Detection rules › Kusto Query Language

Microsoft Entra ID Health Monitoring Agent Registry Keys Access

Author: Microsoft Security Research
Source: upstream

'This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml '

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1005` Data from Local System

Event coverage

Provider	Event ID	Title
Security-Auditing	4656	A handle to an object was requested.
Security-Auditing	4663	An attempt was made to access an object.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 4 branches

Microsoft Entra ID Health Monitoring Agent Registry Keys Access

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `extend`

Stage 6: `project-away`

Keyboard Shortcuts

Microsoft Entra ID Health Monitoring Agent Registry Keys Access

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: extend

Stage 4: extend

Stage 5: extend

Stage 6: project-away

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `extend`

Stage 6: `project-away`