Detection rules › By event
Entra-AuditLogs _catch_all
Elastic (2)
Kusto (27)
- Application ID URI Changed
- Bulk Changes to Privileged Account Permissions
- Changes to Application Logout URL
- Conditional Access Policy Modified by New User
- Cross-tenant Access Settings Organization Added
- Cross-tenant Access Settings Organization Deleted
- Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed
- Cross-tenant Access Settings Organization Inbound Direct Settings Changed
- Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed
- Cross-tenant Access Settings Organization Outbound Direct Settings Changed
- Detect changes to Connect Sync Application
- Detect credential add to Connect Sync Application
- Detect PIM Alert Disabling activity
- End-user consent stopped due to risk-based consent
- First access credential added to Application or Service Principal where no credential was present
- Mail.Read Permissions Granted to Application
- Multiple admin membership removals from newly created admin.
- New access credential added to Application or Service Principal
- NRT First access credential added to Application or Service Principal where no credential was present
- NRT New access credential added to Application or Service Principal
- Power Platform - Account added to privileged Microsoft Entra roles
- Privileged Account Permissions Changed
- Rare application consent
- Service Principal Assigned Privileged Role
- Threat Essentials - Multiple admin membership removals from newly created admin.
- Threat Essentials - User Assigned Privileged Role
- User Assigned New Privileged Role