# Security Operations Center (SOC) Guide

Operational guide for security operations in Microsoft 365, Defender XDR, Sentinel, and Entra ID Protection.

- Operating model, triage, and tools.
- NIST-aligned framework for M365.
- Playbook for identity incidents.
- OAuth and service principal incidents.
- Analysis and global cleanup.
- Mailbox manipulation and fraud scenarios.
- Ready-to-use KQL queries.
- Playbooks and guardrails.
## SOC overview

| Function | Typical task | Primary tool |
|---|---|---|
| Tier 1 triage | Review alert, assess severity, start escalation path | Defender XDR incidents, Sentinel incidents |
| Tier 2 investigation | Analyze scope, root cause, blast radius, and timeline | Advanced Hunting, sign-in logs, audit logs |
| Containment owner | Block accounts, revoke sessions, isolate devices, disable apps | Entra, Defender, Exchange, Intune |
| SOC lead | Communications, approvals, escalation, external reporting | War room, incident record, compliance coordination |

Triage flow:

1. Normalize source, severity, affected identity, and workload inside an incident record.
2. Within minutes, determine whether the signal is a false positive, low risk, or a real incident.
3. Determine affected users, apps, devices, emails, files, tokens, and administrative changes.
4. Choose the smallest effective containment action: revoke session, block account, disable app, isolate device.
5. Close detection gaps, adjust Conditional Access, and update playbooks.
## Incident response framework

| NIST phase | M365-specific actions | Evidence |
|---|---|---|
| Preparation | Prepare break-glass accounts, role model, logging, playbooks, licensing coverage, and war room process | Exercises, contact lists, service account inventory |
| Detection & Analysis | Correlate Defender alerts, identity risk, sign-in logs, audit logs, Threat Explorer, and KQL hunting | Timeline, affected objects, IOC list |
| Containment | Revoke sessions, block accounts, isolate devices, disable apps, purge emails | Containment record, approval trail |
| Eradication & Recovery | Remove mailbox rules, rebuild tokens, re-register MFA, clean permissions, restore systems | Remediation plan, recovery evidence |
| Post-Incident | Root cause analysis, detection tuning, training, and CA or hardening adjustments | Lessons learned, improvement plan |

Containment should not wait for perfect root cause clarity. When risk is high, reversible security actions are better than a delayed response.
## Compromised user account playbook

| Detection source | Signal | First action |
|---|---|---|
| Identity Protection | Risky user, impossible travel, unfamiliar sign-in properties | Open sign-in timeline and risk detections |
| Defender XDR | Phishing, token theft, suspicious mailbox activity | Center the affected identity inside the incident |
| Exchange / Audit | Inbox rules, forwarding, MailItemsAccessed | Review mailbox activity and rule changes |
| OAuth / Cloud Apps | New app consents, unusual Graph calls | Review delegated permissions and app owners |

- Investigate sign-in logs with focus on client app, Conditional Access result, MFA requirement, device state, and token type.
- Review audit logs and Exchange traces for inbox rules, auto-forwarding, delegation changes, and mailbox access.
- Review OAuth consents and apps that appear in the same timeframe as the suspicious sign-ins.
- Correlate affected devices with Defender signals and determine whether credentials or tokens were compromised there.

| Containment | When to use | Comment |
|---|---|---|
| Reset password | For password compromise or credential stuffing | Force a password change and validate hybrid sources |
| Revoke sessions | For token-based or web-based attacks | Interrupts refresh token based sessions |
| Disable account | When attacker activity continues or fraud risk is high | Should be aligned with communications |
| Revoke OAuth tokens and consent | For suspicious app permissions | Include delegated offline access as well |
```powershell
# Compromised user triage: collect evidence first, then apply reversible containment.
$UserUpn = "user@contoso.com"

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions          # Revoke-MgUserSignInSession
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

# Risky-user, risk-detection and authentication-method cmdlets need their own scopes in addition to the audit scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","Directory.Read.All",
    "IdentityRiskyUser.Read.All","IdentityRiskEvent.Read.All","UserAuthenticationMethod.Read.All"
Connect-ExchangeOnline

# Sign-in history: client app, CA result and status are the key fields for token-theft and MFA-bypass questions.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserUpn'" -All |
    Select-Object CreatedDateTime,AppDisplayName,IPAddress,ClientAppUsed,ConditionalAccessStatus,Status

# Identity Protection view of the user and the individual risk detections.
Get-MgRiskyUser -Filter "userPrincipalName eq '$UserUpn'"
Get-MgIdentityProtectionRiskDetection -Filter "userPrincipalName eq '$UserUpn'" -All |
    Select-Object ActivityDateTime,RiskType,RiskLevel,RiskState,Location

# Mailbox persistence: inbox rules, mailbox-level forwarding, and explicit (non-inherited) permissions.
# Get-EXOMailbox returns a minimal property set by default; forwarding properties must be requested explicitly.
Get-InboxRule -Mailbox $UserUpn |
    Select-Object Name,Enabled,Priority,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage
Get-EXOMailbox -Identity $UserUpn -Properties ForwardingSmtpAddress,DeliverToMailboxAndForward |
    Select-Object UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward
Get-MailboxPermission -Identity $UserUpn |
    Where-Object { -not $_.IsInherited } |
    Select-Object User,AccessRights,Deny,IsInherited
Get-RecipientPermission -Identity $UserUpn |
    Select-Object Trustee,AccessRights,IsInherited

# Containment: revoking sessions invalidates refresh tokens and is reversible; the stronger actions stay opt-in.
Revoke-MgUserSignInSession -UserId $UserUpn
# Update-MgUser -UserId $UserUpn -AccountEnabled:$false
# Update-MgUser -UserId $UserUpn -PasswordProfile @{ ForceChangePasswordNextSignIn = $true; Password = 'Use-A-Secure-Temporary-Password!' }
# Remove-InboxRule -Mailbox $UserUpn -Identity "Suspicious Rule Name" -Confirm:$false

# Registered authentication methods: look for phones or authenticator devices the user does not recognise.
Get-MgUserAuthenticationMethod -UserId $UserUpn

# Containment record for the incident file.
[PSCustomObject]@{
    User                 = $UserUpn
    SessionRevoked       = $true
    MailboxRulesReviewed = $true
    ForwardingReviewed   = $true
}
```
## Compromised application playbook

| Step | Checkpoint | Action |
|---|---|---|
| Detect | Unusual app consents or Graph calls | Identify app ID, consent timestamp, and affected users |
| Investigate | App permissions, service principal sign-ins, audit logs | Determine permission scope and blast radius |
| Contain | Disable the service principal and revoke secrets or certs | Stop access immediately |
| Remediate | Review all consents and remove unnecessary delegations | Tighten consent policies and approval workflow |
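The four steps above as one script, added here as an example and not part of the original guide. It assumes the application (client) ID is known from the consent event, that Microsoft Graph PowerShell is installed, and that the operator holds a role allowed to manage service principals and permission grants; the `$riskyScopes` list is a starting point chosen for this example, not a complete policy. Without `-Contain` the script only collects evidence.

```powershell
# Added example: review and contain a suspicious enterprise application (not the guide's own code).
param(
    [Parameter(Mandatory)] [string] $AppId,
    [switch] $Contain          # evidence only unless -Contain is supplied
)

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Application.ReadWrite.All","DelegatedPermissionGrant.ReadWrite.All","Directory.Read.All"

# 1. Detect: resolve the service principal that represents the app in this tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }
$sp | Select-Object DisplayName, Id, AppId, AppOwnerOrganizationId, AccountEnabled

# 2. Investigate: delegated grants (which users, which scopes) and application permissions (app roles).
$grants   = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
$appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
$grants   | Select-Object ConsentType, PrincipalId, ResourceId, Scope
$appRoles | Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime

# High-impact scopes to prioritise for Tier 2 (assumed list for this example; extend to match your policy).
$riskyScopes = @('Mail.Read','Mail.ReadWrite','Mail.Send','Files.ReadWrite.All','User.Read.All','Directory.ReadWrite.All','offline_access')
$flagged = @($grants | Where-Object {
    $g = $_
    $riskyScopes | Where-Object { $g.Scope -match "(^|\s)$([regex]::Escape($_))(\s|$)" }
})
"$($flagged.Count) of $($grants.Count) delegated grants include high-impact scopes"

# 3. Contain / 4. Remediate: disable sign-in first (reversible), then remove consents and credentials.
if ($Contain) {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    foreach ($g in $grants)   { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id }
    foreach ($a in $appRoles) { Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id }

    # Secrets live on the app registration and only exist here when the app is registered in this tenant.
    $app = Get-MgApplication -Filter "appId eq '$AppId'"
    foreach ($cred in @($app.PasswordCredentials)) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $cred.KeyId
    }
}

[PSCustomObject]@{
    App              = $sp.DisplayName
    ServicePrincipal = $sp.Id
    DelegatedGrants  = $grants.Count
    AppRoleGrants    = $appRoles.Count
    FlaggedGrants    = $flagged.Count
    Contained        = [bool]$Contain
}
```

Disabling the service principal blocks new token issuance immediately and can be undone, which is why it comes before the destructive consent and secret removal; for multi-tenant apps owned by another organisation (`AppOwnerOrganizationId` differs from your tenant ID) only the local service principal and grants can be touched.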
## Phishing incident response

1. Capture the reported message including headers, URL, and attachment context.
2. Search for the same campaign, sender, subject, URLs, and attachments across the tenant.
3. Block sender, URLs, and file hashes before performing tenant-wide cleanup.
4. Remove messages through content search and purge, and submit the sample plus findings to Microsoft.
5. Notify recipients who clicked or replied and reinforce awareness actions.
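Steps 2 to 5 as one PowerShell run, added here as an example and not part of the original guide. It assumes an Exchange Online session plus a Security & Compliance session (`Connect-IPPSSession`), that the operator holds the Search and Purge role, and that the sender, subject and URL come from the reported message; the values below are constructed placeholders.

```powershell
# Added example: tenant-wide cleanup of one phishing campaign (not the guide's own code).
$Sender     = "invoice@example-phish.test"        # constructed placeholder indicators
$Subject    = "Overdue invoice 4471"
$PhishUrl   = "https://example-phish.test/login"
$Since      = (Get-Date).AddDays(-7)
$BlockUntil = (Get-Date).AddDays(30)
$SearchName = "Phish-$(Get-Date -Format 'yyyyMMdd-HHmm')"

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Connect-IPPSSession

# Step 2: scope the campaign. Message trace covers the last 10 days, so a 7-day window is safe.
$trace = Get-MessageTrace -SenderAddress $Sender -StartDate $Since -EndDate (Get-Date) -PageSize 5000
$trace | Group-Object Status | Select-Object Name, Count
$recipients = @($trace | Select-Object -ExpandProperty RecipientAddress -Unique)

# Step 3: block first so re-sent copies are stopped before the purge runs. Entries expire automatically.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $Sender   -ExpirationDate $BlockUntil
New-TenantAllowBlockListItems -ListType Url    -Block -Entries $PhishUrl -ExpirationDate $BlockUntil

# Step 4: content search across all mailboxes, then soft-delete the hits (recoverable; at most 10 items per mailbox per action).
$query = "from:$Sender AND subject:`"$Subject`""
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} while ($search.Status -ne 'Completed')

if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false
}

# Step 5: hand-off record for the notification and the Microsoft submission.
[PSCustomObject]@{
    Search       = $SearchName
    Recipients   = $recipients.Count
    ItemsFound   = $search.Items
    BlockedUntil = $BlockUntil.ToString('yyyy-MM-dd')
}
```

Keep the original sample (step 1) out of the purge scope, for example by exporting the reported message before the search runs, and cross-check `UrlClickEvents` for the recipients list to narrow step 5 to users who actually clicked.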
## Business Email Compromise (BEC) response

| Detection | Examples | Containment |
|---|---|---|
| Inbox rules | Hidden forwards, DeleteMessage, RSS folders | Remove rules and revoke sessions |
| Forwarding | ForwardingSmtpAddress or DeliverToMailboxAndForward | Disable forwarding and preserve audit evidence |
| Send as and delegation | New mailbox permissions or hidden delegations | Reset permissions and check fraud-related communications |
```powershell
# BEC evidence collection for one mailbox over the last 14 days.
$Mailbox = "user@contoso.com"
$StartDate = (Get-Date).AddDays(-14)

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Identity.SignIns
Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All"

# Mailbox-level forwarding and whether mailbox auditing is on (without it, MailItemsAccessed evidence is missing).
# Get-EXOMailbox returns a minimal property set by default; these properties must be requested explicitly.
Get-EXOMailbox -Identity $Mailbox -Properties ForwardingSmtpAddress,DeliverToMailboxAndForward,AuditEnabled |
    Select-Object UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward,AuditEnabled

# Inbox rules: forward/redirect, move-to-folder (e.g. RSS) and delete are the classic BEC combinations.
Get-InboxRule -Mailbox $Mailbox |
    Select-Object Name,Enabled,Priority,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,DeleteMessage

# Explicit delegations: FullAccess and SendAs rights granted directly on this mailbox.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited } |
    Select-Object User,AccessRights,Deny,InheritanceType
Get-RecipientPermission -Identity $Mailbox |
    Select-Object Trustee,AccessRights,IsInherited

# Unified audit log: ExchangeItem covers MailItemsAccessed, Send, SendAs, SendOnBehalf and MoveToDeletedItems.
# ResultSize must be raised explicitly; the default of 100 would truncate the result before Select-Object sees it.
Search-UnifiedAuditLog -StartDate $StartDate -EndDate (Get-Date) -UserIds $Mailbox -RecordType ExchangeItem -ResultSize 5000 |
    Select-Object CreationDate,Operations,UserIds,AuditData -First 200

# Sign-ins in the same window to correlate rule changes with IPs, client apps and CA results.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Mailbox'" -All |
    Select-Object CreatedDateTime,AppDisplayName,IPAddress,ClientAppUsed,ConditionalAccessStatus,Status
```
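The containment column of the BEC table as a script, added here as an example and not part of the original guide. It assumes the evidence run has been reviewed and that Tier 2 has confirmed which rule names and trustees are attacker-added; the parameter values are constructed placeholders. Without `-Apply` it is a dry run that only lists what it would remove, and rules with a forward or redirect target that were not confirmed are reported rather than deleted.

```powershell
# Added example: remove BEC persistence from one mailbox after review (not the guide's own code).
param(
    [Parameter(Mandatory)] [string] $Mailbox,
    [string[]] $SuspiciousRules    = @(),   # rule names confirmed by Tier 2
    [string[]] $SuspiciousTrustees = @(),   # delegates confirmed by Tier 2
    [switch]   $Apply
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$actions = [System.Collections.Generic.List[string]]::new()

# 1. Mailbox-level forwarding: clear both the SMTP forward and the deliver-and-forward flag.
$mbx = Get-EXOMailbox -Identity $Mailbox -Properties ForwardingSmtpAddress,DeliverToMailboxAndForward,AuditEnabled
if ($mbx.ForwardingSmtpAddress -or $mbx.DeliverToMailboxAndForward) {
    $actions.Add("Clear forwarding ($($mbx.ForwardingSmtpAddress))")
    if ($Apply) { Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false }
}

# 2. Inbox rules: remove the confirmed ones; any other rule with a forwarding action is flagged for review.
foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
    $forwards = @( @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo) | Where-Object { $_ } )
    if ($SuspiciousRules -contains $rule.Name) {
        $actions.Add("Remove rule '$($rule.Name)'")
        if ($Apply) { Remove-InboxRule -Mailbox $Mailbox -Identity $rule.Identity -Confirm:$false }
    } elseif ($forwards.Count -gt 0) {
        $actions.Add("REVIEW rule '$($rule.Name)' forwards to: $($forwards -join ', ')")
    }
}

# 3. Delegations: FullAccess and SendAs for trustees confirmed as attacker-added.
foreach ($trustee in $SuspiciousTrustees) {
    $actions.Add("Remove FullAccess/SendAs for $trustee")
    if ($Apply) {
        Remove-MailboxPermission   -Identity $Mailbox -User $trustee    -AccessRights FullAccess -Confirm:$false -ErrorAction SilentlyContinue
        Remove-RecipientPermission -Identity $Mailbox -Trustee $trustee -AccessRights SendAs     -Confirm:$false -ErrorAction SilentlyContinue
    }
}

# 4. Preserve evidence going forward: mailbox auditing can be switched off per mailbox even when on by default.
if (-not $mbx.AuditEnabled) {
    $actions.Add("Enable mailbox auditing")
    if ($Apply) { Set-Mailbox -Identity $Mailbox -AuditEnabled $true }
}

[PSCustomObject]@{
    Mailbox = $Mailbox
    Mode    = $(if ($Apply) { 'applied' } else { 'dry-run' })
    Actions = $actions
}
```

Run the dry run first and attach its output to the incident record; together with the evidence script above it forms the containment record and approval trail the framework table asks for. Session revocation is deliberately left to the identity playbook so that the mailbox and identity containment owners do not act twice.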
## KQL hunting queries for Microsoft 365

### Failed sign-ins by country

Show high-volume failures grouped by country and IP.

```kql
AADSignInEventsBeta
| where Timestamp > ago(24h)
| where ErrorCode != 0          // non-zero ErrorCode is a failed sign-in; this table has no ResultType column
| summarize Failed=count(), Users=dcount(AccountUpn) by Country, IPAddress
| order by Failed desc
```
### Impossible travel detections

Find users signing in from multiple countries within a short window.

```kql
AADSignInEventsBeta
| where Timestamp > ago(24h)
| where ErrorCode == 0          // only successful sign-ins count as presence in a country
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Countries=make_set(Country, 5) by AccountUpn
| where array_length(Countries) > 1 and datetime_diff('hour', LastSeen, FirstSeen) < 6
```
### New inbox forwarding rules

Recently created inbox rules with forwarding actions.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in~ ('New-InboxRule','Set-InboxRule')   // the cmdlet name is in ActionType, not ActivityType
| where RawEventData has_any ('ForwardTo','RedirectTo','ForwardAsAttachmentTo')
| project Timestamp, AccountDisplayName, ActionType, RawEventData
```
### Suspicious OAuth application consents

Users or admins granting risky permissions to applications.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('Consent to application','Add delegated permission grant')
| where RawEventData has_any ('Mail.Read','Files.ReadWrite.All','offline_access','User.Read.All')
| project Timestamp, AccountDisplayName, ActionType, ObjectName, RawEventData
```
### Mass file downloads from SharePoint

High download volumes from SharePoint or OneDrive.

```kql
CloudAppEvents
| where Timestamp > ago(12h)
| where Application has_any ('SharePoint','OneDrive')
| where ActionType has_any ('FileDownloaded','FileSyncDownloadedFull')
| summarize Downloads=count() by AccountDisplayName, bin(Timestamp, 30m)
| where Downloads > 100
```
### External email forwarding

Mailbox forwarding to external domains.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('Set-Mailbox','New-InboxRule','Set-InboxRule')
// Exchange audit records carry the cmdlet parameters as {Name, Value} pairs. Check only the forwarding targets:
// matching the whole record would exclude every row, because the actor's own UPN contains the internal domain.
| mv-expand Param = RawEventData.Parameters
| where tostring(Param.Name) in~ ('ForwardingSmtpAddress','ForwardTo','RedirectTo','ForwardAsAttachmentTo')
| extend Target = tostring(Param.Value)
| where Target contains '@' and Target !has 'contoso.com'   // contoso.com stands for the tenant's own accepted domains
| project Timestamp, AccountDisplayName, ActionType, Target
```
### Admin role assignment changes

Newly added or activated admin roles.

```kql
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('Add member to role','Add eligible member to role')
// The acting account is AccountUpn; the role name is not a top-level column and is carried in AdditionalFields.
| project Timestamp, AccountUpn, TargetAccountUpn, ActionType, AdditionalFields
```
### Conditional Access policy changes

Create, update, or delete operations on CA policies.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
// Entra audit events are identified by ActionType; the Application label for them has changed over time, so it is not filtered here.
| where ActionType has_any ('Add conditional access policy','Update conditional access policy','Delete conditional access policy')
| project Timestamp, AccountDisplayName, ActionType, ObjectName, IPAddress
```
### MFA method changes

Registration or removal of authentication methods.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('User registered security info','User deleted security info','Delete authentication method','Update default authentication method')
| project Timestamp, AccountDisplayName, ActionType, ObjectName, IPAddress
```
### Anomalous mailbox access

Bursts of MailItemsAccessed by a user.

```kql
CloudAppEvents
| where Timestamp > ago(12h)
| where ActionType == 'MailItemsAccessed'
| summarize Events=count() by AccountDisplayName, bin(Timestamp, 30m)
| where Events > 500
```
### Brute force attacks

Repeated failures against one account from one source.

```kql
AADSignInEventsBeta
| where Timestamp > ago(6h)
| where ErrorCode != 0
| summarize Failed=count() by AccountUpn, IPAddress
| where Failed > 20
```
### Password spray detections

Many targets with many failures from one IP.

```kql
AADSignInEventsBeta
| where Timestamp > ago(6h)
| where ErrorCode != 0
| summarize FailedAttempts=count(), TargetUsers=dcount(AccountUpn) by IPAddress
| where FailedAttempts > 25 and TargetUsers > 10
```
### Token theft indicators

Success after a phishing click from a new device or location.

```kql
let clicks = UrlClickEvents
    | where Timestamp > ago(24h)
    | project AccountUpn, ClickTime=Timestamp, Url;
AADSignInEventsBeta
| where Timestamp > ago(24h)
| where ErrorCode == 0
| join kind=inner clicks on AccountUpn
| where Timestamp between (ClickTime .. ClickTime + 2h)   // successful sign-in within two hours of the click
| project AccountUpn, ClickTime, Url, SignInTime=Timestamp, IPAddress, Country, DeviceName, UserAgent
```
### Suspicious PowerShell execution

EncodedCommand or DownloadString usage on endpoints.

```kql
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ('powershell.exe','pwsh.exe')
| where ProcessCommandLine has_any ('-enc','EncodedCommand','DownloadString','Invoke-Expression')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
```
### Data exfiltration via email

Large outbound attachments to external recipients.

```kql
EmailAttachmentInfo
| where Timestamp > ago(24h)
| summarize Attachments=count(), Size=sum(FileSize) by SenderFromAddress, RecipientEmailAddress
| where Size > 100000000    // more than 100 MB per sender/recipient pair in the window
```
### Risky users without MFA hardening

Risky users without strong MFA registration.

```kql
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where RiskLevelAggregated in (50, 100)   // the column is numeric: 50 = medium, 100 = high
| summarize Events=count() by AccountUpn, AuthenticationRequirement
```
### Service principal sign-ins from new country

Service principals with activity from multiple countries.

```kql
AADSpnSignInEventsBeta
| where Timestamp > ago(14d)
| summarize Countries=make_set(Country, 10), Count=count() by ServicePrincipalName
| where array_length(Countries) > 1
```
### Multiple users accepting the same app consent

Many users consent to the same app within a short period.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('Consent to application','Add delegated permission grant')
| summarize Users=dcount(AccountDisplayName) by ObjectName, bin(Timestamp, 1d)
| where Users > 5
```
### Mailbox delegate additions

New FullAccess, SendAs, or SendOnBehalf rights.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('Add-MailboxPermission','Add-RecipientPermission','Set-Mailbox')
| project Timestamp, AccountDisplayName, ActionType, ObjectName, RawEventData
```
### Disable audit logging attempts

Changes to audit or monitoring capabilities.

```kql
CloudAppEvents
| where Timestamp > ago(14d)
| where ActionType has_any ('Set-AdminAuditLogConfig','Disable mailbox auditing','Update audit settings')
| project Timestamp, AccountDisplayName, ActionType, ObjectName, RawEventData
```
### New transport rules for redirection

Transport rules that redirect or blind copy.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('New-TransportRule','Set-TransportRule')
| where RawEventData has_any ('BlindCopyTo','RedirectMessageTo')
| project Timestamp, AccountDisplayName, ActionType, ObjectName, RawEventData
```
### Safe Links clicks after delivery

Users click URLs from suspicious messages.

```kql
UrlClickEvents
| where Timestamp > ago(7d)
| summarize Clicks=count(), Users=dcount(AccountUpn) by Url, ActionType
| order by Clicks desc
```
### High-risk sign-ins followed by success

Successful sign-ins shortly after risky sign-ins.

```kql
let risky = AADSignInEventsBeta
    | where Timestamp > ago(24h)
    | where RiskLevelAggregated in (50, 100)   // numeric column: 50 = medium, 100 = high
    | project AccountUpn, RiskTime=Timestamp;
AADSignInEventsBeta
| where Timestamp > ago(24h)
| where ErrorCode == 0
| join kind=inner risky on AccountUpn
| where Timestamp between (RiskTime .. RiskTime + 1h)
| project AccountUpn, RiskTime, SignInTime=Timestamp, IPAddress, Country, Application, ClientAppUsed
```
### Dormant account activity

Accounts reappearing after inactivity.

```kql
// Advanced hunting keeps 30 days, so "dormant" here means no successful sign-in in the 29 days before the latest one.
AADSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == 0
| summarize LastSeen=max(Timestamp), PriorSeen=maxif(Timestamp, Timestamp < ago(1d)) by AccountUpn
| where LastSeen > ago(1d) and isnull(PriorSeen)   // active in the last day, nothing before that in the window
```
### Guest users accessing many sites

Guest accounts with unusually broad SharePoint access.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where IsExternalUser == true and Application has_any ('SharePoint','OneDrive')   // guests are flagged by IsExternalUser, not AccountType
| extend SiteUrl = tostring(RawEventData.SiteUrl)   // ObjectName is the item; the site comes from the raw record
| summarize Sites=dcount(SiteUrl), Events=count() by AccountDisplayName
| where Sites > 20
```
### Mass file deletions

Potential destructive deletion patterns on devices.

```kql
DeviceFileEvents
| where Timestamp > ago(12h)
| where ActionType in~ ('FileDeleted','FileRemoved')
| summarize Deletes=count() by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 30m)
| where Deletes > 200
```
### Privileged role activation outside hours

PIM or role activity at night or on weekends.

```kql
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType has_any ('Activate eligible assignment','Add member to role')
| extend Hour=datetime_part('hour', Timestamp), Day=dayofweek(Timestamp)   // both UTC; shift to the business time zone if needed
| where Hour < 6 or Hour > 20 or Day in (0d, 6d)   // 0d = Sunday, 6d = Saturday
| project Timestamp, AccountUpn, TargetAccountUpn, ActionType, AdditionalFields
```
### Mailbox forwarding change by non-admin

Forwarding changes outside of admin context.

```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == 'Set-Mailbox'
| where RawEventData has 'ForwardingSmtpAddress'
| where IsAdminOperation == false   // changed by the user (or a delegate), not through an admin role
| project Timestamp, AccountDisplayName, IsAdminOperation, RawEventData
```
### Legacy auth attempts

IMAP, POP, SMTP, or ActiveSync still active.

```kql
AADSignInEventsBeta
| where Timestamp > ago(14d)
// has_any matches whole terms, so the terms must match the ClientAppUsed values ("IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync")
| where ClientAppUsed has_any ('IMAP4','POP3','SMTP','ActiveSync')
| summarize Attempts=count(), Successes=countif(ErrorCode == 0) by AccountUpn, ClientAppUsed
```
### Impossible device or user-agent changes

Rapid changes in browser or device context.

```kql
AADSignInEventsBeta
| where Timestamp > ago(24h)
| summarize Agents=make_set(UserAgent, 10), Devices=make_set(DeviceName, 10) by AccountUpn
| where array_length(Agents) > 3 or array_length(Devices) > 3
```
### App sign-ins with high failure rate

Service principals with many failed sign-ins.

```kql
AADSpnSignInEventsBeta
| where Timestamp > ago(24h)
| summarize Failures=countif(ErrorCode != 0), Total=count() by ServicePrincipalName, ApplicationId
| where Failures > 20
```
## Security automation

| Playbook | Trigger | Action | Guardrail |
|---|---|---|---|
| Risky user auto-disable | High-risk user event or Defender identity alert | Disable account, notify SOC, enrich incident | Only for high severity and with break-glass exclusion |
| Auto password reset | Confirmed credential compromise | Set temporary password and force change | Only for defined user groups and with manager communication |
| Auto block IP | Repeated brute-force or spray signals | Update named location or firewall rule | Maintain allow lists and expiration |
| SOC high severity notify | New high severity incident | Teams, email, or PagerDuty notification with context card | Ensure deduplication and incident link |
| Impossible travel auto-revoke | Validated impossible travel or token theft signal | Revoke sessions and add user to watch list | Only after an additional confidence signal from Defender or URL clicks |
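The first row of the table, "Risky user auto-disable", as a runbook body with its guardrails coded in, added here as an example and not part of the original guide. It assumes the trigger (a Logic App or Automation job) passes the user UPN and risk level, that the runbook signs in with a managed identity holding `User.ReadWrite.All`, `IdentityRiskyUser.Read.All` and `Directory.Read.All`, and that the break-glass and approval lists are maintained by the SOC; all account names and the hourly limit are constructed values, and the rate-limit filter on `riskLastUpdatedDateTime` is assumed to be accepted by the risky users endpoint.

```powershell
# Added example: risky user auto-disable with guardrails (not the guide's own code).
param(
    [Parameter(Mandatory)] [string] $UserUpn,
    [Parameter(Mandatory)] [ValidateSet('low','medium','high')] [string] $RiskLevel,
    [string[]] $BreakGlass           = @('breakglass1@contoso.com','breakglass2@contoso.com'),   # constructed
    [string[]] $RequireHumanApproval = @('ceo@contoso.com'),                                      # constructed
    [int]      $MaxDisablesPerHour   = 5
)
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Identity   # managed identity of the automation account

$result = [ordered]@{ User = $UserUpn; RiskLevel = $RiskLevel; Action = 'none'; Reason = '' }

# Guardrail 1: severity gate. Medium and low risk get enrichment and a ticket, never an automatic disable.
if ($RiskLevel -ne 'high') { $result.Reason = 'severity below threshold'; return [PSCustomObject]$result }

# Guardrail 2: break-glass accounts are never touched by automation; listed VIPs need a human decision.
if ($BreakGlass -contains $UserUpn) { $result.Reason = 'break-glass exclusion'; return [PSCustomObject]$result }
if ($RequireHumanApproval -contains $UserUpn) {
    $result.Action = 'escalate'; $result.Reason = 'manual approval required'; return [PSCustomObject]$result
}

# Guardrail 3: confirm the risk is still current in Identity Protection (the alert may be stale or already remediated).
$risky = Get-MgRiskyUser -Filter "userPrincipalName eq '$UserUpn'"
if (-not $risky -or $risky.RiskState -in @('remediated','dismissed') -or $risky.RiskLevel -ne 'high') {
    $result.Reason = "risk no longer current (state=$($risky.RiskState), level=$($risky.RiskLevel))"
    return [PSCustomObject]$result
}

# Guardrail 4: rate limit. Many high-risk users in one hour is a campaign signal for the SOC, not a reason to lock out a department.
$since  = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$recent = @(Get-MgRiskyUser -Filter "riskState eq 'atRisk' and riskLevel eq 'high' and riskLastUpdatedDateTime ge $since")
if ($recent.Count -gt $MaxDisablesPerHour) {
    $result.Action = 'escalate'; $result.Reason = "$($recent.Count) high-risk users in the last hour exceeds the limit"
    return [PSCustomObject]$result
}

# Action: reversible step first (sessions), then the account block; the returned record enriches the incident.
Revoke-MgUserSignInSession -UserId $UserUpn | Out-Null
Update-MgUser -UserId $UserUpn -AccountEnabled:$false
$result.Action = 'disabled'
$result.Reason = 'high risk confirmed, no exclusion matched'
[PSCustomObject]$result
```

Every early return produces the same record shape, so the notification step downstream can post one context card whether the runbook disabled, escalated, or skipped; the `escalate` outcomes are the cases the table reserves for a human (VIPs, and a burst of risk events that looks like a spray rather than a single compromise).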