Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article lists the anomalies that Microsoft Sentinel detects using different machine learning models.
Anomaly detection works by analyzing the behavior of users in an environment over a period of time and constructing a baseline of legitimate activity. Once the baseline is established, any activity outside the normal parameters is considered anomalous and therefore suspicious.
Microsoft Sentinel uses two different models to create baselines and detect anomalies.
Note
The following anomaly detections are discontinued as of March 26, 2024, due to low quality of results:
- Domain Reputation Palo Alto anomaly
- Multi-region logins in a single day via Palo Alto GlobalProtect
Important
Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license.
Starting in July 2026, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected.
We recommend that any customers using Microsoft Sentinel in Azure start planning the transition to the Defender portal for the full unified security operations experience offered by Microsoft Defender. For more information, see Planning your move to Microsoft Defender portal for all Microsoft Sentinel customers.
UEBA anomalies
Sentinel UEBA detects anomalies based on dynamic baselines created for each entity across various data inputs. Each entity's baseline behavior is set according to its own historical activities, those of its peers, and those of the organization as a whole. Anomalies can be triggered by the correlation of different attributes such as action type, geo-location, device, resource, ISP, and more.
You must enable the UEBA feature for UEBA anomalies to be detected.
- Anomalous Account Access Removal
- Anomalous Account Creation
- Anomalous Account Deletion
- Anomalous Account Manipulation
- Anomalous Code Execution (UEBA)
- Anomalous Data Destruction
- Anomalous Defensive Mechanism Modification
- Anomalous Failed Sign-in
- Anomalous Password Reset
- Anomalous Privilege Granted
- Anomalous Sign-in
Anomalous Account Access Removal
Description: An attacker may interrupt the availability of system and network resources by blocking access to accounts used by legitimate users. The attacker might delete, lock, or manipulate an account (for example, by changing its credentials) to remove access to it.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1531 - Account Access Removal |
| Activity: | Microsoft.Authorization/roleAssignments/delete Log Out |
Back to UEBA anomalies list | Back to top
Anomalous Account Creation
Description: Adversaries may create an account to maintain access to targeted systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access without requiring persistent remote access tools to be deployed on the system.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1136 - Create Account |
| MITRE ATT&CK sub-techniques: | Cloud Account |
| Activity: | Core Directory/UserManagement/Add user |
Back to UEBA anomalies list | Back to top
Anomalous Account Deletion
Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1531 - Account Access Removal |
| Activity: | Core Directory/UserManagement/Delete user Core Directory/Device/Delete user Core Directory/UserManagement/Delete user |
Back to UEBA anomalies list | Back to top
Anomalous Account Manipulation
Description: Adversaries may manipulate accounts to maintain access to target systems. These actions include adding new accounts to high-privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high-Blast Radius users performing "Update user" (name change) to privileged role, or ones that changed users for the first time.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1098 - Account Manipulation |
| Activity: | Core Directory/UserManagement/Update user |
Back to UEBA anomalies list | Back to top
Anomalous Code Execution (UEBA)
Description: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Execution |
| MITRE ATT&CK techniques: | T1059 - Command and Scripting Interpreter |
| MITRE ATT&CK sub-techniques: | PowerShell |
| Activity: | Microsoft.Compute/virtualMachines/runCommand/action |
Back to UEBA anomalies list | Back to top
Anomalous Data Destruction
Description: Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1485 - Data Destruction |
| Activity: | Microsoft.Compute/disks/delete Microsoft.Compute/galleries/images/delete Microsoft.Compute/hostGroups/delete Microsoft.Compute/hostGroups/hosts/delete Microsoft.Compute/images/delete Microsoft.Compute/virtualMachines/delete Microsoft.Compute/virtualMachineScaleSets/delete Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete Microsoft.Devices/digitalTwins/Delete Microsoft.Devices/iotHubs/Delete Microsoft.KeyVault/vaults/delete Microsoft.Logic/integrationAccounts/delete Microsoft.Logic/integrationAccounts/maps/delete Microsoft.Logic/integrationAccounts/schemas/delete Microsoft.Logic/integrationAccounts/partners/delete Microsoft.Logic/integrationServiceEnvironments/delete Microsoft.Logic/workflows/delete Microsoft.Resources/subscriptions/resourceGroups/delete Microsoft.Sql/instancePools/delete Microsoft.Sql/managedInstances/delete Microsoft.Sql/managedInstances/administrators/delete Microsoft.Sql/managedInstances/databases/delete Microsoft.Storage/storageAccounts/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.AAD/domainServices/delete |
Back to UEBA anomalies list | Back to top
Anomalous Defensive Mechanism Modification
Description: Adversaries may disable security tools to avoid possible detection of their tools and activities.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Defense Evasion |
| MITRE ATT&CK techniques: | T1562 - Impair Defenses |
| MITRE ATT&CK sub-techniques: | Disable or Modify Tools Disable or Modify Cloud Firewall |
| Activity: | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/delete Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/delete Microsoft.Network/networkSecurityGroups/securityRules/delete Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/ddosProtectionPlans/delete Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete Microsoft.Network/applicationSecurityGroups/delete Microsoft.Authorization/policyAssignments/delete Microsoft.Sql/servers/firewallRules/delete Microsoft.Network/firewallPolicies/delete Microsoft.Network/azurefirewalls/delete |
Back to UEBA anomalies list | Back to top
Anomalous Failed Sign-in
Description: Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra sign-in logs Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
| Activity: | Microsoft Entra ID: Sign-in activity Windows Security: Failed login (Event ID 4625) |
Back to UEBA anomalies list | Back to top
Anomalous Password Reset
Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1531 - Account Access Removal |
| Activity: | Core Directory/UserManagement/User password reset |
Back to UEBA anomalies list | Back to top
Anomalous Privilege Granted
Description: Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials to maintain persistent access to victim Azure accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1098 - Account Manipulation |
| MITRE ATT&CK sub-techniques: | Additional Azure Service Principal Credentials |
| Activity: | Account provisioning/Application Management/Add app role assignment to service principal |
Back to UEBA anomalies list | Back to top
Anomalous Sign-in
Description: Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Persistence.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra sign-in logs Windows Security logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
| Activity: | Microsoft Entra ID: Sign-in activity Windows Security: Successful login (Event ID 4624) |
Back to UEBA anomalies list | Back to top
Machine learning-based anomalies
Microsoft Sentinel's customizable, machine learning-based anomalies can identify anomalous behavior with analytics rule templates that can be put to work right out of the box. While anomalies don't necessarily indicate malicious or even suspicious behavior by themselves, they can be used to improve detections, investigations, and threat hunting.
- Anomalous Azure operations
- Anomalous Code Execution
- Anomalous local account creation
- Anomalous user activities in Office Exchange
- Attempted computer brute force
- Attempted user account brute force
- Attempted user account brute force per login type
- Attempted user account brute force per failure reason
- Detect machine generated network beaconing behavior
- Domain generation algorithm (DGA) on DNS domains
- Excessive Downloads via Palo Alto GlobalProtect
- Excessive uploads via Palo Alto GlobalProtect
- Potential domain generation algorithm (DGA) on next-level DNS Domains
- Suspicious volume of AWS API calls from Non-AWS source IP address
- Suspicious volume of AWS write API calls from a user account
- Suspicious volume of logins to computer
- Suspicious volume of logins to computer with elevated token
- Suspicious volume of logins to user account
- Suspicious volume of logins to user account by logon types
- Suspicious volume of logins to user account with elevated token
Anomalous Azure operations
Description: This detection algorithm collects 21 days' worth of data on Azure operations grouped by user to train this ML model. The algorithm then generates anomalies in the case of users who performed sequences of operations uncommon in their workspaces. The trained ML model scores the operations performed by the user and considers anomalous those whose score is greater than the defined threshold.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1190 - Exploit Public-Facing Application |
Back to Machine learning-based anomalies list | Back to top
Anomalous Code Execution
Description: Attackers may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Execution |
| MITRE ATT&CK techniques: | T1059 - Command and Scripting Interpreter |
Back to Machine learning-based anomalies list | Back to top
Anomalous local account creation
Description: This algorithm detects anomalous local account creation on Windows systems. Attackers may create local accounts to maintain access to targeted systems. This algorithm analyzes local account creation activity over the prior 14 days by users. It looks for similar activity on the current day from users who were not previously seen in historical activity. You can specify an allowlist to filter known users from triggering this anomaly.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1136 - Create Account |
Back to Machine learning-based anomalies list | Back to top
Anomalous user activities in Office Exchange
Description: This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one hour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users. It indicates anomalous user Office Exchange sessions in the last day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Office Activity log (Exchange) |
| MITRE ATT&CK tactics: | Persistence Collection |
| MITRE ATT&CK techniques: | Collection: T1114 - Email Collection T1213 - Data from Information Repositories Persistence: T1098 - Account Manipulation T1136 - Create Account T1137 - Office Application Startup T1505 - Server Software Component |
Back to Machine learning-based anomalies list | Back to top
Attempted computer brute force
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per computer over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Attempted user account brute force
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Attempted user account brute force per login type
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account per logon type over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Attempted user account brute force per failure reason
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account per failure reason over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Detect machine generated network beaconing behavior
Description: This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns. Any network connection towards untrusted public networks at repetitive time deltas is an indication of malware callbacks or data exfiltration attempts. The algorithm will calculate the time delta between consecutive network connections between the same source IP and destination IP, as well as the number of connections in a time-delta sequence between the same sources and destinations. The percentage of beaconing is calculated as the connections in time-delta sequence against total connections in a day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN) |
| MITRE ATT&CK tactics: | Command and Control |
| MITRE ATT&CK techniques: | T1071 - Application Layer Protocol T1132 - Data Encoding T1001 - Data Obfuscation T1568 - Dynamic Resolution T1573 - Encrypted Channel T1008 - Fallback Channels T1104 - Multi-Stage Channels T1095 - Non-Application Layer Protocol T1571 - Non-Standard Port T1572 - Protocol Tunneling T1090 - Proxy T1205 - Traffic Signaling T1102 - Web Service |
Back to Machine learning-based anomalies list | Back to top
Domain generation algorithm (DGA) on DNS domains
Description: This machine learning model indicates potential DGA domains from the past day in the DNS logs. The algorithm applies to DNS records that resolve to IPv4 and IPv6 addresses.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | DNS Events |
| MITRE ATT&CK tactics: | Command and Control |
| MITRE ATT&CK techniques: | T1568 - Dynamic Resolution |
Back to Machine learning-based anomalies list | Back to top
Excessive Downloads via Palo Alto GlobalProtect
Description: This algorithm detects unusually high volume of download per user account through the Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of downloads in the past day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN VPN) |
| MITRE ATT&CK tactics: | Exfiltration |
| MITRE ATT&CK techniques: | T1030 - Data Transfer Size Limits T1041 - Exfiltration Over C2 Channel T1011 - Exfiltration Over Other Network Medium T1567 - Exfiltration Over Web Service T1029 - Scheduled Transfer T1537 - Transfer Data to Cloud Account |
Back to Machine learning-based anomalies list | Back to top
Excessive uploads via Palo Alto GlobalProtect
Description: This algorithm detects unusually high volume of upload per user account through the Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of upload in the past day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN VPN) |
| MITRE ATT&CK tactics: | Exfiltration |
| MITRE ATT&CK techniques: | T1030 - Data Transfer Size Limits T1041 - Exfiltration Over C2 Channel T1011 - Exfiltration Over Other Network Medium T1567 - Exfiltration Over Web Service T1029 - Scheduled Transfer T1537 - Transfer Data to Cloud Account |
Back to Machine learning-based anomalies list | Back to top
Potential domain generation algorithm (DGA) on next-level DNS Domains
Description: This machine learning model indicates the next-level domains (third-level and up) of the domain names from the last day of DNS logs that are unusual. They could potentially be the output of a domain generation algorithm (DGA). The anomaly applies to the DNS records that resolve to IPv4 and IPv6 addresses.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | DNS Events |
| MITRE ATT&CK tactics: | Command and Control |
| MITRE ATT&CK techniques: | T1568 - Dynamic Resolution |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of AWS API calls from Non-AWS source IP address
Description: This algorithm detects an unusually high volume of AWS API calls per user account per workspace, from source IP addresses outside of AWS's source IP ranges, within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by source IP address. This activity may indicate that the user account is compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | AWS CloudTrail logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of AWS write API calls from a user account
Description: This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by user account. This activity may indicate that the account is compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | AWS CloudTrail logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to computer
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per computer over the past day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to computer with elevated token
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) with administrative privileges, per computer, over the last day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to user account
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per user account over the past day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to user account by logon types
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per user account, by different logon types, over the past day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to user account with elevated token
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) with administrative privileges, per user account, over the last day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Next steps
Learn about machine learning-generated anomalies in Microsoft Sentinel.
Learn how to work with anomaly rules.
Investigate incidents with Microsoft Sentinel.