Advanced multistage attack detection in Azure Sentinel

A mind map of the Fusion (advanced multistage attack detection) scenarios in Azure Sentinel. Each leaf names one correlation: a suspicious sign-in detected by Azure AD Identity Protection, followed by a follow-on activity alert from Microsoft Cloud App Security, Microsoft Defender for Endpoint or Azure Defender, grouped by the attacker objective the pair indicates.


1. Compute resource abuse

1.1. Multiple VM creation activities following suspicious Azure Active Directory sign-in

1.1.1. Sign-in event from an unfamiliar location leading to multiple VM creation activities

1.1.2. Impossible travel to an atypical location leading to multiple VM creation activities

1.1.3. Sign-in event from an infected device leading to multiple VM creation activities

1.1.4. Sign-in event from an anonymous IP address leading to multiple VM creation activities

1.1.5. Sign-in event from user with leaked credentials leading to multiple VM creation activities

2. Credential harvesting

2.1. Malicious credential theft tool execution following suspicious sign-in

2.1.1. Sign-in event from an unfamiliar location leading to malicious credential theft tool execution

2.1.2. Impossible travel to atypical locations leading to malicious credential theft tool execution

2.1.3. Sign-in event from an infected device leading to malicious credential theft tool execution

2.1.4. Sign-in event from an anonymous IP address leading to malicious credential theft tool execution

2.1.5. Sign-in event from user with leaked credentials leading to malicious credential theft tool execution

2.2. Suspected credential theft activity following suspicious sign-in

2.2.1. Impossible travel to atypical locations leading to suspected credential theft activity

2.2.2. Sign-in event from an unfamiliar location leading to suspected credential theft activity

2.2.3. Sign-in event from an infected device leading to suspected credential theft activity

2.2.4. Sign-in event from an anonymous IP address leading to suspected credential theft activity

2.2.5. Sign-in event from user with leaked credentials leading to suspected credential theft activity

3. Crypto-mining

3.1. Crypto-mining activity following suspicious sign-in

3.1.1. Impossible travel to atypical locations leading to crypto-mining activity

3.1.2. Sign-in event from an unfamiliar location leading to crypto-mining activity

3.1.3. Sign-in event from an infected device leading to crypto-mining activity

3.1.4. Sign-in event from an anonymous IP address leading to crypto-mining activity

3.1.5. Sign-in event from user with leaked credentials leading to crypto-mining activity

4. Data exfiltration

4.1. Office 365 mailbox exfiltration following a suspicious Azure AD sign-in

4.1.1. Impossible travel to an atypical location leading to Office 365 mailbox exfiltration

4.1.2. Sign-in event from an unfamiliar location leading to Office 365 mailbox exfiltration

4.1.3. Sign-in event from an infected device leading to Office 365 mailbox exfiltration

4.1.4. Sign-in event from an anonymous IP address leading to Office 365 mailbox exfiltration

4.1.5. Sign-in event from user with leaked credentials leading to Office 365 mailbox exfiltration

4.2. Mass file download following suspicious Azure AD sign-in

4.2.1. Impossible travel to an atypical location leading to mass file download

4.2.2. Sign-in event from an unfamiliar location leading to mass file download

4.2.3. Sign-in event from an infected device leading to mass file download

4.2.4. Sign-in event from an anonymous IP address leading to mass file download

4.2.5. Sign-in event from user with leaked credentials leading to mass file download

4.3. Mass file sharing following suspicious Azure AD sign-in

4.3.1. Impossible travel to an atypical location leading to mass file sharing

4.3.2. Sign-in event from an unfamiliar location leading to mass file sharing

4.3.3. Sign-in event from an infected device leading to mass file sharing

4.3.4. Sign-in event from an anonymous IP address leading to mass file sharing

4.3.5. Sign-in event from user with leaked credentials leading to mass file sharing

4.4. Suspicious inbox manipulation rules set following suspicious Azure AD sign-in

4.4.1. Impossible travel to an atypical location leading to suspicious inbox manipulation rule

4.4.2. Sign-in event from an unfamiliar location leading to suspicious inbox manipulation rule

4.4.3. Sign-in event from an infected device leading to suspicious inbox manipulation rule

4.4.4. Sign-in event from an anonymous IP address leading to suspicious inbox manipulation rule

4.4.5. Sign-in event from user with leaked credentials leading to suspicious inbox manipulation rule

4.5. Multiple Power BI report sharing activities following suspicious Azure AD sign-in

4.5.1. Impossible travel to an atypical location leading to multiple Power BI report sharing activities

4.5.2. Sign-in event from an unfamiliar location leading to multiple Power BI report sharing activities

4.5.3. Sign-in event from an infected device leading to multiple Power BI report sharing activities

4.5.4. Sign-in event from an anonymous IP address leading to multiple Power BI report sharing activities

4.5.5. Sign-in event from user with leaked credentials leading to multiple Power BI report sharing activities

4.6. Suspicious Power BI report sharing following suspicious Azure AD sign-in

4.6.1. Impossible travel to an atypical location leading to suspicious Power BI report sharing

4.6.2. Sign-in event from an unfamiliar location leading to suspicious Power BI report sharing

4.6.3. Sign-in event from an infected device leading to suspicious Power BI report sharing

4.6.4. Sign-in event from an anonymous IP address leading to suspicious Power BI report sharing

4.6.5. Sign-in event from user with leaked credentials leading to suspicious Power BI report sharing

5. Data destruction

5.1. Mass file deletion following suspicious Azure AD sign-in

5.1.1. Impossible travel to an atypical location leading to mass file deletion

5.1.2. Sign-in event from an unfamiliar location leading to mass file deletion

5.1.3. Sign-in event from an infected device leading to mass file deletion

5.1.4. Sign-in event from an anonymous IP address leading to mass file deletion

5.1.5. Sign-in event from user with leaked credentials leading to mass file deletion

5.2. Suspicious email deletion activity following suspicious Azure AD sign-in

5.2.1. Impossible travel to an atypical location leading to suspicious email deletion activity

5.2.2. Sign-in event from an unfamiliar location leading to suspicious email deletion activity

5.2.3. Sign-in event from an infected device leading to suspicious email deletion activity

5.2.4. Sign-in event from an anonymous IP address leading to suspicious email deletion activity

5.2.5. Sign-in event from user with leaked credentials leading to suspicious email deletion activity

6. Denial of service

6.1. Multiple VM delete activities following suspicious Azure AD sign-in

6.1.1. Impossible travel to an atypical location leading to multiple VM delete activities

6.1.2. Sign-in event from an unfamiliar location leading to multiple VM delete activities

6.1.3. Sign-in event from an infected device leading to multiple VM delete activities

6.1.4. Sign-in event from an anonymous IP address leading to multiple VM delete activities

6.1.5. Sign-in event from user with leaked credentials leading to multiple VM delete activities

7. Lateral movement

7.1. Office 365 impersonation following suspicious Azure AD sign-in

7.1.1. Impossible travel to an atypical location leading to Office 365 impersonation

7.1.2. Sign-in event from an unfamiliar location leading to Office 365 impersonation

7.1.3. Sign-in event from an infected device leading to Office 365 impersonation

7.1.4. Sign-in event from an anonymous IP address leading to Office 365 impersonation

7.1.5. Sign-in event from user with leaked credentials leading to Office 365 impersonation

7.2. Suspicious inbox manipulation rules set following suspicious Azure AD sign-in

7.2.1. Impossible travel to an atypical location leading to suspicious inbox manipulation rule

7.2.2. Sign-in event from an unfamiliar location leading to suspicious inbox manipulation rule

7.2.3. Sign-in event from an infected device leading to suspicious inbox manipulation rule

7.2.4. Sign-in event from an anonymous IP address leading to suspicious inbox manipulation rule

7.2.5. Sign-in event from user with leaked credentials leading to suspicious inbox manipulation rule

8. Malicious administrative activity

8.1. Suspicious cloud app administrative activity following suspicious Azure AD sign-in

9. Malicious execution with legitimate process

9.1. PowerShell made a suspicious network connection, followed by anomalous traffic flagged by Palo Alto Networks firewall

9.2. Suspicious remote WMI execution followed by anomalous traffic flagged by Palo Alto Networks firewall

9.3. Suspicious PowerShell command line following suspicious sign-in

9.3.1. Impossible travel to atypical locations leading to suspicious PowerShell command line

9.3.2. Sign-in event from an unfamiliar location leading to suspicious PowerShell command line

9.3.3. Sign-in event from an infected device leading to suspicious PowerShell command line

9.3.4. Sign-in event from an anonymous IP address leading to suspicious PowerShell command line

9.3.5. Sign-in event from user with leaked credentials leading to suspicious PowerShell command line

10. Malware C2 or download

10.1. Network request to TOR anonymization service followed by anomalous traffic flagged by Palo Alto Networks firewall

10.2. Outbound connection to IP with a history of unauthorized access attempts followed by anomalous traffic flagged by Palo Alto Networks firewall

11. Ransomware

11.1. Ransomware execution following suspicious Azure AD sign-in

11.1.1. Impossible travel to an atypical location leading to ransomware in cloud app

11.1.2. Sign-in event from an unfamiliar location leading to ransomware in cloud app

11.1.3. Sign-in event from an infected device leading to ransomware in cloud app

11.1.4. Sign-in event from an anonymous IP address leading to ransomware in cloud app

11.1.5. Sign-in event from user with leaked credentials leading to ransomware in cloud app

12. Remote exploitation

12.1. Suspected use of attack framework followed by anomalous traffic flagged by Palo Alto Networks firewall

13. MCAS (Microsoft Cloud App Security)

14. AAD IP (Azure AD Identity Protection)

15. Microsoft Defender for Endpoint

16. Azure Defender
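Every "sign-in ... leading to ..." leaf on this map has the same shape: a sign-in risk detection for an account, followed within some time window by a follow-on activity alert for the same account, with neither signal raising an incident on its own. The Python below is an added illustration of that pattern, written for this page; it is not Fusion's own algorithm (which Microsoft does not publish) and not code from the page. The alert field names, the `kind` vocabulary, the 24-hour default window and the sample alerts are all constructed assumptions.

```python
"""Toy correlation of the "<suspicious sign-in> leading to <follow-on activity>"
pattern shared by the leaves of the map above.

Added illustration only: not Fusion's own (unpublished) algorithm and not code
from the page. Field names, the `kind` vocabulary, the 24-hour window and the
sample alerts are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sign-in risk detections (Azure AD Identity Protection) that open a chain.
SIGNIN_RISKS = {
    "unfamiliarLocation": "Sign-in event from an unfamiliar location",
    "impossibleTravel": "Impossible travel to an atypical location",
    "infectedDevice": "Sign-in event from an infected device",
    "anonymizedIPAddress": "Sign-in event from an anonymous IP address",
    "leakedCredentials": "Sign-in event from user with leaked credentials",
}

# Follow-on activity alerts (MCAS, Defender for Endpoint, Azure Defender) that
# close a chain: kind -> (activity wording, tactics it sits under on the map).
# An inbox-manipulation rule sits under two tactics, as it does on the map.
FOLLOW_ON = {
    "MassDownload": ("mass file download", ("Data exfiltration",)),
    "MassDelete": ("mass file deletion", ("Data destruction",)),
    "InboxRule": ("suspicious inbox manipulation rule",
                  ("Data exfiltration", "Lateral movement")),
    "CryptoMining": ("crypto-mining activity", ("Crypto-mining",)),
    "VMCreate": ("multiple VM creation activities", ("Compute resource abuse",)),
    "VMDelete": ("multiple VM delete activities", ("Denial of service",)),
    "CredTheftTool": ("malicious credential theft tool execution",
                      ("Credential harvesting",)),
    "Ransomware": ("ransomware in cloud app", ("Ransomware",)),
}


@dataclass(frozen=True)
class Alert:
    time: datetime
    user: str      # join key: the account both alerts are about
    source: str    # "AADIP", "MCAS", "MDE" or "AzureDefender" (label only)
    kind: str      # key of SIGNIN_RISKS or FOLLOW_ON


@dataclass(frozen=True)
class Incident:
    user: str
    title: str
    tactics: tuple
    signin: Alert
    follow_on: Alert


def correlate(alerts, window=timedelta(hours=24)):
    """Pair each follow-on alert with the most recent sign-in risk detection
    for the same user that occurred no more than `window` earlier.

    Neither half fires alone: a risky sign-in with no follow-on, or a mass
    download with no risky sign-in, yields nothing. Two low-fidelity signals
    become one high-fidelity incident only when they chain.
    """
    by_user = {}
    for alert in sorted(alerts, key=lambda a: a.time):
        by_user.setdefault(alert.user, []).append(alert)

    incidents = []
    for user, timeline in by_user.items():
        last_signin = None
        for alert in timeline:
            if alert.kind in SIGNIN_RISKS:
                last_signin = alert            # newest risk detection wins
            elif alert.kind in FOLLOW_ON and last_signin is not None:
                if alert.time - last_signin.time <= window:
                    activity, tactics = FOLLOW_ON[alert.kind]
                    title = f"{SIGNIN_RISKS[last_signin.kind]} leading to {activity}"
                    incidents.append(Incident(user, title, tactics, last_signin, alert))
    return incidents


# Constructed sample alerts (not real telemetry).
BASE = datetime(2021, 5, 1, 8, 0)
SAMPLE_ALERTS = [
    Alert(BASE + timedelta(hours=1), "alice", "AADIP", "unfamiliarLocation"),
    Alert(BASE + timedelta(hours=3), "alice", "MCAS", "MassDownload"),
    Alert(BASE + timedelta(hours=2), "bob", "MCAS", "MassDelete"),        # no risky sign-in
    Alert(BASE - timedelta(days=2), "carol", "AADIP", "impossibleTravel"),
    Alert(BASE + timedelta(hours=1), "carol", "MCAS", "InboxRule"),      # 50 h later: outside window
    Alert(BASE, "dave", "AADIP", "leakedCredentials"),                    # no follow-on
    Alert(BASE + timedelta(hours=1), "erin", "AADIP", "anonymizedIPAddress"),
    Alert(BASE + timedelta(minutes=90), "erin", "MCAS", "MassDownload"),
    Alert(BASE + timedelta(minutes=105), "erin", "MCAS", "MassDelete"),
]


def sample_incidents(window_hours=24):
    """Run the correlation over the constructed sample with the given window."""
    return correlate(SAMPLE_ALERTS, timedelta(hours=window_hours))


if __name__ == "__main__":
    for inc in sample_incidents():
        print(f"{inc.user}: {inc.title} [{', '.join(inc.tactics)}]")
```

With the default window only alice and erin produce incidents; bob's mass deletion and dave's leaked-credential sign-in stay single, uncorrelated alerts, and carol's chain only appears once the window is widened past 50 hours, which is the tuning knob an analyst trades against false pairings. The firewall scenarios on the map (9.1, 9.2, 10.1, 10.2, 12.1) follow the same structure with the host or source IP as the join key instead of the user account.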