateral movement
Suspected DFSCoerce attack using Distributed File System Protocol	2426	High	Credential access
Honeytoken user attributes modified	2427	High	Persistence
Honeytoken group membership changed	2428	High	Persistence
Honeytoken was queried via LDAP	2429	Low	Discovery
Suspicious modification of domain AdminSdHolder	2430	High	Persistence
Suspected account takeover using shadow credentials	2431	High	Credential access
Suspicious Domain Controller certificate request (ESC8)	2432	High	Privilege escalation
Suspicious deletion of the certificate database entries	2433	Medium	Defense evasion
Suspicious disable of audit filters of AD CS	2434	Medium	Defense evasion
Suspicious modifications to the AD CS security permissions/settings	2435	Medium	Privilege escalation
Account Enumeration reconnaissance (LDAP) (Preview)	2437	Medium	Account Discovery, Domain Account
Directory Services Restore Mode Password Change	2438	Medium	Persistence, Account Manipulation
Group Policy Tampering	2440	Medium	Defense evasion

Note

Contact support to disable security alerts.

See Also

• View and manage security alerts
• Investigate security alerts
• Check out the Defender for Identity forum!