Security alerts in Microsoft Defender for Identity

Note

The experience described in this page can be accessed at https://security.microsoft.com as part of Microsoft Defender XDR.

Microsoft Defender for Identity security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

  1. Reconnaissance and discovery alerts
  2. Persistence and privilege escalation alerts
  3. Credential access alerts
  4. Lateral movement alerts
  5. Other alerts

To learn more about the structure and common components of all Defender for Identity security alerts, see Understanding security alerts.

Security alert name mapping and unique external IDs

The following table lists the mapping between alert names, their corresponding unique external IDs, their severity, and their MITRE ATT&CK Matrix™ tactic. When used with scripts or automation, Microsoft recommends use of alert external IDs in place of alert names, as only security alert external IDs are permanent, and not subject to change.

External IDs

Security alert name Unique external ID Severity MITRE ATT&CK Matrix™
Suspected SID-History injection 1106 High Privilege Escalation
Suspected overpass-the-hash attack (Kerberos) 2002 Medium Lateral movement
Account enumeration reconnaissance 2003 Medium Discovery
Suspected Brute Force attack (LDAP) 2004 Medium Credential access
Suspected DCSync attack (replication of directory services) 2006 High Credential access, Persistence
Network mapping reconnaissance (DNS) 2007 Medium Discovery
Suspected over-pass-the-hash attack (forced encryption type) 2008 Medium Lateral movement
Suspected Golden Ticket usage (encryption downgrade) 2009 Medium Persistence, Privilege Escalation, Lateral movement
Suspected Skeleton Key attack (encryption downgrade) 2010 Medium Persistence, Lateral movement
User and IP address reconnaissance (SMB) 2012 Medium Discovery
Suspected Golden Ticket usage (forged authorization data) 2013 High Credential access
Honeytoken authentication activity 2014 Medium Credential access, Discovery
Suspected identity theft (pass-the-hash) 2017 High Lateral movement
Suspected identity theft (pass-the-ticket) 2018 High or Medium Lateral movement
Remote code execution attempt 2019 Medium Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement
Malicious request of Data Protection API master key 2020 High Credential access
User and Group membership reconnaissance (SAMR) 2021 Medium Discovery
Suspected Golden Ticket usage (time anomaly) 2022 High Persistence, Privilege Escalation, Lateral movement
Suspected Brute Force attack (Kerberos, NTLM) 2023 Medium Credential access
Suspicious additions to sensitive groups 2024 Medium Persistence, Credential access,
Suspicious VPN connection 2025 Medium Defense evasion, Persistence
Suspicious service creation 2026 Medium Execution, Persistence, Privilege Escalation, Defense evasion, Lateral movement
Suspected Golden Ticket usage (nonexistent account) 2027 High Persistence, Privilege Escalation, Lateral movement
Suspected DCShadow attack (domain controller promotion) 2028 High Defense evasion
Suspected DCShadow attack (domain controller replication request) 2029 High Defense evasion
Data exfiltration over SMB 2030 High Exfiltration, Lateral movement, Command and control
Suspicious communication over DNS 2031 Medium Exfiltration
Suspected Golden Ticket usage (ticket anomaly) 2032 High Persistence, Privilege Escalation, Lateral movement
Suspected Brute Force attack (SMB) 2033 Medium Lateral movement
Suspected use of Metasploit hacking framework 2034 Medium Lateral movement
Suspected WannaCry ransomware attack 2035 Medium Lateral movement
Remote code execution over DNS 2036 Medium Lateral movement, Privilege escalation
Suspected NTLM relay attack 2037 Medium or Low if observed using signed NTLM v2 protocol Lateral movement, Privilege escalation
Security principal reconnaissance (LDAP) 2038 High (in case resolutions issues or Specific Tool detected) and Medium Credential access
Suspected NTLM authentication tampering 2039 Medium Lateral movement, Privilege escalation
Suspected Golden Ticket usage (ticket anomaly using RBCD) 2040 High Persistence
Suspected rogue Kerberos certificate usage 2047 High Lateral movement
Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation) 2048 Medium Credential access
Active Directory attributes reconnaissance (LDAP) 2210 Medium Discovery
Suspected SMB packet manipulation (CVE-2020-0796 exploitation) 2406 High Lateral movement
Suspected Kerberos SPN exposure 2410 High Credential access
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) 2411 High Privilege Escalation
Suspected AS-REP Roasting attack 2412 High Credential access
Suspected AD FS DKM key read 2413 High Credential access
Exchange Server Remote Code Execution (CVE-2021-26855) 2414 High Lateral movement
Suspected exploitation attempt on Windows Print Spooler service 2415 High or Medium Lateral movement
Suspicious network connection over Encrypting File System Remote Protocol 2416 High or Medium Lateral movement
Suspected suspicious Kerberos ticket request 2418 High Credential access
Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation) 2419 High Credential access
Suspicious modification of the trust relationship of AD FS server 2420 Medium Privilege Escalation
Suspicious modification of a dNSHostName attribute (CVE-2022-26923) 2421 High Privilege Escalation
Suspicious Kerberos delegation attempt by a newly created computer 2422 High Privilege Escalation
Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account 2423 High Privilege Escalation
Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate 2424 High Credential access
Suspicious certificate usage over Kerberos protocol (PKINIT) 2425 High Lateral movement
Suspected DFSCoerce attack using Distributed File System Protocol 2426 High Credential access
Honeytoken user attributes modified 2427 High Persistence
Honeytoken group membership changed 2428 High Persistence
Honeytoken was queried via LDAP 2429 Low Discovery
Suspicious modification of domain AdminSdHolder 2430 High Persistence
Suspected account takeover using shadow credentials 2431 High Credential access
Suspicious Domain Controller certificate request (ESC8) 2432 High Privilege escalation
Suspicious deletion of the certificate database entries 2433 Medium Defense evasion
Suspicious disable of audit filters of AD CS 2434 Medium Defense evasion
Suspicious modifications to the AD CS security permissions/settings 2435 Medium Privilege escalation
Account Enumeration reconnaissance (LDAP) (Preview) 2437 Medium Account Discovery, Domain Account
Directory Services Restore Mode Password Change 2438 Medium Persistence, Account Manipulation
Honeytoken was queried via SAM-R 2439 Low Discovery
Group Policy Tampering 2440 Medium Defense evasion

Note

To disable any security alert, contact support.

See Also