Security Indicators: History of Changes

Package Version Indicator Version Release Date Indicator Name Target Platform Required Permissions Update Type
4.0.380469 1.310.0 2025/06/10 Zerologon vulnerability AD Updated
4.0.380469 1.312.0 2025/06/10 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.380469 1.319.0 2025/06/10 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.380469 1.317.0 2025/06/10 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.380469 1.313.0 2025/06/10 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All Updated
4.0.380469 1.311.0 2025/06/10 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.380469 1.313.0 2025/06/10 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.380469 1.313.0 2025/06/10 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.380469 1.316.0 2025/06/10 Permission changes on AdminSDHolder object AD Updated
4.0.380469 1.314.0 2025/06/10 Accounts with altSecurityIdentities configured AD Updated
4.0.380469 1.310.0 2025/06/10 Print spooler service is enabled on a DC AD Updated
4.0.380469 1.310.0 2025/06/10 Unsecured DNS configuration AD Updated
4.0.380469 1.310.0 2025/06/10 Non-default access to DPAPI key AD Updated
4.0.380469 1.310.0 2025/06/10 Dangerous user rights granted by GPO AD Updated
4.0.380469 1.310.0 2025/06/10 LDAP signing is not required on Domain Controllers AD Updated
4.0.380469 1.315.0 2025/06/10 Users and computers with non-default Primary Group IDs AD Updated
4.0.380469 1.318.0 2025/06/10 Objects with Reanimate-Tombstones extended right AD New Indicator
4.0.380469 1.322.0 2025/06/10 Shadow Credentials on privileged objects AD Updated
4.0.380469 1.310.0 2025/06/10 SMB Signing is not required on Domain Controllers AD Updated
4.0.380469 1.310.0 2025/06/10 SMBv1 is enabled on Domain Controllers AD Updated
4.0.372460 1.295.0 2025/05/28 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.372460 1.300.0 2025/05/28 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.372460 1.300.0 2025/05/28 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.372460 1.300.0 2025/05/28 Permission changes on AdminSDHolder object AD Updated
4.0.372460 1.300.0 2025/05/28 Accounts with altSecurityIdentities configured AD Updated
4.0.372460 1.300.0 2025/05/28 Anonymous access to Active Directory enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Anonymous NSPI access to AD enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Dangerous control paths expose certificate containers AD Updated
4.0.372460 1.300.0 2025/05/28 Certificate templates with 3 or more insecure configurations AD Updated
4.0.372460 1.300.0 2025/05/28 Dangerous control paths expose certificate templates AD Updated
4.0.372460 1.300.0 2025/05/28 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.372460 1.300.0 2025/05/28 Computers with password last set over 90 days ago AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers with old passwords AD Updated
4.0.372460 1.300.0 2025/05/28 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.372460 1.300.0 2025/05/28 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.372460 1.300.0 2025/05/28 Dangerous Trust Attribute Set AD Updated
4.0.372460 1.295.0 2025/05/28 Print spooler service is enabled on a DC AD Updated
4.0.372460 1.300.0 2025/05/28 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.372460 1.309.0 2025/05/28 OU permissions enabling BadSuccessor dMSA escalation AD New Indicator
4.0.372460 1.300.0 2025/05/28 Unsecured DNS configuration AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers in inconsistent state AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controller owner is not an administrator AD Updated
4.0.372460 1.300.0 2025/05/28 Domains with obsolete functional levels AD Updated
4.0.372460 1.300.0 2025/05/28 Non-default access to DPAPI key AD Updated
4.0.372460 1.300.0 2025/05/28 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.372460 1.300.0 2025/05/28 Enabled admin accounts that are inactive AD Updated
4.0.372460 1.300.0 2025/05/28 Enterprise Key Admins with full access to domain AD Updated
4.0.372460 1.300.0 2025/05/28 Smart card password rotation disabled AD Updated
4.0.372460 1.300.0 2025/05/28 Non-privileged users with access to gMSA passwords AD Updated
4.0.372460 1.301.0 2025/05/28 Writable shortcuts found in GPO AD Updated
4.0.372460 1.300.0 2025/05/28 Built-in guest account is enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.372460 1.300.0 2025/05/28 Kerberos KRBTGT account with old password AD Updated
4.0.372460 1.300.0 2025/05/28 Forest contains more than 50 privileged accounts AD Updated
4.0.372460 1.300.0 2025/05/28 Users and computers with non-default Primary Group IDs AD Updated
4.0.372460 1.301.0 2025/05/28 Non-standard schema permissions AD Updated
4.0.372460 1.300.0 2025/05/28 NTFRS SYSVOL Replication AD Updated
4.0.372460 1.300.0 2025/05/28 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.372460 1.300.0 2025/05/28 Admins with old passwords AD Updated
4.0.372460 1.300.0 2025/05/28 Outbound forest trust with SID History enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Domain trust to a third-party domain without quarantine AD Updated
4.0.372460 1.300.0 2025/05/28 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged users with SPN defined AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged Users with Weak Password Policy AD Updated
4.0.372460 1.300.0 2025/05/28 Protected Users group not in use AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.372460 1.300.0 2025/05/28 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.372460 1.300.0 2025/05/28 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.372460 1.300.0 2025/05/28 Recent SIDHistory changes on objects AD Updated
4.0.372460 1.300.0 2025/05/28 Non-default principals with DC Sync rights on the domain AD Updated
4.0.372460 1.300.0 2025/05/28 Risky RODC credential caching AD Updated
4.0.372460 1.300.0 2025/05/28 Well-known privileged SIDs in SIDHistory AD Updated
4.0.372460 1.300.0 2025/05/28 Trust accounts with old passwords AD Updated
4.0.372460 1.300.0 2025/05/28 Unprivileged principals as DNS Admins AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged objects with unprivileged owners AD Updated
4.0.372460 1.300.0 2025/05/28 Unprivileged users can add computer accounts to the domain AD Updated
4.0.372460 1.300.0 2025/05/28 User accounts that use DES encryption AD Updated
4.0.372460 1.300.0 2025/05/28 Users with Password Never Expires flag set AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged accounts with a password that never expires AD Updated
4.0.372460 1.300.0 2025/05/28 User accounts that store passwords with reversible encryption AD Updated
4.0.372460 1.300.0 2025/05/28 Users with Kerberos pre-authentication disabled AD Updated
4.0.372460 1.300.0 2025/05/28 Weak certificate cipher AD Updated
4.0.372460 1.300.0 2025/05/28 GPO linking delegation at the AD Site level AD Updated
4.0.372460 1.300.0 2025/05/28 GPO linking delegation at the domain controller OU level AD Updated
4.0.372460 1.300.0 2025/05/28 GPO linking delegation at the domain level AD Updated
4.0.364185 1.291.0 2025/05/15 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.364185 1.294.0 2025/05/15 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.364185 1.291.0 2025/05/15 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.364185 1.293.0 2025/05/15 Print spooler service is enabled on a DC AD Updated
4.0.364185 1.291.0 2025/05/15 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.364185 1.291.0 2025/05/15 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.364185 1.291.0 2025/05/15 Outbound forest trust with SID History enabled AD Updated
4.0.364185 1.291.0 2025/05/15 Domain trust to a third-party domain without quarantine AD Updated
4.0.364185 1.291.0 2025/05/15 Protected Users group not in use AD Updated
4.0.364185 1.291.0 2025/05/15 Privileged user credentials cached on RODC AD Updated
4.0.364185 1.291.0 2025/05/15 User accounts using Smart Card authentication with old password AD Updated
4.0.364185 1.291.0 2025/05/15 SMB Signing is not required on Domain Controllers AD Updated
4.0.364185 1.291.0 2025/05/15 SMBv1 is enabled on Domain Controllers AD Updated
4.0.364185 1.291.0 2025/05/15 Trust accounts with old passwords AD Updated
4.0.364185 1.291.0 2025/05/15 Unprivileged principals as DNS Admins AD Updated
4.0.364185 1.291.0 2025/05/15 Users with the attribute userPassword set AD Updated
4.0.364185 1.291.0 2025/05/15 Users with Password Never Expires flag set AD Updated
4.0.364185 1.291.0 2025/05/15 Privileged accounts with a password that never expires AD Updated
4.0.364185 1.291.0 2025/05/15 User accounts with password not required AD Updated
4.0.364185 1.291.0 2025/05/15 User accounts that store passwords with reversible encryption AD Updated
4.0.364185 1.291.0 2025/05/15 Users with Kerberos pre-authentication disabled AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.362949 1.290.0 2025/05/13 Zerologon vulnerability AD Updated
4.0.362949 1.290.0 2025/05/13 Application instance property lock disabled AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 User consent is allowed for risky applications AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Security defaults not enabled AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.362949 1.290.0 2025/05/13 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Guest users are not restricted AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.362949 1.290.0 2025/05/13 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.362949 1.290.0 2025/05/13 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.362949 1.290.0 2025/05/13 Report suspicious MFA activity disabled AAD Policy.Read.All, GroupMember.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.362949 1.290.0 2025/05/13 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Security questions are in use AAD Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.362949 1.290.0 2025/05/13 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Guest invites not accepted in last 30 day AAD User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.362949 1.290.0 2025/05/13 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Users can create security groups AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.362949 1.290.0 2025/05/13 Inheritance enabled on AdminSDHolder object AD Updated
4.0.362949 1.290.0 2025/05/13 Permission changes on AdminSDHolder object AD Updated
4.0.362949 1.290.0 2025/05/13 Anonymous access to Active Directory enabled AD Updated
4.0.362949 1.290.0 2025/05/13 Anonymous NSPI access to AD enabled AD Updated
4.0.362949 1.290.0 2025/05/13 Certificate templates with 3 or more insecure configurations AD Updated
4.0.362949 1.290.0 2025/05/13 Dangerous control paths expose certificate templates AD Updated
4.0.362949 1.290.0 2025/05/13 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.362949 1.290.0 2025/05/13 Computers with older OS versions AD Updated
4.0.362949 1.290.0 2025/05/13 Computers with password last set over 90 days ago AD Updated
4.0.362949 1.290.0 2025/05/13 Domain Controllers with old passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.362949 1.290.0 2025/05/13 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.362949 1.283.0 2025/05/13 Print spooler service is enabled on a DC AD Updated
4.0.362949 1.290.0 2025/05/13 Evidence of Mimikatz DCShadow attack AD Updated
4.0.362949 1.280.1 2025/05/13 Unsecured DNS configuration AD Updated
4.0.362949 1.290.0 2025/05/13 Domain Controllers in inconsistent state AD Updated
4.0.362949 1.290.0 2025/05/13 Domains with obsolete functional levels AD Updated
4.0.362949 1.290.0 2025/05/13 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.362949 1.290.0 2025/05/13 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.362949 1.290.0 2025/05/13 Smart card password rotation disabled AD New Indicator
4.0.362949 1.290.0 2025/05/13 FGPP not applied to Global group AD Updated
4.0.362949 1.290.0 2025/05/13 Foreign Security Principals in Privileged Group AD Updated
4.0.362949 1.290.0 2025/05/13 gMSA not in use AD Updated
4.0.362949 1.281.0 2025/05/13 Non-privileged users with access to gMSA passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Writable shortcuts found in GPO AD Updated
4.0.362949 1.290.0 2025/05/13 GPO with Scheduled Tasks configured AD Updated
4.0.362949 1.290.0 2025/05/13 Dangerous user rights granted by GPO AD Updated
4.0.362949 1.290.0 2025/05/13 GPO Weak LM Hash storage enabled AD Updated
4.0.362949 1.278.0 2025/05/13 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.362949 1.290.0 2025/05/13 Kerberos KRBTGT account with old password AD Updated
4.0.362949 1.290.0 2025/05/13 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.362949 1.290.0 2025/05/13 LDAP signing is not required on Domain Controllers AD Updated
4.0.362949 1.290.0 2025/05/13 Forest contains more than 50 privileged accounts AD Updated
4.0.362949 1.290.0 2025/05/13 AD objects created within the last 10 days AD Updated
4.0.362949 1.290.0 2025/05/13 Recent privileged account creation activity AD Updated
4.0.362949 1.290.0 2025/05/13 Distributed COM Users group or Performance Log Users group are not empty AD Updated
4.0.362949 1.290.0 2025/05/13 Non-standard schema permissions AD Updated
4.0.362949 1.290.0 2025/05/13 NTFRS SYSVOL Replication AD Updated
4.0.362949 1.290.0 2025/05/13 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.362949 1.290.0 2025/05/13 Objects with constrained delegation configured AD Updated
4.0.362949 1.290.0 2025/05/13 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to MS LAPS read permissions AD Updated
4.0.362949 1.290.0 2025/05/13 High-privileged custom roles Okta Updated
4.0.362949 1.290.0 2025/05/13 Password policy check Okta Updated
4.0.362949 1.290.0 2025/05/13 Users with old passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Admins with old passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Operators Groups that are not empty AD Updated
4.0.362949 1.290.0 2025/05/13 Outbound forest trust with SID History enabled AD Updated
4.0.362949 1.290.0 2025/05/13 Domain trust to a third-party domain without quarantine AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.362949 1.290.0 2025/05/13 Users with SPN defined AD Updated
4.0.362949 1.290.0 2025/05/13 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.362949 1.277.0 2025/05/13 Privileged Users with Weak Password Policy AD Updated
4.0.362949 1.290.0 2025/05/13 Protected Users group not in use AD Updated
4.0.362949 1.290.0 2025/05/13 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.362949 1.290.0 2025/05/13 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.362949 1.290.0 2025/05/13 Recent SIDHistory changes on objects AD Updated
4.0.362949 1.290.0 2025/05/13 Risky RODC credential caching AD Updated
4.0.362949 1.290.0 2025/05/13 Privileged user credentials cached on RODC AD Updated
4.0.362949 1.290.0 2025/05/13 Well-known privileged SIDs in SIDHistory AD Updated
4.0.362949 1.290.0 2025/05/13 User accounts using Smart Card authentication with old password AD Updated
4.0.362949 1.290.0 2025/05/13 SMB Signing is not required on Domain Controllers AD Updated
4.0.353464 1.271.0 2025/04/29 Dangerous Trust Attribute Set AD Updated
4.0.353464 1.272.0 2025/04/29 Non-default principals with DC Sync rights on the domain AD Updated
4.0.353464 1.271.0 2025/04/29 Users with Kerberos pre-authentication disabled AD Updated
4.0.345541 1.270.0 2025/04/16 Print spooler service is enabled on a DC AD Updated
4.0.345541 1.270.0 2025/04/16 Ephemeral Admins AD Updated
4.0.345541 1.270.0 2025/04/16 Non-privileged users with access to gMSA passwords AD Updated
4.0.345541 1.270.0 2025/04/16 Users with permissions to set Server Trust Account AD Updated
4.0.345190 1.268.0 2025/04/16 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days AD Updated
4.0.345190 1.240.0 2025/04/16 Zerologon vulnerability AD Updated
4.0.345190 1.260.0 2025/04/16 Application instance property lock disabled AAD Application.Read.All Updated
4.0.345190 1.260.0 2025/04/16 User consent is allowed for risky applications AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Security defaults not enabled AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.345190 1.268.0 2025/04/16 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.345190 1.268.0 2025/04/16 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Guest users are not restricted AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.345190 1.261.0 2025/04/16 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All Updated
4.0.345190 1.260.0 2025/04/16 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.268.0 2025/04/16 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.345190 1.268.0 2025/04/16 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.345190 1.268.0 2025/04/16 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.345190 1.269.0 2025/04/16 Report suspicious MFA activity disabled AAD Policy.Read.All, GroupMember.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.345190 1.260.0 2025/04/16 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Security questions are in use AAD Reports.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.345190 1.268.0 2025/04/16 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.345190 1.260.0 2025/04/16 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Guest invites not accepted in last 30 day AAD User.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.345190 1.260.0 2025/04/16 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Users can create security groups AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.345190 1.240.0 2025/04/16 Abnormal Password Refresh AD Updated
4.0.345190 1.240.0 2025/04/16 Unexpected accounts in Cert Publishers Group AD Updated
4.0.345190 1.240.0 2025/04/16 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.345190 1.240.0 2025/04/16 Inheritance enabled on AdminSDHolder object AD Updated
4.0.345190 1.240.0 2025/04/16 Permission changes on AdminSDHolder object AD Updated
4.0.345190 1.240.0 2025/04/16 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.345190 1.240.0 2025/04/16 Accounts with altSecurityIdentities configured AD Updated
4.0.345190 1.268.0 2025/04/16 Anonymous access to Active Directory enabled AD Updated
4.0.345190 1.268.0 2025/04/16 Anonymous NSPI access to AD enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Dangerous control paths expose certificate containers AD Updated
4.0.345190 1.268.0 2025/04/16 Certificate templates with 3 or more insecure configurations AD Updated
4.0.345190 1.268.0 2025/04/16 Dangerous control paths expose certificate templates AD Updated
4.0.345190 1.268.0 2025/04/16 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.345190 1.268.0 2025/04/16 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.345190 1.240.0 2025/04/16 Computers with older OS versions AD Updated
4.0.345190 1.240.0 2025/04/16 Computers with password last set over 90 days ago AD Updated
4.0.345190 1.252.0 2025/04/16 Domain Controllers with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Computer Accounts in Privileged Groups AD Updated
4.0.345190 1.268.0 2025/04/16 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.345190 1.240.0 2025/04/16 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.345190 1.240.0 2025/04/16 Dangerous Trust Attribute Set AD Updated
4.0.345190 1.252.0 2025/04/16 Print spooler service is enabled on a DC AD Updated
4.0.345190 1.240.0 2025/04/16 Evidence of Mimikatz DCShadow attack AD Updated
4.0.345190 1.240.0 2025/04/16 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged users that are disabled AD Updated
4.0.345190 1.240.0 2025/04/16 Unsecured DNS configuration AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controllers in inconsistent state AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controller owner is not an administrator AD Updated
4.0.345190 1.268.0 2025/04/16 Domains with obsolete functional levels AD Updated
4.0.345190 1.252.0 2025/04/16 Non-default access to DPAPI key AD Updated
4.0.345190 1.268.0 2025/04/16 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.345190 1.260.0 2025/04/16 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.240.0 2025/04/16 Enabled admin accounts that are inactive AD Updated
4.0.345190 1.268.0 2025/04/16 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.345190 1.240.0 2025/04/16 Enterprise Key Admins with full access to domain AD Updated
4.0.345190 1.240.0 2025/04/16 Ephemeral Admins AD Updated
4.0.345190 1.240.0 2025/04/16 FGPP not applied to Global group AD Updated
4.0.345190 1.268.0 2025/04/16 Foreign Security Principals in Privileged Group AD Updated
4.0.345190 1.268.0 2025/04/16 gMSA not in use AD Updated
4.0.345190 1.240.0 2025/04/16 gMSA objects with old passwords AD Updated
4.0.345190 1.244.0 2025/04/16 Non-privileged users with access to gMSA passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Writable shortcuts found in GPO AD Updated
4.0.345190 1.240.0 2025/04/16 Dangerous GPO logon script path AD Updated
4.0.345190 1.240.0 2025/04/16 GPO with Scheduled Tasks configured AD Updated
4.0.345190 1.268.0 2025/04/16 Dangerous user rights granted by GPO AD Updated
4.0.345190 1.268.0 2025/04/16 GPO Weak LM Hash storage enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Reversible passwords found in GPOs AD Updated
4.0.345190 1.240.0 2025/04/16 Built-in guest account is enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.345190 1.268.0 2025/04/16 Users with permissions to set Server Trust Account AD Updated
4.0.345190 1.268.0 2025/04/16 Kerberos KRBTGT account with old password AD Updated
4.0.345190 1.240.0 2025/04/16 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.345190 1.268.0 2025/04/16 LDAP signing is not required on Domain Controllers AD Updated
4.0.345190 1.268.0 2025/04/16 Forest contains more than 50 privileged accounts AD Updated
4.0.345190 1.268.0 2025/04/16 AD objects created within the last 10 days AD Updated
4.0.345190 1.268.0 2025/04/16 Recent privileged account creation activity AD Updated
4.0.345190 1.240.0 2025/04/16 Distributed COM Users group or Performance Log Users group are not empty AD Updated
4.0.345190 1.240.0 2025/04/16 Unprivileged accounts with adminCount=1 AD Updated
4.0.345190 1.240.0 2025/04/16 Users and computers with non-default Primary Group IDs AD Updated
4.0.345190 1.238.0 2025/04/16 Non-standard schema permissions AD Updated
4.0.345190 1.240.0 2025/04/16 Users and computers without readable PGID AD Updated
4.0.345190 1.268.0 2025/04/16 NTFRS SYSVOL Replication AD Updated
4.0.345190 1.268.0 2025/04/16 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.345190 1.268.0 2025/04/16 Objects with constrained delegation configured AD Updated
4.0.345190 1.268.0 2025/04/16 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to MS LAPS read permissions AD Updated
4.0.345190 1.240.0 2025/04/16 Kerberos protocol transition delegation configured AD Updated
4.0.345190 1.240.0 2025/04/16 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.345190 1.240.0 2025/04/16 Users with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Admins with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Operators Groups that are not empty AD Updated
4.0.345190 1.240.0 2025/04/16 Outbound forest trust with SID History enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Domain trust to a third-party domain without quarantine AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.345190 1.268.0 2025/04/16 Users with SPN defined AD Updated
4.0.345190 1.268.0 2025/04/16 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to privileged group membership in the last 7 days AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged users with SPN defined AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged Users with Weak Password Policy AD Updated
4.0.345190 1.240.0 2025/04/16 Protected Users group not in use AD Updated
4.0.345190 1.240.0 2025/04/16 Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.345190 1.240.0 2025/04/16 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Write access to RBCD on DC AD Updated
4.0.345190 1.240.0 2025/04/16 Write access to RBCD on krbtgt account AD Updated
4.0.345190 1.262.0 2025/04/16 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.345190 1.240.0 2025/04/16 Recent SIDHistory changes on objects AD Updated
4.0.345190 1.240.0 2025/04/16 Non-default principals with DC Sync rights on the domain AD Updated
4.0.345190 1.240.0 2025/04/16 Risky RODC credential caching AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged user credentials cached on RODC AD Updated
4.0.345190 1.240.0 2025/04/16 Shadow Credentials on privileged objects AD Updated
4.0.345190 1.240.0 2025/04/16 Well-known privileged SIDs in SIDHistory AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts using Smart Card authentication with old password AD New Indicator
4.0.345190 1.268.0 2025/04/16 SMB Signing is not required on Domain Controllers AD Updated
4.0.345190 1.268.0 2025/04/16 SMBv1 is enabled on Domain Controllers AD Updated
4.0.345190 1.240.0 2025/04/16 SYSVOL Executable Changes AD Updated
4.0.345190 1.240.0 2025/04/16 Trust accounts with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Unprivileged principals as DNS Admins AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged objects with unprivileged owners AD Updated
4.0.345190 1.240.0 2025/04/16 Users with the attribute userPassword set AD Updated
4.0.345190 1.240.0 2025/04/16 Unprivileged users can add computer accounts to the domain AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts that use DES encryption AD Updated
4.0.345190 1.240.0 2025/04/16 Users with Password Never Expires flag set AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged accounts with a password that never expires AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts with password not required AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts that store passwords with reversible encryption AD Updated
4.0.345190 1.268.0 2025/04/16 Users with Kerberos pre-authentication disabled AD Updated
4.0.345190 1.240.0 2025/04/16 GPO linking delegation at the AD Site level AD Updated
4.0.345190 1.240.0 2025/04/16 GPO linking delegation at the domain controller OU level AD Updated
4.0.345190 1.240.0 2025/04/16 GPO linking delegation at the domain level AD Updated
4.0.325842 1.226.0 2025/03/10 Application instance property lock disabled AAD Application.Read.All New Indicator
4.0.325842 1.229.0 2025/03/10 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.325842 1.229.0 2025/03/10 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.325842 1.230.0 2025/03/10 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.325842 1.228.0 2025/03/10 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All New Indicator
4.0.325842 1.229.0 2025/03/10 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.325842 1.232.0 2025/03/10 Report suspicious MFA activity disabled AAD Policy.Read.All, GroupMember.Read.All New Indicator
4.0.325842 1.231.0 2025/03/10 Writable shortcuts found in GPO AD Updated
4.0.325842 1.231.0 2025/03/10 Dangerous GPO logon script path AD Updated
4.0.325842 1.231.0 2025/03/10 GPO with Scheduled Tasks configured AD Updated
4.0.325842 1.231.0 2025/03/10 Dangerous user rights granted by GPO AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days AD Updated
4.0.289828 1.219.0 2025/02/12 Zerologon vulnerability AD Updated
4.0.289828 1.215.0 2025/02/12 User consent is allowed for risky applications AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Security defaults not enabled AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.289828 1.215.0 2025/02/12 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.289828 1.219.0 2025/02/12 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Guest users are not restricted AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.289828 1.219.0 2025/02/12 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.220.0 2025/02/12 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.289828 1.219.0 2025/02/12 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.289828 1.219.0 2025/02/12 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.289828 1.224.0 2025/02/12 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.289828 1.219.0 2025/02/12 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Security questions are in use AAD Reports.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.289828 1.219.0 2025/02/12 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.289828 1.219.0 2025/02/12 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Guest invites not accepted in last 30 day AAD User.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.289828 1.219.0 2025/02/12 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Users can create security groups AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.289828 1.223.0 2025/02/12 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Abnormal Password Refresh AD Updated
4.0.289828 1.222.0 2025/02/12 Unexpected accounts in Cert Publishers Group AD Updated
4.0.289828 1.219.0 2025/02/12 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.289828 1.219.0 2025/02/12 Inheritance enabled on AdminSDHolder object AD Updated
4.0.289828 1.219.0 2025/02/12 Permission changes on AdminSDHolder object AD Updated
4.0.289828 1.219.0 2025/02/12 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.289828 1.219.0 2025/02/12 Accounts with altSecurityIdentities configured AD Updated
4.0.289828 1.219.0 2025/02/12 Anonymous access to Active Directory enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Anonymous NSPI access to AD enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous control paths expose certificate containers AD Updated
4.0.289828 1.219.0 2025/02/12 Certificate templates with 3 or more insecure configurations AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous control paths expose certificate templates AD Updated
4.0.289828 1.219.0 2025/02/12 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.289828 1.219.0 2025/02/12 Computers with older OS versions AD Updated
4.0.289828 1.219.0 2025/02/12 Computers with password last set over 90 days ago AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers with old passwords AD Updated
4.0.289828 1.222.0 2025/02/12 Computer Accounts in Privileged Groups AD Updated
4.0.289828 1.219.0 2025/02/12 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.289828 1.219.0 2025/02/12 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous Trust Attribute Set AD Updated
4.0.289828 1.219.0 2025/02/12 Print spooler service is enabled on a DC AD Updated
4.0.289828 1.219.0 2025/02/12 Evidence of Mimikatz DCShadow attack AD Updated
4.0.289828 1.219.0 2025/02/12 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged users that are disabled AD Updated
4.0.289828 1.219.0 2025/02/12 Unsecured DNS configuration AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers in inconsistent state AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controller owner is not an administrator AD Updated
4.0.289828 1.219.0 2025/02/12 Domains with obsolete functional levels AD Updated
4.0.289828 1.219.0 2025/02/12 Non-default access to DPAPI key AD Updated
4.0.289828 1.219.0 2025/02/12 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.289828 1.219.0 2025/02/12 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Enabled admin accounts that are inactive AD Updated
4.0.289828 1.219.0 2025/02/12 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.289828 1.219.0 2025/02/12 Enterprise Key Admins with full access to domain AD Updated
4.0.289828 1.219.0 2025/02/12 Ephemeral Admins AD Updated
4.0.289828 1.219.0 2025/02/12 FGPP not applied to Global group AD Updated
4.0.289828 1.219.0 2025/02/12 Foreign Security Principals in Privileged Group AD Updated
4.0.289828 1.219.0 2025/02/12 gMSA objects with old passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Non-privileged users with access to gMSA passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Writable shortcuts found in GPO AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous GPO logon script path AD Updated
4.0.289828 1.219.0 2025/02/12 GPO with Scheduled Tasks configured AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous user rights granted by GPO AD Updated
4.0.289828 1.219.0 2025/02/12 GPO Weak LM Hash storage enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Reversible passwords found in GPOs AD Updated
4.0.289828 1.219.0 2025/02/12 Built-in guest account is enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.289828 1.219.0 2025/02/12 Users with permissions to set Server Trust Account AD Updated
4.0.289828 1.219.0 2025/02/12 Kerberos KRBTGT account with old password AD Updated
4.0.289828 1.219.0 2025/02/12 Non default value on ms-Mcs-AdmPwd SearchFlags AD Updated
4.0.289828 1.219.0 2025/02/12 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.289828 1.219.0 2025/02/12 LDAP signing is not required on Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 Forest contains more than 50 privileged accounts AD Updated
4.0.289828 1.219.0 2025/02/12 AD objects created within the last 10 days AD Updated
4.0.289828 1.219.0 2025/02/12 Recent privileged account creation activity AD Updated
4.0.289828 1.222.0 2025/02/12 Distributed COM Users group or Performance Log Users group are not empty AD Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged accounts with adminCount=1 AD Updated
4.0.289828 1.219.0 2025/02/12 Users and computers with non-default Primary Group IDs AD Updated
4.0.289828 1.219.0 2025/02/12 Non-standard schema permissions AD Updated
4.0.289828 1.219.0 2025/02/12 Users and computers without readable PGID AD Updated
4.0.289828 1.222.0 2025/02/12 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.289828 1.219.0 2025/02/12 Objects with constrained delegation configured AD Updated
4.0.289828 1.219.0 2025/02/12 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to MS LAPS read permissions AD Updated
4.0.289828 1.219.0 2025/02/12 Kerberos protocol transition delegation configured AD Updated
4.0.289828 1.219.0 2025/02/12 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.289828 1.219.0 2025/02/12 High-privileged custom roles Okta Updated
4.0.289828 1.219.0 2025/02/12 New permission has been granted to a group Okta Updated
4.0.289828 1.219.0 2025/02/12 New permission has been granted to a user Okta Updated
4.0.289828 1.219.0 2025/02/12 New API token was created Okta Updated
4.0.289828 1.219.0 2025/02/12 New Super Admin permission has been granted to a group Okta Updated
4.0.289828 1.219.0 2025/02/12 New Super Admin permission has been granted to a user Okta Updated
4.0.289828 1.219.0 2025/02/12 Password policy check Okta Updated
4.0.289828 1.219.0 2025/02/12 User activation in the last 7 days Okta Updated
4.0.289828 1.219.0 2025/02/12 User deactivation in the last 7 days Okta Updated
4.0.289828 1.219.0 2025/02/12 Users without Multi-Factor Authentication (MFA) Okta Updated
4.0.289828 1.219.0 2025/02/12 Users with old passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Admins with old passwords AD Updated
4.0.289828 1.222.0 2025/02/12 Operators Groups that are not empty AD Updated
4.0.289828 1.219.0 2025/02/12 Outbound forest trust with SID History enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Domain trust to a third-party domain without quarantine AD Updated
4.0.289828 1.222.0 2025/02/12 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.289828 1.219.0 2025/02/12 Users with SPN defined AD Updated
4.0.289828 1.219.0 2025/02/12 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.289828 1.222.0 2025/02/12 Changes to privileged group membership in the last 7 days AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged users with SPN defined AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged Users with Weak Password Policy AD Updated
4.0.289828 1.219.0 2025/02/12 Protected Users group not in use AD Updated
4.0.289828 1.219.0 2025/02/12 Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.289828 1.219.0 2025/02/12 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Write access to RBCD on DC AD Updated
4.0.289828 1.219.0 2025/02/12 Write access to RBCD on krbtgt account AD Updated
4.0.289828 1.219.0 2025/02/12 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 Recent SIDHistory changes on objects AD Updated
4.0.289828 1.219.0 2025/02/12 Non-default principals with DC Sync rights on the domain AD Updated
4.0.289828 1.219.0 2025/02/12 Risky RODC credential caching AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged user credentials cached on RODC AD Updated
4.0.289828 1.219.0 2025/02/12 Shadow Credentials on privileged objects AD Updated
4.0.289828 1.219.0 2025/02/12 Well-known privileged SIDs in SIDHistory AD Updated
4.0.289828 1.219.0 2025/02/12 SMB Signing is not required on Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 SMBv1 is enabled on Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 SYSVOL Executable Changes AD Updated
4.0.289828 1.219.0 2025/02/12 Trust accounts with old passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged principals as DNS Admins AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged objects with unprivileged owners AD Updated
4.0.289828 1.219.0 2025/02/12 Users with the attribute userPassword set AD Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged users can add computer accounts to the domain AD Updated
4.0.289828 1.219.0 2025/02/12 User accounts that use DES encryption AD Updated
4.0.289828 1.219.0 2025/02/12 Users with Password Never Expires flag set AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged accounts with a password that never expires AD Updated
4.0.289828 1.219.0 2025/02/12 User accounts with password not required AD Updated
4.0.289828 1.219.0 2025/02/12 User accounts that store passwords with reversible encryption AD Updated
4.0.289828 1.219.0 2025/02/12 Users with Kerberos pre-authentication disabled AD Updated
4.0.289828 1.219.0 2025/02/12 Weak certificate cipher AD Updated
4.0.289828 1.219.0 2025/02/12 GPO linking delegation at the AD Site level AD Updated
4.0.289828 1.219.0 2025/02/12 GPO linking delegation at the domain controller OU level AD Updated
4.0.289828 1.219.0 2025/02/12 GPO linking delegation at the domain level AD Updated
4.0.273013 1.208.0 2025/01/16 Zerologon vulnerability AD Updated
4.0.273013 1.189.0 2025/01/16 Application instance property lock disabled AAD Application.Read.All Removed
4.0.273013 1.211.0 2025/01/16 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.273013 1.210.0 2025/01/16 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.273013 1.211.0 2025/01/16 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.273013 1.211.0 2025/01/16 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.273013 1.211.0 2025/01/16 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.273013 1.210.0 2025/01/16 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.273013 1.211.0 2025/01/16 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.273013 1.210.0 2025/01/16 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.273013 1.207.0 2025/01/16 Permission changes on AdminSDHolder object AD Updated
4.0.273013 1.210.0 2025/01/16 Domain Controllers with old passwords AD Updated
4.0.273013 1.212.0 2025/01/16 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All New Indicator
4.0.273013 1.200.0 2025/01/16 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.273013 1.209.0 2025/01/16 FGPP not applied to Global group AD Updated
4.0.273013 1.213.0 2025/01/16 GPO with Scheduled Tasks configured AD Updated
4.0.273013 1.210.0 2025/01/16 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.273013 1.210.0 2025/01/16 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.273013 1.210.0 2025/01/16 LDAP signing is not required on Domain Controllers AD Updated
4.0.273013 1.202.0 2025/01/16 Distributed COM Users group or Performance Log Users group are not empty AD New Indicator
4.0.273013 1.210.0 2025/01/16 NTFRS SYSVOL Replication AD Updated
4.0.273013 1.210.0 2025/01/16 Operators Groups that are not empty AD Updated
4.0.273013 1.210.0 2025/01/16 Domain trust to a third-party domain without quarantine AD Updated
4.0.273013 1.210.0 2025/01/16 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.273013 1.210.0 2025/01/16 Recent SIDHistory changes on objects AD Updated
4.0.273013 1.210.0 2025/01/16 Well-known privileged SIDs in SIDHistory AD Updated
4.0.273013 1.210.0 2025/01/16 Privileged objects with unprivileged owners AD Updated
4.0.259168 1.198.0 2024/12/12 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.259168 1.198.1 2024/12/12 Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days AD Updated
4.0.259168 1.178.0 2024/12/12 Zerologon vulnerability AD Updated
4.0.259168 1.189.0 2024/12/12 Application instance property lock disabled AAD Application.Read.All New Indicator
4.0.259168 1.168.0 2024/12/12 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.160.0 2024/12/12 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Security defaults not enabled AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.259168 1.168.0 2024/12/12 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.259168 1.168.0 2024/12/12 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Guest users are not restricted AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.168.0 2024/12/12 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.259168 1.168.0 2024/12/12 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.171.0 2024/12/12 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.176.0 2024/12/12 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All New Indicator
4.0.259168 1.168.0 2024/12/12 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All New Indicator
4.0.259168 1.193.0 2024/12/12 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read New Indicator
4.0.259168 1.162.0 2024/12/12 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.170.0 2024/12/12 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.259168 1.182.0 2024/12/12 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Security questions are in use AAD Reports.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.259168 1.158.0 2024/12/12 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.259168 1.168.0 2024/12/12 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup New Indicator
4.0.259168 1.168.0 2024/12/12 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Users can create security groups AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.259168 1.188.0 2024/12/12 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All New Indicator
4.0.259168 1.158.0 2024/12/12 Abnormal Password Refresh AD Updated
4.0.259168 1.180.0 2024/12/12 Unexpected accounts in Cert Publishers Group AD Updated
4.0.259168 1.158.0 2024/12/12 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.259168 1.186.0 2024/12/12 Inheritance enabled on AdminSDHolder object AD Updated
4.0.259168 1.158.0 2024/12/12 Permission changes on AdminSDHolder object AD Updated
4.0.259168 1.158.0 2024/12/12 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.259168 1.158.0 2024/12/12 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.259168 1.158.0 2024/12/12 Computers with older OS versions AD Updated
4.0.259168 1.158.0 2024/12/12 Computers with password last set over 90 days ago AD Updated
4.0.259168 1.158.0 2024/12/12 Domain Controllers with old passwords AD Updated
4.0.259168 1.164.0 2024/12/12 Print spooler service is enabled on a DC AD Updated
4.0.259168 1.186.0 2024/12/12 Domain Controller owner is not an administrator AD Updated
4.0.259168 1.168.0 2024/12/12 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.259168 1.158.0 2024/12/12 Enabled admin accounts that are inactive AD Updated
4.0.259168 1.186.0 2024/12/12 Enterprise Key Admins with full access to domain AD Updated
4.0.259168 1.158.0 2024/12/12 Ephemeral Admins AD Updated
4.0.259168 1.152.0 2024/12/12 FGPP not applied to Global group AD Updated
4.0.259168 1.158.0 2024/12/12 gMSA objects with old passwords AD Updated
4.0.259168 1.161.0 2024/12/12 Non-privileged users with access to gMSA passwords AD Updated
4.0.259168 1.183.0 2024/12/12 GPO Weak LM Hash storage enabled AD Updated
4.0.259168 1.158.0 2024/12/12 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.259168 1.158.0 2024/12/12 Kerberos KRBTGT account with old password AD Updated
4.0.259168 1.158.0 2024/12/12 AD objects created within the last 10 days AD Updated
4.0.259168 1.158.0 2024/12/12 Recent privileged account creation activity AD Updated
4.0.259168 1.186.0 2024/12/12 Non-standard schema permissions AD Updated
4.0.259168 1.158.0 2024/12/12 Users with old passwords AD Updated
4.0.259168 1.158.0 2024/12/12 Admins with old passwords AD Updated
4.0.259168 1.156.0 2024/12/12 Changes to privileged group membership in the last 7 days AD Updated
4.0.259168 1.158.0 2024/12/12 Recent SIDHistory changes on objects AD Updated
4.0.259168 1.167.0 2024/12/12 Shadow Credentials on privileged objects AD Updated
4.0.259168 1.158.0 2024/12/12 SYSVOL Executable Changes AD Updated
4.0.259168 1.158.0 2024/12/12 Trust accounts with old passwords AD Updated
4.0.259168 1.186.0 2024/12/12 Privileged objects with unprivileged owners AD Updated
4.0.220574 1.129.0 2024/09/10 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.220574 1.128.0 2024/09/10 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.220574 1.130.0 2024/09/10 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.220574 1.139.0 2024/09/10 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All New Indicator
4.0.220574 1.143.0 2024/09/10 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.220574 1.143.0 2024/09/10 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.220574 1.147.0 2024/09/10 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All New Indicator
4.0.220574 1.143.0 2024/09/10 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.220574 1.135.0 2024/09/10 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.220574 1.132.0 2024/09/10 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.220574 1.143.0 2024/09/10 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.220574 1.143.0 2024/09/10 Abnormal Password Refresh AD Updated
4.0.220574 1.143.0 2024/09/10 Unexpected accounts in Cert Publishers Group AD Updated
4.0.220574 1.143.0 2024/09/10 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.220574 1.143.0 2024/09/10 Inheritance enabled on AdminSDHolder object AD Updated
4.0.220574 1.143.0 2024/09/10 Permission changes on AdminSDHolder object AD Updated
4.0.220574 1.143.0 2024/09/10 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.220574 1.143.0 2024/09/10 Accounts with altSecurityIdentities configured AD Updated
4.0.220574 1.143.0 2024/09/10 Computers with older OS versions AD Updated
4.0.220574 1.143.0 2024/09/10 Computers with password last set over 90 days ago AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Computer Accounts in Privileged Groups AD Updated
4.0.220574 1.143.0 2024/09/10 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.220574 1.143.0 2024/09/10 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.220574 1.143.0 2024/09/10 Dangerous Trust Attribute Set AD Updated
4.0.220574 1.143.0 2024/09/10 Print spooler service is enabled on a DC AD Updated
4.0.220574 1.143.0 2024/09/10 Evidence of Mimikatz DCShadow attack AD Updated
4.0.220574 1.143.0 2024/09/10 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged users that are disabled AD Updated
4.0.220574 1.143.0 2024/09/10 Unsecured DNS configuration AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers in inconsistent state AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controller owner is not an administrator AD Updated
4.0.220574 1.143.0 2024/09/10 Domains with obsolete functional levels AD Updated
4.0.220574 1.143.0 2024/09/10 Non-default access to DPAPI key AD Updated
4.0.220574 1.131.0 2024/09/10 Suspicious credentials on Microsoft service principals AAD Application.Read.All New Indicator
4.0.220574 1.143.0 2024/09/10 Enabled admin accounts that are inactive AD Updated
4.0.220574 1.143.0 2024/09/10 Enterprise Key Admins with full access to domain AD Updated
4.0.220574 1.143.0 2024/09/10 Ephemeral Admins AD Updated
4.0.220574 1.143.0 2024/09/10 FGPP not applied to Global group AD Updated
4.0.220574 1.143.0 2024/09/10 Foreign Security Principals in Privileged Group AD Updated
4.0.220574 1.143.0 2024/09/10 gMSA not in use AD Updated
4.0.220574 1.143.0 2024/09/10 gMSA objects with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Non-privileged users with access to gMSA passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Writable shortcuts found in GPO AD Updated
4.0.220574 1.143.0 2024/09/10 Dangerous GPO logon script path AD Updated
4.0.220574 1.143.0 2024/09/10 GPO with Scheduled Tasks configured AD Updated
4.0.220574 1.143.0 2024/09/10 Dangerous user rights granted by GPO AD Updated
4.0.220574 1.143.0 2024/09/10 GPO Weak LM Hash storage enabled AD New Indicator
4.0.220574 1.143.0 2024/09/10 Reversible passwords found in GPOs AD Updated
4.0.220574 1.143.0 2024/09/10 Built-in guest account is enabled AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.220574 1.143.0 2024/09/10 Users with permissions to set Server Trust Account AD Updated
4.0.220574 1.143.0 2024/09/10 Kerberos KRBTGT account with old password AD Updated
4.0.220574 1.143.0 2024/09/10 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.220574 1.143.0 2024/09/10 LDAP signing is not required on Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 Forest contains more than 50 privileged accounts AD Updated
4.0.220574 1.143.0 2024/09/10 AD objects created within the last 10 days AD Updated
4.0.220574 1.143.0 2024/09/10 Recent privileged account creation activity AD Updated
4.0.220574 1.143.0 2024/09/10 Unprivileged accounts with adminCount=1 AD Updated
4.0.220574 1.143.0 2024/09/10 Users and computers with non-default Primary Group IDs AD Updated
4.0.220574 1.143.0 2024/09/10 Users and computers without readable PGID AD Updated
4.0.220574 1.143.0 2024/09/10 NTFRS SYSVOL Replication AD Updated
4.0.220574 1.143.0 2024/09/10 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.220574 1.143.0 2024/09/10 Objects with constrained delegation configured AD Updated
4.0.220574 1.143.0 2024/09/10 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.220574 1.143.0 2024/09/10 Kerberos protocol transition delegation configured AD Updated
4.0.220574 1.143.0 2024/09/10 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.220574 1.143.0 2024/09/10 Users with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Admins with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Operators Groups that are not empty AD Updated
4.0.220574 1.143.0 2024/09/10 Outbound forest trust with SID History enabled AD Updated
4.0.220574 1.143.0 2024/09/10 Domain trust to a third-party domain without quarantine AD Updated
4.0.220574 1.143.0 2024/09/10 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.220574 1.143.0 2024/09/10 Users with SPN defined AD Updated
4.0.220574 1.143.0 2024/09/10 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.220574 1.143.0 2024/09/10 Changes to privileged group membership in the last 7 days AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged users with SPN defined AD Updated
4.0.220574 1.143.0 2024/09/10 Protected Users group not in use AD Updated
4.0.220574 1.143.0 2024/09/10 Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.220574 1.143.0 2024/09/10 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.220574 1.143.0 2024/09/10 Write access to RBCD on DC AD Updated
4.0.220574 1.143.0 2024/09/10 Write access to RBCD on krbtgt account AD Updated
4.0.220574 1.143.0 2024/09/10 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 Recent SIDHistory changes on objects AD Updated
4.0.220574 1.143.0 2024/09/10 Non-default principals with DC Sync rights on the domain AD Updated
4.0.220574 1.150.0 2024/09/10 Risky RODC credential caching AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged user credentials cached on RODC AD Updated
4.0.220574 1.143.0 2024/09/10 Shadow Credentials on privileged objects AD Updated
4.0.220574 1.144.1 2024/09/10 Well-known privileged SIDs in SIDHistory AD Updated
4.0.220574 1.143.0 2024/09/10 SMB Signing is not required on Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 SMBv1 is enabled on Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 SYSVOL Executable Changes AD Updated
4.0.220574 1.143.0 2024/09/10 Trust accounts with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Unprivileged principals as DNS Admins AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged objects with unprivileged owners AD Updated
4.0.220574 1.148.0 2024/09/10 Users with the attribute userPassword set AD New Indicator
4.0.220574 1.143.0 2024/09/10 Unprivileged users can add computer accounts to the domain AD Updated
4.0.220574 1.143.0 2024/09/10 User accounts that use DES encryption AD Updated
4.0.220574 1.143.0 2024/09/10 Users with Password Never Expires flag set AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged accounts with a password that never expires AD Updated
4.0.220574 1.143.0 2024/09/10 User accounts with password not required AD Updated
4.0.220574 1.143.0 2024/09/10 User accounts that store passwords with reversible encryption AD Updated
4.0.220574 1.143.0 2024/09/10 Users with Kerberos pre-authentication disabled AD Updated
4.0.220574 1.146.0 2024/09/10 GPO linking delegation at the AD Site level AD Updated
4.0.220574 1.146.0 2024/09/10 GPO linking delegation at the domain controller OU level AD Updated
4.0.220574 1.143.0 2024/09/10 GPO linking delegation at the domain level AD Updated
4.0.197307 1.290.0 2024/07/15 Application instance property lock disabled AAD Application.Read.All Removed
4.0.197307 1.291.0 2024/07/15 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Removed
4.0.197307 1.290.0 2024/07/15 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All Removed
4.0.197307 1.290.0 2024/07/15 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All Removed
4.0.197307 1.290.0 2024/07/15 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All Removed
4.0.197307 1.290.0 2024/07/15 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Removed
4.0.197307 1.294.0 2024/07/15 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Removed
4.0.197307 1.290.0 2024/07/15 Report suspicious MFA activity disabled AAD Policy.Read.All, GroupMember.Read.All Removed
4.0.197307 1.291.0 2024/07/15 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Removed
4.0.197307 1.291.0 2024/07/15 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Removed
4.0.197307 1.309.0 2024/07/15 OU permissions enabling BadSuccessor dMSA escalation AD Removed
4.0.197307 1.290.0 2024/07/15 Suspicious credentials on Microsoft service principals AAD Application.Read.All Removed
4.0.197307 1.291.0 2024/07/15 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Removed
4.0.197307 1.300.0 2024/07/15 Smart card password rotation disabled AD Removed
4.0.197307 1.290.0 2024/07/15 GPO Weak LM Hash storage enabled AD Removed
4.0.197307 1.290.0 2024/07/15 Distributed COM Users group or Performance Log Users group are not empty AD Removed
4.0.197307 1.291.0 2024/07/15 User accounts using Smart Card authentication with old password AD Removed
4.0.197307 1.291.0 2024/07/15 Users with the attribute userPassword set AD Removed
4.0.372460 1.295.0 2025/05/28 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.372460 1.300.0 2025/05/28 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.372460 1.300.0 2025/05/28 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.372460 1.300.0 2025/05/28 Permission changes on AdminSDHolder object AD Updated
4.0.372460 1.300.0 2025/05/28 Accounts with altSecurityIdentities configured AD Updated
4.0.372460 1.300.0 2025/05/28 Anonymous access to Active Directory enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Anonymous NSPI access to AD enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Dangerous control paths expose certificate containers AD Updated
4.0.372460 1.300.0 2025/05/28 Certificate templates with 3 or more insecure configurations AD Updated
4.0.372460 1.300.0 2025/05/28 Dangerous control paths expose certificate templates AD Updated
4.0.372460 1.300.0 2025/05/28 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.372460 1.300.0 2025/05/28 Computers with password last set over 90 days ago AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers with old passwords AD Updated
4.0.372460 1.300.0 2025/05/28 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.372460 1.300.0 2025/05/28 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.372460 1.300.0 2025/05/28 Dangerous Trust Attribute Set AD Updated
4.0.372460 1.295.0 2025/05/28 Print spooler service is enabled on a DC AD Updated
4.0.372460 1.300.0 2025/05/28 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.372460 1.309.0 2025/05/28 OU permissions enabling BadSuccessor dMSA escalation AD New Indicator
4.0.372460 1.300.0 2025/05/28 Unsecured DNS configuration AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers in inconsistent state AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controller owner is not an administrator AD Updated
4.0.372460 1.300.0 2025/05/28 Domains with obsolete functional levels AD Updated
4.0.372460 1.300.0 2025/05/28 Non-default access to DPAPI key AD Updated
4.0.372460 1.300.0 2025/05/28 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.372460 1.300.0 2025/05/28 Enabled admin accounts that are inactive AD Updated
4.0.372460 1.300.0 2025/05/28 Enterprise Key Admins with full access to domain AD Updated
4.0.372460 1.300.0 2025/05/28 Smart card password rotation disabled AD Updated
4.0.372460 1.300.0 2025/05/28 Non-privileged users with access to gMSA passwords AD Updated
4.0.372460 1.301.0 2025/05/28 Writable shortcuts found in GPO AD Updated
4.0.372460 1.300.0 2025/05/28 Built-in guest account is enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.372460 1.300.0 2025/05/28 Kerberos KRBTGT account with old password AD Updated
4.0.372460 1.300.0 2025/05/28 Forest contains more than 50 privileged accounts AD Updated
4.0.372460 1.300.0 2025/05/28 Users and computers with non-default Primary Group IDs AD Updated
4.0.372460 1.301.0 2025/05/28 Non-standard schema permissions AD Updated
4.0.372460 1.300.0 2025/05/28 NTFRS SYSVOL Replication AD Updated
4.0.372460 1.300.0 2025/05/28 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.372460 1.300.0 2025/05/28 Admins with old passwords AD Updated
4.0.372460 1.300.0 2025/05/28 Outbound forest trust with SID History enabled AD Updated
4.0.372460 1.300.0 2025/05/28 Domain trust to a third-party domain without quarantine AD Updated
4.0.372460 1.300.0 2025/05/28 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged users with SPN defined AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged Users with Weak Password Policy AD Updated
4.0.372460 1.300.0 2025/05/28 Protected Users group not in use AD Updated
4.0.372460 1.300.0 2025/05/28 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.372460 1.300.0 2025/05/28 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.372460 1.300.0 2025/05/28 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.372460 1.300.0 2025/05/28 Recent SIDHistory changes on objects AD Updated
4.0.372460 1.300.0 2025/05/28 Non-default principals with DC Sync rights on the domain AD Updated
4.0.372460 1.300.0 2025/05/28 Risky RODC credential caching AD Updated
4.0.372460 1.300.0 2025/05/28 Well-known privileged SIDs in SIDHistory AD Updated
4.0.372460 1.300.0 2025/05/28 Trust accounts with old passwords AD Updated
4.0.372460 1.300.0 2025/05/28 Unprivileged principals as DNS Admins AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged objects with unprivileged owners AD Updated
4.0.372460 1.300.0 2025/05/28 Unprivileged users can add computer accounts to the domain AD Updated
4.0.372460 1.300.0 2025/05/28 User accounts that use DES encryption AD Updated
4.0.372460 1.300.0 2025/05/28 Users with Password Never Expires flag set AD Updated
4.0.372460 1.300.0 2025/05/28 Privileged accounts with a password that never expires AD Updated
4.0.372460 1.300.0 2025/05/28 User accounts that store passwords with reversible encryption AD Updated
4.0.372460 1.300.0 2025/05/28 Users with Kerberos pre-authentication disabled AD Updated
4.0.372460 1.300.0 2025/05/28 Weak certificate cipher AD Updated
4.0.372460 1.300.0 2025/05/28 GPO linking delegation at the AD Site level AD Updated
4.0.372460 1.300.0 2025/05/28 GPO linking delegation at the domain controller OU level AD Updated
4.0.372460 1.300.0 2025/05/28 GPO linking delegation at the domain level AD Updated
4.0.364185 1.291.0 2025/05/15 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.364185 1.294.0 2025/05/15 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.364185 1.291.0 2025/05/15 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.364185 1.291.0 2025/05/15 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.364185 1.293.0 2025/05/15 Print spooler service is enabled on a DC AD Updated
4.0.364185 1.291.0 2025/05/15 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.364185 1.291.0 2025/05/15 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.364185 1.291.0 2025/05/15 Outbound forest trust with SID History enabled AD Updated
4.0.364185 1.291.0 2025/05/15 Domain trust to a third-party domain without quarantine AD Updated
4.0.364185 1.291.0 2025/05/15 Protected Users group not in use AD Updated
4.0.364185 1.291.0 2025/05/15 Privileged user credentials cached on RODC AD Updated
4.0.364185 1.291.0 2025/05/15 User accounts using Smart Card authentication with old password AD Updated
4.0.364185 1.291.0 2025/05/15 SMB Signing is not required on Domain Controllers AD Updated
4.0.364185 1.291.0 2025/05/15 SMBv1 is enabled on Domain Controllers AD Updated
4.0.364185 1.291.0 2025/05/15 Trust accounts with old passwords AD Updated
4.0.364185 1.291.0 2025/05/15 Unprivileged principals as DNS Admins AD Updated
4.0.364185 1.291.0 2025/05/15 Users with the attribute userPassword set AD Updated
4.0.364185 1.291.0 2025/05/15 Users with Password Never Expires flag set AD Updated
4.0.364185 1.291.0 2025/05/15 Privileged accounts with a password that never expires AD Updated
4.0.364185 1.291.0 2025/05/15 User accounts with password not required AD Updated
4.0.364185 1.291.0 2025/05/15 User accounts that store passwords with reversible encryption AD Updated
4.0.364185 1.291.0 2025/05/15 Users with Kerberos pre-authentication disabled AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.362949 1.290.0 2025/05/13 Zerologon vulnerability AD Updated
4.0.362949 1.290.0 2025/05/13 Application instance property lock disabled AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 User consent is allowed for risky applications AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Security defaults not enabled AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.362949 1.290.0 2025/05/13 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Guest users are not restricted AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.362949 1.290.0 2025/05/13 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.362949 1.290.0 2025/05/13 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.362949 1.290.0 2025/05/13 Report suspicious MFA activity disabled AAD Policy.Read.All, GroupMember.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.362949 1.290.0 2025/05/13 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Security questions are in use AAD Reports.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.362949 1.290.0 2025/05/13 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Guest invites not accepted in last 30 day AAD User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.362949 1.290.0 2025/05/13 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Users can create security groups AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.362949 1.290.0 2025/05/13 Inheritance enabled on AdminSDHolder object AD Updated
4.0.362949 1.290.0 2025/05/13 Permission changes on AdminSDHolder object AD Updated
4.0.362949 1.290.0 2025/05/13 Anonymous access to Active Directory enabled AD Updated
4.0.362949 1.290.0 2025/05/13 Anonymous NSPI access to AD enabled AD Updated
4.0.362949 1.290.0 2025/05/13 Certificate templates with 3 or more insecure configurations AD Updated
4.0.362949 1.290.0 2025/05/13 Dangerous control paths expose certificate templates AD Updated
4.0.362949 1.290.0 2025/05/13 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.362949 1.290.0 2025/05/13 Computers with older OS versions AD Updated
4.0.362949 1.290.0 2025/05/13 Computers with password last set over 90 days ago AD Updated
4.0.362949 1.290.0 2025/05/13 Domain Controllers with old passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.362949 1.290.0 2025/05/13 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.362949 1.283.0 2025/05/13 Print spooler service is enabled on a DC AD Updated
4.0.362949 1.290.0 2025/05/13 Evidence of Mimikatz DCShadow attack AD Updated
4.0.362949 1.280.1 2025/05/13 Unsecured DNS configuration AD Updated
4.0.362949 1.290.0 2025/05/13 Domain Controllers in inconsistent state AD Updated
4.0.362949 1.290.0 2025/05/13 Domains with obsolete functional levels AD Updated
4.0.362949 1.290.0 2025/05/13 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.362949 1.290.0 2025/05/13 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.362949 1.290.0 2025/05/13 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.362949 1.290.0 2025/05/13 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.362949 1.290.0 2025/05/13 Smart card password rotation disabled AD New Indicator
4.0.362949 1.290.0 2025/05/13 FGPP not applied to Global group AD Updated
4.0.362949 1.290.0 2025/05/13 Foreign Security Principals in Privileged Group AD Updated
4.0.362949 1.290.0 2025/05/13 gMSA not in use AD Updated
4.0.362949 1.281.0 2025/05/13 Non-privileged users with access to gMSA passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Writable shortcuts found in GPO AD Updated
4.0.362949 1.290.0 2025/05/13 GPO with Scheduled Tasks configured AD Updated
4.0.362949 1.290.0 2025/05/13 Dangerous user rights granted by GPO AD Updated
4.0.362949 1.290.0 2025/05/13 GPO Weak LM Hash storage enabled AD Updated
4.0.362949 1.278.0 2025/05/13 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.362949 1.290.0 2025/05/13 Kerberos KRBTGT account with old password AD Updated
4.0.362949 1.290.0 2025/05/13 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.362949 1.290.0 2025/05/13 LDAP signing is not required on Domain Controllers AD Updated
4.0.362949 1.290.0 2025/05/13 Forest contains more than 50 privileged accounts AD Updated
4.0.362949 1.290.0 2025/05/13 AD objects created within the last 10 days AD Updated
4.0.362949 1.290.0 2025/05/13 Recent privileged account creation activity AD Updated
4.0.362949 1.290.0 2025/05/13 Distributed COM Users group or Performance Log Users group are not empty AD Updated
4.0.362949 1.290.0 2025/05/13 Non-standard schema permissions AD Updated
4.0.362949 1.290.0 2025/05/13 NTFRS SYSVOL Replication AD Updated
4.0.362949 1.290.0 2025/05/13 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.362949 1.290.0 2025/05/13 Objects with constrained delegation configured AD Updated
4.0.362949 1.290.0 2025/05/13 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to MS LAPS read permissions AD Updated
4.0.362949 1.290.0 2025/05/13 High-privileged custom roles Okta Updated
4.0.362949 1.290.0 2025/05/13 Password policy check Okta Updated
4.0.362949 1.290.0 2025/05/13 Users with old passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Admins with old passwords AD Updated
4.0.362949 1.290.0 2025/05/13 Operators Groups that are not empty AD Updated
4.0.362949 1.290.0 2025/05/13 Outbound forest trust with SID History enabled AD Updated
4.0.362949 1.290.0 2025/05/13 Domain trust to a third-party domain without quarantine AD Updated
4.0.362949 1.290.0 2025/05/13 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.362949 1.290.0 2025/05/13 Users with SPN defined AD Updated
4.0.362949 1.290.0 2025/05/13 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.362949 1.277.0 2025/05/13 Privileged Users with Weak Password Policy AD Updated
4.0.362949 1.290.0 2025/05/13 Protected Users group not in use AD Updated
4.0.362949 1.290.0 2025/05/13 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.362949 1.290.0 2025/05/13 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.362949 1.290.0 2025/05/13 Recent SIDHistory changes on objects AD Updated
4.0.362949 1.290.0 2025/05/13 Risky RODC credential caching AD Updated
4.0.362949 1.290.0 2025/05/13 Privileged user credentials cached on RODC AD Updated
4.0.362949 1.290.0 2025/05/13 Well-known privileged SIDs in SIDHistory AD Updated
4.0.362949 1.290.0 2025/05/13 User accounts using Smart Card authentication with old password AD Updated
4.0.362949 1.290.0 2025/05/13 SMB Signing is not required on Domain Controllers AD Updated
4.0.353464 1.271.0 2025/04/29 Dangerous Trust Attribute Set AD Updated
4.0.353464 1.272.0 2025/04/29 Non-default principals with DC Sync rights on the domain AD Updated
4.0.353464 1.271.0 2025/04/29 Users with Kerberos pre-authentication disabled AD Updated
4.0.345541 1.270.0 2025/04/16 Print spooler service is enabled on a DC AD Updated
4.0.345541 1.270.0 2025/04/16 Ephemeral Admins AD Updated
4.0.345541 1.270.0 2025/04/16 Non-privileged users with access to gMSA passwords AD Updated
4.0.345541 1.270.0 2025/04/16 Users with permissions to set Server Trust Account AD Updated
4.0.345190 1.268.0 2025/04/16 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days AD Updated
4.0.345190 1.240.0 2025/04/16 Zerologon vulnerability AD Updated
4.0.345190 1.260.0 2025/04/16 Application instance property lock disabled AAD Application.Read.All Updated
4.0.345190 1.260.0 2025/04/16 User consent is allowed for risky applications AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Security defaults not enabled AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.345190 1.268.0 2025/04/16 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.345190 1.268.0 2025/04/16 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Guest users are not restricted AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.345190 1.261.0 2025/04/16 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All Updated
4.0.345190 1.260.0 2025/04/16 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.268.0 2025/04/16 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.345190 1.268.0 2025/04/16 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.345190 1.268.0 2025/04/16 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.345190 1.269.0 2025/04/16 Report suspicious MFA activity disabled AAD Policy.Read.All, GroupMember.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.345190 1.260.0 2025/04/16 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Security questions are in use AAD Reports.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.345190 1.268.0 2025/04/16 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.345190 1.260.0 2025/04/16 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Guest invites not accepted in last 30 day AAD User.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.345190 1.260.0 2025/04/16 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Users can create security groups AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.345190 1.268.0 2025/04/16 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.345190 1.240.0 2025/04/16 Abnormal Password Refresh AD Updated
4.0.345190 1.240.0 2025/04/16 Unexpected accounts in Cert Publishers Group AD Updated
4.0.345190 1.240.0 2025/04/16 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.345190 1.240.0 2025/04/16 Inheritance enabled on AdminSDHolder object AD Updated
4.0.345190 1.240.0 2025/04/16 Permission changes on AdminSDHolder object AD Updated
4.0.345190 1.240.0 2025/04/16 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.345190 1.240.0 2025/04/16 Accounts with altSecurityIdentities configured AD Updated
4.0.345190 1.268.0 2025/04/16 Anonymous access to Active Directory enabled AD Updated
4.0.345190 1.268.0 2025/04/16 Anonymous NSPI access to AD enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Dangerous control paths expose certificate containers AD Updated
4.0.345190 1.268.0 2025/04/16 Certificate templates with 3 or more insecure configurations AD Updated
4.0.345190 1.268.0 2025/04/16 Dangerous control paths expose certificate templates AD Updated
4.0.345190 1.268.0 2025/04/16 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.345190 1.268.0 2025/04/16 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.345190 1.240.0 2025/04/16 Computers with older OS versions AD Updated
4.0.345190 1.240.0 2025/04/16 Computers with password last set over 90 days ago AD Updated
4.0.345190 1.252.0 2025/04/16 Domain Controllers with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Computer Accounts in Privileged Groups AD Updated
4.0.345190 1.268.0 2025/04/16 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.345190 1.240.0 2025/04/16 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.345190 1.240.0 2025/04/16 Dangerous Trust Attribute Set AD Updated
4.0.345190 1.252.0 2025/04/16 Print spooler service is enabled on a DC AD Updated
4.0.345190 1.240.0 2025/04/16 Evidence of Mimikatz DCShadow attack AD Updated
4.0.345190 1.240.0 2025/04/16 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged users that are disabled AD Updated
4.0.345190 1.240.0 2025/04/16 Unsecured DNS configuration AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controllers in inconsistent state AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controller owner is not an administrator AD Updated
4.0.345190 1.268.0 2025/04/16 Domains with obsolete functional levels AD Updated
4.0.345190 1.252.0 2025/04/16 Non-default access to DPAPI key AD Updated
4.0.345190 1.268.0 2025/04/16 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.345190 1.260.0 2025/04/16 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.345190 1.260.0 2025/04/16 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.345190 1.240.0 2025/04/16 Enabled admin accounts that are inactive AD Updated
4.0.345190 1.268.0 2025/04/16 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.345190 1.240.0 2025/04/16 Enterprise Key Admins with full access to domain AD Updated
4.0.345190 1.240.0 2025/04/16 Ephemeral Admins AD Updated
4.0.345190 1.240.0 2025/04/16 FGPP not applied to Global group AD Updated
4.0.345190 1.268.0 2025/04/16 Foreign Security Principals in Privileged Group AD Updated
4.0.345190 1.268.0 2025/04/16 gMSA not in use AD Updated
4.0.345190 1.240.0 2025/04/16 gMSA objects with old passwords AD Updated
4.0.345190 1.244.0 2025/04/16 Non-privileged users with access to gMSA passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Writable shortcuts found in GPO AD Updated
4.0.345190 1.240.0 2025/04/16 Dangerous GPO logon script path AD Updated
4.0.345190 1.240.0 2025/04/16 GPO with Scheduled Tasks configured AD Updated
4.0.345190 1.268.0 2025/04/16 Dangerous user rights granted by GPO AD Updated
4.0.345190 1.268.0 2025/04/16 GPO Weak LM Hash storage enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Reversible passwords found in GPOs AD Updated
4.0.345190 1.240.0 2025/04/16 Built-in guest account is enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.345190 1.268.0 2025/04/16 Users with permissions to set Server Trust Account AD Updated
4.0.345190 1.268.0 2025/04/16 Kerberos KRBTGT account with old password AD Updated
4.0.345190 1.240.0 2025/04/16 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.345190 1.268.0 2025/04/16 LDAP signing is not required on Domain Controllers AD Updated
4.0.345190 1.268.0 2025/04/16 Forest contains more than 50 privileged accounts AD Updated
4.0.345190 1.268.0 2025/04/16 AD objects created within the last 10 days AD Updated
4.0.345190 1.268.0 2025/04/16 Recent privileged account creation activity AD Updated
4.0.345190 1.240.0 2025/04/16 Distributed COM Users group or Performance Log Users group are not empty AD Updated
4.0.345190 1.240.0 2025/04/16 Unprivileged accounts with adminCount=1 AD Updated
4.0.345190 1.240.0 2025/04/16 Users and computers with non-default Primary Group IDs AD Updated
4.0.345190 1.238.0 2025/04/16 Non-standard schema permissions AD Updated
4.0.345190 1.240.0 2025/04/16 Users and computers without readable PGID AD Updated
4.0.345190 1.268.0 2025/04/16 NTFRS SYSVOL Replication AD Updated
4.0.345190 1.268.0 2025/04/16 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.345190 1.268.0 2025/04/16 Objects with constrained delegation configured AD Updated
4.0.345190 1.268.0 2025/04/16 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to MS LAPS read permissions AD Updated
4.0.345190 1.240.0 2025/04/16 Kerberos protocol transition delegation configured AD Updated
4.0.345190 1.240.0 2025/04/16 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.345190 1.240.0 2025/04/16 Users with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Admins with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Operators Groups that are not empty AD Updated
4.0.345190 1.240.0 2025/04/16 Outbound forest trust with SID History enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Domain trust to a third-party domain without quarantine AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.345190 1.268.0 2025/04/16 Users with SPN defined AD Updated
4.0.345190 1.268.0 2025/04/16 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.345190 1.240.0 2025/04/16 Changes to privileged group membership in the last 7 days AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged users with SPN defined AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged Users with Weak Password Policy AD Updated
4.0.345190 1.240.0 2025/04/16 Protected Users group not in use AD Updated
4.0.345190 1.240.0 2025/04/16 Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) AD Updated
4.0.345190 1.240.0 2025/04/16 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.345190 1.240.0 2025/04/16 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.345190 1.240.0 2025/04/16 Write access to RBCD on DC AD Updated
4.0.345190 1.240.0 2025/04/16 Write access to RBCD on krbtgt account AD Updated
4.0.345190 1.262.0 2025/04/16 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.345190 1.240.0 2025/04/16 Recent SIDHistory changes on objects AD Updated
4.0.345190 1.240.0 2025/04/16 Non-default principals with DC Sync rights on the domain AD Updated
4.0.345190 1.240.0 2025/04/16 Risky RODC credential caching AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged user credentials cached on RODC AD Updated
4.0.345190 1.240.0 2025/04/16 Shadow Credentials on privileged objects AD Updated
4.0.345190 1.240.0 2025/04/16 Well-known privileged SIDs in SIDHistory AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts using Smart Card authentication with old password AD New Indicator
4.0.345190 1.268.0 2025/04/16 SMB Signing is not required on Domain Controllers AD Updated
4.0.345190 1.268.0 2025/04/16 SMBv1 is enabled on Domain Controllers AD Updated
4.0.345190 1.240.0 2025/04/16 SYSVOL Executable Changes AD Updated
4.0.345190 1.240.0 2025/04/16 Trust accounts with old passwords AD Updated
4.0.345190 1.240.0 2025/04/16 Unprivileged principals as DNS Admins AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged objects with unprivileged owners AD Updated
4.0.345190 1.240.0 2025/04/16 Users with the attribute userPassword set AD Updated
4.0.345190 1.240.0 2025/04/16 Unprivileged users can add computer accounts to the domain AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts that use DES encryption AD Updated
4.0.345190 1.240.0 2025/04/16 Users with Password Never Expires flag set AD Updated
4.0.345190 1.240.0 2025/04/16 Privileged accounts with a password that never expires AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts with password not required AD Updated
4.0.345190 1.240.0 2025/04/16 User accounts that store passwords with reversible encryption AD Updated
4.0.345190 1.268.0 2025/04/16 Users with Kerberos pre-authentication disabled AD Updated
4.0.345190 1.240.0 2025/04/16 GPO linking delegation at the AD Site level AD Updated
4.0.345190 1.240.0 2025/04/16 GPO linking delegation at the domain controller OU level AD Updated
4.0.345190 1.240.0 2025/04/16 GPO linking delegation at the domain level AD Updated
4.0.325842 1.226.0 2025/03/10 Application instance property lock disabled AAD Application.Read.All New Indicator
4.0.325842 1.229.0 2025/03/10 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.325842 1.229.0 2025/03/10 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.325842 1.230.0 2025/03/10 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.325842 1.228.0 2025/03/10 Detect MFA policy changes for groups and users AAD AuditLog.Read.All, Policy.Read.All, GroupMember.Read.All, Reports.Read.All New Indicator
4.0.325842 1.229.0 2025/03/10 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.325842 1.232.0 2025/03/10 Report suspicious MFA activity disabled AAD Policy.Read.All, GroupMember.Read.All New Indicator
4.0.325842 1.231.0 2025/03/10 Writable shortcuts found in GPO AD Updated
4.0.325842 1.231.0 2025/03/10 Dangerous GPO logon script path AD Updated
4.0.325842 1.231.0 2025/03/10 GPO with Scheduled Tasks configured AD Updated
4.0.325842 1.231.0 2025/03/10 Dangerous user rights granted by GPO AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days AD Updated
4.0.289828 1.219.0 2025/02/12 Zerologon vulnerability AD Updated
4.0.289828 1.215.0 2025/02/12 User consent is allowed for risky applications AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Security defaults not enabled AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.289828 1.215.0 2025/02/12 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.289828 1.219.0 2025/02/12 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Guest users are not restricted AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.289828 1.219.0 2025/02/12 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.220.0 2025/02/12 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.289828 1.219.0 2025/02/12 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.289828 1.219.0 2025/02/12 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.289828 1.224.0 2025/02/12 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.289828 1.219.0 2025/02/12 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Security questions are in use AAD Reports.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.289828 1.219.0 2025/02/12 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.289828 1.219.0 2025/02/12 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Guest invites not accepted in last 30 day AAD User.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.289828 1.219.0 2025/02/12 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Users can create security groups AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.289828 1.215.0 2025/02/12 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.289828 1.223.0 2025/02/12 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Abnormal Password Refresh AD Updated
4.0.289828 1.222.0 2025/02/12 Unexpected accounts in Cert Publishers Group AD Updated
4.0.289828 1.219.0 2025/02/12 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.289828 1.219.0 2025/02/12 Inheritance enabled on AdminSDHolder object AD Updated
4.0.289828 1.219.0 2025/02/12 Permission changes on AdminSDHolder object AD Updated
4.0.289828 1.219.0 2025/02/12 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.289828 1.219.0 2025/02/12 Accounts with altSecurityIdentities configured AD Updated
4.0.289828 1.219.0 2025/02/12 Anonymous access to Active Directory enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Anonymous NSPI access to AD enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous control paths expose certificate containers AD Updated
4.0.289828 1.219.0 2025/02/12 Certificate templates with 3 or more insecure configurations AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous control paths expose certificate templates AD Updated
4.0.289828 1.219.0 2025/02/12 Certificate templates that allow requesters to specify a subjectAltName AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.289828 1.219.0 2025/02/12 Computers with older OS versions AD Updated
4.0.289828 1.219.0 2025/02/12 Computers with password last set over 90 days ago AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers with old passwords AD Updated
4.0.289828 1.222.0 2025/02/12 Computer Accounts in Privileged Groups AD Updated
4.0.289828 1.219.0 2025/02/12 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.289828 1.219.0 2025/02/12 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous Trust Attribute Set AD Updated
4.0.289828 1.219.0 2025/02/12 Print spooler service is enabled on a DC AD Updated
4.0.289828 1.219.0 2025/02/12 Evidence of Mimikatz DCShadow attack AD Updated
4.0.289828 1.219.0 2025/02/12 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged users that are disabled AD Updated
4.0.289828 1.219.0 2025/02/12 Unsecured DNS configuration AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers in inconsistent state AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controller owner is not an administrator AD Updated
4.0.289828 1.219.0 2025/02/12 Domains with obsolete functional levels AD Updated
4.0.289828 1.219.0 2025/02/12 Non-default access to DPAPI key AD Updated
4.0.289828 1.219.0 2025/02/12 Operator groups no longer protected by AdminSDHolder and SDProp AD Updated
4.0.289828 1.219.0 2025/02/12 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All Updated
4.0.289828 1.219.0 2025/02/12 Enabled admin accounts that are inactive AD Updated
4.0.289828 1.219.0 2025/02/12 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.289828 1.219.0 2025/02/12 Enterprise Key Admins with full access to domain AD Updated
4.0.289828 1.219.0 2025/02/12 Ephemeral Admins AD Updated
4.0.289828 1.219.0 2025/02/12 FGPP not applied to Global group AD Updated
4.0.289828 1.219.0 2025/02/12 Foreign Security Principals in Privileged Group AD Updated
4.0.289828 1.219.0 2025/02/12 gMSA objects with old passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Non-privileged users with access to gMSA passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Writable shortcuts found in GPO AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous GPO logon script path AD Updated
4.0.289828 1.219.0 2025/02/12 GPO with Scheduled Tasks configured AD Updated
4.0.289828 1.219.0 2025/02/12 Dangerous user rights granted by GPO AD Updated
4.0.289828 1.219.0 2025/02/12 GPO Weak LM Hash storage enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Reversible passwords found in GPOs AD Updated
4.0.289828 1.219.0 2025/02/12 Built-in guest account is enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.289828 1.219.0 2025/02/12 Users with permissions to set Server Trust Account AD Updated
4.0.289828 1.219.0 2025/02/12 Kerberos KRBTGT account with old password AD Updated
4.0.289828 1.219.0 2025/02/12 Non default value on ms-Mcs-AdmPwd SearchFlags AD Updated
4.0.289828 1.219.0 2025/02/12 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.289828 1.219.0 2025/02/12 LDAP signing is not required on Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 Forest contains more than 50 privileged accounts AD Updated
4.0.289828 1.219.0 2025/02/12 AD objects created within the last 10 days AD Updated
4.0.289828 1.219.0 2025/02/12 Recent privileged account creation activity AD Updated
4.0.289828 1.222.0 2025/02/12 Distributed COM Users group or Performance Log Users group are not empty AD Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged accounts with adminCount=1 AD Updated
4.0.289828 1.219.0 2025/02/12 Users and computers with non-default Primary Group IDs AD Updated
4.0.289828 1.219.0 2025/02/12 Non-standard schema permissions AD Updated
4.0.289828 1.219.0 2025/02/12 Users and computers without readable PGID AD Updated
4.0.289828 1.222.0 2025/02/12 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.289828 1.219.0 2025/02/12 Objects with constrained delegation configured AD Updated
4.0.289828 1.219.0 2025/02/12 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.289828 1.219.0 2025/02/12 Changes to MS LAPS read permissions AD Updated
4.0.289828 1.219.0 2025/02/12 Kerberos protocol transition delegation configured AD Updated
4.0.289828 1.219.0 2025/02/12 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.289828 1.219.0 2025/02/12 High-privileged custom roles Okta Updated
4.0.289828 1.219.0 2025/02/12 New permission has been granted to a group Okta Updated
4.0.289828 1.219.0 2025/02/12 New permission has been granted to a user Okta Updated
4.0.289828 1.219.0 2025/02/12 New API token was created Okta Updated
4.0.289828 1.219.0 2025/02/12 New Super Admin permission has been granted to a group Okta Updated
4.0.289828 1.219.0 2025/02/12 New Super Admin permission has been granted to a user Okta Updated
4.0.289828 1.219.0 2025/02/12 Password policy check Okta Updated
4.0.289828 1.219.0 2025/02/12 User activation in the last 7 days Okta Updated
4.0.289828 1.219.0 2025/02/12 User deactivation in the last 7 days Okta Updated
4.0.289828 1.219.0 2025/02/12 Users without Multi-Factor Authentication (MFA) Okta Updated
4.0.289828 1.219.0 2025/02/12 Users with old passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Admins with old passwords AD Updated
4.0.289828 1.222.0 2025/02/12 Operators Groups that are not empty AD Updated
4.0.289828 1.219.0 2025/02/12 Outbound forest trust with SID History enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Domain trust to a third-party domain without quarantine AD Updated
4.0.289828 1.222.0 2025/02/12 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.289828 1.219.0 2025/02/12 Users with SPN defined AD Updated
4.0.289828 1.219.0 2025/02/12 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.289828 1.222.0 2025/02/12 Changes to privileged group membership in the last 7 days AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged users with SPN defined AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged Users with Weak Password Policy AD Updated
4.0.289828 1.219.0 2025/02/12 Protected Users group not in use AD Updated
4.0.289828 1.219.0 2025/02/12 Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) AD Updated
4.0.289828 1.219.0 2025/02/12 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.289828 1.219.0 2025/02/12 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.289828 1.219.0 2025/02/12 Write access to RBCD on DC AD Updated
4.0.289828 1.219.0 2025/02/12 Write access to RBCD on krbtgt account AD Updated
4.0.289828 1.219.0 2025/02/12 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 Recent SIDHistory changes on objects AD Updated
4.0.289828 1.219.0 2025/02/12 Non-default principals with DC Sync rights on the domain AD Updated
4.0.289828 1.219.0 2025/02/12 Risky RODC credential caching AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged user credentials cached on RODC AD Updated
4.0.289828 1.219.0 2025/02/12 Shadow Credentials on privileged objects AD Updated
4.0.289828 1.219.0 2025/02/12 Well-known privileged SIDs in SIDHistory AD Updated
4.0.289828 1.219.0 2025/02/12 SMB Signing is not required on Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 SMBv1 is enabled on Domain Controllers AD Updated
4.0.289828 1.219.0 2025/02/12 SYSVOL Executable Changes AD Updated
4.0.289828 1.219.0 2025/02/12 Trust accounts with old passwords AD Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged principals as DNS Admins AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged objects with unprivileged owners AD Updated
4.0.289828 1.219.0 2025/02/12 Users with the attribute userPassword set AD Updated
4.0.289828 1.219.0 2025/02/12 Unprivileged users can add computer accounts to the domain AD Updated
4.0.289828 1.219.0 2025/02/12 User accounts that use DES encryption AD Updated
4.0.289828 1.219.0 2025/02/12 Users with Password Never Expires flag set AD Updated
4.0.289828 1.219.0 2025/02/12 Privileged accounts with a password that never expires AD Updated
4.0.289828 1.219.0 2025/02/12 User accounts with password not required AD Updated
4.0.289828 1.219.0 2025/02/12 User accounts that store passwords with reversible encryption AD Updated
4.0.289828 1.219.0 2025/02/12 Users with Kerberos pre-authentication disabled AD Updated
4.0.289828 1.219.0 2025/02/12 Weak certificate cipher AD Updated
4.0.289828 1.219.0 2025/02/12 GPO linking delegation at the AD Site level AD Updated
4.0.289828 1.219.0 2025/02/12 GPO linking delegation at the domain controller OU level AD Updated
4.0.289828 1.219.0 2025/02/12 GPO linking delegation at the domain level AD Updated
4.0.273013 1.208.0 2025/01/16 Zerologon vulnerability AD Updated
4.0.273013 1.189.0 2025/01/16 Application instance property lock disabled AAD Application.Read.All Removed
4.0.273013 1.211.0 2025/01/16 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.273013 1.210.0 2025/01/16 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.273013 1.211.0 2025/01/16 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.273013 1.211.0 2025/01/16 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.273013 1.211.0 2025/01/16 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.273013 1.210.0 2025/01/16 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read Updated
4.0.273013 1.211.0 2025/01/16 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.273013 1.211.0 2025/01/16 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup Updated
4.0.273013 1.210.0 2025/01/16 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All Updated
4.0.273013 1.207.0 2025/01/16 Permission changes on AdminSDHolder object AD Updated
4.0.273013 1.210.0 2025/01/16 Domain Controllers with old passwords AD Updated
4.0.273013 1.212.0 2025/01/16 Unresolved Entra ID privileged role members AAD RoleManagement.Read.All, Directory.Read.All New Indicator
4.0.273013 1.200.0 2025/01/16 AD Certificate Authority with Web Enrollment - ESC8 AD Updated
4.0.273013 1.209.0 2025/01/16 FGPP not applied to Global group AD Updated
4.0.273013 1.213.0 2025/01/16 GPO with Scheduled Tasks configured AD Updated
4.0.273013 1.210.0 2025/01/16 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.273013 1.210.0 2025/01/16 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.273013 1.210.0 2025/01/16 LDAP signing is not required on Domain Controllers AD Updated
4.0.273013 1.202.0 2025/01/16 Distributed COM Users group or Performance Log Users group are not empty AD New Indicator
4.0.273013 1.210.0 2025/01/16 NTFRS SYSVOL Replication AD Updated
4.0.273013 1.210.0 2025/01/16 Operators Groups that are not empty AD Updated
4.0.273013 1.210.0 2025/01/16 Domain trust to a third-party domain without quarantine AD Updated
4.0.273013 1.210.0 2025/01/16 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.273013 1.210.0 2025/01/16 Recent SIDHistory changes on objects AD Updated
4.0.273013 1.210.0 2025/01/16 Well-known privileged SIDs in SIDHistory AD Updated
4.0.273013 1.210.0 2025/01/16 Privileged objects with unprivileged owners AD Updated
4.0.259168 1.198.0 2024/12/12 Changes to AD Display Specifiers in the past 90 days AD Updated
4.0.259168 1.198.1 2024/12/12 Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days AD Updated
4.0.259168 1.178.0 2024/12/12 Zerologon vulnerability AD Updated
4.0.259168 1.189.0 2024/12/12 Application instance property lock disabled AAD Application.Read.All New Indicator
4.0.259168 1.168.0 2024/12/12 Application name and geographic location additional contexts are disabled on MFA AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access policy with Continuous Access Evaluation disabled AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Administrative units are not being used AAD AdministrativeUnit.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access policies contain private IP addresses AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check for guests having permission to invite other guests AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.160.0 2024/12/12 Users or devices inactive for at least 90 days AAD User.Read.All, Device.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check if legacy authentication is allowed AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access policies that contain MFA Trusted IPs AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Privileged group contains guest account AAD User.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check for risky API permissions granted to application service principals AAD Application.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Check for users with weak or no MFA AAD Reports.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Security defaults not enabled AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Unrestricted user consent allowed AAD Policy.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Custom banned password protection not in use AAD Directory.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access Policy that disable admin token persistence AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Application expired secrets and certificates AAD Application.Read.All Updated
4.0.259168 1.168.0 2024/12/12 FIDO2 Attestation is not enforced AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Entra Connect sync account password reset AAD AuditLog.Read.All, Directory.Read.All, User.Read.All, RoleManagement.Read.Directory Updated
4.0.259168 1.168.0 2024/12/12 Global Administrators that signed in during the last 14 days AAD RoleManagement.Read.All, User.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Guest users are not restricted AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Guest accounts that were inactive for more than 30 days AAD User.Read.All, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Less than 2 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.168.0 2024/12/12 MFA bombing attack occurred in the past day AAD AuditLog.Read.All, Directory.Read.All, RoleManagement.Read.All Updated
4.0.259168 1.168.0 2024/12/12 More than 10 Privileged Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.171.0 2024/12/12 More than 5 Global Administrators exist AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.176.0 2024/12/12 Password hash synchronization is not enabled AAD OnPremDirectorySynchronization.Read.All New Indicator
4.0.259168 1.168.0 2024/12/12 Permanent Active Privileged Role Assignment AAD RoleManagement.Read.Directory, RoleEligibilitySchedule.Read.Directory, Directory.Read.All, Application.Read.All, GroupMember.Read.All, User.Read.All New Indicator
4.0.259168 1.193.0 2024/12/12 Privileged accounts with mailbox AAD RoleManagement.Read.All, RoleManagement.Read.Directory, Directory.Read.All, MailboxSettings.Read New Indicator
4.0.259168 1.162.0 2024/12/12 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All Updated
4.0.259168 1.170.0 2024/12/12 Conditional Access Policy does not require MFA on privileged accounts AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access Policy that does not require MFA when sign-in risk has been identified AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Conditional Access Policy that does not require a password change from high risk users AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.259168 1.182.0 2024/12/12 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Security questions are in use AAD Reports.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Enterprise applications using SAML for SSO AAD Application.Read.All Updated
4.0.259168 1.158.0 2024/12/12 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.259168 1.168.0 2024/12/12 Self-service password reset enabled for privileged roles AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Suspicious Directory Synchronization Accounts role member AAD Directory.Read.All, RoleManagement.Read.Directory, AuditLog.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Unprivileged owner of a privileged group AAD RoleManagement.Read.Directory, Directory.Read.All, GroupMember.Read.All, PrivilegedEligibilitySchedule.Read.AzureADGroup New Indicator
4.0.259168 1.168.0 2024/12/12 Users are not using their privileged roles AAD RoleEligibilitySchedule.Read.Directory, GroupMember.Read.All, Directory.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Users can create security groups AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Non-admin users can create tenants AAD Policy.Read.All Updated
4.0.259168 1.168.0 2024/12/12 Non-admin users can register custom applications AAD Policy.Read.All Updated
4.0.259168 1.188.0 2024/12/12 Ensure all non-privileged users can complete MFA AAD AuditLog.Read.All, User.Read.All New Indicator
4.0.259168 1.158.0 2024/12/12 Abnormal Password Refresh AD Updated
4.0.259168 1.180.0 2024/12/12 Unexpected accounts in Cert Publishers Group AD Updated
4.0.259168 1.158.0 2024/12/12 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.259168 1.186.0 2024/12/12 Inheritance enabled on AdminSDHolder object AD Updated
4.0.259168 1.158.0 2024/12/12 Permission changes on AdminSDHolder object AD Updated
4.0.259168 1.158.0 2024/12/12 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.259168 1.158.0 2024/12/12 Changes to default security descriptor schema in the last 90 days AD Updated
4.0.259168 1.158.0 2024/12/12 Computers with older OS versions AD Updated
4.0.259168 1.158.0 2024/12/12 Computers with password last set over 90 days ago AD Updated
4.0.259168 1.158.0 2024/12/12 Domain Controllers with old passwords AD Updated
4.0.259168 1.164.0 2024/12/12 Print spooler service is enabled on a DC AD Updated
4.0.259168 1.186.0 2024/12/12 Domain Controller owner is not an administrator AD Updated
4.0.259168 1.168.0 2024/12/12 Suspicious credentials on Microsoft service principals AAD Application.Read.All Updated
4.0.259168 1.158.0 2024/12/12 Enabled admin accounts that are inactive AD Updated
4.0.259168 1.186.0 2024/12/12 Enterprise Key Admins with full access to domain AD Updated
4.0.259168 1.158.0 2024/12/12 Ephemeral Admins AD Updated
4.0.259168 1.152.0 2024/12/12 FGPP not applied to Global group AD Updated
4.0.259168 1.158.0 2024/12/12 gMSA objects with old passwords AD Updated
4.0.259168 1.161.0 2024/12/12 Non-privileged users with access to gMSA passwords AD Updated
4.0.259168 1.183.0 2024/12/12 GPO Weak LM Hash storage enabled AD Updated
4.0.259168 1.158.0 2024/12/12 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.259168 1.158.0 2024/12/12 Kerberos KRBTGT account with old password AD Updated
4.0.259168 1.158.0 2024/12/12 AD objects created within the last 10 days AD Updated
4.0.259168 1.158.0 2024/12/12 Recent privileged account creation activity AD Updated
4.0.259168 1.186.0 2024/12/12 Non-standard schema permissions AD Updated
4.0.259168 1.158.0 2024/12/12 Users with old passwords AD Updated
4.0.259168 1.158.0 2024/12/12 Admins with old passwords AD Updated
4.0.259168 1.156.0 2024/12/12 Changes to privileged group membership in the last 7 days AD Updated
4.0.259168 1.158.0 2024/12/12 Recent SIDHistory changes on objects AD Updated
4.0.259168 1.167.0 2024/12/12 Shadow Credentials on privileged objects AD Updated
4.0.259168 1.158.0 2024/12/12 SYSVOL Executable Changes AD Updated
4.0.259168 1.158.0 2024/12/12 Trust accounts with old passwords AD Updated
4.0.259168 1.186.0 2024/12/12 Privileged objects with unprivileged owners AD Updated
4.0.220574 1.129.0 2024/09/10 Certificate-Based Authentication Persistence AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, Application.Read.All Updated
4.0.220574 1.128.0 2024/09/10 MFA not configured for privileged accounts AAD RoleManagement.Read.Directory, Reports.Read.All Updated
4.0.220574 1.130.0 2024/09/10 Non-synced Entra user that is eligible for a privileged role AAD User.Read.All, RoleManagement.Read.Directory, Directory.Read.All, Organization.Read.All Updated
4.0.220574 1.139.0 2024/09/10 Entra tenant is susceptible to Hidden Consent Grant attack AAD Directory.Read.All, Policy.Read.All New Indicator
4.0.220574 1.143.0 2024/09/10 Entra ID privileged users that are also privileged in AD AAD, AD RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.Read.All Updated
4.0.220574 1.143.0 2024/09/10 AD privileged users that are synced to Entra ID AAD, AD User.Read.All Updated
4.0.220574 1.147.0 2024/09/10 Prohibited Entra ID Roles Assigned AAD RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All New Indicator
4.0.220574 1.143.0 2024/09/10 Resource Based Constrained Delegation applied to AZUREADSSOACC account AAD, AD Updated
4.0.220574 1.135.0 2024/09/10 Entra custom Roles with risky permissions AAD RoleManagement.Read.Directory Updated
4.0.220574 1.132.0 2024/09/10 List of Risky users (medium or high level) AAD IdentityRiskyUser.Read.All, Organization.Read.All Updated
4.0.220574 1.143.0 2024/09/10 SSO computer account with password last set over 90 days ago AAD, AD Updated
4.0.220574 1.143.0 2024/09/10 Abnormal Password Refresh AD Updated
4.0.220574 1.143.0 2024/09/10 Unexpected accounts in Cert Publishers Group AD Updated
4.0.220574 1.143.0 2024/09/10 Built-in domain Administrator account with old password (180 days) AD Updated
4.0.220574 1.143.0 2024/09/10 Inheritance enabled on AdminSDHolder object AD Updated
4.0.220574 1.143.0 2024/09/10 Permission changes on AdminSDHolder object AD Updated
4.0.220574 1.143.0 2024/09/10 Built-in domain Administrator account used within the last two weeks AD Updated
4.0.220574 1.143.0 2024/09/10 Accounts with altSecurityIdentities configured AD Updated
4.0.220574 1.143.0 2024/09/10 Computers with older OS versions AD Updated
4.0.220574 1.143.0 2024/09/10 Computers with password last set over 90 days ago AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Computer Accounts in Privileged Groups AD Updated
4.0.220574 1.143.0 2024/09/10 Computer or user accounts with SPN that have unconstrained delegation AD Updated
4.0.220574 1.143.0 2024/09/10 Accounts with Constrained Delegation configured to krbtgt AD Updated
4.0.220574 1.143.0 2024/09/10 Dangerous Trust Attribute Set AD Updated
4.0.220574 1.143.0 2024/09/10 Print spooler service is enabled on a DC AD Updated
4.0.220574 1.143.0 2024/09/10 Evidence of Mimikatz DCShadow attack AD Updated
4.0.220574 1.143.0 2024/09/10 Accounts with Constrained Delegation configured to ghost SPN AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged users that are disabled AD Updated
4.0.220574 1.143.0 2024/09/10 Unsecured DNS configuration AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers in inconsistent state AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controller owner is not an administrator AD Updated
4.0.220574 1.143.0 2024/09/10 Domains with obsolete functional levels AD Updated
4.0.220574 1.143.0 2024/09/10 Non-default access to DPAPI key AD Updated
4.0.220574 1.131.0 2024/09/10 Suspicious credentials on Microsoft service principals AAD Application.Read.All New Indicator
4.0.220574 1.143.0 2024/09/10 Enabled admin accounts that are inactive AD Updated
4.0.220574 1.143.0 2024/09/10 Enterprise Key Admins with full access to domain AD Updated
4.0.220574 1.143.0 2024/09/10 Ephemeral Admins AD Updated
4.0.220574 1.143.0 2024/09/10 FGPP not applied to Global group AD Updated
4.0.220574 1.143.0 2024/09/10 Foreign Security Principals in Privileged Group AD Updated
4.0.220574 1.143.0 2024/09/10 gMSA not in use AD Updated
4.0.220574 1.143.0 2024/09/10 gMSA objects with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Non-privileged users with access to gMSA passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Writable shortcuts found in GPO AD Updated
4.0.220574 1.143.0 2024/09/10 Dangerous GPO logon script path AD Updated
4.0.220574 1.143.0 2024/09/10 GPO with Scheduled Tasks configured AD Updated
4.0.220574 1.143.0 2024/09/10 Dangerous user rights granted by GPO AD Updated
4.0.220574 1.143.0 2024/09/10 GPO Weak LM Hash storage enabled AD New Indicator
4.0.220574 1.143.0 2024/09/10 Reversible passwords found in GPOs AD Updated
4.0.220574 1.143.0 2024/09/10 Built-in guest account is enabled AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers that have not authenticated to the domain for more than 45 days AD Updated
4.0.220574 1.143.0 2024/09/10 Users with permissions to set Server Trust Account AD Updated
4.0.220574 1.143.0 2024/09/10 Kerberos KRBTGT account with old password AD Updated
4.0.220574 1.143.0 2024/09/10 Query policies that have the attribute of LDAP deny list set AD Updated
4.0.220574 1.143.0 2024/09/10 LDAP signing is not required on Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 Forest contains more than 50 privileged accounts AD Updated
4.0.220574 1.143.0 2024/09/10 AD objects created within the last 10 days AD Updated
4.0.220574 1.143.0 2024/09/10 Recent privileged account creation activity AD Updated
4.0.220574 1.143.0 2024/09/10 Unprivileged accounts with adminCount=1 AD Updated
4.0.220574 1.143.0 2024/09/10 Users and computers with non-default Primary Group IDs AD Updated
4.0.220574 1.143.0 2024/09/10 Users and computers without readable PGID AD Updated
4.0.220574 1.143.0 2024/09/10 NTFRS SYSVOL Replication AD Updated
4.0.220574 1.143.0 2024/09/10 Objects in privileged groups without adminCount=1 (SDProp) AD Updated
4.0.220574 1.143.0 2024/09/10 Objects with constrained delegation configured AD Updated
4.0.220574 1.143.0 2024/09/10 Principals with constrained authentication delegation enabled for a DC service AD Updated
4.0.220574 1.143.0 2024/09/10 Kerberos protocol transition delegation configured AD Updated
4.0.220574 1.143.0 2024/09/10 Principals with constrained delegation using protocol transition enabled for a DC service AD Updated
4.0.220574 1.143.0 2024/09/10 Users with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Admins with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Operators Groups that are not empty AD Updated
4.0.220574 1.143.0 2024/09/10 Outbound forest trust with SID History enabled AD Updated
4.0.220574 1.143.0 2024/09/10 Domain trust to a third-party domain without quarantine AD Updated
4.0.220574 1.143.0 2024/09/10 Changes to Pre-Windows 2000 Compatible Access Group membership AD Updated
4.0.220574 1.143.0 2024/09/10 Users with SPN defined AD Updated
4.0.220574 1.143.0 2024/09/10 Primary users with SPN not supporting AES encryption on Kerberos AD Updated
4.0.220574 1.143.0 2024/09/10 Changes to privileged group membership in the last 7 days AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged users with SPN defined AD Updated
4.0.220574 1.143.0 2024/09/10 Protected Users group not in use AD Updated
4.0.220574 1.143.0 2024/09/10 Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) AD Updated
4.0.220574 1.143.0 2024/09/10 Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.220574 1.143.0 2024/09/10 krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled AD Updated
4.0.220574 1.143.0 2024/09/10 Write access to RBCD on DC AD Updated
4.0.220574 1.143.0 2024/09/10 Write access to RBCD on krbtgt account AD Updated
4.0.220574 1.143.0 2024/09/10 RC4 or DES encryption type are supported by Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 Recent SIDHistory changes on objects AD Updated
4.0.220574 1.143.0 2024/09/10 Non-default principals with DC Sync rights on the domain AD Updated
4.0.220574 1.150.0 2024/09/10 Risky RODC credential caching AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged user credentials cached on RODC AD Updated
4.0.220574 1.143.0 2024/09/10 Shadow Credentials on privileged objects AD Updated
4.0.220574 1.144.1 2024/09/10 Well-known privileged SIDs in SIDHistory AD Updated
4.0.220574 1.143.0 2024/09/10 SMB Signing is not required on Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 SMBv1 is enabled on Domain Controllers AD Updated
4.0.220574 1.143.0 2024/09/10 SYSVOL Executable Changes AD Updated
4.0.220574 1.143.0 2024/09/10 Trust accounts with old passwords AD Updated
4.0.220574 1.143.0 2024/09/10 Unprivileged principals as DNS Admins AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged objects with unprivileged owners AD Updated
4.0.220574 1.148.0 2024/09/10 Users with the attribute userPassword set AD New Indicator
4.0.220574 1.143.0 2024/09/10 Unprivileged users can add computer accounts to the domain AD Updated
4.0.220574 1.143.0 2024/09/10 User accounts that use DES encryption AD Updated
4.0.220574 1.143.0 2024/09/10 Users with Password Never Expires flag set AD Updated
4.0.220574 1.143.0 2024/09/10 Privileged accounts with a password that never expires AD Updated
4.0.220574 1.143.0 2024/09/10 User accounts with password not required AD Updated
4.0.220574 1.143.0 2024/09/10 User accounts that store passwords with reversible encryption AD Updated
4.0.220574 1.143.0 2024/09/10 Users with Kerberos pre-authentication disabled AD Updated
4.0.220574 1.146.0 2024/09/10 GPO linking delegation at the AD Site level AD Updated
4.0.220574 1.146.0 2024/09/10 GPO linking delegation at the domain controller OU level AD Updated
4.0.220574 1.143.0 2024/09/10 GPO linking delegation at the domain level AD Updated