Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Categories

Analytic Rules

[Deprecated] - Alert for IOCs related to WindowsELF malware - IP Hash IOCs - September 2021

Impact
T1496

[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022

Persistence
T1137

[Deprecated] - Cadet Blizzard Actor IOC - January 2022

Impact
T1561

[Deprecated] - Caramel Tsunami Actor IOC - July 2021

Persistence
T1546

[Deprecated] - Chia_Crypto_Mining - Domain Process Hash and IP IOCs - June 2021

Impact
T1496

[Deprecated] - Denim Tsunami AV Detection

Execution
T1203

[Deprecated] - Denim Tsunami C2 Domains July 2022

Command and Control
T1071

[Deprecated] - Denim Tsunami File Hashes July 2022

Execution
T1203

[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021

Initial Access
T1190

[Deprecated] - Dev-0530 IOC - July 2022

Impact
T1486

[Deprecated] - Emerald Sleet domains included in DCU takedown

Command and Control Credential Access

[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match

Initial Access
T1190

[Deprecated] - Hive Ransomware IOC - July 2022

Impact
T1486

[Deprecated] - Known Barium domains

Command and Control

[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes

Command and Control Execution
T1071 T1204

[Deprecated] - Known Diamond Sleet related maldoc hash

Command and Control Credential Access

[Deprecated] - Known Granite Typhoon domains and hashes

Command and Control Credential Access

[Deprecated] - Known Manganese IP and UserAgent activity

Initial Access Collection
T1133 T1114

[Deprecated] - Known Mint Sandstorm group domainsIP - October 2020

Command and Control Initial Access
T1071 T1566

[Deprecated] - Known Nylon Typhoon domains and hashes

Command and Control
T1071

[Deprecated] - Known Phosphorus group domainsIP

Command and Control
T1071

[Deprecated] - Known Plaid Rain IP

Command and Control

[Deprecated] - Known Ruby Sleet domains and hashes

Command and Control Credential Access

[Deprecated] - Known Seashell Blizzard IP

Command and Control

[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021

Command and Control
T1102

[Deprecated] - Midnight Blizzard - Domain Hash and IP IOCs - May 2021

Command and Control Execution
T1102 T1204

[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor

Collection
T1005

[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

Execution
T1203

[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020

Credential Access
T1110

[Deprecated] - Silk Typhoon UM Service writing suspicious file

Initial Access
T1190

[Deprecated] - Solorigate Domains Found in VM Insights

Command and Control
T1102

[Deprecated] - Solorigate Network Beacon

Command and Control
T1102

[Deprecated] - SUNSPOT log file creation

Persistence
T1554

[Deprecated] - Tarrask malware IOC - April 2022

Persistence
T1053

[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022

Persistence
T1546

[Deprecated] -Known Barium IP

Command and Control

[Deprecated] Explicit MFA Deny

Credential Access
T1110

1Password - Changes to firewall rules

Defense Evasion
T1562

1Password - Changes to SSO configuration

Persistence
T1556

1Password - Disable MFA factor or type for all user accounts

Defense Evasion
T1556

1Password - Log Ingestion Failure

Defense Evasion
T1562

1Password - Manual account creation

Persistence
T1136

1Password - New service account integration created

Persistence
T1136

1Password - Non-privileged vault user permission change

Persistence
T1098

1Password - Potential insider privilege escalation via group

Privilege Escalation
T1078

1Password - Potential insider privilege escalation via vault

Privilege Escalation
T1078

1Password - Privileged vault permission change

Persistence
T1098

1Password - Secret extraction post vault access change by administrator

Credential Access
T1555

1Password - Service account integration token adjustment

Defense Evasion
T1134

1Password - Successful anomalous sign-in

Initial Access
T1078

1Password - User account MFA settings changed

Persistence Defense Evasion
T1556

1Password - User added to privileged group

Persistence
T1098

1Password - Vault export

Credential Access
T1555

1Password - Vault export post account creation

Credential Access Persistence
T1555 T1136

1Password - Vault export prior to account suspension or deletion

Credential Access
T1555

A client made a web request to a potentially harmful file ASIM Web Session schema

Security Others
Initial Access
T1189

A host is potentially running a crypto miner ASIM Web Session schema

Security Threat Protection
Impact
T1496

A host is potentially running a hacking tool ASIM Web Session schema

Security Threat Protection
Execution Discovery Lateral Movement Collection Command and Control Exfiltration
T1059 T1046 T1021 T1557 T1102 T1020

A host is potentially running PowerShell to send HTTPS requests ASIM Web Session schema

Security Threat Protection
Command and Control Defense Evasion Execution
T1132 T1140 T1059

A potentially malicious web request was executed against a web server

Initial Access
T1190

Abnormal Deny Rate for Source IP

Initial Access Exfiltration Command and Control
T1190 T1041 T1568

Abnormal Port to Protocol

Exfiltration Command and Control
T1041 T1571

Access to AWS without MFA

Initial Access
T1078

Access Token Manipulation - Create Process with Token

Privilege Escalation Defense Evasion
T1134

Accessed files shared by temporary external user

Initial Access
T1566

Account added and removed from privileged groups

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

Account Created and Deleted in Short Timeframe

Initial Access
T1078

Account created from non-approved sources

Security Others Identity
Persistence
T1136

Account created or deleted by non-approved user

Initial Access
T1078

Account Creation

Persistence
T1136

Account Elevated to New Role

Persistence
T1078

AD account with Dont Expire Password

Security Others Identity
Persistence
T1098

AD FS Abnormal EKU object identifier attribute

Security Others Identity
Credential Access
T1552

AD FS Remote Auth Sync Connection

Collection
T1005

AD FS Remote HTTP Network Connection

Collection
T1005

AD user enabled and password not set within 48 hours

Persistence
T1098

Addition of a Temporary Access Pass to a Privileged Account

Security Threat Protection Identity
Persistence
T1078

ADFS Database Named Pipe Connection

Collection
T1005

ADFS DKM Master Key Export

Security Others Identity
Collection
T1005

Admin password not updated in 30 days

Initial Access
T1078

Admin promotion after Role Management Application Permission Grant

Privilege Escalation Persistence
T1098 T1078

Admin SaaS account detected

Initial Access Privilege Escalation
T1078

AdminSDHolder Modifications

Security Others
Persistence
T1078

AFD WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

AFD WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Affected rows stateful anomaly on database

Impact
T1485 T1565 T1491

AIShield - Image classification AI Model Evasion high suspicious vulnerability detection

AIShield - Image classification AI Model Evasion low suspicious vulnerability detection

AIShield - Image classification AI Model extraction high suspicious vulnerability detection

AIShield - Image Segmentation AI Model extraction high suspicious vulnerability detection

AIShield - Natural language processing AI model extraction high suspicious vulnerability detection

AIShield - Tabular classification AI Model Evasion high suspicious vulnerability detection

AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection

AIShield - Tabular classification AI Model extraction high suspicious vulnerability detection

AIShield - Timeseries Forecasting AI Model extraction high suspicious vulnerability detection

Alarming number of anomalies generated in NetBackup

Discovery Credential Access

Alsid Active Directory attacks pathways

Credential Access
T1110

Alsid DCShadow

Defense Evasion
T1207

Alsid DCSync

Credential Access
T1003

Alsid Golden Ticket

Credential Access
T1558

Alsid Indicators of Attack

Credential Access
T1110

Alsid Indicators of Exposures

Credential Access
T1110

Alsid LSASS Memory

Credential Access
T1003

Alsid Password Guessing

Credential Access
T1110

Alsid Password issues

Credential Access
T1110

Alsid Password Spraying

Credential Access
T1110

Alsid privileged accounts issues

Credential Access
T1110

Alsid user accounts issues

Credential Access
T1110

Anomalous login followed by Teams action

Security Others
Initial Access Persistence
T1199 T1136 T1078 T1098

Anomalous sign-in location by user account and authenticating application

Initial Access
T1078

Anomalous Single Factor Signin

Security Others
Initial Access
T1078

Anomalous User Agent connection attempt

Security Threat Protection
Initial Access
T1190

Anomaly found in Network Session Traffic ASIM Network Session schema

Command and Control Discovery Exfiltration Lateral Movement
T1095 T1071 T1046 T1030 T1210

Anomaly in SMB TrafficASIM Network Session schema

Lateral Movement
T1021 T1021

Anomaly Sign In Event from an IP

Identity
Initial Access
T1078

Antivirus Detected an Infected File

Impact
T1203

Apache - Apache 2449 flaw CVE-2021-41773

Initial Access Lateral Movement
T1190 T1133 T1210

Apache - Command in URI

Initial Access
T1190 T1133

Apache - Known malicious user agent

Initial Access
T1190 T1133

Apache - Multiple client errors from single IP

Initial Access
T1190 T1133

Apache - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Apache - Private IP in URL

Initial Access
T1190 T1133

Apache - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Apache - Request from private IP

Impact Initial Access
T1498 T1190 T1133

Apache - Request to sensitive files

Initial Access
T1189

Apache - Requests to rare files

Initial Access
T1190 T1133

ApexOne - Attack Discovery Detection

Initial Access
T1190

ApexOne - CC callback events

Command and Control
T1071

ApexOne - Commands in Url

Initial Access
T1190 T1133

ApexOne - Device access permissions was changed

Privilege Escalation
T1078

ApexOne - Inbound remote access connection

Lateral Movement
T1021

ApexOne - Multiple deny or terminate actions on single IP

Initial Access
T1190

ApexOne - Possible exploit or execute operation

Privilege Escalation Persistence
T1546

ApexOne - Spyware with failed response

Initial Access
T1190

ApexOne - Suspicious commandline arguments

Execution
T1059

ApexOne - Suspicious connections

Command and Control
T1102

API - Account Takeover

Credential Access Discovery
T1110 T1087

API - Anomaly Detection

Reconnaissance
T1593 T1589

API - API Scraping

Reconnaissance Collection
T1593 T1119

API - BOLA

Exfiltration
T1020

API - Invalid host access

Reconnaissance
T1592

API - JWT validation

Initial Access Credential Access
T1190 T1528

API - Kiterunner detection

Reconnaissance Discovery
T1595 T1580 T1083

API - Password Cracking

Credential Access
T1110 T1555 T1187

API - Rate limiting

Impact
T1499

API - Rate limiting

Discovery Initial Access
T1087 T1190

API - Suspicious Login

Credential Access Initial Access
T1110 T1190

App Gateway WAF - Scanner Detection

Defense Evasion Execution Initial Access Reconnaissance Discovery
T1548 T1203 T1190 T1595 T1046

App Gateway WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

App Gateway WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

App GW WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

App GW WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Application Gateway WAF - SQLi Detection

Security Threat Protection Platform
Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Application Gateway WAF - XSS Detection

Security Threat Protection Platform
Initial Access Execution
T1189 T1203 T0853

Application ID URI Changed

Security Others
Persistence Privilege Escalation
T1078

Application Redirect URL Update

Security Others
Persistence Privilege Escalation
T1078

AppServices AV Scan Failure

Security Others Platform

AppServices AV Scan with Infected Files

Security Others Platform

Aqua Blizzard AV hits - Feb 2022

Persistence
T1137

ARGOS Cloud Security - Exploitable Cloud Resources

Initial Access
T1190

Armorblox Needs Review Alert

ASR Bypassing Writing Executable Content

Defense Evasion
T1211

Atlassian Beacon Alert

Attempt to bypass conditional access rule in Microsoft Entra ID

Initial Access Persistence
T1078 T1098

Attempts to sign in to disabled accounts

Initial Access
T1078

Audit policy manipulation using auditpol utility

Security Others
Execution
T1204

Authentication Attempt from New Country

Security Others
Initial Access
T1078

Authentication Method Changed for Privileged Account

Persistence
T1098

Authentication Methods Changed for Privileged Account

Persistence
T1098

Authentications of Privileged Accounts Outside of Expected Controls

Security Others Identity
Initial Access
T1078

Auto Generated Page

Initial Access
T1566

Automatic image scanning disabled for ECR

Defense Evasion
T1562

AV detections related to Dev-0530 actors

Security Others
Impact
T1486

AV detections related to Europium actors

Security Threat Intelligence
Impact
T1486

AV detections related to Hive Ransomware

Security Others
Impact
T1486

AV detections related to SpringShell Vulnerability

Initial Access
T1190

AV detections related to Tarrask malware

Persistence
T1053

AV detections related to Ukraine threats

Impact
T1485

AV detections related to Zinc actors

Impact
T1486

Awake Security - High Match Counts By Device

Awake Security - High Severity Matches By Device

Awake Security - Model With Multiple Destinations

AWS Config Service Resource Deletion Attempts

Defense Evasion
T1562 T1562

AWS Guard Duty Alert

AWS role with admin privileges

Initial Access
T1078

AWS role with shadow admin privileges

Initial Access
T1078

Azure DevOps Administrator Group Monitoring

Persistence
T1098

Azure DevOps Agent Pool Created Then Deleted

Defense Evasion
T1578

Azure DevOps Audit Detection for known malicious tooling

Collection
T1119

Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

Azure DevOps Build Variable Modified by New User

Defense Evasion
T1578

Azure DevOps New Extension Added

Persistence
T1505

Azure DevOps PAT used with Browser

Credential Access
T1528

Azure DevOps Personal Access Token PAT misuse

Execution Impact
T1496 T1559

Azure DevOps Pipeline Created and Deleted on the Same Day

Execution
T1072

Azure DevOps Pipeline modified by a new user

Execution Defense Evasion
T1578 T1569

Azure DevOps Pull Request Policy Bypassing - Historic allow list

Persistence
T1098

Azure DevOps Retention Reduced

Defense Evasion
T1564

Azure DevOps Service Connection Abuse

Persistence Impact
T1098 T1496

Azure DevOps Service Connection AdditionAbuse - Historic allow list

Persistence Impact
T1098 T1496

Azure DevOps Variable Secret Not Secured

Credential Access
T1552

Azure Diagnostic settings removed from a resource

Security Others Platform
Defense Evasion
T1562

Azure Key Vault access TimeSeries anomaly

Credential Access
T1003

Azure Machine Learning Write Operations

Initial Access Execution Impact
T1078 T1059 T1496

Azure Portal sign in from another Azure Tenant

Initial Access
T1199

Azure RBAC Elevate Access

Privilege Escalation
T1078

Azure secure score admin MFA

Impact
T1529 T1498

Azure secure score block legacy authentication

Credential Access
T1212 T1556

Azure secure score MFA registration V2

Credential Access
T1056

Azure secure score one admin

Impact
T1529

Azure secure score PW age policy new

Credential Access
T1555 T1606 T1040

Azure secure score role overlap

Impact
T1529

Azure Secure Score Self Service Password Reset

Impact
T1529

Azure secure score sign in risk policy

Impact
T1529

Azure secure score user risk policy

Impact
T1529

Azure Security Benchmark Posture Changed

Discovery
T1082

Azure VM Run Command operation executed during suspicious login window

Security Others Platform
Lateral Movement Credential Access
T1570 T1212

Azure VM Run Command operations executing a unique PowerShell script

Security Others Identity
Lateral Movement Execution
T1570 T1059

Azure WAF matching for Log4j vulnCVE-2021-44228

Initial Access
T1190

Base64 encoded Windows process command-lines

Execution Defense Evasion
T1059 T1027 T1140

Base64 encoded Windows process command-lines Normalized Process Events

Security Threat Protection
Execution Defense Evasion
T1059 T1027 T1140

Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains

Command and Control
T1071

Bitglass - Impossible travel distance

Initial Access
T1078

Bitglass - Login from new device

Initial Access
T1078

Bitglass - Multiple failed logins

Credential Access
T1110

Bitglass - Multiple files shared with external entity

Exfiltration
T1567

Bitglass - New admin user

Privilege Escalation
T1078

Bitglass - New risky user

Initial Access
T1078

Bitglass - Suspicious file uploads

Exfiltration
T1567

Bitglass - The SmartEdge endpoint agent was uninstalled

Defense Evasion
T1070

Bitglass - User Agent string has changed for user

Initial Access
T1078

Bitglass - User login from new geo location

Initial Access
T1078

Bitsadmin Activity

Persistence Command and Control Exfiltration
T1197 T1105 T1048

BitSight - compromised systems detected

Execution

BitSight - diligence risk category detected

Execution Reconnaissance

BitSight - drop in company ratings

Reconnaissance Command and Control

BitSight - drop in the headline rating

Reconnaissance Command and Control

BitSight - new alert found

Impact Initial Access
T1491 T1190

BitSight - new breach found

Impact Initial Access
T1491 T1190

BloodHound Enterprise - Exposure increase

BloodHound Enterprise - Number of critical attack paths increase

BloodHound Enterprise - Number of Tier Zero assets increase

Box - Abmormal user activity

Collection
T1530

Box - Executable file in folder

Initial Access
T1189

Box - File containing sensitive data

Exfiltration
T1048

Box - Forbidden file type downloaded

Initial Access
T1189

Box - Inactive user login

Initial Access
T1078

Box - Item shared to external entity

Exfiltration
T1537

Box - Many items deleted by user

Impact
T1485

Box - New external user

Initial Access Persistence
T1078

Box - User logged in as admin

Privilege Escalation
T1078

Box - User role changed to owner

Privilege Escalation
T1078

Brand Abuse

Resource Development Initial Access
T1583 T1566

Brand Impersonation - HIGH

Resource Development Initial Access
T1583 T1566

Brand Impersonation - INFO

Resource Development Initial Access
T1583 T1566

Brute force attack against a Cloud PC

Credential Access
T1110

Brute force attack against Azure Portal

Credential Access
T1110

Brute Force Attack against GitHub Account

Credential Access
T1110

Brute force attack against user credentials

Credential Access
T1110

Brute force attack against user credentials Uses Authentication Normalization

Security Others Identity
Credential Access
T1110

BTP - Failed access attempts across multiple BAS subaccounts

Reconnaissance Discovery
T1595 T1526

BTP - Malware detected in BAS dev space

Resource Development Execution Persistence
T1584 T1072 T0873

BTP - Mass user deletion in a sub account

Impact
T1531 T1485 T1489 T0813 T0826 T0827

BTP - Trust and authorization Identity Provider monitor

Credential Access Privilege Escalation
T1606 T1556 T1134

BTP - User added to sensitive privileged role collection

Lateral Movement Privilege Escalation
T0859 T1078

Bulk Changes to Privileged Account Permissions

Privilege Escalation
T1078

C2-NamedPipe

Command and Control
T1105

Caramel Tsunami Actor IOC - July 2021

Persistence
T1546

CDM_ContinuousDiagnosticsMitigation_Posture

Discovery
T1082

CDM_ContinuousDiagnosticsMitigation_PostureChanged

Discovery
T1082

Certified Pre-Owned - backup of CA private key - rule 1

Defense Evasion
T1036

Certified Pre-Owned - backup of CA private key - rule 2

Defense Evasion
T1036

Certified Pre-Owned - TGTs requested with certificate authentication

Defense Evasion
T1036

Changes made to AWS CloudTrail logs

Defense Evasion
T1070

Changes to Amazon VPC settings

Privilege Escalation Lateral Movement
T1078 T1563

Changes to Application Logout URL

Security Others
Persistence Privilege Escalation
T1078

Changes to Application Ownership

Security Others
Persistence Privilege Escalation
T1078

Changes to AWS Elastic Load Balancer security groups

Persistence
T1098

Changes to AWS Security Group ingress and egress settings

Persistence
T1098

Changes to internet facing AWS RDS Database instances

Persistence
T1098

Changes to PIM Settings

Security Others Identity
Privilege Escalation
T1078

Chia_Crypto_Mining IOC - June 2021

Impact
T1496

Cisco - firewall block but success logon to Microsoft Entra ID

Security Network
Initial Access
T1078

Cisco ASA - average attack detection rate increase

Discovery Impact
T1046 T1498

Cisco ASA - threat detection message fired

Discovery Impact
T1046 T1498

Cisco Duo - AD sync failed

Impact
T1489

Cisco Duo - Admin password reset

Persistence
T1078

Cisco Duo - Admin user created

Persistence Privilege Escalation
T1078

Cisco Duo - Admin user deleted

Impact
T1531

Cisco Duo - Authentication device new location

Initial Access
T1078

Cisco Duo - Multiple admin 2FA failures

Initial Access
T1078

Cisco Duo - Multiple user login failures

Initial Access
T1078

Cisco Duo - Multiple users deleted

Impact
T1531

Cisco Duo - New access device

Initial Access
T1078

Cisco Duo - Unexpected authentication factor

Initial Access
T1078

Cisco SDWAN - Intrusion Events

Initial Access
T1190 T1189

Cisco SDWAN - IPS Event Threshold

Initial Access
T1190 T1189

Cisco SDWAN - Maleware Events

Resource Development
T1587

Cisco SDWAN - Monitor Critical IPs

Command and Control
T1071

Cisco SE - Connection to known C2 server

Command and Control
T1071

Cisco SE - Dropper activity on host

Execution
T1204

Cisco SE - Generic IOC

Execution
T1204

Cisco SE - Malware execusion on host

Execution
T1204

Cisco SE - Malware outbreak

Initial Access
T1190 T1133

Cisco SE - Multiple malware on host

Initial Access
T1190 T1133

Cisco SE - Policy update failure

Defense Evasion
T1562

Cisco SE - Possible webshell

Command and Control
T1102

Cisco SE - Ransomware Activity

Impact
T1486

Cisco SE - Unexpected binary file

Initial Access
T1190 T1133

Cisco SE High Events Last Hour

Execution Initial Access
T1204 T1190

Cisco SEG - DLP policy violation

Exfiltration
T1030

Cisco SEG - Malicious attachment not blocked

Initial Access
T1566

Cisco SEG - Multiple large emails sent to external recipient

Exfiltration
T1030

Cisco SEG - Multiple suspiciuos attachments received

Initial Access
T1566

Cisco SEG - Possible outbreak

Initial Access
T1566

Cisco SEG - Potential phishing link

Initial Access
T1566

Cisco SEG - Suspicious link

Initial Access
T1566

Cisco SEG - Suspicious sender domain

Initial Access
T1566

Cisco SEG - Unexpected attachment

Initial Access
T1566

Cisco SEG - Unexpected link

Initial Access
T1566

Cisco SEG - Unscannable attacment

Initial Access
T1566

Cisco Umbrella - Connection to non-corporate private network

Command and Control Exfiltration

Cisco Umbrella - Connection to Unpopular Website Detected

Command and Control

Cisco Umbrella - Crypto Miner User-Agent Detected

Command and Control

Cisco Umbrella - Empty User Agent Detected

Command and Control

Cisco Umbrella - Hack Tool User-Agent Detected

Command and Control

Cisco Umbrella - Rare User Agent Detected

Command and Control

Cisco Umbrella - Request Allowed to harmfulmalicious URI category

Command and Control Initial Access

Cisco Umbrella - Request to blocklisted file type

Initial Access

Cisco Umbrella - URI contains IP address

Command and Control

Cisco Umbrella - Windows PowerShell User-Agent Detected

Command and Control Defense Evasion

Cisco WSA - Access to unwanted site

Initial Access
T1566

Cisco WSA - Internet access from public IP

Initial Access
T1189

Cisco WSA - Multiple attempts to download unwanted file

Initial Access
T1189

Cisco WSA - Multiple errors to resource from risky category

Initial Access Command and Control
T1189 T1102

Cisco WSA - Multiple errors to URL

Command and Control
T1102

Cisco WSA - Multiple infected files

Initial Access
T1189

Cisco WSA - Suspected protocol abuse

Exfiltration
T1048

Cisco WSA - Unexpected file type

Initial Access
T1189

Cisco WSA - Unexpected uploads

Exfiltration
T1567

Cisco WSA - Unexpected URL

Command and Control
T1102

Cisco WSA - Unscannable file or scan error

Initial Access
T1189

CiscoISE - Command executed with the highest privileges from new IP

Initial Access Persistence Privilege Escalation Defense Evasion Execution
T1133 T1548 T1059

CiscoISE - Attempt to delete local store logs

Defense Evasion
T1070

CiscoISE - Backup failed

Impact
T1490

CiscoISE - Certificate has expired

Credential Access
T1552

CiscoISE - Command executed with the highest privileges by new user

Initial Access Persistence Privilege Escalation Defense Evasion Execution
T1133 T1548 T1059

CiscoISE - Device changed IP in last 24 hours

Command and Control
T1568

CiscoISE - Device PostureStatus changed to non-compliant

Privilege Escalation Persistence
T1098

CiscoISE - ISE administrator password has been reset

Persistence Privilege Escalation
T1098

CiscoISE - Log collector was suspended

Defense Evasion
T1562

CiscoISE - Log files deleted

Defense Evasion
T1070

Claroty - Asset Down

Impact
T1529

Claroty - Critical baseline deviation

Impact
T1529

Claroty - Login to uncommon location

Initial Access
T1190 T1133

Claroty - Multiple failed logins by user

Initial Access
T1190 T1133

Claroty - Multiple failed logins to same destinations

Initial Access
T1190 T1133

Claroty - New Asset

Initial Access
T1190 T1133

Claroty - Policy violation

Discovery
T1018

Claroty - Suspicious activity

Discovery
T1018

Claroty - Suspicious file transfer

Discovery
T1018

Claroty - Treat detected

Discovery
T1018

Clearing of forensic evidence from event logs using wevtutil

Defense Evasion
T1070

ClientDeniedAccess

Credential Access
T1110

Cloudflare - Bad client IP

Initial Access
T1190 T1133

Cloudflare - Client request from country in blocklist

Initial Access
T1190 T1133

Cloudflare - Empty user agent

Initial Access
T1190 T1133

Cloudflare - Multiple error requests from single source

Initial Access
T1190 T1133

Cloudflare - Multiple user agents for single source

Initial Access
T1190 T1133

Cloudflare - Unexpected client request

Initial Access
T1190 T1133

Cloudflare - Unexpected POST requests

Persistence Command and Control
T1505 T1071

Cloudflare - Unexpected URI

Initial Access
T1190 T1133

Cloudflare - WAF Allowed threat

Initial Access
T1190 T1133

Cloudflare - XSS probing pattern in request

Initial Access
T1190 T1133

CloudFormation policy created then used for privilege escalation

Privilege Escalation
T1484

CMMC 20 Level 1 Foundational Readiness Posture

Discovery
T1082

CMMC 20 Level 2 Advanced Readiness Posture

Discovery
T1082

Code Repository

Initial Access
T1195

Cognni Incidents for Highly Sensitive Business Information

Collection
T1530

Cognni Incidents for Highly Sensitive Financial Information

Collection
T1530

Cognni Incidents for Highly Sensitive Governance Information

Collection
T1530

Cognni Incidents for Highly Sensitive HR Information

Collection
T1530

Cognni Incidents for Highly Sensitive Legal Information

Collection
T1530

Cognni Incidents for Low Sensitivity Business Information

Collection
T1530

Cognni Incidents for Low Sensitivity Financial Information

Collection
T1530

Cognni Incidents for Low Sensitivity Governance Information

Collection
T1530

Cognni Incidents for Low Sensitivity HR Information

Collection
T1530

Cognni Incidents for Low Sensitivity Legal Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Business Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Financial Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Governance Information

Collection
T1530

Cognni Incidents for Medium Sensitivity HR Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Legal Information

Collection
T1530

COM Event System Loading New DLL

Security Others
Privilege Escalation
T1543

COM Registry Key Modified to Point to File in Color Profile Folder

Security Others
Persistence
T1574

Commvault Cloud Alert

Defense Evasion Impact
T1578 T1531

Component Object Model Hijacking - Vault7 trick

Persistence Privilege Escalation
T1546

Compromised Cards

Reconnaissance
T1589

Conditional Access Policy Modified by New User

Security Others
Defense Evasion
T1078

Contrast Blocks

Initial Access Exfiltration
T1566

Contrast Exploits

Initial Access Exfiltration
T1566

Contrast Probes

Initial Access Exfiltration
T1566

Contrast Suspicious

Initial Access Exfiltration
T1566

Cookies HttpOnly Flag Not Used

Credential Access
T1606

Cookies SameSite Flag Not Used

Initial Access
T1190 T1566

Cookies Secure Flag Not Used

Credential Access
T1539

Corelight - C2 DGA Detected Via Repetitive Failures

Command and Control
T1568

Corelight - External Proxy Detected

Defense Evasion Command and Control
T1090

Corelight - Forced External Outbound SMB

Credential Access
T1187

Corelight - Multiple Compressed Files Transferred over HTTP

Exfiltration
T1567

Corelight - Multiple files sent over HTTP with abnormal requests

Exfiltration
T1030

Corelight - Network Service Scanning Multiple IP Addresses

Initial Access
T1566

Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request

Initial Access
T1566

Corelight - Possible Webshell

Persistence
T1505

Corelight - Possible Webshell Rare PUT or POST

Persistence
T1505

Corelight - SMTP Email containing NON Ascii Characters within the Subject

Initial Access
T1566

Correlate Unfamiliar sign-in properties atypical travel alerts

Initial Access
T1078

Cortex XDR Incident - High

Cortex XDR Incident - Low

Cortex XDR Incident - Medium

Create Incident for XDR Alerts

Create Incidents from IronDefense

Created CRUD S3 policy and then privilege escalation

Privilege Escalation
T1484

Creating keys with encrypt policy without MFA

Impact
T1485

Creation of CRUD DynamoDB policy and then privilege escalation

Privilege Escalation
T1484

Creation of CRUD KMS policy and then privilege escalation

Privilege Escalation
T1484

Creation of CRUD Lambda policy and then privilege escalation

Privilege Escalation
T1484

Creation of DataPipeline policy and then privilege escalation

Privilege Escalation
T1484

Creation of EC2 policy and then privilege escalation

Privilege Escalation
T1484

Creation of expensive computes in Azure

Defense Evasion
T1578

Creation of Glue policy and then privilege escalation

Privilege Escalation
T1484

Creation of Lambda policy and then privilege escalation

Privilege Escalation
T1484

Creation of new CRUD IAM policy and then privilege escalation

Privilege Escalation
T1484

Creation of SSM policy and then privilege escalation

Privilege Escalation
T1484

Credential added after admin consented to Application

Credential Access Persistence Privilege Escalation
T1555 T1098

Credential Dumping Tools - File Artifacts

Credential Access
T1003

Credential Dumping Tools - Service Installation

Credential Access
T1003

Credential errors stateful anomaly on database

Initial Access
T1190

CreepyDrive request URL sequence

Security Others
Exfiltration Command and Control
T1567 T1102

CreepyDrive URLs

Security Others
Exfiltration Command and Control
T1567 T1102

Critical or High Severity Detections by User

Critical Risks

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Critical Severity Detection

Critical Threat Detected

Lateral Movement
T1210

Cross-Cloud Password Spray detection

Credential Access
T1110

Cross-Cloud Suspicious Compute resource creation in GCP

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery Lateral Movement
T1566 T1059 T1078 T1547 T1548 T1069 T1552

Cross-Cloud Suspicious user activity observed in GCP Envourment

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery
T1566 T1059 T1078 T1046 T1547 T1548 T1069 T1552

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login

Credential Access Initial Access
T1557 T1110 T1110 T1110 T1606 T1556 T1133

Cross-tenant Access Settings Organization Added

Cross-tenant Access Settings Organization Added

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Deleted

Cross-tenant Access Settings Organization Deleted

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

CTERA Mass Access Denied Detection Analytic

Defense Evasion
T1562

CTERA Mass Deletions Detection Analytic

Impact
T1485

CTERA Mass Permissions Changes Detection Analytic

Privilege Escalation
T1068

CyberArkEPM - Attack attempt not blocked

Execution
T1204

CyberArkEPM - MSBuild usage as LOLBin

Defense Evasion
T1127

CyberArkEPM - Multiple attack types

Execution
T1204

CyberArkEPM - Possible execution of Powershell Empire

Execution
T1204

CyberArkEPM - Process started from different locations

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Renamed Windows binary

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Uncommon process Internet access

Execution Defense Evasion Command and Control
T1204 T1036 T1095

CyberArkEPM - Uncommon Windows process started from System folder

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable extension

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable location

Execution Defense Evasion
T1204 T1036

Cynerio - Exploitation Attempt of IoT device

Lateral Movement
T0866

Cynerio - IoT - Default password

Credential Access
T1552

Cynerio - IoT - Weak password

Credential Access
T1552

Cynerio - Medical device scanning

Lateral Movement
T0866

Cynerio - Suspicious Connection to External Address

Lateral Movement
T0866

Darktrace AI Analyst

Darktrace Model Breach

Darktrace System Status

Dataminr - urgent alerts detected

Persistence
T1546

Dataverse - Anomalous application user activity

Credential Access Execution Persistence
T1528 T1569 T0871 T0834 T0859

Dataverse - Audit log data deletion

Defense Evasion
T1070

Dataverse - Audit logging disabled

Defense Evasion
T1562

Dataverse - Bulk record ownership re-assignment or sharing

Privilege Escalation
T1548

Dataverse - Executable uploaded to SharePoint document management site

Execution Persistence
T0863 T0873

Dataverse - Export activity from terminated or notified employee

Exfiltration
T1567 T1048

Dataverse - Guest user exfiltration following Power Platform defense impairment

Defense Evasion Exfiltration
T1629 T1567

Dataverse - Hierarchy security manipulation

Privilege Escalation
T1548 T1078

Dataverse - Honeypot instance activity

Discovery Exfiltration
T1538 T1526 T1567

Dataverse - Login by a sensitive privileged user

Initial Access Credential Access Privilege Escalation
T1133 T1190 T1078 T1212

Dataverse - Login from IP in the block list

Initial Access
T1190 T1133 T1078

Dataverse - Login from IP not in the allow list

Initial Access
T1078 T1190 T1133

Dataverse - Malware found in SharePoint document management site

Execution
T1204

Dataverse - Mass deletion of records

Impact
T1485

Dataverse - Mass download from SharePoint document management

Exfiltration
T1567

Dataverse - Mass export of records to Excel

Exfiltration
T1567

Dataverse - Mass record updates

Impact
T1641 T1485 T1565

Dataverse - New Dataverse application user activity type

Credential Access Execution Privilege Escalation
T1635 T0871 T1078

Dataverse - New non-interactive identity granted access

Persistence Lateral Movement Privilege Escalation
T1098 T0859 T1078

Dataverse - New sign-in from an unauthorized domain

Initial Access
T1078 T1190 T1133

Dataverse - New user agent type that was not used before

Initial Access Defense Evasion
T1078 T0866 T0819 T1036

Dataverse - New user agent type that was not used with Office 365

Initial Access
T1190 T1133

Dataverse - Organization settings modified

Persistence
T1078

Dataverse - Removal of blocked file extensions

Defense Evasion
T1629

Dataverse - SharePoint document management site added or updated

Exfiltration
T1567 T1537

Dataverse - Suspicious security role modifications

Privilege Escalation
T1404 T1626 T1548

Dataverse - Suspicious use of TDS endpoint

Exfiltration Initial Access
T1048 T1190

Dataverse - Suspicious use of Web API

Execution Exfiltration Reconnaissance Discovery
T1106 T1567 T1595 T1526 T1580

Dataverse - Terminated employee exfiltration over email

Exfiltration
T1639 T1567

Dataverse - Terminated employee exfiltration to USB drive

Exfiltration
T1052

Dataverse - TI map IP to DataverseActivity

Initial Access Lateral Movement Discovery
T1078 T1199 T1133 T0886 T0859 T1428 T1021 T1210 T1526 T1580

Dataverse - TI map URL to DataverseActivity

Initial Access Execution Persistence
T1566 T1456 T1474 T0819 T0865 T0862 T0863 T1204 T1574 T0873

Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection

Defense Evasion
T1629

Dataverse - User bulk retrieval outside normal activity

Exfiltration
T1048

DCOM Lateral Movement

Lateral Movement
T1021

DDoS Attack IP Addresses - Percent Threshold

Impact
T1498

DDoS Attack IP Addresses - PPS Threshold

Impact
T1498

Decoy User Account Authentication Attempt

Lateral Movement
T1021

Deimos Component Execution

Execution Collection Exfiltration
T1059 T1005 T1020

Deletion of data on multiple drives using cipher exe

Impact
T1485

Denial of Service Microsoft Defender for IoT

Inhibit Response Function
T0814

Detect AWS IAM Users

Privilege Escalation
T1078

Detect CoreBackUp Deletion Activity from related Security Alerts

Impact
T1496

Detect DNS queries reporting multiple errors from different clients - Anomaly Based ASIM DNS Solution

Command and Control
T1568 T1573 T1008

Detect DNS queries reporting multiple errors from different clients - Static threshold based ASIM DNS Solution

Command and Control
T1568 T1573 T1008

Detect excessive NXDOMAIN DNS queries - Anomaly based ASIM DNS Solution

Command and Control
T1568 T1008

Detect excessive NXDOMAIN DNS queries - Static threshold based ASIM DNS Solution

Command and Control
T1568 T1008

Detect instances of multiple client errors occurring within a brief period of time ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect instances of multiple server errors occurring within a brief period of time ASIM Web Session

Initial Access Impact
T1190 T1133 T1498

Detect known risky user agents ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect Local File InclusionLFI in web requests ASIM Web Session

Initial Access Execution
T1190 T1133 T1059

Detect Malicious Usage of Recovery Tools to Delete Backup Files

Impact
T1490

Detect NET runtime being loaded in JScript for code execution

Execution
T1204

Detect PIM Alert Disabling activity

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

Detect port misuse by anomaly based detection ASIM Network Session schema

Command and Control Lateral Movement Execution Initial Access
T1095 T1059 T1203 T1190

Detect port misuse by static threshold ASIM Network Session schema

Command and Control Execution Initial Access
T1095 T1059 T1203 T1190

Detect potential file enumeration activity ASIM Web Session

Discovery Command and Control Credential Access
T1083 T1071 T1110

Detect Potential Kerberoast Activities

Credential Access
T1558

Detect potential presence of a malicious file with a double extension ASIM Web Session

Defense Evasion Persistence Command and Control
T1036 T1505 T1071

Detect presence of private IP addresses in URLs ASIM Web Session

Exfiltration Command and Control
T1041 T1071 T1001

Detect presence of uncommon user agents in web requests ASIM Web Session

Initial Access
T1190 T1133

Detect Print Processors Registry Driver Key CreationModification

Persistence Privilege Escalation
T1547

Detect Registry Run Key CreationModification

Persistence Privilege Escalation Defense Evasion
T1547 T1112

Detect requests for an uncommon resources on the web ASIM Web Session

Command and Control
T1102 T1071

Detect Suspicious Commands Initiated by Webserver Processes

Execution Defense Evasion Discovery
T1059 T1574 T1087 T1082

Detect threat information in web requests ASIM Web Session

Initial Access
T1190 T1133

Detect unauthorized data transfers using timeseries anomaly ASIM Web Session

Exfiltration
T1030

Detect URLs containing known malicious keywords or commands ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect web requests to potentially harmful files ASIM Web Session

Initial Access Persistence Execution
T1133 T1203 T1566

Detect Windows Allow Firewall Rule AdditionModification

Defense Evasion
T1562

Detect Windows Update Disabled from Registry

Defense Evasion
T1562

Detecting Impossible travel with mailbox permission tampering Privilege Escalation attempt

Security Others Identity
Initial Access Privilege Escalation
T1078 T1548

Detecting Macro Invoking ShellBrowserWindow COM Objects

Lateral Movement
T1021

Detecting UAC bypass - ChangePK and SLUI registry tampering

Impact
T1490

Detecting UAC bypass - elevated COM interface

Impact
T1490

Detecting UAC bypass - modify Windows Store settings

Impact
T1490

Detection of Malicious URLs in Syslog Events

Lateral Movement Execution
T1072

Detection of Malware C2 Domains in DNS Events

Command and Control
T1071

Detection of Malware C2 Domains in Syslog Events

Command and Control
T1071

Detection of Malware C2 IPs in Azure Act Events

Command and Control
T1071

Detection of Malware C2 IPs in DNS Events

Command and Control
T1071

Detection of Specific Hashes in CommonSecurityLog

Resource Development
T1587

Dev-0228 File Path Hashes November 2021

Security 0 Day Vulnerability
Credential Access Execution
T1569 T1003

Dev-0228 File Path Hashes November 2021 ASIM Version

Security Threat Intelligence
Credential Access Execution
T1569 T1003

Dev-0270 Malicious Powershell usage

Exfiltration Defense Evasion
T1048 T1562

DEV-0270 New User Creation

Persistence
T1098

Dev-0270 Registry IOC - September 2022

Impact
T1486

Dev-0270 WMIC Discovery

Discovery
T1482

Dev-0530 File Extension Rename

Security Others
Impact
T1486

Device Registration from Malicious IP

Persistence
T1098

Digital Guardian - Bulk exfiltration to external domain

Exfiltration
T1048

Digital Guardian - Exfiltration to external domain

Exfiltration
T1048

Digital Guardian - Exfiltration to online fileshare

Exfiltration
T1048

Digital Guardian - Exfiltration to private email

Exfiltration
T1048

Digital Guardian - Exfiltration using DNS protocol

Exfiltration
T1048

Digital Guardian - Incident with not blocked action

Exfiltration
T1048

Digital Guardian - Multiple incidents from user

Exfiltration
T1048

Digital Guardian - Possible SMTP protocol abuse

Exfiltration
T1048

Digital Guardian - Sensitive data transfer over insecure channel

Exfiltration
T1048

Digital Guardian - Unexpected protocol

Exfiltration
T1048

Digital Shadows Incident Creation for exclude-app

Digital Shadows Incident Creation for include-app

Disable or Modify Windows Defender

Defense Evasion
T1562

Disabling Security Services via Registry

Defense Evasion
T1562

Discord CDN Risky File Download

Command and Control
T1071

Discord CDN Risky File Download ASIM Web Session Schema

Security Threat Protection
Command and Control
T1071

Disks Alerts From Prancer

Reconnaissance
T1595

Distributed Password cracking attempts in Microsoft Entra ID

Credential Access
T1110

DMARC Not Configured

Collection
T1114

DNS events related to mining pools

Impact
T1496

DNS events related to mining pools ASIM DNS Schema

Security Network
Impact
T1496

DNS events related to ToR proxies

Exfiltration
T1048

DNS events related to ToR proxies ASIM DNS Schema

Security Network
Exfiltration
T1048

Domain Infringement

Reconnaissance Initial Access
T1590 T1566

Doppelpaymer Stop Services

Execution Defense Evasion
T1059 T1562

DopplePaymer Procdump

Credential Access
T1003

Dragos Notifications

Drop attempts stateful anomaly on database

Initial Access
T1190

DSRM Account Abuse

Security Others
Persistence
T1098

Dumping LSASS Process Into a File

Credential Access
T1003

Dynatrace - Problem detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Attack detection

Execution Impact Initial Access Privilege Escalation
T1059 T1565 T1190 T1068

Dynatrace Application Security - Code-Level runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Non-critical runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Third-Party runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

EatonForeseer - Unauthorized Logins

Initial Access
T1078

ECR image scan findings high or critical

Execution
T1204

Egress Defend - Dangerous Attachment Detected

Execution Initial Access Persistence Privilege Escalation
T1204 T0853 T0863 T1566 T1546

Egress Defend - Dangerous Link Click

Execution
T1204 T0853

Email access via active sync

Security Threat Protection
Privilege Escalation
T1068 T1078

Employee account deleted

Impact
T1485

Empty group with entitlements

Privilege Escalation Persistence
T1098

End-user consent stopped due to risk-based consent

Security Others
Persistence Privilege Escalation
T1078

Europium - Hash and IP IOCs - September 2022

Security Threat Intelligence
Command and Control Credential Access
T1071 T1003

Excessive Amount of Denied Connections from a Single Source

Impact
T1499

Excessive Blocked Traffic Events Generated by User

Exfiltration Command and Control Lateral Movement
T1041 T1132 T1001 T1021

Excessive Denied Proxy Traffic

Defense Evasion Command and Control
T1090 T1562

Excessive Failed Authentication from Invalid Inputs

Credential Access
T1110

Excessive Login Attempts Microsoft Defender for IoT

Impair Process Control
T0806

Excessive number of failed connections from a single source ASIM Network Session schema

Impact
T1499

Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Security Others
Persistence Credential Access
T1110 T1556

Excessive NXDOMAIN DNS Queries

Command and Control
T1568 T1008

Excessive NXDOMAIN DNS Queries ASIM DNS Schema

Security Network
Command and Control
T1568 T1008

Excessive share permissions

Collection Discovery
T1039 T1135

Excessive Windows Logon Failures

Credential Access
T1110

Exchange AuditLog Disabled

Defense Evasion
T1562

Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Initial Access
T1190

Exchange Server Suspicious File Downloads

Application
Initial Access
T1190

Exchange SSRF Autodiscover ProxyShell - Detection

Security Others
Initial Access
T1190

Exchange Worker Process Making Remote Call

Application
Execution
T1059 T1059

Exchange workflow MailItemsAccessed operation anomaly

Collection
T1114

Execution attempts stateful anomaly on database

Initial Access
T1190

Execution of software vulnerable to webp buffer overflow of CVE-2023-4863

Execution
T1203

Executive Impersonation

Initial Access
T1566

Expired access credentials being used in Azure

Credential Access
T1528

Exposed Admin Login Page

Initial Access
T1190

Exposed Email Address

Resource Development
T1586

Exposed User List

Resource Development
T1586

External Fabric Module XFM1 is unhealthy

Execution
T0871

External guest invitation followed by Microsoft Entra ID PowerShell signin

Initial Access Persistence Discovery
T1078 T1136 T1087

External Upstream Source Added to Azure DevOps Feed

Initial Access
T1199

External User Access Enabled

Security Others Identity
Credential Access Persistence
T1098 T1556

External user added and removed in short timeframe

Persistence
T1136

Failed AWS Console logons but success logon to AzureAD

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to AWS Console

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to host

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed host logons but success logon to AzureAD

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed login attempts to Azure Portal

Credential Access
T1110

Failed Logins from Unknown or Invalid User

Credential Access
T1110

Failed logon attempts by valid accounts within 10 mins

Security Others Identity
Credential Access
T1110

Failed logon attempts in authpriv

Credential Access
T1110

Failed sign-ins into LastPass due to MFA

Initial Access
T1078 T1190

Fake computer account created

Security Others
Defense Evasion
T1564

Files Copied to USB Drives

Exfiltration
T1041

Firewall errors stateful anomaly on database

Initial Access
T1190

Firewall rule manipulation attempts stateful anomaly on database

Initial Access
T1190

Firmware Updates Microsoft Defender for IoT

Persistence
T0857

First access credential added to Application or Service Principal where no credential was present

Defense Evasion
T1550

Flare Cloud bucket result

Reconnaissance
T1593

Flare Darkweb result

Reconnaissance
T1597

Flare Google Dork result found

Reconnaissance
T1593

Flare Host result

Reconnaissance
T1596

Flare Infected Device

Credential Access
T1555

Flare Leaked Credentials

Credential Access
T1110

Flare Paste result

Reconnaissance
T1593

Flare Source Code found

Reconnaissance
T1593

Flare SSL Certificate result

Resource Development
T1583

Flow Logs Alerts for Prancer

Reconnaissance
T1595

FO - Bank account change following network alias reassignment

Credential Access Lateral Movement Privilege Escalation
T1556 T0859 T1078

FO - Mass update or deletion of user records

Impact
T1485 T1565 T1491

FO - Non-interactive account mapped to self or sensitive privileged user

Credential Access Persistence Privilege Escalation
T1556 T1098 T1136 T1078 T0859

FO - Reverted bank account number modifications

Impact
T1565 T1496 T0828 T0831

FO - Unusual sign-in activity using single factor authentication

Credential Access Initial Access
T1552 T1078

Forescout-DNS_Sniff_Event_Monitor

Fortinet - Beacon pattern detected

Security Network
Command and Control
T1071 T1571

Fortiweb - WAF Allowed threat

Initial Access
T1190 T1133

Front Door Premium WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Front Door Premium WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

Full Admin policy created and then attached to Roles Users or Groups

Privilege Escalation Defense Evasion
T1484

full_access_as_app Granted To Application

Defense Evasion
T1550

Gain Code Execution on ADFS Server via Remote WMI Execution

Security Others Identity
Lateral Movement
T1210

Gain Code Execution on ADFS Server via SMB Remote Service or Scheduled Task

Lateral Movement
T1210

GCP IAM - Disable Data Access Logging

Defense Evasion
T1562

GCP IAM - Empty user agent

Defense Evasion
T1550

GCP IAM - High privileged role added to service account

Privilege Escalation
T1078

GCP IAM - New Authentication Token for Service Account

Lateral Movement
T1550

GCP IAM - New Service Account

Persistence
T1136

GCP IAM - New Service Account Key

Lateral Movement
T1550

GCP IAM - Privileges Enumeration

Discovery
T1069

GCP IAM - Publicly exposed storage bucket

Discovery
T1069

GCP IAM - Service Account Enumeration

Discovery
T1087

GCP IAM - Service Account Keys Enumeration

Discovery
T1069

Generate alerts based on ExtraHop detections recommended for triage

Persistence
T1546

GitHub Activites from a New Country

Initial Access
T1078

GitHub Security Vulnerability in Repository

Initial Access Execution Privilege Escalation Defense Evasion Credential Access Lateral Movement
T1190 T1203 T1068 T1211 T1212 T1210

GitHub Security Vulnerability in Repository

GitHub Signin Burst from Multiple Locations

Credential Access
T1110

GitHub Two Factor Auth Disable

Defense Evasion
T1562

GitLab - Abnormal number of repositories deleted

Impact
T1485

GitLab - Brute-force Attempts

Credential Access
T1110

GitLab - External User Added to GitLab

Persistence
T1136

GitLab - Local Auth - No MFA

Credential Access
T1110

GitLab - Personal Access Tokens creation over time

Collection
T1213

GitLab - Repository visibility to Public

Persistence Defense Evasion Credential Access
T1556

GitLab - SSO - Sign-Ins Burst

Credential Access
T1110

GitLab - TI - Connection from Malicious IP

Initial Access
T1078

GitLab - User Impersonation

Persistence
T1078

Google DNS - CVE-2020-1350 SIGRED exploitation pattern

Privilege Escalation
T1068

Google DNS - CVE-2021-34527 PrintNightmare external exploit

Privilege Escalation
T1068

Google DNS - CVE-2021-40444 exploitation

Privilege Escalation
T1068

Google DNS - Exchange online autodiscover abuse

Initial Access Credential Access
T1566 T1187

Google DNS - IP check activity

Command and Control
T1095

Google DNS - Malicous Python packages

Initial Access
T1195

Google DNS - Multiple errors for source

Command and Control
T1095

Google DNS - Multiple errors to same domain

Command and Control
T1095

Google DNS - Possible data exfiltration

Exfiltration
T1567

Google DNS - Request to dynamic DNS service

Command and Control
T1095

Google DNS - UNC2452 Nobelium APT Group activity

Command and Control
T1095

GreyNoise TI Map IP Entity to CommonSecurityLog

Command and Control
T1071

GreyNoise TI Map IP Entity to DnsEvents

Command and Control
T1071

GreyNoise TI map IP entity to Network Session Events ASIM Network Session schema

Command and Control
T1071

GreyNoise TI map IP entity to OfficeActivity

Command and Control
T1071

GreyNoise TI Map IP Entity to SigninLogs

Command and Control
T1071

Group created then added to built in domain local or global group

Security Others
Persistence Privilege Escalation
T1098 T1078

GSA - Detect Abnormal Deny Rate for Source to Destination IP

Initial Access Exfiltration Command and Control

GSA - Detect Connections Outside Operational Hours

Initial Access
T1078 T1133

GSA - Detect Protocol Changes for Destination Ports

Defense Evasion Exfiltration Command and Control

GSA - Detect Source IP Scanning Multiple Open Ports

Discovery
T1046

GuardDuty detector disabled or suspended

Defense Evasion
T1562

Guardian- Additional check JSON Policy Violation Detection

Guardian- Ban Topic Policy Violation Detection

Guardian- BII Detection Policy Violation Detection

Guardian- Block Competitor Policy Violation Detection

Guardian- Blocks specific strings of text Policy Violation Detection

Guardian- Code Detection Policy Violation Detection

Guardian- Content Access Control Allowed List Policy Violation Detection

Guardian- Content Access Control Blocked List Policy Violation Detection

Guardian- Content Safety Profanity Policy Violation Detection

Guardian- Content Safety Toxicity Policy Violation Detection

Guardian- Gender Bias Policy Violation Detection

Guardian- Input Output Relevance Policy Violation Detection

Guardian- Input Rate Limiter Policy Violation Detection

Guardian- Invisible Text Policy Violation Detection

Guardian- Language Detection Policy Violation Detection

Guardian- Malicious URL Policy Violation Detection

Guardian- No LLM Output Policy Violation Detection

Guardian- Not Safe For Work Policy Violation Detection

Guardian- Privacy Protection PII Policy Violation Detection

Guardian- Racial Bias Policy Violation Detection

Guardian- Regex Policy Violation Detection

Guardian- Same InputOutput Language Detection Policy Violation Detection

Guardian- Secrets Policy Violation Detection

Guardian- Security Integrity Checks Prompt Injection Policy Violation Detection

Guardian- Sentiment Policy Violation Detection

Guardian- Special PII Detection Policy Violation Detection

Guardian- Token Limit Policy Violation Detection

Guardian- URL Detection Policy Violation Detection

Guardian- URL Reachability Policy Violation Detection

Guest accounts added in Entra ID Groups other than the ones specified

Guest accounts added in Entra ID Groups other than the ones specified

Initial Access Persistence Discovery
T1078 T1136 T1087

Guest Users Invited to Tenant by New Inviters

Security Others Identity
Persistence
T1078

GWorkspace - Admin permissions granted

Persistence
T1098

GWorkspace - Alert events

Initial Access
T1190 T1133

GWorkspace - An Outbound Relay has been added to a G Suite Domain

Collection
T1114

GWorkspace - API Access Granted

Defense Evasion Lateral Movement
T1550

GWorkspace - Multiple user agents for single source

Persistence Collection
T1185 T1176

GWorkspace - Possible brute force attack

Credential Access
T1110

GWorkspace - Possible maldoc file name in Google drive

Initial Access
T1566

GWorkspace - Two-step authentification disabled for a user

Credential Access
T1111

GWorkspace - Unexpected OS update

Defense Evasion Persistence
T1036 T1554

GWorkspace - User access has been changed

Persistence
T1098

Header Content Security Policy Missing

Initial Access
T1190 T1566

Header HTTP Strict Transport Security Missing

Credential Access Collection
T1557

Header Referrer-Policy Missing

Credential Access Collection
T1557

Header Web Server Exposed

Reconnaissance
T1592

Header X-Frame-Options Missing - Informational

Initial Access
T1189

Header X-Frame-Options Missing - Low

Initial Access
T1189

Header X-Frame-Options Missing - Medium

Initial Access
T1189

Header X-XSS-Protection Missing

Initial Access
T1189

High bandwidth in the network Microsoft Defender for IoT

Discovery
T0842

High count of connections by client IP on many ports

Security Network
Initial Access
T1190

High count of failed attempts from same client IP

Security Network Identity
Credential Access
T1110

High count of failed logons by a user

Security Others
Credential Access
T1110

High Number of Urgent Vulnerabilities Detected

Initial Access
T1190

High risk Office operation conducted by IP Address that recently attempted to log into a disabled account

Security Threat Intelligence Security Others Identity
Initial Access Persistence Collection
T1078 T1098 T1114

High Urgency IONIX Action Items

Initial Access
T1190 T1195

High-Risk Admin Activity

Persistence
T1098

High-Risk Cross-Cloud User Impersonation

Privilege Escalation
T1134 T1078 T1078

Highly Sensitive Password Accessed

Credential Access Discovery
T1555 T1087

Hijack Execution Flow - DLL Side-Loading

Persistence Privilege Escalation Defense Evasion
T1574

IaaS admin detected

Initial Access
T1078

IaaS policy not attached to any identity

Privilege Escalation Persistence
T1098

IaaS shadow admin detected

Initial Access
T1078

Identify instances where a single source is observed using multiple user agents ASIM Web Session

Initial Access Credential Access
T1190 T1133 T1528

Identify Mango Sandstorm powershell commands

Security Threat Intelligence
Lateral Movement
T1570

Identify SysAid Server web shell creation

Identify SysAid Server web shell creation

Security Others
Initial Access
T1190

Illegal Function Codes for ICS traffic Microsoft Defender for IoT

Impair Process Control
T0855

Illumio Enforcement Change Analytic Rule

Defense Evasion
T1562

Illumio Firewall Tampering Analytic Rule

Defense Evasion
T1562

Illumio VEN Clone Detection Rule

Defense Evasion
T1562

Illumio VEN Deactivated Detection Rule

Defense Evasion
T1562

Illumio VEN Offline Detection Rule

Defense Evasion
T1562

Illumio VEN Suspend Detection Rule

Defense Evasion
T1562

Illusive Incidents Analytic Rule

Persistence Privilege Escalation Defense Evasion Credential Access Lateral Movement
T1078 T1098 T1548 T1021

Imminent Ransomware

Defense Evasion Persistence
T1562 T1547

Imperva - Abnormal protocol usage

Initial Access
T1190 T1133

Imperva - Critical severity event not blocked

Initial Access
T1190 T1133

Imperva - Forbidden HTTP request method in request

Initial Access
T1190 T1133

Imperva - Malicious Client

Initial Access
T1190 T1133

Imperva - Malicious user agent

Initial Access
T1190 T1133

Imperva - Multiple user agents from same source

Initial Access
T1190 T1133

Imperva - Possible command injection

Initial Access
T1190 T1133

Imperva - Request from unexpected countries

Initial Access
T1190 T1133

Imperva - Request from unexpected IP address to admin panel

Initial Access
T1190 T1133

Imperva - Request to unexpected destination port

Initial Access
T1190 T1133

Infoblox - Data Exfiltration Attack

Impact
T1498 T1565

Infoblox - High Threat Level Query Not Blocked Detected

Impact
T1498 T1565

Infoblox - Many High Threat Level Queries From Single Host Detected

Impact
T1498 T1565

Infoblox - Many High Threat Level Single Query Detected

Impact
T1498 T1565

Infoblox - Many NXDOMAIN DNS Responses Detected

Impact
T1498 T1565

Infoblox - SOC Insight Detected - API Source

Impact
T1498 T1565

Infoblox - SOC Insight Detected - API Source

Impact
T1498 T1565

Infoblox - SOC Insight Detected - CDC Source

Impact
T1498 T1565

Infoblox - SOC Insight Detected - CDC Source

Impact
T1498 T1565

Infoblox - TI - CommonSecurityLog Match Found - MalwareC2

Impact
T1498 T1565

Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains

Impact
T1498 T1565

Infoblox - TI - Syslog Match Found - URL

Impact
T1498 T1565

Ingress Tool Transfer - Certutil

Command and Control Defense Evasion
T1105 T1564 T1027 T1140

Insider Risk_High User Security Alert Correlations

Execution
T1204

Insider Risk_High User Security Incidents Correlation

Execution
T1204

Insider Risk_Microsoft Purview Insider Risk Management Alert Observed

Execution
T1204

Insider Risk_Risky User Access By Application

Execution
T1204

Insider Risk_Sensitive Data Access Outside Organizational Geo-location

Exfiltration
T1567

Internet Access Microsoft Defender for IoT

Lateral Movement
T0886

IP address of Windows host encoded in web request

Security Others Networking
Exfiltration Command and Control
T1041 T1071

IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN

Security Others Identity
Initial Access Credential Access
T1078 T1110

Jamf Protect - Alerts

Jamf Protect - Network Threats

Initial Access
T1133

Jamf Protect - Unified Logs

Java Executing cmd to run Powershell

Execution
T1059

Jira - Global permission added

Privilege Escalation
T1078

Jira - New site admin user

Initial Access
T1078

Jira - New site admin user

Persistence Privilege Escalation
T1078

Jira - New user created

Persistence
T1078

Jira - Permission scheme updated

Impact
T1531

Jira - Project roles changed

Impact
T1531

Jira - User removed from group

Impact
T1531

Jira - User removed from project

Impact
T1531

Jira - Users password changed multiple times

Persistence
T1078

Jira - Workflow scheme copied

Collection
T1213

Known Forest Blizzard group domains - July 2019

Security 0 Day Vulnerability
Command and Control
T1071

Known Malware Detected

Execution
T1204

Lateral Movement Risk - Role Chain Length

Privilege Escalation Persistence
T1098

Lateral Movement via DCOM

Lateral Movement
T1021

LaZagne Credential Theft

Credential Access
T1003

Leaked Credential

Credential Access Resource Development

Linked Malicious Storage Artifacts

Command and Control Exfiltration
T1071 T1567

Local Admin Group Changes

Persistence
T1098

Log4j vulnerability exploit aka Log4Shell IP IOC

Command and Control
T1071

Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

Lookout - New Threat events found

Discovery
T1057

LSASS Credential Dumping with Procdump

Credential Access
T1003

M2131_AssetStoppedLogging

Discovery
T1082

M2131_DataConnectorAddedChangedRemoved

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL0

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL1

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL2

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL3

Discovery
T1082

M2131_LogRetentionLessThan1Year

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL0

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL1

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL2

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL3

Discovery
T1082

M2131_RecommendedDatatableUnhealthy

Discovery
T1082

M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity

Security Threat Protection
Privilege Escalation
T1078

Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

MailRead Permissions Granted to Application

Persistence
T1098

Malformed user agent

Security Threat Protection
Initial Access Command and Control Execution
T1189 T1071 T1203

Malicious BEC Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malicious web application requests linked with Microsoft Defender for Endpoint formerly Microsoft Defender ATP alerts

Malicious web application requests linked with Microsoft Defender for Endpoint formerly Microsoft Defender ATP alerts

Security Others
Persistence
T1505

Malware attachment delivered

Initial Access
T1566

Malware Detected

Execution
T1204

Malware in the recycle bin

Defense Evasion
T1564

Malware in the recycle bin Normalized Process Events

Security Threat Protection
Defense Evasion
T1564

Malware Link Clicked

Initial Access
T1566

Mass Cloud resource deletions Time Series Anomaly

Impact
T1485

Mass Download copy to USB device by single user

Security Others
Exfiltration
T1052

Mass secret retrieval from Azure Key Vault

Credential Access
T1003

Match Legitimate Name or Location - 2

Defense Evasion
T1036

McAfee ePO - Agent Handler down

Defense Evasion
T1562

McAfee ePO - Attempt uninstall McAfee agent

Defense Evasion
T1562 T1070

McAfee ePO - Deployment failed

Defense Evasion
T1562

McAfee ePO - Error sending alert

Defense Evasion
T1562 T1070

McAfee ePO - File added to exceptions

Defense Evasion
T1562 T1070

McAfee ePO - Firewall disabled

Defense Evasion Command and Control
T1562 T1071

McAfee ePO - Logging error occurred

Defense Evasion
T1562 T1070

McAfee ePO - Multiple threats on same host

Initial Access Persistence Defense Evasion Privilege Escalation
T1562 T1070 T1189 T1195 T1543 T1055

McAfee ePO - Scanning engine disabled

Defense Evasion
T1562 T1070

McAfee ePO - Spam Email detected

Initial Access
T1566

McAfee ePO - Task error

Defense Evasion
T1562 T1070

McAfee ePO - Threat was not blocked

Initial Access Privilege Escalation Defense Evasion
T1562 T1070 T1068 T1189 T1195

McAfee ePO - Unable to clean or delete infected file

Defense Evasion
T1562 T1070

McAfee ePO - Update failed

Defense Evasion
T1562 T1070

Mercury - Domain Hash and IP IOCs - August 2022

Security Threat Intelligence
Command and Control
T1071

MFA Fatigue OKTA

Credential Access
T1621

MFA Rejected by User

Initial Access
T1078

MFA Spamming followed by Successful login

Credential Access
T1110

Microsoft COVID-19 file hash indicator matches

Execution
T1204

Microsoft Defender for Endpoint MDE signatures for Azure Synapse pipelines and Azure Data Factory

Security Threat Protection
Initial Access
T1190

Microsoft Entra ID Health Monitoring Agent Registry Keys Access

Security Others Identity
Collection
T1005

Microsoft Entra ID Health Service Agents Registry Keys Access

Security Others Identity
Collection
T1005

Microsoft Entra ID Hybrid Health AD FS New Server

Defense Evasion
T1578

Microsoft Entra ID Hybrid Health AD FS Service Delete

Defense Evasion
T1578

Microsoft Entra ID Hybrid Health AD FS Suspicious Application

Credential Access Defense Evasion
T1528 T1550

Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access

Discovery
T1012

Microsoft Entra ID PowerShell accessing non-Entra ID resources

Initial Access
T1078

Microsoft Entra ID Rare UserAgent App Sign-in

Defense Evasion
T1036

Microsoft Entra ID Role Management Permission Grant

Persistence Impact
T1098 T1078

Microsoft Entra ID UserAgent OS Missmatch

Defense Evasion
T1036

Midnight Blizzard - Script payload stored in Registry

Security Threat Intelligence
Execution
T1059

Midnight Blizzard - suspicious rundll32exe execution of vbscript

Security Threat Intelligence
Persistence
T1547

Midnight Blizzard - suspicious rundll32exe execution of vbscript Normalized Process Events

Security Threat Protection
Persistence
T1547

Mimecast Audit - Logon Authentication Failed

Discovery Initial Access Credential Access
T1110

Mimecast Audit - Logon Authentication Failed

Discovery Initial Access Credential Access
T1110

Mimecast Data Leak Prevention - Hold

Exfiltration
T1030

Mimecast Data Leak Prevention - Hold

Exfiltration
T1030

Mimecast Data Leak Prevention - Notifications

Exfiltration
T1030

Mimecast Data Leak Prevention - Notifications

Exfiltration
T1030

Mimecast Secure Email Gateway - Attachment Protect

Collection Exfiltration Discovery Initial Access Execution
T1114 T1566 T0865

Mimecast Secure Email Gateway - Attachment Protect

Collection Exfiltration Discovery Initial Access Execution
T1114 T1566 T0865

Mimecast Secure Email Gateway - AV

Execution
T1053

Mimecast Secure Email Gateway - AV

Execution
T1053

Mimecast Secure Email Gateway - Impersonation Protect

Discovery Lateral Movement Collection
T1114

Mimecast Secure Email Gateway - Impersonation Protect

Discovery Lateral Movement Collection
T1114

Mimecast Secure Email Gateway - Internal Email Protect

Lateral Movement Persistence Exfiltration
T1534 T1546

Mimecast Secure Email Gateway - Internal Email Protect

Lateral Movement Persistence Exfiltration
T1534 T1546

Mimecast Secure Email Gateway - Spam Event Thread

Discovery
T1083

Mimecast Secure Email Gateway - Spam Event Thread

Discovery
T1083

Mimecast Secure Email Gateway - URL Protect

Initial Access Discovery Execution
T1566

Mimecast Secure Email Gateway - URL Protect

Initial Access Discovery Execution
T1566

Mimecast Secure Email Gateway - Virus

Execution
T1053

Mimecast Secure Email Gateway - Virus

Execution
T1053

Mimecast Targeted Threat Protection - Attachment Protect

Initial Access Discovery
T0865

Mimecast Targeted Threat Protection - Attachment Protect

Initial Access Discovery
T0865

Mimecast Targeted Threat Protection - Impersonation Protect

Exfiltration Collection Discovery
T1114

Mimecast Targeted Threat Protection - Impersonation Protect

Exfiltration Collection Discovery
T1114

Mimecast Targeted Threat Protection - URL Protect

Initial Access Discovery
T0865

Mimecast Targeted Threat Protection - URL Protect

Initial Access Discovery
T0865

Missing Domain Controller Heartbeat

Security Others
Impact Defense Evasion
T1499 T1564

Modification of Accessibility Features

Security Others
Persistence
T1546

Modified domain federation trust settings

Credential Access Persistence Privilege Escalation
T1555 T1098

Monitor AWS Credential abuse or hijacking

Discovery
T1087

MosaicLoader

Defense Evasion
T1562

Multi-Factor Authentication Disabled for a User

Credential Access Persistence
T1098 T1556

Multiple admin membership removals from newly created admin

Impact
T1531

Multiple failed attempts of NetBackup login

Credential Access Discovery
T1110 T1212

Multiple Password Reset by user

Security Others Identity
Initial Access Credential Access
T1078 T1110

Multiple RDP connections from Single System

Security Threat Protection
Lateral Movement
T1021

Multiple scans in the network Microsoft Defender for IoT

Discovery
T0842

Multiple Sources Affected by the Same TI Destination

Exfiltration Command and Control
T1041 T1071

Multiple Teams deleted by a single user

Impact
T1485 T1489

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

NetClean ProActive Incidents

Discovery
T1083

Netskope - WebTransaction Error Detection

Execution
T1204

Network ACL with all the open ports to a specified CIDR

Defense Evasion
T1562

Network endpoint to host executable correlation

Execution
T1204

Network Port Sweep from External Network ASIM Network Session schema

Reconnaissance Discovery
T1590 T1046

NetworkSecurityGroups Alert From Prancer

Reconnaissance
T1595

New access credential added to Application or Service Principal

Defense Evasion
T1550

New Agent Added to Pool by New User or Added to a New OS Type

Execution
T1053

New CloudShell User

Execution
T1059

New country signIn with correct password

Identity Security Threat Protection
Initial Access Credential Access
T1078 T1110

New DeviceLocation sign-in along with critical operation

Initial Access Persistence
T1078 T1556

New direct access policy was granted against organizational policy

Initial Access Privilege Escalation
T1078

New EXE deployed via Default Domain or Default Domain Controller Policies

Execution Lateral Movement
T1072 T1570

New EXE deployed via Default Domain or Default Domain Controller Policies ASIM Version

Security Threat Protection
Execution Lateral Movement
T1072 T1570

New executable via Office FileUploaded Operation

Command and Control Lateral Movement
T1105 T1570

New External User Granted Admin Role

Persistence
T1098

New High Severity Vulnerability Detected Across Multiple Hosts

Initial Access
T1190

New onmicrosoft domain added to tenant

Resource Development
T1585

New PA PCA or PCAS added to Azure DevOps

Initial Access
T1078

New service account gained access to IaaS resource

Initial Access
T1078

New Sonrai Ticket

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

New User Assigned to Privileged Role

Persistence
T1078

New user created and added to the built-in administrators group

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

New UserAgent observed in last 24 hours

Initial Access Command and Control Execution
T1189 T1071 T1203

NGINX - Command in URI

Initial Access
T1190 T1133

NGINX - Core Dump

Impact
T1499

NGINX - Known malicious user agent

Initial Access
T1190 T1133

NGINX - Multiple client errors from single IP address

Initial Access
T1190 T1133

NGINX - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

NGINX - Multiple user agents for single source

Initial Access
T1190 T1133

NGINX - Private IP address in URL

Initial Access
T1190 T1133

NGINX - Put file and get file from same IP address

Initial Access
T1190 T1133

NGINX - Request to sensitive files

Initial Access
T1189

NGINX - Sql injection patterns

Initial Access
T1190

Ngrok Reverse Proxy on Network ASIM DNS Solution

Command and Control
T1572 T1090 T1102

NIST SP 800-53 Posture Changed

Discovery
T1082

No traffic on Sensor Detected Microsoft Defender for IoT

Inhibit Response Function
T0881

Non Domain Controller Active Directory Replication

Credential Access
T1003

Non-admin guest

Initial Access
T1078

NRT Authentication Methods Changed for VIP Users

Persistence
T1098

NRT Authentication Methods Changed for VIP Users

NRT Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

NRT Base64 Encoded Windows Process Command-lines

Execution Defense Evasion
T1059 T1027 T1140

NRT Creation of expensive computes in Azure

Defense Evasion
T1578

NRT DNS events related to mining pools

Impact
T1496

NRT First access credential added to Application or Service Principal where no credential was present

NRT First access credential added to Application or Service Principal where no credential was present

Defense Evasion
T1550

NRT GitHub Two Factor Auth Disable

NRT GitHub Two Factor Auth Disable

Defense Evasion
T1562

NRT Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

NRT Malicious Inbox Rule

Security Threat Protection
Persistence Defense Evasion
T1098 T1078

NRT Microsoft Entra ID Hybrid Health AD FS New Server

Defense Evasion
T1578

NRT Modified domain federation trust settings

Credential Access Persistence Privilege Escalation
T1555 T1098

NRT Multiple users email forwarded to same destination

Security Threat Protection
Collection Exfiltration
T1114 T1020

NRT New access credential added to Application or Service Principal

Defense Evasion
T1550

NRT PIM Elevation Request Rejected

Persistence
T1078

NRT Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

NRT Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

NRT Security Event log cleared

Defense Evasion
T1070

NRT Sensitive Azure Key Vault operations

Impact
T1485

NRT Squid proxy events related to mining pools

Command and Control
T1102

NRT User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

OCI - Discovery activity

Discovery
T1580

OCI - Event rule deleted

Defense Evasion
T1070

OCI - Inbound SSH connection

Initial Access
T1190

OCI - Insecure metadata endpoint

Discovery
T1069

OCI - Instance metadata access

Discovery
T1069

OCI - Multiple instances launched

Impact
T1496

OCI - Multiple instances terminated

Impact
T1529

OCI - Multiple rejects on rare ports

Reconnaissance
T1595

OCI - SSH scanner

Reconnaissance
T1595

OCI - Unexpected user agent

Initial Access
T1190

Office Apps Launching Wscipt

Execution Collection Command and Control
T1059 T1105 T1203

Office ASR rule triggered from browser spawned office process

Initial Access
T1566

Office Policy Tampering

Persistence Defense Evasion
T1098 T1562

Office365 Sharepoint File transfer above threshold

Exfiltration
T1020

Office365 Sharepoint File transfer Folders above threshold

Exfiltration
T1020

Okta Fast Pass phishing Detection

Initial Access
T1566

OLE object manipulation attempts stateful anomaly on database

Initial Access
T1190

OMI Vulnerability Exploitation

Security Vulnerability Management
Initial Access
T1190

Oracle - Command in URI

Initial Access
T1190 T1133

Oracle - Malicious user agent

Initial Access
T1190 T1133

Oracle - Multiple client errors from single IP

Initial Access
T1190 T1133

Oracle - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Oracle - Multiple user agents for single source

Initial Access
T1190 T1133

Oracle - Oracle WebLogic Exploit CVE-2021-2109

Initial Access
T1190

Oracle - Private IP in URL

Initial Access
T1190 T1133

Oracle - Put file and get file from same IP address

Initial Access
T1190 T1133

Oracle - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Oracle - Request to sensitive files

Initial Access
T1189

Oracle suspicious command execution

Lateral Movement Privilege Escalation
T1210 T1611

OracleDBAudit - Connection to database from external IP

Initial Access Collection Exfiltration
T1190 T1133 T1078 T1119 T1029

OracleDBAudit - Connection to database from unknown IP

Initial Access
T1078

OracleDBAudit - Multiple tables dropped in short time

Impact
T1485

OracleDBAudit - New user account

Initial Access Persistence
T1078

OracleDBAudit - Query on Sensitive Table

Collection
T1005

OracleDBAudit - Shutdown Server

Impact
T1529

OracleDBAudit - SQL injection patterns

Initial Access
T1190

OracleDBAudit - Unusual user activity on multiple tables

Collection
T1119

OracleDBAudit - User activity after long inactivity time

Initial Access Persistence
T1078

OracleDBAudit - User connected to database from new IP

Initial Access
T1078

Outgoing connection attempts stateful anomaly on database

Initial Access
T1190

PAC high severity

Reconnaissance
T1595

Palo Alto - possible internal to external port scanning

Discovery
T1046

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto Prevention alert

Defense Evasion
T1562

Palo Alto Prisma Cloud - Access keys are not rotated for 90 days

Initial Access
T1078

Palo Alto Prisma Cloud - Anomalous access key usage

Initial Access
T1078

Palo Alto Prisma Cloud - High risk score alert

Initial Access
T1133

Palo Alto Prisma Cloud - High severity alert opened for several days

Initial Access
T1133

Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions

Initial Access
T1078

Palo Alto Prisma Cloud - Inactive user

Initial Access
T1078

Palo Alto Prisma Cloud - Maximum risk score alert

Initial Access
T1133

Palo Alto Prisma Cloud - Multiple failed logins for user

Credential Access
T1110

Palo Alto Prisma Cloud - Network ACL allow all outbound traffic

Initial Access
T1133

Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports

Initial Access
T1133

Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic

Initial Access
T1133

Palo Alto Threat signatures from Unusual IP addresses

Discovery Exfiltration Command and Control
T1046 T1030 T1071

Palo Alto WildFire Malware Detection

Defense Evasion
T1562

PaloAlto - Dropping or denying session with traffic

Initial Access
T1190 T1133

PaloAlto - File type changed

Initial Access
T1190 T1133

PaloAlto - Forbidden countries

Initial Access
T1190 T1133

PaloAlto - Inbound connection to high risk ports

Initial Access
T1190 T1133

PaloAlto - MAC address conflict

Initial Access
T1190 T1133

PaloAlto - Possible attack without response

Initial Access
T1190 T1133

PaloAlto - Possible flooding

Initial Access
T1190 T1133

PaloAlto - Possible port scan

Reconnaissance
T1595

PaloAlto - Put and post method request in high risk file type

Initial Access
T1190 T1133

PaloAlto - User privileges was changed

Initial Access
T1190 T1133

Password Exfiltration over SCIM application

Credential Access Initial Access
T1555 T1040 T1552

Password spray attack against ADFSSignInLogs

Credential Access
T1110

Password spray attack against Microsoft Entra ID application

Credential Access
T1110

Password spray attack against Microsoft Entra ID Seamless SSO

Credential Access
T1110

Password Spraying

Credential Access
T1110

PE file dropped in Color Profile Folder

Security Others
Execution
T1203

Phishing

Initial Access Reconnaissance

Phishing link click observed in Network Traffic

Security Threat Protection
Initial Access
T1566

PIM Elevation Request Rejected

Persistence
T1078

Ping Federate - Abnormal password reset attempts

Credential Access
T1110

Ping Federate - Abnormal password resets for user

Initial Access Persistence Privilege Escalation
T1078 T1098 T1134

Ping Federate - Authentication from new IP

Initial Access
T1078

Ping Federate - Forbidden country

Initial Access
T1078

Ping Federate - New user SSO success login

Initial Access Persistence
T1078 T1136

Ping Federate - OAuth old version

Initial Access
T1190

Ping Federate - Password reset request from unexpected source IP address

Initial Access
T1078

Ping Federate - SAML old version

Initial Access
T1190

Ping Federate - Unexpected authentication URL

Initial Access
T1078

Ping Federate - Unexpected country for user

Initial Access
T1078

Ping Federate - Unusual mail domain

Initial Access
T1078

PLC Stop Command Microsoft Defender for IoT

Defense Evasion
T0858

PLC unsecure key state Microsoft Defender for IoT

Execution
T0858

Policy version set to default

Initial Access
T1078

Port Scan

Discovery
T1046

Port Scan Detected

Discovery
T1046

Port scan detected ASIM Network Session schema

Discovery
T1046

Port Sweep

Discovery
T1046

Possible AiTM Phishing Attempt Against Microsoft Entra ID

Initial Access Defense Evasion Credential Access
T1078 T1557 T1111

Possible contact with a domain generated by a DGA

Security Others
Command and Control
T1568

Possible Phishing with CSL and Network Sessions

Initial Access Command and Control
T1566 T1102

Possible Resource-Based Constrained Delegation Abuse

Security Others Identity
Privilege Escalation
T1134

Possible SignIn from Azure Backdoor

Persistence
T1098

Potential beaconing activity ASIM Network Session schema

Command and Control
T1071 T1571

Potential Build Process Compromise

Security Others
Persistence
T1554

Potential Build Process Compromise - MDE

Persistence
T1554

Potential communication with a Domain Generation Algorithm DGA based hostname ASIM Web Session schema

Security Threat Protection
Command and Control
T1568

Potential DGA detected

Command and Control
T1568 T1008

Potential DGA detected ASIM DNS Schema

Security Network
Command and Control
T1568 T1008

Potential DGADomain Generation Algorithm detected via Repetitive Failures - Anomaly based ASIM DNS Solution

Command and Control
T1568 T1008

Potential DGADomain Generation Algorithm detected via Repetitive Failures - Static threshold based ASIM DNS Solution

Command and Control
T1568 T1008

Potential DHCP Starvation Attack

Initial Access
T1200

Potential Fodhelper UAC Bypass

Privilege Escalation
T1548

Potential Fodhelper UAC Bypass ASIM Version

Security Others
Privilege Escalation
T1548

Potential Kerberoasting

Security Others Identity
Credential Access
T1558

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack Uses Authentication Normalization

Security Others Identity
Credential Access
T1110

Potential Ransomware activity related to Cobalt Strike

Execution Persistence Defense Evasion Impact
T1059 T1078 T1070 T1490

Potential re-named sdelete usage

Defense Evasion Impact
T1485 T1036

Potential re-named sdelete usage ASIM Version

Security Threat Protection
Defense Evasion Impact
T1485 T1036

Potential Remote Desktop Tunneling

Command and Control
T1572

Power Apps - App activity from unauthorized geo

Initial Access
T1078

Power Apps - Bulk sharing of Power Apps to newly created guest users

Resource Development Initial Access Lateral Movement
T1587 T1566 T1534

Power Apps - Multiple apps deleted

Impact
T1485 T0826

Power Apps - Multiple users access a malicious link after launching new app

Initial Access
T1189 T1566

Power Automate - Departing employee flow activity

Exfiltration Impact
T1567 T1485 T1491 T0813 T0879 T0826

Power Automate - Unusual bulk deletion of flow resources

Impact Defense Evasion
T1485 T0828 T1562

Power Platform - Account added to privileged Microsoft Entra roles

Privilege Escalation
T1078 T1068 T1548

Power Platform - Connector added to a sensitive environment

Execution Exfiltration
T0871 T1567 T1537

Power Platform - DLP policy updated or removed

Defense Evasion
T1480

Power Platform - Possibly compromised user accesses Power Platform services

Initial Access Lateral Movement
T1078 T1210

Powershell Empire Cmdlets Executed in Command Line

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation
T1548 T1134 T1134 T1134 T1087 T1087 T1557 T1071 T1560 T1547 T1547 T1547 T1217 T1115 T1059 T1059 T1059 T1136 T1136 T1543 T1555 T1484 T1482 T1114 T1573 T1546 T1041 T1567 T1567 T1068 T1210 T1083 T1615 T1574 T1574 T1574 T1574 T1574 T1070 T1105 T1056 T1056 T1106 T1046 T1135 T1040 T1027 T1003 T1057 T1055 T1021 T1021 T1053 T1113 T1518 T1558 T1558 T1082 T1016 T1049 T1569 T1127 T1552 T1552 T1550 T1125 T1102 T1047

Prestige ransomware IOCs Oct 2022

Security Others
Execution
T1203

Preview - TI map Domain entity to Cloud App Events

Command and Control
T1071

Preview - TI map Email entity to Cloud App Events

Initial Access
T1566

Preview - TI map IP entity to Cloud App Events

Command and Control
T1071

Preview - TI map URL entity to Cloud App Events

Command and Control
T1071

Preview GitHub - A payment method was removed

Initial Access
T1078

Preview GitHub - Oauth application - a client secret was removed

Initial Access
T1078

Preview GitHub - pull request was created

Initial Access
T1078

Preview GitHub - pull request was merged

Initial Access
T1078

Preview GitHub - Repository was created

Initial Access
T1078

Preview GitHub - Repository was destroyed

Initial Access
T1078

Preview GitHub - User visibility Was changed

Initial Access
T1078

Preview GitHub - User was added to the organization

Initial Access
T1078

Preview GitHub - User was blocked

Initial Access
T1078

Preview GitHub - User was invited to the repository

Initial Access
T1078

Privilege escalation via CloudFormation policy

Privilege Escalation
T1484

Privilege escalation via CRUD DynamoDB policy

Privilege Escalation
T1484

Privilege escalation via CRUD IAM policy

Privilege Escalation
T1484

Privilege escalation via CRUD KMS policy

Privilege Escalation
T1484

Privilege escalation via CRUD Lambda policy

Privilege Escalation
T1484

Privilege escalation via CRUD S3 policy

Privilege Escalation
T1484

Privilege escalation via DataPipeline policy

Privilege Escalation
T1484

Privilege escalation via EC2 policy

Privilege Escalation
T1484

Privilege escalation via Glue policy

Privilege Escalation
T1484

Privilege escalation via Lambda policy

Privilege Escalation
T1484

Privilege escalation via SSM policy

Privilege Escalation
T1484

Privilege escalation with admin managed policy

Privilege Escalation
T1484

Privilege escalation with AdministratorAccess managed policy

Privilege Escalation
T1484

Privilege escalation with FullAccess managed policy

Privilege Escalation
T1484

Privileged Account Permissions Changed

Privilege Escalation
T1078

Privileged Accounts - Sign in Failure Spikes

Initial Access
T1078

Privileged Machines Exposed to the Internet

Discovery Impact
T1580

Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

Privileged User Logon from new ASN

Identity Security Others
Defense Evasion
T1078

Probable AdFind Recon Tool Usage

Discovery
T1016 T1018 T1069 T1087 T1482

Probable AdFind Recon Tool Usage Normalized Process Events

Security Threat Intelligence
Discovery
T1018

Process Creation with Suspicious CommandLine Arguments

Execution Defense Evasion
T1059 T1027

Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

Process Execution Frequency Anomaly

Execution
T1059

Progress MOVEIt File transfer above threshold

Exfiltration
T1020

Progress MOVEIt File transfer folder count above threshold

Exfiltration
T1020

ProofpointPOD - Binary file in attachment

Initial Access
T1078

ProofpointPOD - Email sender in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Email sender in TI list

ProofpointPOD - Email sender IP in TI list

ProofpointPOD - Email sender IP in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - High risk message not discarded

Initial Access
T1566

ProofpointPOD - Multiple archived attachments to the same recipient

Exfiltration
T1567

ProofpointPOD - Multiple large emails to the same recipient

Exfiltration
T1567

ProofpointPOD - Multiple protected emails to unknown recipient

Exfiltration
T1567

ProofpointPOD - Possible data exfiltration to private email

Initial Access
T1078

ProofpointPOD - Suspicious attachment

Initial Access
T1566

ProofpointPOD - Weak ciphers

Commandand Control
T1573

PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack

Security Threat Intelligence
Initial Access
T1190

PulseConnectSecure - Large Number of Distinct Failed User Logins

Credential Access
T1110

PulseConnectSecure - Potential Brute Force Attempts

Credential Access
T1110

Pure Controller Failed

Execution
T0871

Pure Failed Login

Credential Access
T1212

Qakbot Campaign Self Deletion

Defense Evasion
T1070

Qakbot Discovery Activies

Defense Evasion Discovery Execution
T1140 T1010 T1059

Radiflow - Exploit Detected

Initial Access Privilege Escalation Lateral Movement
T0819 T0866 T0890

Radiflow - Network Scanning Detected

Discovery
T0840 T0846 T0888

Radiflow - New Activity Detected

Initial Access
T1133 T0848

Radiflow - Platform Alert

Privilege Escalation Execution Command and Control Exfiltration Lateral Movement Impair Process Control Inhibit Response Function Initial Access

Radiflow - Policy Violation Detected

Lateral Movement Impair Process Control Execution Collection Persistence
T0886 T0855 T0858 T0845 T0889 T0843

Radiflow - Suspicious Malicious Activity Detected

Defense Evasion Inhibit Response Function
T0851

Radiflow - Unauthorized Command in Operational Device

Execution Lateral Movement Inhibit Response Function Impair Process Control
T0858 T0843 T0816 T0857 T0836 T0855

Radiflow - Unauthorized Internet Access

Initial Access Impact
T0822 T0883 T0882

Ransom Protect Detected a Ransomware Attack

Impact
T1486

Ransom Protect User Blocked

Impact
T1486

Ransomware Attack Detected

Impact
T1486

Ransomware Client Blocked

Impact
T1486

Rare and potentially high-risk Office operations

Persistence Collection
T1098 T1114

Rare application consent

Persistence Privilege Escalation
T1136 T1068

Rare client observed with high reverse DNS lookup count

Discovery
T1046

Rare client observed with high reverse DNS lookup count - Anomaly based ASIM DNS Solution

Reconnaissance
T1590

Rare client observed with high reverse DNS lookup count - Static threshold based ASIM DNS Solution

Reconnaissance
T1590

Rare Process as a Service

Persistence
T1543 T1543

Rare RDP Connections

Security Threat Protection
Lateral Movement
T1021

Rare subscription-level operations in Azure

Credential Access Persistence
T1003 T1098

RDP Nesting

Security Threat Protection
Lateral Movement
T1021

RDS instance publicly exposed

Exfiltration
T1537

RecordedFuture Threat Hunting Domain All Actors

Initial Access Command and Control
T1566 T1568

RecordedFuture Threat Hunting Hash All Actors

Initial Access Execution Persistence
T1189 T1059 T1554

RecordedFuture Threat Hunting IP All Actors

Exfiltration Command and Control
T1041 T1568

RecordedFuture Threat Hunting Url All Actors

Persistence Privilege Escalation Defense Evasion
T1098 T1078

Red Canary Threat Detection

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Refactor AWS policy based on activities in the last 60 days

Privilege Escalation
T1078

Registries Alerts for Prancer

Reconnaissance
T1595

Registry Persistence via AppCert DLL Modification

Persistence
T1546

Registry Persistence via AppInit DLLs Modification

Persistence
T1546

Regsvr32 Rundll32 Image Loads Abnormal Extension

Defense Evasion
T1218 T1218

Regsvr32 Rundll32 with Anomalous Parent Process

Defense Evasion
T1218 T1218

Remote Desktop Network Brute force ASIM Network Session schema

Credential Access
T1110

Remote Desktop Protocol - SharpRDP

Lateral Movement
T1021

Remote File Creation with PsExec

Lateral Movement
T1570

Rename System Utilities

Defense Evasion
T1036

Request for single resource on domain

Command and Control
T1102 T1071

Response rows stateful anomaly on database

Exfiltration
T1537 T1567

Risky user signin observed in non-Microsoft network device

Security Threat Protection
Command and Control
T1071

RunningRAT request parameters

Security Others
Exfiltration Command and Control
T1041 T1071

S3 bucket access point publicly exposed

Exfiltration
T1537

S3 bucket exposed via ACL

Exfiltration
T1537

S3 bucket exposed via policy

Exfiltration
T1537

S3 bucket suspicious ransomware activity

Impact
T1486

S3 object publicly exposed

Exfiltration
T1537

SailPointIdentityNowAlertForTriggers

Initial Access Collection
T1133 T1005

SailPointIdentityNowEventType

Initial Access
T1133

SailPointIdentityNowEventTypeTechnicalName

Initial Access
T1133

SailPointIdentityNowFailedEvents

Initial Access
T1133

SailPointIdentityNowFailedEventsBasedOnTime

Initial Access
T1133

SailPointIdentityNowUserWithFailedEvent

Initial Access
T1133

SAML update identity provider

Persistence
T1078

Samsung Knox - Application Privilege Escalation or Change Events

Privilege Escalation
T1548

Samsung Knox - Keyguard Disabled Feature Set Events

Initial Access
T1461

Samsung Knox - Mobile Device Boot Compromise Events

Persistence
T1645

Samsung Knox - Password Lockout Events

Credential Access
T1110

Samsung Knox - Peripheral Access Detection with Camera Events

Samsung Knox - Peripheral Access Detection with Mic Events

Samsung Knox - Security Log Full Events

Samsung Knox - Suspicious URL Accessed Events

Initial Access
T1566

SAP ETD - Login from unexpected network

SAP ETD - Synch alerts

Scheduled Task Hide

Defense Evasion
T1562

Sdelete deployed via GPO and run recursively

Impact
T1485

Sdelete deployed via GPO and run recursively ASIM Version

Security Threat Protection
Impact
T1485

Security Event log cleared

Defense Evasion
T1070

Security Service Registry ACL Modification

Security Others
Defense Evasion
T1562

SecurityBridge A critical event occured

Initial Access
T1189

SecurityEvent - Multiple authentication failures followed by a success

Credential Access
T1110

Semperis DSP Failed Logons

Initial Access Credential Access
T1078 T1110

Semperis DSP Kerberos krbtgt account with old password

Credential Access
T1558

Semperis DSP Mimikatzs DCShadow Alert

Defense Evasion
T1207

Semperis DSP Operations Critical Notifications

Initial Access Credential Access Resource Development
T1133 T1110 T1584

Semperis DSP RBAC Changes

Privilege Escalation Persistence
T1548 T1098

Semperis DSP Recent sIDHistory changes on AD objects

Privilege Escalation Persistence
T1098

Semperis DSP Well-known privileged SIDs in sIDHistory

Privilege Escalation Defense Evasion
T1134

Semperis DSP Zerologon vulnerability

Privilege Escalation
T1068

SenservaPro AD Applications Not Using Client Credentials

Impact
T1529 T1485

Sensitive Azure Key Vault operations

Impact
T1485

Sensitive Data Discovered in the Last 24 Hours

Discovery
T1087

Sensitive Data Discovered in the Last 24 Hours - Customized

Discovery
T1087

Sentinel One - Admin login from new location

Initial Access Privilege Escalation
T1078

Sentinel One - Agent uninstalled from multiple hosts

Defense Evasion
T1070

Sentinel One - Alert from custom rule

Initial Access
T1190

Sentinel One - Blacklist hash deleted

Defense Evasion
T1070

Sentinel One - Exclusion added

Defense Evasion
T1070

Sentinel One - Multiple alerts on host

Initial Access
T1190

Sentinel One - New admin created

Privilege Escalation
T1078

Sentinel One - Rule deleted

Defense Evasion
T1070

Sentinel One - Rule disabled

Defense Evasion
T1070

Sentinel One - Same custom rule triggered on different hosts

Initial Access Lateral Movement
T1190 T1210

Sentinel One - User viewed agents passphrase

Credential Access
T1555

Server Oriented Cmdlet And User Oriented Cmdlet used

Exfiltration Persistence Collection
T1020 T1098 T1114

Service Accounts Performing Remote PS

Lateral Movement
T1210

Service Principal Assigned App Role With Sensitive Access

Security Others Identity
Privilege Escalation
T1078

Service Principal Assigned Privileged Role

Security Others Identity
Privilege Escalation
T1078

Service Principal Authentication Attempt from New Country

Security Others Identity
Initial Access
T1078

Service Principal Name SPN Assigned to User Account

Security Others Identity
Privilege Escalation
T1134

Service principal not using client credentials

Initial Access
T1078

Several deny actions registered

Discovery Lateral Movement Command and Control
T1046 T1071 T1210

SFTP File transfer above threshold

Exfiltration
T1020

SFTP File transfer folder count above threshold

Exfiltration
T1020

Shadow Copy Deletions

Impact
T1490

SharePointFileOperation via devices with previously unseen user agents

Exfiltration
T1030

SharePointFileOperation via previously unseen IPs

Exfiltration
T1030

Sign-ins from IPs that attempt sign-ins to disabled accounts

Initial Access Persistence
T1078 T1098

Sign-ins from IPs that attempt sign-ins to disabled accounts Uses Authentication Normalization

Initial Access Persistence
T1078 T1098

Silk Typhoon New UM Service Child Process

Security Threat Intelligence
Initial Access
T1190

Silk Typhoon Suspicious Exchange Request

Security Threat Intelligence
Initial Access
T1190

Silk Typhoon Suspicious File Downloads

Security 0 Day Vulnerability
Initial Access
T1190

Silk Typhoon Suspicious UM Service Error

Security Threat Intelligence
Initial Access
T1190

Silverfort - Certifried Incident

Privilege Escalation
T1068

Silverfort - Log4Shell Incident

Initial Access
T1190

Silverfort - NoPacBreach Incident

Privilege Escalation
T1068 T1548

Silverfort - UserBruteForce Incident

Credential Access
T1110

Sites Alerts for Prancer

Reconnaissance
T1595

SlackAudit - Empty User Agent

Initial Access
T1133

SlackAudit - Multiple archived files uploaded in short period of time

Exfiltration
T1567

SlackAudit - Multiple failed logins for user

Credential Access
T1110

SlackAudit - Public link created for file which can contain sensitive information

Exfiltration
T1048

SlackAudit - Suspicious file downloaded

Initial Access
T1189

SlackAudit - Unknown User Agent

Command and Control
T1071

SlackAudit - User email linked to account changed

Initial Access
T1078

SlackAudit - User login after deactivated

Initial Access Persistence Privilege Escalation
T1078

SlackAudit - User role changed to admin or owner

Persistence Privilege Escalation
T1098 T1078

SMBWindows Admin Shares

Lateral Movement
T1021

Snowflake - Abnormal query process time

Impact
T1499

Snowflake - Multiple failed queries

Discovery
T1518 T1082

Snowflake - Multiple login failures by user

Initial Access
T1078

Snowflake - Multiple login failures from single IP

Initial Access
T1078

Snowflake - Possible data destraction

Impact
T1485

Snowflake - Possible discovery activity

Discovery
T1526

Snowflake - Possible privileges discovery activity

Discovery
T1087

Snowflake - Query on sensitive or restricted table

Collection
T1119

Snowflake - Unusual query

Collection
T1119

Snowflake - User granted admin privileges

Privilege Escalation
T1078

Solorigate Defender Detections

Security 0 Day Vulnerability
Initial Access
T1195

Solorigate Named Pipe

Security 0 Day Vulnerability
Defense Evasion Privilege Escalation
T1055

SonicWall - Allowed SSH Telnet and RDP Connections

Initial Access Execution Persistence Credential Access Discovery Lateral Movement Collection Exfiltration Impact
T1190 T1133 T1059 T1110 T1003 T1087 T1018 T1021 T1005 T1048 T1041 T1011 T1567 T1490

SonicWall - Capture ATP Malicious File Detection

Execution
T1204

Sonrai Ticket Assigned

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Closed

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Escalation Executed

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Escalation Executed

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Reopened

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Risk Accepted

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Snoozed

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Updated

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

SPF Not Configured

Initial Access Reconnaissance

SPF Policy Set to Soft Fail

Initial Access Reconnaissance

SpyCloud Enterprise Breach Detection

Credential Access
T1555

SpyCloud Enterprise Malware Detection

Credential Access
T1555

Squid proxy events for ToR proxies

Command and Control
T1090 T1008

Squid proxy events related to mining pools

Command and Control
T1102

SSG_Security_Incidents

Impact
T1486

SSH - Potential Brute Force

Credential Access
T1110

SSM document is publicly exposed

Discovery
T1526

Stale AWS policy attachment to identity

Initial Access
T1078

Stale IAAS policy attachment to role

Privilege Escalation Persistence
T1098

Stale last password change

Initial Access
T1566

Star Blizzard C2 Domains August 2022

Security Threat Intelligence
Initial Access
T1566

Starting or Stopping HealthService to Avoid Detection

Defense Evasion
T1562

Stopping multiple processes using taskkill

Defense Evasion
T1562

Storage Accounts Alerts From Prancer

Reconnaissance
T1595

Subdomain Infringement

Reconnaissance Initial Access
T1590 T1566

Subnets Alerts for Prancer

Reconnaissance
T1595

Subresource Integrity SRI Not Implemented

Initial Access
T1189

Subscription moved to another tenant

Impact
T1496

Successful API executed from a Tor exit node

Execution
T1204

Successful AWS Console Login from IP Address Observed Conducting Password Spray

Initial Access Credential Access
T1110 T1078

Successful brute force attack on S3 Bucket

Defense Evasion
T1562

Successful logon from IP and failure from a different IP

Credential Access Initial Access
T1110 T1078

SUNBURST and SUPERNOVA backdoor hashes

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST and SUPERNOVA backdoor hashes Normalized File Events

Security Threat Intelligence
Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST network beacons

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST suspicious SolarWinds child processes

Security Threat Protection
Execution Persistence

SUNBURST suspicious SolarWinds child processes Normalized Process Events

Security 0 Day Vulnerability
Execution Persistence
T1059 T1543

SUNSPOT malware hashes

Persistence
T1554

SUPERNOVA webshell

Security Others
Persistence Command and Control
T1505 T1071

SUPERNOVA webshell

Suspicious access of BEC related documents

Collection
T1530

Suspicious access of BEC related documents in AWS S3 buckets

Collection
T1530

Suspicious application consent for offline access

Credential Access
T1528

Suspicious application consent similar to O365 Attack Toolkit

Credential Access Defense Evasion
T1528 T1550

Suspicious application consent similar to PwnAuth

Credential Access Defense Evasion
T1528 T1550

Suspicious AWS CLI Command Execution

Reconnaissance
T1595 T1592 T1589 T1589 T1590 T1591 T1596

Suspicious AWS console logins by credential access alerts

Initial Access Credential Access
T1078

Suspicious AWS EC2 Compute Resource Deployments

Impact
T1496

Suspicious command sent to EC2

Execution
T1204

Suspicious Entra ID Joined Device Update

Credential Access
T1528

Suspicious granting of permissions to an account

Persistence Privilege Escalation
T1098 T1548

Suspicious link sharing pattern

Security Others
Reconnaissance
T1598

Suspicious linking of existing user to external User

Security Others Identity
Privilege Escalation
T1078

Suspicious Login from deleted guest account

Security Others Identity
Privilege Escalation
T1078

Suspicious malware found in the network Microsoft Defender for IoT

Impact
T0882

Suspicious Mobile App High

Resource Development
T1587 T1588

Suspicious Mobile App INFO

Resource Development
T1587 T1588

Suspicious modification of Global Administrator user properties

Security Others Identity
Privilege Escalation
T1078

Suspicious named pipes

Execution Defense Evasion
T1559 T1055

Suspicious number of resource creation or deployment activities

Impact
T1496

Suspicious overly permissive KMS key policy created

Impact
T1486

Suspicious parentprocess relationship - Office child processes

Initial Access
T1566

Suspicious Powershell Commandlet Executed

Execution
T1059

Suspicious Process Injection from Office application

Execution
T1204

Suspicious Resource deployment

Impact
T1496

Suspicious Service Principal creation activity

Credential Access Privilege Escalation Initial Access
T1078 T1528

Suspicious Sign In by Entra ID Connect Sync Account

Identity Security Threat Protection
Initial Access
T1078

Suspicious Sign In Followed by MFA Modification

Initial Access Defense Evasion
T1078 T1556

Suspicious VM Instance Creation Activity Detected

Initial Access Execution Discovery
T1078 T1106 T1526

Syntax errors stateful anomaly on database

Initial Access
T1190

Tampering to AWS CloudTrail logs

Defense Evasion
T1070

Tanium Threat Response Alerts

TEARDROP memory-only dropper

Execution Persistence Defense Evasion
T1543 T1059 T1027

Tenablead Active Directory attacks pathways

Credential Access
T1110

Tenablead DCShadow

Defense Evasion
T1207

Tenablead DCSync

Credential Access
T1003

Tenablead Golden Ticket

Credential Access
T1558

Tenablead Indicators of Attack

Credential Access
T1110

Tenablead Indicators of Exposures

Credential Access
T1110

Tenablead LSASS Memory

Credential Access
T1003

Tenablead Password Guessing

Credential Access
T1110

Tenablead Password issues

Credential Access
T1110

Tenablead Password Spraying

Credential Access
T1110

Tenablead privileged accounts issues

Credential Access
T1110

Tenablead user accounts issues

Credential Access
T1110

The download of potentially risky files from the Discord Content Delivery Network CDN ASIM Web Session

Command and Control
T1071

Theom - Critical data in API headers or body

Collection
T1119

Theom - Dark Data with large fin value

Collection
T1560 T1530

Theom - Dev secrets exposed

Collection
T1213 T1530

Theom - Dev secrets unencrypted

Credential Access
T1552

Theom - Financial data exposed

Collection
T1213 T1530

Theom - Financial data unencrypted

Collection
T1213 T1530

Theom - Healthcare data exposed

Collection
T1213 T1530

Theom - Healthcare data unencrypted

Collection
T1213 T1530

Theom - Least priv large value shadow DB

Collection
T1560 T1530

Theom - National IDs exposed

Collection
T1213 T1530

Theom - National IDs unencrypted

Collection
T1213 T1530

Theom - Overprovisioned Roles Shadow DB

Collection Privilege Escalation
T1560 T1530 T1078

Theom - Shadow DB large datastore value

Collection
T1560 T1530

Theom - Shadow DB with atypical accesses

Collection Privilege Escalation
T1560 T1530 T1078

Theom - Unencrypted public data stores

Collection
T1213 T1530

Theom Critical Risks

Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom High Risks

Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom Insights

Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom Low Risks

Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom Medium Risks

Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Third party integrated apps

Exfiltration
T1020

Threat Connect TI map Domain entity to DnsEvents

Command and Control
T1071

Threat Essentials - Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

Threat Essentials - Mass Cloud resource deletions Time Series Anomaly

Impact
T1485

Threat Essentials - Multiple admin membership removals from newly created admin

Impact
T1531

Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

Threat Essentials - Time series anomaly for data size transferred to public internet

Exfiltration
T1030

Threat Essentials - User Assigned Privileged Role

Persistence
T1078

ThreatConnect TI map Email entity to OfficeActivity

Command and Control
T1071

ThreatConnect TI map Email entity to SigninLogs

Command and Control
T1071

ThreatConnect TI map IP entity to Network Session Events ASIM Network Session schema

Command and Control
T1071

ThreatConnect TI Map URL Entity to OfficeActivity Data

Command and Control
T1071

Threats detected by Eset

Execution Credential Access Privilege Escalation
T1204 T1212 T1548

Threats detected by ESET

Execution
T1204

TI map Domain entity to Cloud App Events

Command and Control
T1071

TI Map Domain Entity to DeviceNetworkEvents

Command and Control
T1071

TI Map Domain Entity to DeviceNetworkEvents

Command and Control
T1071

TI map Domain entity to Dns Events ASIM DNS Schema

Command and Control
T1071

TI map Domain entity to Dns Events ASIM DNS Schema

Command and Control
T1071

TI map Domain entity to DnsEvents

Command and Control
T1071

TI map Domain entity to DnsEvents

Command and Control
T1071

TI map Domain entity to EmailEvents

Initial Access
T1566

TI map Domain entity to EmailEvents

Initial Access
T1566

TI map Domain entity to EmailUrlInfo

Initial Access
T1566

TI map Domain entity to EmailUrlInfo

Initial Access
T1566

TI map Domain entity to PaloAlto

Command and Control
T1071

TI map Domain entity to PaloAlto

Command and Control
T1071

TI map Domain entity to PaloAlto CommonSecurityLog

Command and Control
T1071

TI map Domain entity to PaloAlto CommonSecurityLog

Command and Control
T1071

TI map Domain entity to SecurityAlert

Command and Control
T1071

TI map Domain entity to SecurityAlert

Command and Control
T1071

TI map Domain entity to Syslog

Command and Control
T1071

TI map Domain entity to Syslog

Command and Control
T1071

TI map Domain entity to Web Session Events ASIM Web Session schema

Command and Control
T1071

TI map Domain entity to Web Session Events ASIM Web Session schema

Command and Control
T1071

TI map Email entity to AzureActivity

Initial Access
T1566

TI map Email entity to AzureActivity

Initial Access
T1566

TI map Email entity to Cloud App Events

Initial Access
T1566

TI map Email entity to EmailEvents

Initial Access
T1566

TI map Email entity to EmailEvents

Initial Access
T1566

TI map Email entity to OfficeActivity

Initial Access
T1566

TI map Email entity to OfficeActivity

Initial Access
T1566

TI map Email entity to PaloAlto CommonSecurityLog

Initial Access
T1566

TI map Email entity to PaloAlto CommonSecurityLog

Initial Access
T1566

TI map Email entity to SecurityAlert

Initial Access
T1566

TI map Email entity to SecurityAlert

Initial Access
T1566

TI map Email entity to SecurityEvent

Initial Access
T1566

TI map Email entity to SecurityEvent

Initial Access
T1566

TI map Email entity to SigninLogs

Initial Access
T1566

TI map Email entity to SigninLogs

Initial Access
T1566

TI map File Hash to CommonSecurityLog Event

Command and Control
T1071

TI map File Hash to CommonSecurityLog Event

Command and Control
T1071

TI map File Hash to DeviceFileEvents Event

Command and Control
T1071

TI map File Hash to DeviceFileEvents Event

Command and Control
T1071

TI map File Hash to Security Event

Command and Control
T1071

TI map File Hash to Security Event

Command and Control
T1071

TI map IP entity to AppServiceHTTPLogs

Command and Control
T1071

TI map IP entity to AppServiceHTTPLogs

Command and Control
T1071

TI map IP entity to AWSCloudTrail

Command and Control
T1071

TI map IP entity to AWSCloudTrail

Command and Control
T1071

TI map IP entity to Azure Key Vault logs

Command and Control
T1071

TI map IP entity to Azure Key Vault logs

Command and Control
T1071

TI Map IP Entity to Azure SQL Security Audit Events

Command and Control
T1071

TI Map IP Entity to Azure SQL Security Audit Events

Command and Control
T1071

TI Map IP Entity to AzureActivity

Command and Control
T1071

TI Map IP Entity to AzureActivity

Command and Control
T1071

TI map IP entity to AzureFirewall

Command and Control
T1071

TI map IP entity to AzureFirewall

Command and Control
T1071

TI map IP entity to AzureNetworkAnalytics_CL NSG Flow Logs

Command and Control
T1071

TI map IP entity to AzureNetworkAnalytics_CL NSG Flow Logs

Command and Control
T1071

TI map IP entity to Cloud App Events

Command and Control
T1071

TI Map IP Entity to CommonSecurityLog

Command and Control
T1071

TI Map IP Entity to CommonSecurityLog

Command and Control
T1071

TI Map IP Entity to DeviceNetworkEvents

Command and Control
T1071

TI Map IP Entity to DeviceNetworkEvents

Command and Control
T1071

TI map IP entity to DNS Events ASIM DNS schema

Command and Control
T1071

TI map IP entity to DNS Events ASIM DNS schema

Command and Control
T1071

TI Map IP Entity to DnsEvents

Command and Control
T1071

TI Map IP Entity to DnsEvents

Command and Control
T1071

TI Map IP Entity to Duo Security

Command and Control
T1071

TI Map IP Entity to Duo Security

Command and Control
T1071

TI map IP entity to GitHub_CL

Command and Control
T1071

TI map IP entity to GitHub_CL

Command and Control
T1071

TI map IP entity to LastPass data

Impact
T1485

TI map IP entity to Network Session Events ASIM Network Session schema

Command and Control
T1071

TI map IP entity to Network Session Events ASIM Network Session schema

Command and Control
T1071

TI map IP entity to OfficeActivity

Command and Control
T1071

TI map IP entity to OfficeActivity

Command and Control
T1071

TI Map IP Entity to SigninLogs

Command and Control
T1071

TI Map IP Entity to SigninLogs

Command and Control
T1071

TI Map IP Entity to VMConnection

Command and Control
T1071

TI Map IP Entity to VMConnection

Command and Control
T1071

TI Map IP Entity to W3CIISLog

Command and Control
T1071

TI Map IP Entity to W3CIISLog

Command and Control
T1071

TI map IP entity to Web Session Events ASIM Web Session schema

Command and Control
T1071

TI map IP entity to Web Session Events ASIM Web Session schema

Command and Control
T1071

TI map IP entity to WorkdayASimAuditEventLogs

Command and Control
T1071

TI map IP entity to WorkdayASimAuditEventLogs

Command and Control
T1071

TI Map URL Entity to AuditLogs

Command and Control
T1071

TI Map URL Entity to AuditLogs

Command and Control
T1071

TI map URL entity to Cloud App Events

Command and Control
T1071

TI Map URL Entity to DeviceNetworkEvents

Command and Control
T1071

TI Map URL Entity to DeviceNetworkEvents

Command and Control
T1071

TI Map URL Entity to EmailUrlInfo

Command and Control
T1071

TI Map URL Entity to EmailUrlInfo

Command and Control
T1071

TI Map URL Entity to OfficeActivity Data [Deprecated]

Command and Control
T1071

TI Map URL Entity to PaloAlto Data

Command and Control
T1071

TI Map URL Entity to PaloAlto Data

Command and Control
T1071

TI Map URL Entity to SecurityAlert Data

Command and Control
T1071

TI Map URL Entity to SecurityAlert Data

Command and Control
T1071

TI Map URL Entity to Syslog Data

Command and Control
T1071

TI Map URL Entity to Syslog Data

Command and Control
T1071

TI Map URL Entity to UrlClickEvents

Command and Control
T1071

TI Map URL Entity to UrlClickEvents

Command and Control
T1071

TIE Active Directory attacks pathways

Credential Access
T1110

TIE DCShadow

Defense Evasion
T1207

TIE DCSync

Credential Access
T1003

TIE Golden Ticket

Credential Access
T1558

TIE Indicators of Attack

Credential Access
T1110

TIE Indicators of Exposures

Credential Access
T1110

TIE LSASS Memory

Credential Access
T1003

TIE Password Guessing

Credential Access
T1110

TIE Password issues

Credential Access
T1110

TIE Password Spraying

Credential Access
T1110

TIE privileged accounts issues

Credential Access
T1110

TIE user accounts issues

Credential Access
T1110

Time series anomaly detection for total volume of traffic

Security Others
Exfiltration
T1030

Time series anomaly for data size transferred to public internet

Security Threat Protection
Exfiltration
T1030

TLS Certificate Hostname Mismatch

Credential Access Defense Evasion Persistence
T1556

TLS Certificate Using Weak Cipher - Informational

Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLS Certificate Using Weak Cipher - Medium

Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv1 in Use - Low

Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv1 in Use - Medium

Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv11 in Use - info

Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv11 in Use - Medium

Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

Tomcat - Commands in URI

Initial Access
T1190 T1133

Tomcat - Known malicious user agent

Initial Access
T1190 T1133

Tomcat - Multiple client errors from single IP address

Initial Access
T1190 T1133

Tomcat - Multiple empty requests from same IP

Initial Access Impact
T1190 T1133 T1499

Tomcat - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

Tomcat - Put file and get file from same IP address

Initial Access
T1190 T1133

Tomcat - Request from localhost IP address

Initial Access
T1190 T1133

Tomcat - Request to sensitive files

Initial Access
T1189

Tomcat - Server errors after multiple requests from same IP

Impact Initial Access
T1498 T1190 T1133

Tomcat - Sql injection patterns

Initial Access
T1190

Trend Micro CAS - DLP violation

Exfiltration
T1048

Trend Micro CAS - Infected user

Initial Access
T1566

Trend Micro CAS - Multiple infected users

Initial Access
T1566

Trend Micro CAS - Possible phishing mail

Initial Access
T1566

Trend Micro CAS - Ransomware infection

Impact
T1486

Trend Micro CAS - Ransomware outbreak

Impact
T1486

Trend Micro CAS - Suspicious filename

Initial Access
T1566

Trend Micro CAS - Threat detected and not blocked

Defense Evasion
T1562

Trend Micro CAS - Unexpected file on file share

Initial Access
T1566

Trend Micro CAS - Unexpected file via mail

Initial Access
T1566

Trust Monitor Event

Security Others
Credential Access
T1528 T1555

Trusted Developer Utilities Proxy Execution

Defense Evasion
T1127

Ubiquiti - Connection to known malicious IP or C2

Exfiltration Command and Control
T1071 T1571 T1572

Ubiquiti - connection to non-corporate DNS server

Command and Control Exfiltration
T1572 T1041

Ubiquiti - Large ICMP to external server

Exfiltration Command and Control
T1041 T1572

Ubiquiti - Possible connection to cryptominning pool

Command and Control
T1071 T1095 T1571

Ubiquiti - RDP from external source

Initial Access
T1133

Ubiquiti - SSH from external source

Initial Access
T1133

Ubiquiti - Unknown MAC Joined AP

Initial Access
T1133

Ubiquiti - Unusual DNS connection

Command and Control
T1090 T1572

Ubiquiti - Unusual FTP connection to external server

Exfiltration Command and Control
T1048 T1071

Ubiquiti - Unusual traffic

Command and Control
T1573

Unauthorized device in the network Microsoft Defender for IoT

Discovery
T0842

Unauthorized DHCP configuration in the network Microsoft Defender for IoT

Discovery
T0842

Unauthorized PLC changes Microsoft Defender for IoT

Persistence
T0839

Unauthorized remote access to the network Microsoft Defender for IoT

Initial Access
T0886

Unauthorized user access across AWS and Azure

Credential Access Exfiltration Discovery
T1557 T1110 T1110 T1110 T1212 T1048 T1087 T1580

Unused IaaS Policy

Initial Access Privilege Escalation
T1078 T1068

Unusual Anomaly

Unusual identity creation using exchange powershell

Security Threat Protection Identity
Persistence
T1136

Unusual Volume of file deletion by users

Impact
T1485

Unusual Volume of Password Updated or Removed

Impact
T1485

URL Added to Application from Unknown Domain

Security Others
Persistence Privilege Escalation
T1078

User Accessed Suspicious URL Categories

Initial Access Command and Control
T1566 T1071

User account added to built in domain local or global group

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

User account created and deleted within 10 mins

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

User Account Created Using Incorrect Naming Format

Security Others
Persistence
T1136

User account created without expected attributes defined

Security Others
Persistence
T1136

User account enabled and disabled within 10 mins

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

User Accounts - Sign in Failure due to CA Spikes

Initial Access
T1078

User Added to Admin Role

Privilege Escalation
T1078

User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

User agent search for log4j exploitation attempt

Initial Access
T1190

User Assigned New Privileged Role

Persistence
T1078

User assigned to a default admin role

Initial Access
T1078

User impersonation by Identity Protection alerts

Privilege Escalation
T1134

User joining Zoom meeting from suspicious timezone

Security Others
Initial Access Privilege Escalation
T1078

User Login from Different Countries within 3 hours

Initial Access
T1078

User login from different countries within 3 hours Uses Authentication Normalization

Security Network
Initial Access
T1078

User Session ImpersonationOkta

Privilege Escalation
T1134 T1134

User Sign in from different countries

Initial Access
T1078

User State changed from Guest to Member

Security Others Identity
Persistence
T1098

User without MFA

Initial Access
T1078

UserAccountDisabled

Initial Access
T1078

Users searching for VIP user activity

Security Others
Collection Exfiltration
T1530 T1213 T1020

Valence Security Alerts

vArmour AppController - SMB Realm Traversal

Discovery Lateral Movement
T1135 T1570

Vaults Alerts for Prancer

Reconnaissance
T1595

vCenter - Root impersonation

Privilege Escalation
T1078

Vectra Accounts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - Detections with High Severity

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - New Campaign Detected

Lateral Movement Command and Control
T1021 T1071

Vectra AI Detect - Suspected Compromised Account

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - Suspected Compromised Host

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - Suspicious Behaviors by Category

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra Create Detection Alert for Accounts

Persistence
T1546

Vectra Create Detection Alert for Hosts

Persistence
T1546

Vectra Create Incident Based on Priority for Accounts

Persistence
T1546

Vectra Create Incident Based on Priority for Hosts

Persistence
T1546

Vectra Create Incident Based on Tag for Accounts

Persistence
T1546

Vectra Create Incident Based on Tag for Hosts

Persistence
T1546

Vectra Hosts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

VIP Mailbox manipulation

Exfiltration Persistence Collection
T1020 T1098 T1114

Virtual Machines Alerts for Prancer

Reconnaissance
T1595

VirtualNetworkPeerings Alerts From Prancer

Reconnaissance
T1595

VMware Cloud Web Security - Data Loss Prevention Violation

VMware Cloud Web Security - Policy Change Detected

VMware Cloud Web Security - Policy Publish Event

VMware Cloud Web Security - Web Access Policy Violation

VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected

VMware ESXi - Dormant VM started

Initial Access
T1190

VMware ESXi - Low patch disk space

Impact
T1529

VMware ESXi - Low temp directory space

Impact
T1529

VMware ESXi - Multiple new VMs started

Initial Access
T1078

VMware ESXi - Multiple VMs stopped

Impact
T1529

VMware ESXi - New VM started

Initial Access
T1078

VMware ESXi - Root impersonation

Privilege Escalation
T1078

VMware ESXi - Root login

Initial Access Privilege Escalation
T1078

VMware ESXi - Shared or stolen root account

Initial Access Privilege Escalation
T1078

VMware ESXi - Unexpected disk image

Impact
T1496

VMware ESXi - VM stopped

Impact
T1529

VMware SD-WAN - Orchestrator Audit Event

VMware SD-WAN Edge - All Cloud Security Service Tunnels DOWN

VMware SD-WAN Edge - Device Congestion Alert - Packet Drops

Impact
T1498

VMware SD-WAN Edge - IDSIPS Alert triggered Search API

Lateral Movement
T1210

VMware SD-WAN Edge - IDSIPS Alert triggered Syslog

Lateral Movement
T1210

VMware SD-WAN Edge - IDSIPS Signature Update Failed

VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack

Impact Defense Evasion
T1498 T1599

VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure

Impact
T1498

VMware vCenter - Root login

Initial Access Privilege Escalation
T1078

Votiro - File Blocked from Connector

Defense Evasion Discovery Impact
T1036 T1083 T1057 T1082 T1565 T1498 T0837

Votiro - File Blocked in Email

Command and Control Defense Evasion Impact Initial Access
T0885 T1036 T1027 T1486 T1566

Vulerabilities

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Vulnerable Machines related to log4j CVE-2021-44228

Initial Access Execution
T1190 T1203

Vulnerable Machines related to OMIGOD CVE-2021-38647

Security Threat Protection
Initial Access Execution
T1190 T1203

Wazuh - Large Number of Web errors from an IP

Security Others Networking
Credential Access
T1110

WDigest downgrade attack

Credential Access
T1003

Web sites blocked by Eset

Exfiltration Command and Control Initial Access
T1189 T1567 T1071

Website blocked by ESET

Exfiltration Command and Control Initial Access
T1041 T1071 T1189 T1566

Windows Binaries Executed from Non-Default Directory

Execution
T1059

Windows Binaries Lolbins Renamed

Execution
T1059

Windows host username encoded in base64 web request

Security Others
Exfiltration Command and Control
T1041 T1071

Workspace deletion activity from an infected device

Security Threat Protection Platform
Initial Access Impact
T1078 T1489

Zero Networks Segement - Machine Removed from protection

Defense Evasion
T1562

Zero Networks Segment - New API Token created

Credential Access
T1528

Zero Networks Segment - Rare JIT Rule Creation

Lateral Movement
T1021

ZeroFox Alerts - High Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Informational Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Low Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Medium Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroTrustTIC30 Control Assessment Posture Change

Discovery
T1082

Zinc Actor IOCs files - October 2022

Persistence
T1546

Zoom E2E Encryption Disabled

Security Others
Credential Access Discovery
T1040

Zscaler - Connections by dormant user

Persistence
T1078

Zscaler - Forbidden countries

Initial Access
T1190 T1133

Zscaler - Shared ZPA session

Initial Access
T1078 T1133

Zscaler - Unexpected event count of rejects by policy

Initial Access
T1078 T1133

Zscaler - Unexpected update operation

Initial Access
T1190 T1133

Zscaler - Unexpected ZPA session duration

Initial Access
T1078 T1133

Zscaler - ZPA connections by new user

Persistence
T1078

Zscaler - ZPA connections from new country

Initial Access
T1190 T1133

Zscaler - ZPA connections from new IP

Initial Access
T1078 T1133

Zscaler - ZPA connections outside operational hours

Initial Access
T1190 T1133