Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Data connectors



Analytic Rules

[Deprecated] - Alert for IOCs related to WindowsELF malware - IP Hash IOCs - September 2021

Azure Firewall Cef Check Point Cisco Asa F5 Fortinet Microsoft Threat Protection Palo Alto Networks Security Events Windows Firewall Windows Forwarded Events Windows Security Events
Impact
T1496

[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Palo Alto Networks Security Events
Persistence
T1137

[Deprecated] - Cadet Blizzard Actor IOC - January 2022

Cisco Asa Microsoft Threat Protection Palo Alto Networks Security Events Windows Security Events
Impact
T1561

[Deprecated] - Caramel Tsunami Actor IOC - July 2021

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall Windows Forwarded Events Windows Security Events
Persistence
T1546

[Deprecated] - Chia_Crypto_Mining - Domain Process Hash and IP IOCs - June 2021

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall
Impact
T1496

[Deprecated] - Denim Tsunami AV Detection

Microsoft Threat Protection Security Events
Execution
T1203

[Deprecated] - Denim Tsunami C2 Domains July 2022

Azure Monitor( Vminsights) DNS Microsoft Threat Protection
Command and Control
T1071

[Deprecated] - Denim Tsunami File Hashes July 2022

Microsoft Threat Protection Security Events Windows Firewall
Execution
T1203

[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall
Initial Access
T1190

[Deprecated] - Dev-0530 IOC - July 2022

Aws Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Cisco Asa Microsoft Threat Protection Office365 Palo Alto Networks Security Events
Impact
T1486

[Deprecated] - Emerald Sleet domains included in DCU takedown

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Zscaler
Command and Control Credential Access

[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match

Awss3 Azure Monitor( Iis) Azure Monitor( Wire Data) Cef Check Point Cisco Asa Cisco Umbrella Data Connector Corelight DNS F5 Fortinet Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Nxlog DNS Logs Palo Alto Networks Security Events Windows Firewall Windows Forwarded Events Zscaler
Initial Access
T1190

[Deprecated] - Hive Ransomware IOC - July 2022

Cisco Asa Microsoft Threat Protection Palo Alto Networks Security Events
Impact
T1486

[Deprecated] - Known Barium domains

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Squid Proxy Zscaler
Command and Control

[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control Execution
T1071 T1204

[Deprecated] - Known Diamond Sleet related maldoc hash

Cisco Asa Palo Alto Networks Security Events
Command and Control Credential Access

[Deprecated] - Known Granite Typhoon domains and hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Security Events Zscaler
Command and Control Credential Access

[Deprecated] - Known Manganese IP and UserAgent activity

Office365
Initial Access Collection
T1133 T1114

[Deprecated] - Known Mint Sandstorm group domainsIP - October 2020

Azure Firewall Azure Monitor( Vminsights) Cisco Asa DNS Fortinet Office Atp Palo Alto Networks Zscaler
Command and Control Initial Access
T1071 T1566

[Deprecated] - Known Nylon Typhoon domains and hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Security Events Squid Proxy Zscaler
Command and Control
T1071

[Deprecated] - Known Phosphorus group domainsIP

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Office365 Palo Alto Networks Squid Proxy Zscaler
Command and Control
T1071

[Deprecated] - Known Plaid Rain IP

Aws Awss3 Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Azure Monitor( Wire Data) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control

[Deprecated] - Known Ruby Sleet domains and hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Squid Proxy Zscaler
Command and Control Credential Access

[Deprecated] - Known Seashell Blizzard IP

Aws Awss3 Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Squid Proxy Windows Forwarded Events Zscaler
Command and Control

[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Squid Proxy Zscaler
Command and Control
T1102

[Deprecated] - Midnight Blizzard - Domain Hash and IP IOCs - May 2021

Awss3 Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa Cisco Umbrella Data Connector Corelight DNS F5 Fortinet Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Squid Proxy Windows Firewall Windows Forwarded Events Zscaler
Command and Control Execution
T1102 T1204

[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor

Azure Monitor( Iis) Cef Check Point Cisco Asa F5 Fortinet Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

Microsoft Threat Protection Security Events
Execution
T1203

[Deprecated] - Silk Typhoon UM Service writing suspicious file

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Initial Access
T1190

[Deprecated] - Solorigate Domains Found in VM Insights

Azure Monitor( Vminsights)
Command and Control
T1102

[Deprecated] - Solorigate Network Beacon

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Zscaler
Command and Control
T1102

[Deprecated] - SUNSPOT log file creation

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Persistence
T1554

[Deprecated] - Tarrask malware IOC - April 2022

Cisco Asa Microsoft Threat Protection Palo Alto Networks Security Events
Persistence
T1053

[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022

Azure Firewall Azure Monitor( Vminsights) Cef Cef Ama Check Point Cisco Asa Cisco Asa Ama DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall Windows Firewall Ama Windows Forwarded Events Windows Security Events
Persistence
T1546

[Deprecated] -Known Barium IP

Aws Awss3 Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Azure Monitor( Wire Data) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control

[Deprecated] Explicit MFA Deny

Azure Active Directory Microsoft Threat Protection
Credential Access
T1110

1Password - Changes to firewall rules

1 Password
Defense Evasion
T1562

1Password - Log Ingestion Failure

1 Password
Defense Evasion
T1562

1Password - Manual account creation

1 Password
Persistence
T1136

1Password - Successful anomalous sign-in

1 Password
Initial Access
T1078

1Password - User account MFA settings changed

1 Password
Persistence Defense Evasion
T1556

1Password - Vault export

1 Password
Credential Access
T1555

1Password - Vault export post account creation

1 Password
Credential Access Persistence
T1555 T1136

A host is potentially running a hacking tool ASIM Web Session schema

Squid Proxy Zscaler
Execution Discovery Lateral Movement Collection Command and Control Exfiltration
T1059 T1046 T1021 T1557 T1102 T1020

A host is potentially running PowerShell to send HTTPS requests ASIM Web Session schema

Squid Proxy Zscaler
Command and Control Defense Evasion Execution
T1132 T1140 T1059

Abnormal Deny Rate for Source IP

Azure Firewall
Initial Access Exfiltration Command and Control
T1190 T1041 T1568

Abnormal Port to Protocol

Azure Firewall
Exfiltration Command and Control
T1041 T1571

Access to AWS without MFA

Authomize
Initial Access
T1078

Access Token Manipulation - Create Process with Token

Microsoft Threat Protection
Privilege Escalation Defense Evasion
T1134

Account added and removed from privileged groups

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

Account Created and Deleted in Short Timeframe

Azure Active Directory
Initial Access
T1078

Account created from non-approved sources

Azure Active Directory
Persistence
T1136

Account created or deleted by non-approved user

Azure Active Directory
Initial Access
T1078

Account Creation

Microsoft Threat Protection
Persistence
T1136

Account Elevated to New Role

Azure Active Directory
Persistence
T1078

AD account with Dont Expire Password

Security Events Windows Forwarded Events Windows Security Events
Persistence
T1098

AD FS Abnormal EKU object identifier attribute

Security Events
Credential Access
T1552

AD FS Remote Auth Sync Connection

Security Events Windows Security Events
Collection
T1005

AD FS Remote HTTP Network Connection

Security Events Windows Security Events
Collection
T1005

AD user enabled and password not set within 48 hours

Security Events Windows Security Events
Persistence
T1098

Addition of a Temporary Access Pass to a Privileged Account

Azure Active Directory Behavior Analytics
Persistence
T1078

ADFS Database Named Pipe Connection

Security Events Windows Security Events
Collection
T1005

ADFS DKM Master Key Export

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

Admin password not updated in 30 days

Authomize
Initial Access
T1078

Admin promotion after Role Management Application Permission Grant

Azure Active Directory
Privilege Escalation Persistence
T1098 T1078

Admin SaaS account detected

Authomize
Initial Access Privilege Escalation
T1078

AdminSDHolder Modifications

Security Events
Persistence
T1078

AFD WAF - Code Injection

Waf
Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

AFD WAF - Path Traversal Attack

Waf
Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Affected rows stateful anomaly on database

Azure SQL
Impact
T1485 T1565 T1491

Alsid Active Directory attacks pathways

Alsid for Ad
Credential Access
T1110

Alsid DCShadow

Alsid for Ad
Defense Evasion
T1207

Alsid DCSync

Alsid for Ad
Credential Access
T1003

Alsid Golden Ticket

Alsid for Ad
Credential Access
T1558

Alsid Indicators of Attack

Alsid for Ad
Credential Access
T1110

Alsid Indicators of Exposures

Alsid for Ad
Credential Access
T1110

Alsid LSASS Memory

Alsid for Ad
Credential Access
T1003

Alsid Password Guessing

Alsid for Ad
Credential Access
T1110

Alsid Password issues

Alsid for Ad
Credential Access
T1110

Alsid Password Spraying

Alsid for Ad
Credential Access
T1110

Alsid privileged accounts issues

Alsid for Ad
Credential Access
T1110

Alsid user accounts issues

Alsid for Ad
Credential Access
T1110

Anomalous login followed by Teams action

Azure Active Directory Office365
Initial Access Persistence
T1199 T1136 T1078 T1098

Anomalous Single Factor Signin

Azure Active Directory
Initial Access
T1078

Anomalous User Agent connection attempt

Azure Monitor( Iis)
Initial Access
T1190

Anomaly found in Network Session Traffic ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Command and Control Discovery Exfiltration Lateral Movement
T1095 T1071 T1046 T1030 T1210

Anomaly Sign In Event from an IP

Azure Active Directory
Initial Access
T1078

Apache - Apache 2449 flaw CVE-2021-41773

Apache HTTP Server Custom Logs Ama
Initial Access Lateral Movement
T1190 T1133 T1210

Apache - Command in URI

Apache HTTP Server Custom Logs Ama
Initial Access
T1190 T1133

Apache - Known malicious user agent

Apache HTTP Server Custom Logs Ama
Initial Access
T1190 T1133

Apache - Multiple client errors from single IP

Apache HTTP Server Custom Logs Ama
Initial Access
T1190 T1133

Apache - Multiple server errors from single IP

Apache HTTP Server Custom Logs Ama
Impact Initial Access
T1498 T1190 T1133

Apache - Private IP in URL

Apache HTTP Server Custom Logs Ama
Initial Access
T1190 T1133

Apache - Put suspicious file

Apache HTTP Server Custom Logs Ama
Initial Access Exfiltration
T1190 T1133 T1048

Apache - Request from private IP

Apache HTTP Server Custom Logs Ama
Impact Initial Access
T1498 T1190 T1133

Apache - Request to sensitive files

Apache HTTP Server Custom Logs Ama
Initial Access
T1189

Apache - Requests to rare files

Apache HTTP Server Custom Logs Ama
Initial Access
T1190 T1133

ApexOne - Attack Discovery Detection

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Initial Access
T1190

ApexOne - CC callback events

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Command and Control
T1071

ApexOne - Commands in Url

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Initial Access
T1190 T1133

ApexOne - Device access permissions was changed

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Privilege Escalation
T1078

ApexOne - Inbound remote access connection

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Lateral Movement
T1021

ApexOne - Multiple deny or terminate actions on single IP

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Initial Access
T1190

ApexOne - Possible exploit or execute operation

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Privilege Escalation Persistence
T1546

ApexOne - Spyware with failed response

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Initial Access
T1190

ApexOne - Suspicious commandline arguments

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Execution
T1059

ApexOne - Suspicious connections

Cef Ama Trend Micro Apex One Trend Micro Apex One Ama
Command and Control
T1102

API - Account Takeover

42 Crunch API Protection
Credential Access Discovery
T1110 T1087

API - Anomaly Detection

42 Crunch API Protection
Reconnaissance
T1593 T1589

API - API Scraping

42 Crunch API Protection
Reconnaissance Collection
T1593 T1119

API - BOLA

42 Crunch API Protection
Exfiltration
T1020

API - Invalid host access

42 Crunch API Protection
Reconnaissance
T1592

API - JWT validation

42 Crunch API Protection
Initial Access Credential Access
T1190 T1528

API - Kiterunner detection

42 Crunch API Protection
Reconnaissance Discovery
T1595 T1580 T1083

API - Password Cracking

42 Crunch API Protection
Credential Access
T1110 T1555 T1187

API - Rate limiting

42 Crunch API Protection
Impact
T1499

API - Rate limiting

42 Crunch API Protection
Discovery Initial Access
T1087 T1190

API - Suspicious Login

42 Crunch API Protection
Credential Access Initial Access
T1110 T1190

App Gateway WAF - Scanner Detection

Waf
Defense Evasion Execution Initial Access Reconnaissance Discovery
T1548 T1203 T1190 T1595 T1046

App Gateway WAF - SQLi Detection

Waf
Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

App Gateway WAF - XSS Detection

Waf
Initial Access Execution
T1189 T1203 T0853

App GW WAF - Code Injection

Waf
Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

App GW WAF - Path Traversal Attack

Waf
Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Application Gateway WAF - SQLi Detection

Waf
Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Application Gateway WAF - XSS Detection

Waf
Initial Access Execution
T1189 T1203 T0853

Application ID URI Changed

Azure Active Directory
Persistence Privilege Escalation
T1078

Application Redirect URL Update

Azure Active Directory
Persistence Privilege Escalation
T1078

Aqua Blizzard AV hits - Feb 2022

Microsoft Defender Advanced Threat Protection
Persistence
T1137

ARGOS Cloud Security - Exploitable Cloud Resources

Argoscloud Security
Initial Access
T1190

ASR Bypassing Writing Executable Content

Microsoft Threat Protection
Defense Evasion
T1211

Atlassian Beacon Alert

Atlassian Beacon Alerts

Attempt to bypass conditional access rule in Microsoft Entra ID

Azure Active Directory
Initial Access Persistence
T1078 T1098

Attempts to sign in to disabled accounts

Azure Active Directory
Initial Access
T1078

Audit policy manipulation using auditpol utility

Microsoft Threat Protection Security Events
Execution
T1204

Authentication Attempt from New Country

Azure Active Directory
Initial Access
T1078

Authentication Method Changed for Privileged Account

Azure Active Directory Behavior Analytics
Persistence
T1098

Authentication Methods Changed for Privileged Account

Azure Active Directory Behavior Analytics
Persistence
T1098

Authentications of Privileged Accounts Outside of Expected Controls

Azure Active Directory Behavior Analytics
Initial Access
T1078

Auto Generated Page

Cbspolling ID Azure Functions
Initial Access
T1566

AV detections related to Dev-0530 actors

Microsoft Threat Protection
Impact
T1486

AV detections related to Europium actors

Microsoft Threat Protection
Impact
T1486

AV detections related to Hive Ransomware

Microsoft Threat Protection
Impact
T1486

AV detections related to SpringShell Vulnerability

Microsoft Threat Protection
Initial Access
T1190

AV detections related to Tarrask malware

Microsoft Threat Protection
Persistence
T1053

AV detections related to Ukraine threats

Microsoft Threat Protection
Impact
T1485

AV detections related to Zinc actors

Microsoft Threat Protection
Impact
T1486

AWS Config Service Resource Deletion Attempts

Aws Awss3
Defense Evasion
T1562 T1562

AWS role with admin privileges

Authomize
Initial Access
T1078

AWS role with shadow admin privileges

Authomize
Initial Access
T1078

Azure DevOps Pipeline modified by a new user

Execution Defense Evasion
T1578 T1569

Azure DevOps Retention Reduced

Defense Evasion
T1564

Azure DevOps Service Connection Abuse

Persistence Impact
T1098 T1496

Azure Diagnostic settings removed from a resource

Azure Activity
Defense Evasion
T1562

Azure Key Vault access TimeSeries anomaly

Azure Key Vault
Credential Access
T1003

Azure Portal sign in from another Azure Tenant

Azure Active Directory
Initial Access
T1199

Azure secure score admin MFA

Senserva Pro
Impact
T1529 T1498

Azure secure score block legacy authentication

Senserva Pro
Credential Access
T1212 T1556

Azure secure score MFA registration V2

Senserva Pro
Credential Access
T1056

Azure secure score one admin

Senserva Pro
Impact
T1529

Azure secure score PW age policy new

Senserva Pro
Credential Access
T1555 T1606 T1040

Azure secure score role overlap

Senserva Pro
Impact
T1529

Azure VM Run Command operation executed during suspicious login window

Azure Activity Behavior Analytics
Lateral Movement Credential Access
T1570 T1212

Azure VM Run Command operations executing a unique PowerShell script

Azure Activity Microsoft Threat Protection
Lateral Movement Execution
T1570 T1059

Base64 encoded Windows process command-lines

Security Events Windows Forwarded Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

Bitglass - Impossible travel distance

Bitglass
Initial Access
T1078

Bitglass - Login from new device

Bitglass
Initial Access
T1078

Bitglass - Multiple failed logins

Bitglass
Credential Access
T1110

Bitglass - New admin user

Bitglass
Privilege Escalation
T1078

Bitglass - New risky user

Bitglass
Initial Access
T1078

Bitglass - Suspicious file uploads

Bitglass
Exfiltration
T1567

Bitsadmin Activity

Microsoft Threat Protection
Persistence Command and Control Exfiltration
T1197 T1105 T1048

BitSight - diligence risk category detected

Bit Sight
Execution Reconnaissance

BitSight - drop in company ratings

Bit Sight
Reconnaissance Command and Control

BitSight - drop in the headline rating

Bit Sight
Reconnaissance Command and Control

BitSight - new alert found

Bit Sight
Impact Initial Access
T1491 T1190

BitSight - new breach found

Bit Sight
Impact Initial Access
T1491 T1190

Box - Abmormal user activity

Box Data Connector
Collection
T1530

Box - Executable file in folder

Box Data Connector
Initial Access
T1189

Box - File containing sensitive data

Box Data Connector
Exfiltration
T1048

Box - Forbidden file type downloaded

Box Data Connector
Initial Access
T1189

Box - Inactive user login

Box Data Connector
Initial Access
T1078

Box - Item shared to external entity

Box Data Connector
Exfiltration
T1537

Box - Many items deleted by user

Box Data Connector
Impact
T1485

Box - New external user

Box Data Connector
Initial Access Persistence
T1078

Box - User logged in as admin

Box Data Connector
Privilege Escalation
T1078

Box - User role changed to owner

Box Data Connector
Privilege Escalation
T1078

Brand Abuse

Cbspolling ID Azure Functions
Resource Development Initial Access
T1583 T1566

Brand Impersonation - HIGH

Cbspolling ID Azure Functions
Resource Development Initial Access
T1583 T1566

Brand Impersonation - INFO

Cbspolling ID Azure Functions
Resource Development Initial Access
T1583 T1566

Brute force attack against a Cloud PC

Azure Active Directory
Credential Access
T1110

Brute force attack against Azure Portal

Azure Active Directory
Credential Access
T1110

Brute Force Attack against GitHub Account

Azure Active Directory
Credential Access
T1110

Brute force attack against user credentials

Salesforce Service Cloud
Credential Access
T1110

Bulk Changes to Privileged Account Permissions

Azure Active Directory
Privilege Escalation
T1078

C2-NamedPipe

Microsoft Threat Protection
Command and Control
T1105

Caramel Tsunami Actor IOC - July 2021

Windows Forwarded Events
Persistence
T1546

Certified Pre-Owned - backup of CA private key - rule 1

Security Events Windows Security Events
Defense Evasion
T1036

Certified Pre-Owned - backup of CA private key - rule 2

Security Events Windows Security Events
Defense Evasion
T1036

Certified Pre-Owned - TGTs requested with certificate authentication

Security Events Windows Security Events
Defense Evasion
T1036

Changes made to AWS CloudTrail logs

Aws Awss3
Defense Evasion
T1070

Changes to Amazon VPC settings

Aws Awss3
Privilege Escalation Lateral Movement
T1078 T1563

Changes to Application Logout URL

Azure Active Directory
Persistence Privilege Escalation
T1078

Changes to Application Ownership

Azure Active Directory
Persistence Privilege Escalation
T1078

Changes to PIM Settings

Azure Active Directory
Privilege Escalation
T1078

Chia_Crypto_Mining IOC - June 2021

Windows Forwarded Events
Impact
T1496

Cisco - firewall block but success logon to Microsoft Entra ID

Azure Active Directory Cisco Asa
Initial Access
T1078

Cisco ASA - average attack detection rate increase

Cisco Asa
Discovery Impact
T1046 T1498

Cisco ASA - threat detection message fired

Cisco Asa
Discovery Impact
T1046 T1498

Cisco Duo - AD sync failed

Cisco Duo Security
Impact
T1489

Cisco Duo - Admin password reset

Cisco Duo Security
Persistence
T1078

Cisco Duo - Admin user created

Cisco Duo Security
Persistence Privilege Escalation
T1078

Cisco Duo - Admin user deleted

Cisco Duo Security
Impact
T1531

Cisco Duo - Authentication device new location

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Multiple admin 2FA failures

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Multiple user login failures

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Multiple users deleted

Cisco Duo Security
Impact
T1531

Cisco Duo - New access device

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Unexpected authentication factor

Cisco Duo Security
Initial Access
T1078

Cisco SDWAN - Intrusion Events

Cisco Sdwan
Initial Access
T1190 T1189

Cisco SDWAN - IPS Event Threshold

Cisco Sdwan
Initial Access
T1190 T1189

Cisco SDWAN - Maleware Events

Cisco Sdwan
Resource Development
T1587

Cisco SDWAN - Monitor Critical IPs

Cisco Sdwan
Command and Control
T1071

Cisco SE - Connection to known C2 server

Cisco Secure Endpoint
Command and Control
T1071

Cisco SE - Dropper activity on host

Cisco Secure Endpoint
Execution
T1204

Cisco SE - Generic IOC

Cisco Secure Endpoint
Execution
T1204

Cisco SE - Malware execusion on host

Cisco Secure Endpoint
Execution
T1204

Cisco SE - Malware outbreak

Cisco Secure Endpoint
Initial Access
T1190 T1133

Cisco SE - Multiple malware on host

Cisco Secure Endpoint
Initial Access
T1190 T1133

Cisco SE - Policy update failure

Cisco Secure Endpoint
Defense Evasion
T1562

Cisco SE - Possible webshell

Cisco Secure Endpoint
Command and Control
T1102

Cisco SE - Ransomware Activity

Cisco Secure Endpoint
Impact
T1486

Cisco SE - Unexpected binary file

Cisco Secure Endpoint
Initial Access
T1190 T1133

Cisco SE High Events Last Hour

Cisco Secure Endpoint
Execution Initial Access
T1204 T1190

Cisco SEG - DLP policy violation

Cef Ama Cisco Seg Cisco Segama
Exfiltration
T1030

Cisco SEG - Malicious attachment not blocked

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Multiple large emails sent to external recipient

Cef Ama Cisco Seg Cisco Segama
Exfiltration
T1030

Cisco SEG - Multiple suspiciuos attachments received

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Possible outbreak

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Potential phishing link

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Suspicious link

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Suspicious sender domain

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Unexpected attachment

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Unexpected link

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco SEG - Unscannable attacment

Cef Ama Cisco Seg Cisco Segama
Initial Access
T1566

Cisco Umbrella - Connection to non-corporate private network

Cisco Umbrella Data Connector
Command and Control Exfiltration

Cisco Umbrella - Connection to Unpopular Website Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Crypto Miner User-Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Empty User Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Hack Tool User-Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Rare User Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Request Allowed to harmfulmalicious URI category

Cisco Umbrella Data Connector
Command and Control Initial Access

Cisco Umbrella - Request to blocklisted file type

Cisco Umbrella Data Connector
Initial Access

Cisco Umbrella - URI contains IP address

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Windows PowerShell User-Agent Detected

Cisco Umbrella Data Connector
Command and Control Defense Evasion

Cisco WSA - Access to unwanted site

Cisco Wsa Syslog Ama
Initial Access
T1566

Cisco WSA - Internet access from public IP

Cisco Wsa Syslog Ama
Initial Access
T1189

Cisco WSA - Multiple attempts to download unwanted file

Cisco Wsa Syslog Ama
Initial Access
T1189

Cisco WSA - Multiple errors to resource from risky category

Cisco Wsa Syslog Ama
Initial Access Command and Control
T1189 T1102

Cisco WSA - Multiple errors to URL

Cisco Wsa Syslog Ama
Command and Control
T1102

Cisco WSA - Multiple infected files

Cisco Wsa Syslog Ama
Initial Access
T1189

Cisco WSA - Suspected protocol abuse

Cisco Wsa Syslog Ama
Exfiltration
T1048

Cisco WSA - Unexpected file type

Cisco Wsa Syslog Ama
Initial Access
T1189

Cisco WSA - Unexpected uploads

Cisco Wsa Syslog Ama
Exfiltration
T1567

Cisco WSA - Unexpected URL

Cisco Wsa Syslog Ama
Command and Control
T1102

Cisco WSA - Unscannable file or scan error

Cisco Wsa Syslog Ama
Initial Access
T1189

CiscoISE - Command executed with the highest privileges from new IP

Cisco Ise Syslog Ama
Initial Access Persistence Privilege Escalation Defense Evasion Execution
T1133 T1548 T1059

CiscoISE - Attempt to delete local store logs

Cisco Ise Syslog Ama
Defense Evasion
T1070

CiscoISE - Backup failed

Cisco Ise Syslog Ama
Impact
T1490

CiscoISE - Certificate has expired

Cisco Ise Syslog Ama
Credential Access
T1552

CiscoISE - Command executed with the highest privileges by new user

Cisco Ise Syslog Ama
Initial Access Persistence Privilege Escalation Defense Evasion Execution
T1133 T1548 T1059

CiscoISE - Device changed IP in last 24 hours

Cisco Ise Syslog Ama
Command and Control
T1568

CiscoISE - Device PostureStatus changed to non-compliant

Cisco Ise Syslog Ama
Privilege Escalation Persistence
T1098

CiscoISE - ISE administrator password has been reset

Cisco Ise Syslog Ama
Persistence Privilege Escalation
T1098

CiscoISE - Log collector was suspended

Cisco Ise Syslog Ama
Defense Evasion
T1562

CiscoISE - Log files deleted

Cisco Ise Syslog Ama
Defense Evasion
T1070

Claroty - Asset Down

Cef Ama Claroty Claroty Ama
Impact
T1529

Claroty - Critical baseline deviation

Cef Ama Claroty Claroty Ama
Impact
T1529

Claroty - Login to uncommon location

Cef Ama Claroty Claroty Ama
Initial Access
T1190 T1133

Claroty - Multiple failed logins by user

Cef Ama Claroty Claroty Ama
Initial Access
T1190 T1133

Claroty - Multiple failed logins to same destinations

Cef Ama Claroty Claroty Ama
Initial Access
T1190 T1133

Claroty - New Asset

Cef Ama Claroty Claroty Ama
Initial Access
T1190 T1133

Claroty - Policy violation

Cef Ama Claroty Claroty Ama
Discovery
T1018

Claroty - Suspicious activity

Cef Ama Claroty Claroty Ama
Discovery
T1018

Claroty - Suspicious file transfer

Cef Ama Claroty Claroty Ama
Discovery
T1018

Claroty - Treat detected

Cef Ama Claroty Claroty Ama
Discovery
T1018

Clearing of forensic evidence from event logs using wevtutil

Microsoft Threat Protection
Defense Evasion
T1070

ClientDeniedAccess

Symantec Vip Syslog Ama
Credential Access
T1110

Cloudflare - Bad client IP

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Client request from country in blocklist

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Empty user agent

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Multiple error requests from single source

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Multiple user agents for single source

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Unexpected client request

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Unexpected POST requests

Cloudflare Data Connector
Persistence Command and Control
T1505 T1071

Cloudflare - Unexpected URI

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - WAF Allowed threat

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - XSS probing pattern in request

Cloudflare Data Connector
Initial Access
T1190 T1133

Code Repository

Cbspolling ID Azure Functions
Initial Access
T1195

Cognni Incidents for Highly Sensitive Business Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive Financial Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive Governance Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive HR Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive Legal Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Business Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Financial Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Governance Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity HR Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Legal Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Business Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Financial Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Governance Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity HR Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Legal Information

Cognni Sentinel Data Connector
Collection
T1530

COM Event System Loading New DLL

Security Events
Privilege Escalation
T1543

COM Registry Key Modified to Point to File in Color Profile Folder

Microsoft Threat Protection Security Events
Persistence
T1574

CommvaultSecurityIQ Alert

Defense Evasion Impact
T1578 T1531

Component Object Model Hijacking - Vault7 trick

Microsoft Threat Protection
Persistence Privilege Escalation
T1546

Compromised Cards

Cbspolling ID Azure Functions
Reconnaissance
T1589

Conditional Access Policy Modified by New User

Azure Active Directory
Defense Evasion
T1078

Contrast Blocks

Cef Ama Contrast Protect Contrast Protect Ama
Initial Access Exfiltration
T1566

Contrast Exploits

Cef Ama Contrast Protect Contrast Protect Ama
Initial Access Exfiltration
T1566

Contrast Probes

Cef Ama Contrast Protect Contrast Protect Ama
Initial Access Exfiltration
T1566

Contrast Suspicious

Cef Ama Contrast Protect Contrast Protect Ama
Initial Access Exfiltration
T1566

Cookies HttpOnly Flag Not Used

Hvpolling ID Azure Functions
Credential Access
T1606

Cookies SameSite Flag Not Used

Hvpolling ID Azure Functions
Initial Access
T1190 T1566

Cookies Secure Flag Not Used

Hvpolling ID Azure Functions
Credential Access
T1539

Corelight - External Proxy Detected

Corelight
Defense Evasion Command and Control
T1090

Corelight - Forced External Outbound SMB

Corelight
Credential Access
T1187

Corelight - Possible Webshell

Corelight
Persistence
T1505

Correlate Unfamiliar sign-in properties atypical travel alerts

Azure Active Directory Identity Protection Behavior Analytics
Initial Access
T1078

Creation of expensive computes in Azure

Azure Activity
Defense Evasion
T1578

Credential added after admin consented to Application

Azure Active Directory
Credential Access Persistence Privilege Escalation
T1555 T1098

Credential Dumping Tools - File Artifacts

Security Events Windows Security Events
Credential Access
T1003

Credential Dumping Tools - Service Installation

Security Events Windows Security Events
Credential Access
T1003

CreepyDrive request URL sequence

Check Point Fortinet Palo Alto Networks Zscaler
Exfiltration Command and Control
T1567 T1102

CreepyDrive URLs

Check Point Fortinet Palo Alto Networks Zscaler
Exfiltration Command and Control
T1567 T1102

Critical or High Severity Detections by User

Cef Ama Crowd Strike Falcon Endpoint Protection Crowd Strike Falcon Endpoint Protection Ama

Critical Risks

Cef Ama Ridge Bot Data Connector
Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Critical Severity Detection

Cef Ama Crowd Strike Falcon Endpoint Protection Crowd Strike Falcon Endpoint Protection Ama

Critical Threat Detected

Vmware Carbon Black
Lateral Movement
T1210

Cross-Cloud Password Spray detection

Aws Azure Active Directory Behavior Analytics Microsoft Threat Protection
Credential Access
T1110

Cross-Cloud Suspicious Compute resource creation in GCP

Awss3 Gcpaudit Logs Definition
Initial Access Execution Persistence Privilege Escalation Credential Access Discovery Lateral Movement
T1566 T1059 T1078 T1547 T1548 T1069 T1552

Cross-Cloud Suspicious user activity observed in GCP Envourment

Azure Active Directory Identity Protection Gcpaudit Logs Definition Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Microsoft Threat Protection
Initial Access Execution Persistence Privilege Escalation Credential Access Discovery
T1566 T1059 T1078 T1046 T1547 T1548 T1069 T1552

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login

Awss3 Azure Active Directory
Credential Access Initial Access
T1557 T1110 T1110 T1110 T1606 T1556 T1133

Cross-tenant Access Settings Organization Added

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Deleted

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

CyberArkEPM - Attack attempt not blocked

Cyber Ark Epm
Execution
T1204

CyberArkEPM - MSBuild usage as LOLBin

Cyber Ark Epm
Defense Evasion
T1127

CyberArkEPM - Multiple attack types

Cyber Ark Epm
Execution
T1204

CyberArkEPM - Process started from different locations

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Renamed Windows binary

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Uncommon process Internet access

Cyber Ark Epm
Execution Defense Evasion Command and Control
T1204 T1036 T1095

CyberArkEPM - Uncommon Windows process started from System folder

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable extension

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable location

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

Cynerio - Exploitation Attempt of IoT device

Cynerio Security Events
Lateral Movement
T0866

Cynerio - IoT - Default password

Cynerio Security Events
Credential Access
T1552

Cynerio - IoT - Weak password

Cynerio Security Events
Credential Access
T1552

Cynerio - Medical device scanning

Cynerio Security Events
Lateral Movement
T0866

Cynerio - Suspicious Connection to External Address

Cynerio Security Events
Lateral Movement
T0866

Darktrace AI Analyst

Darktrace Restconnector

Darktrace Model Breach

Darktrace Restconnector

Darktrace System Status

Darktrace Restconnector

Data Alert

Defense Evasion Impact
T1578 T1531

Dataminr - urgent alerts detected

Dataminr Pulse Alerts
Persistence
T1546

DCOM Lateral Movement

Microsoft Threat Protection
Lateral Movement
T1021

Decoy User Account Authentication Attempt

Security Events Windows Security Events
Lateral Movement
T1021

Deimos Component Execution

Microsoft Threat Protection
Execution Collection Exfiltration
T1059 T1005 T1020

Deletion of data on multiple drives using cipher exe

Microsoft Threat Protection
Impact
T1485

Denial of Service Microsoft Defender for IoT

Io T
Inhibit Response Function
T0814

Detect Abnormal Deny Rate for Source to Destination IP

Azure Active Directory
Initial Access Exfiltration Command and Control

Detect AWS IAM Users

Authomize
Privilege Escalation
T1078

Detect Connections Outside Operational Hours

Azure Active Directory
Initial Access
T1078 T1133

Detect CoreBackUp Deletion Activity from related Security Alerts

Azure Security Center Microsoft Defender for Cloud Tenant Based
Impact
T1496

Detect IP Address Changes and Overlapping Sessions

Azure Active Directory
Initial Access
T1078 T1133

Detect known risky user agents ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect Malicious Usage of Recovery Tools to Delete Backup Files

Cisco Secure Endpoint Crowd Strike Falcon Endpoint Protection Microsoft Threat Protection Sentinel One Trend Micro Apex One Trend Micro Apex One Ama Vmware Carbon Black
Impact
T1490

Detect NET runtime being loaded in JScript for code execution

Microsoft Threat Protection
Execution
T1204

Detect PIM Alert Disabling activity

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

Detect port misuse by anomaly based detection ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Command and Control Lateral Movement Execution Initial Access
T1095 T1059 T1203 T1190

Detect port misuse by static threshold ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Command and Control Execution Initial Access
T1095 T1059 T1203 T1190

Detect potential file enumeration activity ASIM Web Session

Discovery Command and Control Credential Access
T1083 T1071 T1110

Detect Potential Kerberoast Activities

Microsoft Threat Protection
Credential Access
T1558

Detect potential presence of a malicious file with a double extension ASIM Web Session

Defense Evasion Persistence Command and Control
T1036 T1505 T1071

Detect presence of private IP addresses in URLs ASIM Web Session

Exfiltration Command and Control
T1041 T1071 T1001

Detect Print Processors Registry Driver Key CreationModification

Cisco Secure Endpoint Crowd Strike Falcon Endpoint Protection Microsoft Threat Protection Sentinel One Trend Micro Apex One Trend Micro Apex One Ama Vmware Carbon Black
Persistence Privilege Escalation
T1547

Detect Protocol Changes for Destination Ports

Azure Active Directory
Defense Evasion Exfiltration Command and Control

Detect Registry Run Key CreationModification

Cisco Secure Endpoint Crowd Strike Falcon Endpoint Protection Microsoft Threat Protection Sentinel One Trend Micro Apex One Trend Micro Apex One Ama Vmware Carbon Black
Persistence Privilege Escalation Defense Evasion
T1547 T1112

Detect Source IP Scanning Multiple Open Ports

Azure Active Directory
Discovery
T1046

Detect Suspicious Commands Initiated by Webserver Processes

Microsoft Threat Protection
Execution Defense Evasion Discovery
T1059 T1574 T1087 T1082

Detect URLs containing known malicious keywords or commands ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect web requests to potentially harmful files ASIM Web Session

Initial Access Persistence Execution
T1133 T1203 T1566

Detect Windows Allow Firewall Rule AdditionModification

Cisco Secure Endpoint Crowd Strike Falcon Endpoint Protection Microsoft Threat Protection Sentinel One Trend Micro Apex One Trend Micro Apex One Ama Vmware Carbon Black
Defense Evasion
T1562

Detect Windows Update Disabled from Registry

Cisco Secure Endpoint Crowd Strike Falcon Endpoint Protection Microsoft Threat Protection Sentinel One Trend Micro Apex One Trend Micro Apex One Ama Vmware Carbon Black
Defense Evasion
T1562

Detecting Impossible travel with mailbox permission tampering Privilege Escalation attempt

Azure Active Directory Azure Activity Azure Security Center Office365
Initial Access Privilege Escalation
T1078 T1548

Detecting Macro Invoking ShellBrowserWindow COM Objects

Security Events Windows Security Events
Lateral Movement
T1021

Detecting UAC bypass - elevated COM interface

Microsoft Threat Protection
Impact
T1490

Detecting UAC bypass - modify Windows Store settings

Microsoft Threat Protection
Impact
T1490

Detection of Malicious URLs in Syslog Events

Syslog Syslog Ama
Lateral Movement Execution
T1072

Detection of Malware C2 Domains in DNS Events

Asim DNS Activity Logs DNS
Command and Control
T1071

Detection of Malware C2 Domains in Syslog Events

Syslog Syslog Ama
Command and Control
T1071

Detection of Malware C2 IPs in Azure Act Events

Azure Activity
Command and Control
T1071

Detection of Malware C2 IPs in DNS Events

Asim DNS Activity Logs DNS
Command and Control
T1071

Detection of Specific Hashes in CommonSecurityLog

Cef Cef Ama
Resource Development
T1587

Dev-0228 File Path Hashes November 2021

Microsoft Defender Advanced Threat Protection Microsoft Threat Protection
Credential Access Execution
T1569 T1003

Dev-0228 File Path Hashes November 2021 ASIM Version

Credential Access Execution
T1569 T1003

Dev-0270 Malicious Powershell usage

Microsoft Threat Protection Security Events Windows Security Events
Exfiltration Defense Evasion
T1048 T1562

DEV-0270 New User Creation

Microsoft Threat Protection Security Events Windows Security Events
Persistence
T1098

Dev-0270 Registry IOC - September 2022

Microsoft Threat Protection Security Events Windows Security Events
Impact
T1486

Dev-0270 WMIC Discovery

Microsoft Threat Protection Security Events Windows Security Events
Discovery
T1482

Dev-0530 File Extension Rename

Microsoft Threat Protection
Impact
T1486

Device Registration from Malicious IP

Okta Sso Okta Ssov2
Persistence
T1098

Digital Guardian - Bulk exfiltration to external domain

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Exfiltration to external domain

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Exfiltration to online fileshare

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Exfiltration to private email

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Exfiltration using DNS protocol

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Incident with not blocked action

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Multiple incidents from user

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Possible SMTP protocol abuse

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Sensitive data transfer over insecure channel

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Digital Guardian - Unexpected protocol

Digital Guardian Dlp Syslog Ama
Exfiltration
T1048

Disable or Modify Windows Defender

Microsoft Threat Protection
Defense Evasion
T1562

Disabling Security Services via Registry

Microsoft Threat Protection
Defense Evasion
T1562

Discord CDN Risky File Download

Cef Ama Zscaler Zscaler Ama
Command and Control
T1071

Discord CDN Risky File Download ASIM Web Session Schema

Squid Proxy Zscaler
Command and Control
T1071

Disks Alerts From Prancer

Prancer Log Data
Reconnaissance
T1595

Distributed Password cracking attempts in Microsoft Entra ID

Azure Active Directory
Credential Access
T1110

DMARC Not Configured

Hvpolling ID Azure Functions
Collection
T1114

DNS events related to mining pools ASIM DNS Schema

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Windows Forwarded Events Zscaler
Impact
T1496

DNS events related to ToR proxies ASIM DNS Schema

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Zscaler
Exfiltration
T1048

Domain Infringement

Cbspolling ID Azure Functions
Reconnaissance Initial Access
T1590 T1566

Doppelpaymer Stop Services

Microsoft Threat Protection
Execution Defense Evasion
T1059 T1562

DopplePaymer Procdump

Microsoft Threat Protection
Credential Access
T1003

Drop attempts stateful anomaly on database

Azure SQL
Initial Access
T1190

DSRM Account Abuse

Security Events
Persistence
T1098

Dumping LSASS Process Into a File

Security Events Windows Security Events
Credential Access
T1003

Dynatrace - Problem detection

Dynatrace Problems
Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Attack detection

Dynatrace Attacks
Execution Impact Initial Access Privilege Escalation
T1059 T1565 T1190 T1068

Dynatrace Application Security - Code-Level runtime vulnerability detection

Dynatrace Runtime Vulnerabilities
Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Non-critical runtime vulnerability detection

Dynatrace Runtime Vulnerabilities
Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Third-Party runtime vulnerability detection

Dynatrace Runtime Vulnerabilities
Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

EatonForeseer - Unauthorized Logins

Windows Security Events
Initial Access
T1078

Egress Defend - Dangerous Attachment Detected

Egress Defend
Execution Initial Access Persistence Privilege Escalation
T1204 T0853 T0863 T1566 T1546

Egress Defend - Dangerous Link Click

Egress Defend
Execution
T1204 T0853

Email access via active sync

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Privilege Escalation
T1068 T1078

Employee account deleted

Last Pass
Impact
T1485

Empty group with entitlements

Authomize
Privilege Escalation Persistence
T1098

End-user consent stopped due to risk-based consent

Azure Active Directory
Persistence Privilege Escalation
T1078

Europium - Hash and IP IOCs - September 2022

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Windows Firewall
Command and Control Credential Access
T1071 T1003

Excessive Blocked Traffic Events Generated by User

Symantec Endpoint Protection Syslog Ama
Exfiltration Command and Control Lateral Movement
T1041 T1132 T1001 T1021

Excessive Denied Proxy Traffic

Symantec Proxy Sg Syslog Ama
Defense Evasion Command and Control
T1090 T1562

Excessive Failed Authentication from Invalid Inputs

Symantec Vip Syslog Ama
Credential Access
T1110

Excessive number of failed connections from a single source ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Impact
T1499

Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Squid Proxy Zscaler
Persistence Credential Access
T1110 T1556

Excessive NXDOMAIN DNS Queries

Infoblox Nios Syslog Ama
Command and Control
T1568 T1008

Excessive NXDOMAIN DNS Queries ASIM DNS Schema

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Zscaler
Command and Control
T1568 T1008

Excessive share permissions

Security Events Windows Security Events
Collection Discovery
T1039 T1135

Excessive Windows Logon Failures

Security Events Windows Security Events
Credential Access
T1110

Exchange AuditLog Disabled

Office365
Defense Evasion
T1562

Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Security Events Windows Security Events
Initial Access
T1190

Exchange SSRF Autodiscover ProxyShell - Detection

Azure Monitor( Iis)
Initial Access
T1190

Exchange Worker Process Making Remote Call

Azure Monitor( Iis) Microsoft Threat Protection
Execution
T1059 T1059

Executive Impersonation

Cbspolling ID Azure Functions
Initial Access
T1566

Exes with double file extension and access summary

Azure Active Directory
Defense Evasion
T1036

Expired access credentials being used in Azure

Azure Active Directory
Credential Access
T1528

Exposed Admin Login Page

Hvpolling ID Azure Functions
Initial Access
T1190

Exposed Email Address

Cbspolling ID Azure Functions
Resource Development
T1586

Exposed User List

Hvpolling ID Azure Functions
Resource Development
T1586

External guest invitation followed by Microsoft Entra ID PowerShell signin

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

External User Access Enabled

Credential Access Persistence
T1098 T1556

External User Added and Removed in a Short Timeframe

Azure Active Directory
Persistence
T1136

Failed AWS Console logons but success logon to AzureAD

Aws Azure Active Directory
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to AWS Console

Aws Azure Active Directory
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to host

Azure Active Directory Security Events Syslog Windows Forwarded Events Windows Security Events
Initial Access Credential Access
T1078 T1110

Failed host logons but success logon to AzureAD

Azure Active Directory Security Events Syslog Windows Forwarded Events Windows Security Events
Initial Access Credential Access
T1078 T1110

Failed login attempts to Azure Portal

Azure Active Directory
Credential Access
T1110

Failed Logins from Unknown or Invalid User

Okta Sso Okta Ssov2
Credential Access
T1110

Failed logon attempts by valid accounts within 10 mins

Security Events Windows Forwarded Events Windows Security Events
Credential Access
T1110

Failed logon attempts in authpriv

Syslog Syslog Ama
Credential Access
T1110

Failed sign-ins into LastPass due to MFA

Azure Active Directory Last Pass
Initial Access
T1078 T1190

Fake computer account created

Security Events
Defense Evasion
T1564

Files Copied to USB Drives

Microsoft Threat Protection
Exfiltration
T1041

Flare Cloud bucket result

Flare
Reconnaissance
T1593

Flare Darkweb result

Flare
Reconnaissance
T1597

Flare Google Dork result found

Flare
Reconnaissance
T1593

Flare Host result

Flare
Reconnaissance
T1596

Flare Infected Device

Flare
Credential Access
T1555

Flare Leaked Credentials

Flare
Credential Access
T1110

Flare Paste result

Flare
Reconnaissance
T1593

Flare Source Code found

Flare
Reconnaissance
T1593

Flare SSL Certificate result

Flare
Resource Development
T1583

Flow Logs Alerts for Prancer

Prancer Log Data
Reconnaissance
T1595

Fortinet - Beacon pattern detected

Fortinet
Command and Control
T1071 T1571

Fortiweb - WAF Allowed threat

Fortinet Forti Web Ama Forti Web
Initial Access
T1190 T1133

Front Door Premium WAF - SQLi Detection

Waf
Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Front Door Premium WAF - XSS Detection

Waf
Initial Access Execution
T1189 T1203 T0853

Full Admin policy created and then attached to Roles Users or Groups

Aws Awss3
Privilege Escalation Defense Evasion
T1484

full_access_as_app Granted To Application

Azure Active Directory
Defense Evasion
T1550

Gain Code Execution on ADFS Server via Remote WMI Execution

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1210

Gain Code Execution on ADFS Server via SMB Remote Service or Scheduled Task

Security Events Windows Security Events
Lateral Movement
T1210

GCP IAM - Disable Data Access Logging

Gcpiamdata Connector
Defense Evasion
T1562

GCP IAM - Empty user agent

Gcpiamdata Connector
Defense Evasion
T1550

GCP IAM - High privileged role added to service account

Gcpiamdata Connector
Privilege Escalation
T1078

GCP IAM - New Authentication Token for Service Account

Gcpiamdata Connector
Lateral Movement
T1550

GCP IAM - New Service Account

Gcpiamdata Connector
Persistence
T1136

GCP IAM - New Service Account Key

Gcpiamdata Connector
Lateral Movement
T1550

GCP IAM - Privileges Enumeration

Gcpiamdata Connector
Discovery
T1069

GCP IAM - Publicly exposed storage bucket

Gcpiamdata Connector
Discovery
T1069

GCP IAM - Service Account Enumeration

Gcpiamdata Connector
Discovery
T1087

GCP IAM - Service Account Keys Enumeration

Gcpiamdata Connector
Discovery
T1069

GitHub Security Vulnerability in Repository

Initial Access Execution Privilege Escalation Defense Evasion Credential Access Lateral Movement
T1190 T1203 T1068 T1211 T1212 T1210

GitHub Signin Burst from Multiple Locations

Azure Active Directory
Credential Access
T1110

GitHub Two Factor Auth Disable

Defense Evasion
T1562

GitLab - Brute-force Attempts

Syslog
Credential Access
T1110

GitLab - Local Auth - No MFA

Syslog
Credential Access
T1110

GitLab - Repository visibility to Public

Syslog
Persistence Defense Evasion Credential Access
T1556

GitLab - SSO - Sign-Ins Burst

Azure Active Directory
Credential Access
T1110

GitLab - TI - Connection from Malicious IP

Syslog Threat Intelligence Threat Intelligence Taxii
Initial Access
T1078

GitLab - User Impersonation

Syslog
Persistence
T1078

Google DNS - CVE-2020-1350 SIGRED exploitation pattern

Gcpdnsdata Connector
Privilege Escalation
T1068

Google DNS - CVE-2021-34527 PrintNightmare external exploit

Gcpdnsdata Connector
Privilege Escalation
T1068

Google DNS - CVE-2021-40444 exploitation

Gcpdnsdata Connector
Privilege Escalation
T1068

Google DNS - Exchange online autodiscover abuse

Gcpdnsdata Connector
Initial Access Credential Access
T1566 T1187

Google DNS - IP check activity

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - Malicous Python packages

Gcpdnsdata Connector
Initial Access
T1195

Google DNS - Multiple errors for source

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - Multiple errors to same domain

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - Possible data exfiltration

Gcpdnsdata Connector
Exfiltration
T1567

Google DNS - Request to dynamic DNS service

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - UNC2452 Nobelium APT Group activity

Gcpdnsdata Connector
Command and Control
T1095

GreyNoise TI Map IP Entity to CommonSecurityLog

Cef Cef Ama Grey Noise2 Sentinel API Threat Intelligence
Command and Control
T1071

GreyNoise TI Map IP Entity to DnsEvents

Asim DNS Activity Logs DNS Grey Noise2 Sentinel API Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

GreyNoise TI map IP entity to Network Session Events ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Grey Noise2 Sentinel API Microsoft Defender Threat Intelligence Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Command and Control
T1071

GreyNoise TI map IP entity to OfficeActivity

Grey Noise2 Sentinel API Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

GreyNoise TI Map IP Entity to SigninLogs

Azure Active Directory Grey Noise2 Sentinel API Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

Group created then added to built in domain local or global group

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

GSA Enriched Office 365 - Accessed files shared by temporary external user

Azure Active Directory Office365
Initial Access
T1566

GSA Enriched Office 365 - Exchange AuditLog Disabled

Azure Active Directory Office365
Defense Evasion
T1562

GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule

Azure Active Directory Office365
Collection Exfiltration
T1114 T1020

GSA Enriched Office 365 - Malicious Inbox Rule

Azure Active Directory Office365
Persistence Defense Evasion
T1098 T1078

GSA Enriched Office 365 - Multiple Teams deleted by a single user

Azure Active Directory Office365
Impact
T1485 T1489

GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination

Azure Active Directory Office365
Collection Exfiltration
T1114 T1020

GSA Enriched Office 365 - New Executable via Office FileUploaded Operation

Azure Active Directory Office365
Command and Control Lateral Movement
T1105 T1570

GSA Enriched Office 365 - Office Mail Forwarding - Hunting Version

Azure Active Directory
Collection Exfiltration
T1114 T1020

GSA Enriched Office 365 - Office Policy Tampering

Azure Active Directory Office365
Persistence Defense Evasion
T1098 T1562

GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity

Azure Active Directory
Execution Persistence Collection
T1059 T1098 T1114

GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations

Azure Active Directory Office365
Persistence Collection
T1098 T1114

GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold

Azure Active Directory Office365
Exfiltration
T1020

GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold

Azure Active Directory Office365
Exfiltration
T1020

GSA Enriched Office 365 - User made Owner of multiple teams

Azure Active Directory
Privilege Escalation
T1078

Guest accounts added in Entra ID Groups other than the ones specified

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Guest Users Invited to Tenant by New Inviters

Azure Active Directory
Persistence
T1078

GWorkspace - Admin permissions granted

Google Workspace Reports API
Persistence
T1098

GWorkspace - Alert events

Google Workspace Reports API
Initial Access
T1190 T1133

GWorkspace - API Access Granted

Google Workspace Reports API
Defense Evasion Lateral Movement
T1550

GWorkspace - Multiple user agents for single source

Google Workspace Reports API
Persistence Collection
T1185 T1176

GWorkspace - Possible brute force attack

Google Workspace Reports API
Credential Access
T1110

GWorkspace - Possible maldoc file name in Google drive

Google Workspace Reports API
Initial Access
T1566

GWorkspace - Two-step authentification disabled for a user

Google Workspace Reports API
Credential Access
T1111

GWorkspace - Unexpected OS update

Google Workspace Reports API
Defense Evasion Persistence
T1036 T1554

GWorkspace - User access has been changed

Google Workspace Reports API
Persistence
T1098

Header Content Security Policy Missing

Hvpolling ID Azure Functions
Initial Access
T1190 T1566

Header HTTP Strict Transport Security Missing

Hvpolling ID Azure Functions
Credential Access Collection
T1557

Header Referrer-Policy Missing

Hvpolling ID Azure Functions
Credential Access Collection
T1557

Header Web Server Exposed

Hvpolling ID Azure Functions
Reconnaissance
T1592

Header X-Frame-Options Missing - Informational

Hvpolling ID Azure Functions
Initial Access
T1189

Header X-Frame-Options Missing - Low

Hvpolling ID Azure Functions
Initial Access
T1189

Header X-Frame-Options Missing - Medium

Hvpolling ID Azure Functions
Initial Access
T1189

Header X-XSS-Protection Missing

Hvpolling ID Azure Functions
Initial Access
T1189

High count of connections by client IP on many ports

Azure Monitor( Iis)
Initial Access
T1190

High count of failed attempts from same client IP

Azure Monitor( Iis)
Credential Access
T1110

High count of failed logons by a user

Azure Monitor( Iis)
Credential Access
T1110

High Number of Urgent Vulnerabilities Detected

Qualys Vulnerability Management
Initial Access
T1190

High risk Office operation conducted by IP Address that recently attempted to log into a disabled account

Azure Active Directory Office365
Initial Access Persistence Collection
T1078 T1098 T1114

High Urgency IONIX Action Items

Cyberpion Security Logs
Initial Access
T1190 T1195

High-Risk Admin Activity

Okta Sso Okta Ssov2
Persistence
T1098

High-Risk Cross-Cloud User Impersonation

Aws Azure Active Directory
Privilege Escalation
T1134 T1078 T1078

Highly Sensitive Password Accessed

Last Pass
Credential Access Discovery
T1555 T1087

Hijack Execution Flow - DLL Side-Loading

Microsoft Threat Protection
Persistence Privilege Escalation Defense Evasion
T1574

IaaS admin detected

Authomize
Initial Access
T1078

IaaS policy not attached to any identity

Authomize
Privilege Escalation Persistence
T1098

IaaS shadow admin detected

Authomize
Initial Access
T1078

Identify Mango Sandstorm powershell commands

Microsoft Threat Protection Security Events
Lateral Movement
T1570

Identify SysAid Server web shell creation

Microsoft Threat Protection Security Events Windows Security Events
Initial Access
T1190

IDP Alert

Defense Evasion Impact
T1578 T1531

Illumio Enforcement Change Analytic Rule

Illumio Saa Sdata Connector
Defense Evasion
T1562

Illumio Firewall Tampering Analytic Rule

Illumio Saa Sdata Connector
Defense Evasion
T1562

Illumio VEN Clone Detection Rule

Illumio Saa Sdata Connector
Defense Evasion
T1562

Illumio VEN Deactivated Detection Rule

Illumio Saa Sdata Connector
Defense Evasion
T1562

Illumio VEN Offline Detection Rule

Illumio Saa Sdata Connector
Defense Evasion
T1562

Illumio VEN Suspend Detection Rule

Illumio Saa Sdata Connector
Defense Evasion
T1562

Illusive Incidents Analytic Rule

Cef Ama Illusive Illusive Attack Management System Ama
Persistence Privilege Escalation Defense Evasion Credential Access Lateral Movement
T1078 T1098 T1548 T1021

Imminent Ransomware

Defense Evasion Persistence
T1562 T1547

Imperva - Abnormal protocol usage

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Critical severity event not blocked

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Forbidden HTTP request method in request

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Malicious Client

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Malicious user agent

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Multiple user agents from same source

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Possible command injection

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Request from unexpected countries

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Request from unexpected IP address to admin panel

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Request to unexpected destination port

Imperva Wafcloud API
Initial Access
T1190 T1133

Infoblox - Data Exfiltration Attack

Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama
Impact
T1498 T1565

Infoblox - High Threat Level Query Not Blocked Detected

Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama
Impact
T1498 T1565

Infoblox - Many High Threat Level Queries From Single Host Detected

Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama
Impact
T1498 T1565

Infoblox - Many High Threat Level Single Query Detected

Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama
Impact
T1498 T1565

Infoblox - Many NXDOMAIN DNS Responses Detected

Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama
Impact
T1498 T1565

Infoblox - SOC Insight Detected - API Source

Infoblox Socinsights Data Connector API
Impact
T1498 T1565

Infoblox - SOC Insight Detected - API Source

Infoblox Socinsights Data Connector API
Impact
T1498 T1565

Infoblox - SOC Insight Detected - CDC Source

Cef Ama Infoblox Socinsights Data Connector Ama Infoblox Socinsights Data Connector Legacy
Impact
T1498 T1565

Infoblox - SOC Insight Detected - CDC Source

Infoblox Socinsights Data Connector Ama Infoblox Socinsights Data Connector Legacy
Impact
T1498 T1565

Infoblox - TI - CommonSecurityLog Match Found - MalwareC2

Cef Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama Threat Intelligence
Impact
T1498 T1565

Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains

Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama Threat Intelligence
Impact
T1498 T1565

Infoblox - TI - Syslog Match Found - URL

Cef Ama Infoblox Cloud Data Connector Infoblox Cloud Data Connector Ama Syslog Threat Intelligence
Impact
T1498 T1565

Ingress Tool Transfer - Certutil

Microsoft Threat Protection
Command and Control Defense Evasion
T1105 T1564 T1027 T1140

Insider Risk_High User Security Alert Correlations

Azure Active Directory Identity Protection Azure Security Center Io T Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Office Atp
Execution
T1204

Insider Risk_High User Security Incidents Correlation

Azure Active Directory Identity Protection Azure Security Center Io T Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Office Atp
Execution
T1204

Insider Risk_Risky User Access By Application

Azure Active Directory
Execution
T1204

Insider Risk_Sensitive Data Access Outside Organizational Geo-location

Azure Active Directory Azure Information Protection
Exfiltration
T1567

IP address of Windows host encoded in web request

Check Point Fortinet Microsoft Threat Protection Palo Alto Networks Zscaler
Exfiltration Command and Control
T1041 T1071

IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN

Azure Active Directory Palo Alto Networks
Initial Access Credential Access
T1078 T1110

Jamf Protect - Network Threats

Jamf Protect
Initial Access
T1133

Java Executing cmd to run Powershell

Microsoft Threat Protection
Execution
T1059

Jira - Global permission added

Jira Audit API
Privilege Escalation
T1078

Jira - New site admin user

Jira Audit API
Initial Access
T1078

Jira - New site admin user

Jira Audit API
Persistence Privilege Escalation
T1078

Jira - New user created

Jira Audit API
Persistence
T1078

Jira - Permission scheme updated

Jira Audit API
Impact
T1531

Jira - Project roles changed

Jira Audit API
Impact
T1531

Jira - User removed from group

Jira Audit API
Impact
T1531

Jira - User removed from project

Jira Audit API
Impact
T1531

Jira - Users password changed multiple times

Jira Audit API
Persistence
T1078

Jira - Workflow scheme copied

Jira Audit API
Collection
T1213

Known Forest Blizzard group domains - July 2019

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Zscaler
Command and Control
T1071

Known Malware Detected

Vmware Carbon Black
Execution
T1204

Lateral Movement Risk - Role Chain Length

Authomize
Privilege Escalation Persistence
T1098

Lateral Movement via DCOM

Security Events Windows Security Events
Lateral Movement
T1021

LaZagne Credential Theft

Microsoft Threat Protection
Credential Access
T1003

Leaked Credential

Cbspolling ID Azure Functions
Credential Access Resource Development

Linked Malicious Storage Artifacts

Microsoft Cloud App Security
Command and Control Exfiltration
T1071 T1567

Local Admin Group Changes

Microsoft Threat Protection
Persistence
T1098

Log4j vulnerability exploit aka Log4Shell IP IOC

Aws Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Azure Monitor( Wire Data) Cisco Asa Cisco Asa Ama DNS Microsoft Threat Protection Office365 Palo Alto Networks Security Events
Command and Control
T1071

Login to AWS Management Console without MFA

Aws Awss3
Defense Evasion Privilege Escalation Persistence Initial Access
T1078

Lookout - New Threat events found

Lookout API
Discovery
T1057

LSASS Credential Dumping with Procdump

Microsoft Threat Protection
Credential Access
T1003

M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity

Check Point Fortinet Office Atp Palo Alto Networks Zscaler
Privilege Escalation
T1078

Mail redirect via ExO transport rule

Office365
Collection Exfiltration
T1114 T1020

MailRead Permissions Granted to Application

Azure Active Directory
Persistence
T1098

Malformed user agent

Aws Azure Active Directory Azure Monitor( Iis) Office365 Waf
Initial Access Command and Control Execution
T1189 T1071 T1203

Malicious BEC Inbox Rule

Office365
Persistence Defense Evasion
T1098 T1078

Malicious Inbox Rule

Office365
Persistence Defense Evasion
T1098 T1078

Malicious web application requests linked with Microsoft Defender for Endpoint formerly Microsoft Defender ATP alerts

Azure Monitor( Iis) Microsoft Defender Advanced Threat Protection
Persistence
T1505

Malware attachment delivered

Proofpoint Tap
Initial Access
T1566

Malware Detected

Symantec Endpoint Protection Syslog Ama
Execution
T1204

Malware in the recycle bin

Security Events Windows Forwarded Events Windows Security Events
Defense Evasion
T1564

Malware Link Clicked

Proofpoint Tap
Initial Access
T1566

Mass Download copy to USB device by single user

Microsoft Cloud App Security Microsoft Threat Protection
Exfiltration
T1052

Mass secret retrieval from Azure Key Vault

Azure Key Vault
Credential Access
T1003

Match Legitimate Name or Location - 2

Microsoft Threat Protection
Defense Evasion
T1036

McAfee ePO - Agent Handler down

MC Afeee Po Syslog Ama
Defense Evasion
T1562

McAfee ePO - Attempt uninstall McAfee agent

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

McAfee ePO - Deployment failed

MC Afeee Po Syslog Ama
Defense Evasion
T1562

McAfee ePO - Error sending alert

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

McAfee ePO - File added to exceptions

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

McAfee ePO - Firewall disabled

MC Afeee Po Syslog Ama
Defense Evasion Command and Control
T1562 T1071

McAfee ePO - Logging error occurred

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

McAfee ePO - Multiple threats on same host

MC Afeee Po Syslog Ama
Initial Access Persistence Defense Evasion Privilege Escalation
T1562 T1070 T1189 T1195 T1543 T1055

McAfee ePO - Scanning engine disabled

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

McAfee ePO - Spam Email detected

MC Afeee Po Syslog Ama
Initial Access
T1566

McAfee ePO - Task error

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

McAfee ePO - Threat was not blocked

MC Afeee Po Syslog Ama
Initial Access Privilege Escalation Defense Evasion
T1562 T1070 T1068 T1189 T1195

McAfee ePO - Unable to clean or delete infected file

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

McAfee ePO - Update failed

MC Afeee Po Syslog Ama
Defense Evasion
T1562 T1070

Mercury - Domain Hash and IP IOCs - August 2022

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Windows Firewall
Command and Control
T1071

MFA Fatigue OKTA

Okta Sso Okta Ssov2
Credential Access
T1621

MFA Rejected by User

Azure Active Directory Behavior Analytics
Initial Access
T1078

MFA Spamming followed by Successful login

Azure Active Directory
Credential Access
T1110

Microsoft COVID-19 file hash indicator matches

Cef Ama Palo Alto Networks Palo Alto Networks Ama
Execution
T1204

Microsoft Entra ID Health Monitoring Agent Registry Keys Access

Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

Microsoft Entra ID Health Service Agents Registry Keys Access

Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

Microsoft Entra ID Hybrid Health AD FS New Server

Azure Activity
Defense Evasion
T1578

Microsoft Entra ID Hybrid Health AD FS Suspicious Application

Azure Activity
Credential Access Defense Evasion
T1528 T1550

Microsoft Entra ID Rare UserAgent App Sign-in

Azure Active Directory
Defense Evasion
T1036

Microsoft Entra ID Role Management Permission Grant

Azure Active Directory
Persistence Impact
T1098 T1078

Microsoft Entra ID UserAgent OS Missmatch

Azure Active Directory
Defense Evasion
T1036

Midnight Blizzard - Script payload stored in Registry

Security Events Windows Forwarded Events Windows Security Events
Execution
T1059

Midnight Blizzard - suspicious rundll32exe execution of vbscript

Security Events Windows Forwarded Events Windows Security Events
Persistence
T1547

Mimecast Audit - Logon Authentication Failed

Mimecast Audit API
Discovery Initial Access Credential Access
T1110

Mimecast Audit - Logon Authentication Failed

Mimecast Audit API
Discovery Initial Access Credential Access
T1110

Mimecast Data Leak Prevention - Hold

Mimecast Siemapi
Exfiltration
T1030

Mimecast Data Leak Prevention - Hold

Mimecast Segapi
Exfiltration
T1030

Mimecast Data Leak Prevention - Notifications

Mimecast Siemapi
Exfiltration
T1030

Mimecast Data Leak Prevention - Notifications

Mimecast Segapi
Exfiltration
T1030

Mimecast Secure Email Gateway - Attachment Protect

Mimecast Siemapi
Collection Exfiltration Discovery Initial Access Execution
T1114 T1566 T0865

Mimecast Secure Email Gateway - Attachment Protect

Mimecast Segapi
Collection Exfiltration Discovery Initial Access Execution
T1114 T1566 T0865

Mimecast Secure Email Gateway - AV

Mimecast Siemapi
Execution
T1053

Mimecast Secure Email Gateway - AV

Mimecast Segapi
Execution
T1053

Mimecast Secure Email Gateway - Impersonation Protect

Mimecast Segapi
Discovery Lateral Movement Collection
T1114

Mimecast Secure Email Gateway - Impersonation Protect

Mimecast Siemapi
Discovery Lateral Movement Collection
T1114

Mimecast Secure Email Gateway - Internal Email Protect

Mimecast Siemapi
Lateral Movement Persistence Exfiltration
T1534 T1546

Mimecast Secure Email Gateway - Internal Email Protect

Mimecast Segapi
Lateral Movement Persistence Exfiltration
T1534 T1546

Mimecast Secure Email Gateway - URL Protect

Mimecast Segapi
Initial Access Discovery Execution
T1566

Mimecast Secure Email Gateway - URL Protect

Mimecast Siemapi
Initial Access Discovery Execution
T1566

Mimecast Secure Email Gateway - Virus

Mimecast Siemapi
Execution
T1053

Mimecast Secure Email Gateway - Virus

Mimecast Segapi
Execution
T1053

Mimecast Targeted Threat Protection - Attachment Protect

Mimecast Ttpapi
Initial Access Discovery
T0865

Mimecast Targeted Threat Protection - Attachment Protect

Mimecast Ttpapi
Initial Access Discovery
T0865

Mimecast Targeted Threat Protection - Impersonation Protect

Mimecast Ttpapi
Exfiltration Collection Discovery
T1114

Mimecast Targeted Threat Protection - Impersonation Protect

Mimecast Ttpapi
Exfiltration Collection Discovery
T1114

Mimecast Targeted Threat Protection - URL Protect

Mimecast Ttpapi
Initial Access Discovery
T0865

Mimecast Targeted Threat Protection - URL Protect

Mimecast Ttpapi
Initial Access Discovery
T0865

Missing Domain Controller Heartbeat

Impact Defense Evasion
T1499 T1564

Modification of Accessibility Features

Security Events
Persistence
T1546

Modified domain federation trust settings

Azure Active Directory
Credential Access Persistence Privilege Escalation
T1555 T1098

MosaicLoader

Microsoft Threat Protection
Defense Evasion
T1562

Multi-Factor Authentication Disabled for a User

Aws Azure Active Directory
Credential Access Persistence
T1098 T1556

Multiple failed attempts of NetBackup login

Credential Access Discovery
T1110 T1212

Multiple Password Reset by user

Azure Active Directory Office365 Security Events Syslog Windows Forwarded Events Windows Security Events
Initial Access Credential Access
T1078 T1110

Multiple RDP connections from Single System

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1021

Multiple Sources Affected by the Same TI Destination

Azure Firewall
Exfiltration Command and Control
T1041 T1071

Multiple Teams deleted by a single user

Office365
Impact
T1485 T1489

Multiple users email forwarded to same destination

Office365
Collection Exfiltration
T1114 T1020

Multiple users email forwarded to same destination

Office365
Collection Exfiltration
T1114 T1020

NetClean ProActive Incidents

Netclean Pro Active Incidents
Discovery
T1083

Netskope - WebTransaction Error Detection

Netskope Data Connector
Execution
T1204

Network endpoint to host executable correlation

Security Events Trend Micro Windows Forwarded Events Windows Security Events
Execution
T1204

Network Port Sweep from External Network ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Reconnaissance Discovery
T1590 T1046

NetworkSecurityGroups Alert From Prancer

Prancer Log Data
Reconnaissance
T1595

New access credential added to Application or Service Principal

Azure Active Directory
Defense Evasion
T1550

New CloudShell User

Azure Activity
Execution
T1059

New country signIn with correct password

Azure Active Directory
Initial Access Credential Access
T1078 T1110

New DeviceLocation sign-in along with critical operation

Okta Sso Okta Ssov2
Initial Access Persistence
T1078 T1556

New direct access policy was granted against organizational policy

Authomize
Initial Access Privilege Escalation
T1078

New EXE deployed via Default Domain or Default Domain Controller Policies

Security Events Windows Security Events
Execution Lateral Movement
T1072 T1570

New executable via Office FileUploaded Operation

Office365
Command and Control Lateral Movement
T1105 T1570

New External User Granted Admin Role

Azure Active Directory
Persistence
T1098

New High Severity Vulnerability Detected Across Multiple Hosts

Qualys Vulnerability Management
Initial Access
T1190

New onmicrosoft domain added to tenant

Azure Active Directory
Resource Development
T1585

New Sonrai Ticket

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

New User Assigned to Privileged Role

Azure Active Directory
Persistence
T1078

New user created and added to the built-in administrators group

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

New UserAgent observed in last 24 hours

Aws Azure Monitor( Iis) Office365
Initial Access Command and Control Execution
T1189 T1071 T1203

NGINX - Command in URI

Custom Logs Ama Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Core Dump

Custom Logs Ama Nginxhttpserver
Impact
T1499

NGINX - Known malicious user agent

Custom Logs Ama Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Multiple client errors from single IP address

Custom Logs Ama Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Multiple server errors from single IP address

Custom Logs Ama Nginxhttpserver
Impact Initial Access
T1498 T1190 T1133

NGINX - Multiple user agents for single source

Custom Logs Ama Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Private IP address in URL

Custom Logs Ama Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Put file and get file from same IP address

Custom Logs Ama Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Request to sensitive files

Custom Logs Ama Nginxhttpserver
Initial Access
T1189

NGINX - Sql injection patterns

Custom Logs Ama Nginxhttpserver
Initial Access
T1190

Ngrok Reverse Proxy on Network ASIM DNS Solution

Command and Control
T1572 T1090 T1102

Non Domain Controller Active Directory Replication

Security Events Windows Security Events
Credential Access
T1003

Non-admin guest

Senserva Pro
Initial Access
T1078

NRT Authentication Methods Changed for VIP Users

Azure Active Directory
Persistence
T1098

NRT Base64 Encoded Windows Process Command-lines

Security Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

NRT Creation of expensive computes in Azure

Azure Activity
Defense Evasion
T1578

NRT Login to AWS Management Console without MFA

Aws Awss3
Defense Evasion Privilege Escalation Persistence Initial Access
T1078

NRT Malicious Inbox Rule

Office365
Persistence Defense Evasion
T1098 T1078

NRT Modified domain federation trust settings

Azure Active Directory
Credential Access Persistence Privilege Escalation
T1555 T1098

NRT Multiple users email forwarded to same destination

Office365
Collection Exfiltration
T1114 T1020

NRT PIM Elevation Request Rejected

Azure Active Directory
Persistence
T1078

NRT Privileged Role Assigned Outside PIM

Azure Active Directory
Privilege Escalation
T1078

NRT Process executed from binary hidden in Base64 encoded file

Security Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

NRT Security Event log cleared

Security Events Windows Security Events
Defense Evasion
T1070

NRT Squid proxy events related to mining pools

Syslog Syslog Ama
Command and Control
T1102

NRT User added to Microsoft Entra ID Privileged Groups

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

OCI - Discovery activity

Oracle Cloud Infrastructure Logs Connector
Discovery
T1580

OCI - Event rule deleted

Oracle Cloud Infrastructure Logs Connector
Defense Evasion
T1070

OCI - Inbound SSH connection

Oracle Cloud Infrastructure Logs Connector
Initial Access
T1190

OCI - Insecure metadata endpoint

Oracle Cloud Infrastructure Logs Connector
Discovery
T1069

OCI - Instance metadata access

Oracle Cloud Infrastructure Logs Connector
Discovery
T1069

OCI - Multiple instances launched

Oracle Cloud Infrastructure Logs Connector
Impact
T1496

OCI - Multiple instances terminated

Oracle Cloud Infrastructure Logs Connector
Impact
T1529

OCI - Multiple rejects on rare ports

Oracle Cloud Infrastructure Logs Connector
Reconnaissance
T1595

OCI - SSH scanner

Oracle Cloud Infrastructure Logs Connector
Reconnaissance
T1595

OCI - Unexpected user agent

Oracle Cloud Infrastructure Logs Connector
Initial Access
T1190

Office Apps Launching Wscipt

Microsoft Threat Protection
Execution Collection Command and Control
T1059 T1105 T1203

Office ASR rule triggered from browser spawned office process

Microsoft Threat Protection
Initial Access
T1566

Office Policy Tampering

Office365
Persistence Defense Evasion
T1098 T1562

Okta Fast Pass phishing Detection

Okta Sso Okta Ssov2
Initial Access
T1566

Oracle - Command in URI

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Malicious user agent

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Multiple client errors from single IP

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Multiple server errors from single IP

Custom Logs Ama Oracle Web Logic Server
Impact Initial Access
T1498 T1190 T1133

Oracle - Multiple user agents for single source

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Oracle WebLogic Exploit CVE-2021-2109

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1190

Oracle - Private IP in URL

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Put file and get file from same IP address

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Put suspicious file

Custom Logs Ama Oracle Web Logic Server
Initial Access Exfiltration
T1190 T1133 T1048

Oracle - Request to sensitive files

Custom Logs Ama Oracle Web Logic Server
Initial Access
T1189

Oracle suspicious command execution

Microsoft Threat Protection
Lateral Movement Privilege Escalation
T1210 T1611

OracleDBAudit - Connection to database from external IP

Oracle Database Audit Syslog Ama
Initial Access Collection Exfiltration
T1190 T1133 T1078 T1119 T1029

OracleDBAudit - Connection to database from unknown IP

Oracle Database Audit Syslog Ama
Initial Access
T1078

OracleDBAudit - Multiple tables dropped in short time

Oracle Database Audit Syslog Ama
Impact
T1485

OracleDBAudit - New user account

Oracle Database Audit Syslog Ama
Initial Access Persistence
T1078

OracleDBAudit - Query on Sensitive Table

Oracle Database Audit Syslog Ama
Collection
T1005

OracleDBAudit - Shutdown Server

Oracle Database Audit Syslog Ama
Impact
T1529

OracleDBAudit - SQL injection patterns

Oracle Database Audit Syslog Ama
Initial Access
T1190

OracleDBAudit - Unusual user activity on multiple tables

Oracle Database Audit Syslog Ama
Collection
T1119

OracleDBAudit - User activity after long inactivity time

Oracle Database Audit Syslog Ama
Initial Access Persistence
T1078

OracleDBAudit - User connected to database from new IP

Oracle Database Audit Syslog Ama
Initial Access
T1078

PAC high severity

Prancer Log Data
Reconnaissance
T1595

Palo Alto - possible internal to external port scanning

Cef Ama Palo Alto Networks Palo Alto Networks Ama
Discovery
T1046

Palo Alto - potential beaconing detected

Cloud Ngfw by Pan
Command and Control
T1071 T1571

Palo Alto - potential beaconing detected

Cef Ama Palo Alto Networks Palo Alto Networks Ama
Command and Control
T1071 T1571

Palo Alto Prevention alert

Palo Alto Networks Cortex
Defense Evasion
T1562

Palo Alto Prisma Cloud - Anomalous access key usage

Palo Alto Prisma Cloud
Initial Access
T1078

Palo Alto Prisma Cloud - High risk score alert

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Prisma Cloud - Inactive user

Palo Alto Prisma Cloud
Initial Access
T1078

Palo Alto Prisma Cloud - Maximum risk score alert

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Prisma Cloud - Multiple failed logins for user

Palo Alto Prisma Cloud
Credential Access
T1110

Palo Alto Threat signatures from Unusual IP addresses

Cef Ama Palo Alto Networks Palo Alto Networks Ama
Discovery Exfiltration Command and Control
T1046 T1030 T1071

Palo Alto WildFire Malware Detection

Palo Alto Networks Cortex
Defense Evasion
T1562

PaloAlto - Dropping or denying session with traffic

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - File type changed

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - Forbidden countries

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - Inbound connection to high risk ports

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - MAC address conflict

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - Possible attack without response

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - Possible flooding

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - Possible port scan

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Reconnaissance
T1595

PaloAlto - Put and post method request in high risk file type

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

PaloAlto - User privileges was changed

Cef Ama Palo Alto Cdl Palo Alto Cdlama
Initial Access
T1190 T1133

Password Exfiltration over SCIM application

Authomize
Credential Access Initial Access
T1555 T1040 T1552

Password spray attack against ADFSSignInLogs

Azure Active Directory
Credential Access
T1110

Password spray attack against Microsoft Entra ID application

Azure Active Directory
Credential Access
T1110

Password spray attack against Microsoft Entra ID Seamless SSO

Azure Active Directory
Credential Access
T1110

Password Spraying

Microsoft Threat Protection
Credential Access
T1110

PE file dropped in Color Profile Folder

Microsoft Threat Protection
Execution
T1203

Phishing

Cbspolling ID Azure Functions
Initial Access Reconnaissance

Phishing link click observed in Network Traffic

Check Point Fortinet Office Atp Palo Alto Networks Zscaler
Initial Access
T1566

PIM Elevation Request Rejected

Azure Active Directory
Persistence
T1078

Ping Federate - Abnormal password reset attempts

Cef Ama Ping Federate Ping Federate Ama
Credential Access
T1110

Ping Federate - Abnormal password resets for user

Cef Ama Ping Federate Ping Federate Ama
Initial Access Persistence Privilege Escalation
T1078 T1098 T1134

Ping Federate - Authentication from new IP

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1078

Ping Federate - Forbidden country

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1078

Ping Federate - New user SSO success login

Cef Ama Ping Federate Ping Federate Ama
Initial Access Persistence
T1078 T1136

Ping Federate - OAuth old version

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1190

Ping Federate - Password reset request from unexpected source IP address

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1078

Ping Federate - SAML old version

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1190

Ping Federate - Unexpected authentication URL

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1078

Ping Federate - Unexpected country for user

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1078

Ping Federate - Unusual mail domain

Cef Ama Ping Federate Ping Federate Ama
Initial Access
T1078

Policy version set to default

Aws
Initial Access
T1078

Port Scan

Azure Firewall
Discovery
T1046

Port Scan Detected

Sophos Xgfirewall Syslog Ama
Discovery
T1046

Port scan detected ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Discovery
T1046

Port Sweep

Azure Firewall
Discovery
T1046

Possible AiTM Phishing Attempt Against Microsoft Entra ID

Azure Active Directory Zscaler
Initial Access Defense Evasion Credential Access
T1078 T1557 T1111

Possible contact with a domain generated by a DGA

Barracuda Cef Check Point Cisco Asa F5 Fortinet Palo Alto Networks Zscaler
Command and Control
T1568

Possible Phishing with CSL and Network Sessions

Aivectra Stream Awss3 Azure Monitor( Vminsights) Azure Nsg Check Point Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Initial Access Command and Control
T1566 T1102

Possible Resource-Based Constrained Delegation Abuse

Security Events
Privilege Escalation
T1134

Possible SignIn from Azure Backdoor

Azure Active Directory
Persistence
T1098

Potential beaconing activity ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Asa Ama Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events Zscaler
Command and Control
T1071 T1571

Potential Build Process Compromise

Security Events Windows Forwarded Events Windows Security Events
Persistence
T1554

Potential Build Process Compromise - MDE

Microsoft Threat Protection
Persistence
T1554

Potential DGA detected

DNS
Command and Control
T1568 T1008

Potential DGA detected ASIM DNS Schema

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Zscaler
Command and Control
T1568 T1008

Potential DHCP Starvation Attack

Infoblox Nios Syslog Ama
Initial Access
T1200

Potential Fodhelper UAC Bypass

Security Events Windows Security Events
Privilege Escalation
T1548

Potential Kerberoasting

Security Events Windows Forwarded Events Windows Security Events
Credential Access
T1558

Potential Password Spray Attack

Salesforce Service Cloud
Credential Access
T1110

Potential Password Spray Attack

Okta Sso Okta Ssov2
Credential Access
T1110

Potential Ransomware activity related to Cobalt Strike

Microsoft Threat Protection
Execution Persistence Defense Evasion Impact
T1059 T1078 T1070 T1490

Potential re-named sdelete usage

Security Events Windows Security Events
Defense Evasion Impact
T1485 T1036

Potential re-named sdelete usage ASIM Version

Defense Evasion Impact
T1485 T1036

Potential Remote Desktop Tunneling

Security Events Windows Security Events
Command and Control
T1572

Powershell Empire Cmdlets Executed in Command Line

Security Events Windows Forwarded Events Windows Security Events
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation
T1548 T1134 T1134 T1134 T1087 T1087 T1557 T1071 T1560 T1547 T1547 T1547 T1217 T1115 T1059 T1059 T1059 T1136 T1136 T1543 T1555 T1484 T1482 T1114 T1573 T1546 T1041 T1567 T1567 T1068 T1210 T1083 T1615 T1574 T1574 T1574 T1574 T1574 T1070 T1105 T1056 T1056 T1106 T1046 T1135 T1040 T1027 T1003 T1057 T1055 T1021 T1021 T1053 T1113 T1518 T1558 T1558 T1082 T1016 T1049 T1569 T1127 T1552 T1552 T1550 T1125 T1102 T1047

Prestige ransomware IOCs Oct 2022

Microsoft Threat Protection Security Events
Execution
T1203

Preview - TI map Domain entity to Cloud App Events

Microsoft Defender Threat Intelligence Microsoft Threat Protection
Command and Control
T1071

Preview - TI map Email entity to Cloud App Events

Microsoft Defender Threat Intelligence Microsoft Threat Protection
Initial Access
T1566

Preview - TI map File Hash entity to Cloud App Events

Microsoft Defender Threat Intelligence Microsoft Threat Protection
Command and Control
T1071

Preview - TI map IP entity to Cloud App Events

Microsoft Defender Threat Intelligence Microsoft Threat Protection
Command and Control
T1071

Preview - TI map URL entity to Cloud App Events

Microsoft Defender Threat Intelligence Microsoft Threat Protection
Command and Control
T1071

Privilege escalation via CRUD IAM policy

Aws
Privilege Escalation
T1484

Privilege escalation via CRUD KMS policy

Aws
Privilege Escalation
T1484

Privilege escalation via CRUD S3 policy

Aws
Privilege Escalation
T1484

Privilege escalation via EC2 policy

Aws
Privilege Escalation
T1484

Privilege escalation via Glue policy

Aws
Privilege Escalation
T1484

Privilege escalation via Lambda policy

Aws
Privilege Escalation
T1484

Privilege escalation via SSM policy

Aws
Privilege Escalation
T1484

Privileged Account Permissions Changed

Azure Active Directory Behavior Analytics
Privilege Escalation
T1078

Privileged Accounts - Sign in Failure Spikes

Azure Active Directory Behavior Analytics
Initial Access
T1078

Privileged Machines Exposed to the Internet

Authomize
Discovery Impact
T1580

Privileged Role Assigned Outside PIM

Azure Active Directory
Privilege Escalation
T1078

Privileged User Logon from new ASN

Azure Active Directory Behavior Analytics
Defense Evasion
T1078

Probable AdFind Recon Tool Usage

Microsoft Threat Protection
Discovery
T1016 T1018 T1069 T1087 T1482

Process Creation with Suspicious CommandLine Arguments

Cisco Secure Endpoint Crowd Strike Falcon Endpoint Protection Microsoft Threat Protection Sentinel One Trend Micro Apex One Trend Micro Apex One Ama Vmware Carbon Black
Execution Defense Evasion
T1059 T1027

Process executed from binary hidden in Base64 encoded file

Security Events Windows Forwarded Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

Process Execution Frequency Anomaly

Security Events Windows Security Events
Execution
T1059

Progress MOVEIt File transfer above threshold

Windows Forwarded Events
Exfiltration
T1020

Progress MOVEIt File transfer folder count above threshold

Windows Forwarded Events
Exfiltration
T1020

ProofpointPOD - Binary file in attachment

Proofpoint Pod
Initial Access
T1078

ProofpointPOD - Email sender in TI list

Proofpoint Pod Threat Intelligence Threat Intelligence Taxii
Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Email sender IP in TI list

Proofpoint Pod Threat Intelligence Threat Intelligence Taxii
Exfiltration Initial Access
T1078 T1567

ProofpointPOD - High risk message not discarded

Proofpoint Pod
Initial Access
T1566

ProofpointPOD - Suspicious attachment

Proofpoint Pod
Initial Access
T1566

ProofpointPOD - Weak ciphers

Proofpoint Pod
Commandand Control
T1573

PulseConnectSecure - Large Number of Distinct Failed User Logins

Pulse Connect Secure Syslog Ama
Credential Access
T1110

PulseConnectSecure - Potential Brute Force Attempts

Pulse Connect Secure Syslog Ama
Credential Access
T1110

Pure Failed Login

Credential Access
T1212

Qakbot Campaign Self Deletion

Microsoft Threat Protection
Defense Evasion
T1070

Qakbot Discovery Activies

Microsoft Threat Protection
Defense Evasion Discovery Execution
T1140 T1010 T1059

Radiflow - Exploit Detected

Radiflow Isid
Initial Access Privilege Escalation Lateral Movement
T0819 T0866 T0890

Radiflow - Network Scanning Detected

Radiflow Isid
Discovery
T0840 T0846 T0888

Radiflow - New Activity Detected

Radiflow Isid
Initial Access
T1133 T0848

Radiflow - Platform Alert

Radiflow Isid
Privilege Escalation Execution Command and Control Exfiltration Lateral Movement Impair Process Control Inhibit Response Function Initial Access

Radiflow - Policy Violation Detected

Radiflow Isid
Lateral Movement Impair Process Control Execution Collection Persistence
T0886 T0855 T0858 T0845 T0889 T0843

Radiflow - Suspicious Malicious Activity Detected

Radiflow Isid
Defense Evasion Inhibit Response Function
T0851

Radiflow - Unauthorized Command in Operational Device

Radiflow Isid
Execution Lateral Movement Inhibit Response Function Impair Process Control
T0858 T0843 T0816 T0857 T0836 T0855

Radiflow - Unauthorized Internet Access

Radiflow Isid
Initial Access Impact
T0822 T0883 T0882

Ransomware Attack Detected

Nasuni Edge Appliance Syslog Ama
Impact
T1486

Ransomware Client Blocked

Nasuni Edge Appliance Syslog Ama
Impact
T1486

Rare and potentially high-risk Office operations

Office365
Persistence Collection
T1098 T1114

Rare application consent

Azure Active Directory
Persistence Privilege Escalation
T1136 T1068

Rare Process as a Service

Microsoft Threat Protection
Persistence
T1543 T1543

Rare RDP Connections

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1021

Rare subscription-level operations in Azure

Azure Activity
Credential Access Persistence
T1003 T1098

RDP Nesting

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1021

RDS instance publicly exposed

Aws
Exfiltration
T1537

RecordedFuture Threat Hunting Domain All Actors

Threat Intelligence Upload Indicators API
Initial Access Command and Control
T1566 T1568

RecordedFuture Threat Hunting Hash All Actors

Threat Intelligence Upload Indicators API
Initial Access Execution Persistence
T1189 T1059 T1554

RecordedFuture Threat Hunting IP All Actors

Threat Intelligence Upload Indicators API
Exfiltration Command and Control
T1041 T1568

RecordedFuture Threat Hunting Url All Actors

Threat Intelligence Upload Indicators API
Persistence Privilege Escalation Defense Evasion
T1098 T1078

Red Canary Threat Detection

Red Canary Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Registries Alerts for Prancer

Prancer Log Data
Reconnaissance
T1595

Registry Persistence via AppCert DLL Modification

Security Events Windows Security Events
Persistence
T1546

Registry Persistence via AppInit DLLs Modification

Security Events Windows Security Events
Persistence
T1546

Regsvr32 Rundll32 Image Loads Abnormal Extension

Microsoft Threat Protection
Defense Evasion
T1218 T1218

Regsvr32 Rundll32 with Anomalous Parent Process

Microsoft Threat Protection
Defense Evasion
T1218 T1218

Remote Desktop Protocol - SharpRDP

Microsoft Threat Protection
Lateral Movement
T1021

Remote File Creation with PsExec

Microsoft Threat Protection
Lateral Movement
T1570

Rename System Utilities

Microsoft Threat Protection
Defense Evasion
T1036

Request for single resource on domain

Cef Ama Zscaler Zscaler Ama
Command and Control
T1102 T1071

Response rows stateful anomaly on database

Azure SQL
Exfiltration
T1537 T1567

Risky user signin observed in non-Microsoft network device

Azure Active Directory Check Point Fortinet Palo Alto Networks Zscaler
Command and Control
T1071

RunningRAT request parameters

Check Point Fortinet Palo Alto Networks Zscaler
Exfiltration Command and Control
T1041 T1071

S3 bucket exposed via ACL

Aws
Exfiltration
T1537

S3 bucket exposed via policy

Aws
Exfiltration
T1537

S3 object publicly exposed

Aws
Exfiltration
T1537

SailPointIdentityNowAlertForTriggers

Sail Point Identity Now
Initial Access Collection
T1133 T1005

SailPointIdentityNowEventType

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowEventTypeTechnicalName

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowFailedEvents

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowFailedEventsBasedOnTime

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowUserWithFailedEvent

Sail Point Identity Now
Initial Access
T1133

Scheduled Task Hide

Security Events Windows Security Events
Defense Evasion
T1562

Sdelete deployed via GPO and run recursively

Security Events Windows Security Events
Impact
T1485

Security Event log cleared

Security Events Windows Forwarded Events Windows Security Events
Defense Evasion
T1070

Security Service Registry ACL Modification

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Defense Evasion
T1562

SecurityBridge A critical event occured

Custom Logs Ama Security Bridge Sap
Initial Access
T1189

SecurityEvent - Multiple authentication failures followed by a success

Security Events Windows Security Events
Credential Access
T1110

Semperis DSP Failed Logons

Semperis Dsp
Initial Access Credential Access
T1078 T1110

Semperis DSP Mimikatzs DCShadow Alert

Semperis Dsp
Defense Evasion
T1207

Semperis DSP Operations Critical Notifications

Semperis Dsp
Initial Access Credential Access Resource Development
T1133 T1110 T1584

Semperis DSP RBAC Changes

Semperis Dsp
Privilege Escalation Persistence
T1548 T1098

Semperis DSP Recent sIDHistory changes on AD objects

Semperis Dsp
Privilege Escalation Persistence
T1098

Semperis DSP Well-known privileged SIDs in sIDHistory

Semperis Dsp
Privilege Escalation Defense Evasion
T1134

Semperis DSP Zerologon vulnerability

Semperis Dsp
Privilege Escalation
T1068

Sensitive Azure Key Vault operations

Azure Key Vault
Impact
T1485

Sensitive Data Discovered in the Last 24 Hours

Microsoft Azure Purview
Discovery
T1087

Sentinel One - Admin login from new location

Sentinel One
Initial Access Privilege Escalation
T1078

Sentinel One - Alert from custom rule

Sentinel One
Initial Access
T1190

Sentinel One - Blacklist hash deleted

Sentinel One
Defense Evasion
T1070

Sentinel One - Exclusion added

Sentinel One
Defense Evasion
T1070

Sentinel One - Multiple alerts on host

Sentinel One
Initial Access
T1190

Sentinel One - New admin created

Sentinel One
Privilege Escalation
T1078

Sentinel One - Rule deleted

Sentinel One
Defense Evasion
T1070

Sentinel One - Rule disabled

Sentinel One
Defense Evasion
T1070

Sentinel One - Same custom rule triggered on different hosts

Sentinel One
Initial Access Lateral Movement
T1190 T1210

Sentinel One - User viewed agents passphrase

Sentinel One
Credential Access
T1555

Server Oriented Cmdlet And User Oriented Cmdlet used

Esi Exchange Admin Audit Log Events
Exfiltration Persistence Collection
T1020 T1098 T1114

Service Accounts Performing Remote PS

Microsoft Threat Protection
Lateral Movement
T1210

Service Principal Assigned App Role With Sensitive Access

Azure Active Directory
Privilege Escalation
T1078

Service Principal Assigned Privileged Role

Azure Active Directory
Privilege Escalation
T1078

Service Principal Authentication Attempt from New Country

Azure Active Directory
Initial Access
T1078

Service Principal Name SPN Assigned to User Account

Security Events
Privilege Escalation
T1134

Service principal not using client credentials

Senserva Pro
Initial Access
T1078

Several deny actions registered

Azure Firewall
Discovery Lateral Movement Command and Control
T1046 T1071 T1210

SFTP File transfer above threshold

Syslog Syslog Ama
Exfiltration
T1020

SFTP File transfer folder count above threshold

Syslog Syslog Ama
Exfiltration
T1020

Shadow Copy Deletions

Microsoft Threat Protection
Impact
T1490

Sign-ins from IPs that attempt sign-ins to disabled accounts

Azure Active Directory Behavior Analytics
Initial Access Persistence
T1078 T1098

Silk Typhoon New UM Service Child Process

Security Events Windows Forwarded Events Windows Security Events
Initial Access
T1190

Silk Typhoon Suspicious Exchange Request

Azure Monitor( Iis)
Initial Access
T1190

Silverfort - Certifried Incident

Silverfort Ama
Privilege Escalation
T1068

Silverfort - Log4Shell Incident

Silverfort Ama
Initial Access
T1190

Silverfort - NoPacBreach Incident

Silverfort Ama
Privilege Escalation
T1068 T1548

Silverfort - UserBruteForce Incident

Silverfort Ama
Credential Access
T1110

Sites Alerts for Prancer

Prancer Log Data
Reconnaissance
T1595

SlackAudit - Empty User Agent

Slack Audit API
Initial Access
T1133

SlackAudit - Multiple failed logins for user

Slack Audit API
Credential Access
T1110

SlackAudit - Suspicious file downloaded

Slack Audit API
Initial Access
T1189

SlackAudit - Unknown User Agent

Slack Audit API
Command and Control
T1071

SlackAudit - User email linked to account changed

Slack Audit API
Initial Access
T1078

SlackAudit - User login after deactivated

Slack Audit API
Initial Access Persistence Privilege Escalation
T1078

SlackAudit - User role changed to admin or owner

Slack Audit API
Persistence Privilege Escalation
T1098 T1078

SMBWindows Admin Shares

Microsoft Threat Protection
Lateral Movement
T1021

Snowflake - Multiple failed queries

Snowflake
Discovery
T1518 T1082

Snowflake - Unusual query

Snowflake
Collection
T1119

Snowflake - User granted admin privileges

Snowflake
Privilege Escalation
T1078

Solorigate Defender Detections

Microsoft Defender Advanced Threat Protection Microsoft Threat Protection
Initial Access
T1195

Solorigate Named Pipe

Security Events Windows Forwarded Events Windows Security Events
Defense Evasion Privilege Escalation
T1055

SonicWall - Allowed SSH Telnet and RDP Connections

Cef Cef Ama Sonic Wall Firewall
Initial Access Execution Persistence Credential Access Discovery Lateral Movement Collection Exfiltration Impact
T1190 T1133 T1059 T1110 T1003 T1087 T1018 T1021 T1005 T1048 T1041 T1011 T1567 T1490

SonicWall - Capture ATP Malicious File Detection

Cef Cef Ama Sonic Wall Firewall
Execution
T1204

Sonrai Ticket Assigned

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Closed

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Escalation Executed

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Escalation Executed

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Reopened

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Risk Accepted

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Snoozed

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

Sonrai Ticket Updated

Sonrai Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation
T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499

SPF Not Configured

Hvpolling ID Azure Functions
Initial Access Reconnaissance

SPF Policy Set to Soft Fail

Hvpolling ID Azure Functions
Initial Access Reconnaissance

Squid proxy events for ToR proxies

Syslog Syslog Ama
Command and Control
T1090 T1008

Squid proxy events related to mining pools

Syslog Syslog Ama
Command and Control
T1102

SSH - Potential Brute Force

Syslog Syslog Ama
Credential Access
T1110

Stale AWS policy attachment to identity

Authomize
Initial Access
T1078

Stale IAAS policy attachment to role

Authomize
Privilege Escalation Persistence
T1098

Stale last password change

Senserva Pro
Initial Access
T1566

Star Blizzard C2 Domains August 2022

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Microsoft Threat Protection Palo Alto Networks
Initial Access
T1566

Starting or Stopping HealthService to Avoid Detection

Security Events Windows Security Events
Defense Evasion
T1562

Stopping multiple processes using taskkill

Microsoft Threat Protection
Defense Evasion
T1562

Storage Accounts Alerts From Prancer

Prancer Log Data
Reconnaissance
T1595

Subdomain Infringement

Cbspolling ID Azure Functions
Reconnaissance Initial Access
T1590 T1566

Subnets Alerts for Prancer

Prancer Log Data
Reconnaissance
T1595

Subresource Integrity SRI Not Implemented

Hvpolling ID Azure Functions
Initial Access
T1189

Subscription moved to another tenant

Azure Activity
Impact
T1496

Successful AWS Console Login from IP Address Observed Conducting Password Spray

Aws Azure Active Directory Identity Protection Behavior Analytics Microsoft Defender Advanced Threat Protection Microsoft Threat Protection
Initial Access Credential Access
T1110 T1078

Successful logon from IP and failure from a different IP

Azure Active Directory Behavior Analytics
Credential Access Initial Access
T1110 T1078

SUNBURST and SUPERNOVA backdoor hashes

Microsoft Threat Protection
Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST and SUPERNOVA backdoor hashes Normalized File Events

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST network beacons

Microsoft Threat Protection
Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST suspicious SolarWinds child processes

Microsoft Threat Protection
Execution Persistence

SUNSPOT malware hashes

Microsoft Threat Protection
Persistence
T1554

SUPERNOVA webshell

Azure Monitor( Iis)
Persistence Command and Control
T1505 T1071

Suspicious application consent for offline access

Azure Active Directory
Credential Access
T1528

Suspicious application consent similar to O365 Attack Toolkit

Azure Active Directory
Credential Access Defense Evasion
T1528 T1550

Suspicious application consent similar to PwnAuth

Azure Active Directory
Credential Access Defense Evasion
T1528 T1550

Suspicious AWS CLI Command Execution

Aws
Reconnaissance
T1595 T1592 T1589 T1589 T1590 T1591 T1596

Suspicious AWS console logins by credential access alerts

Aws Azure Active Directory Identity Protection Behavior Analytics Microsoft Defender Advanced Threat Protection Microsoft Threat Protection Office Atp
Initial Access Credential Access
T1078

Suspicious Entra ID Joined Device Update

Azure Active Directory
Credential Access
T1528

Suspicious granting of permissions to an account

Azure Activity Behavior Analytics
Persistence Privilege Escalation
T1098 T1548

Suspicious linking of existing user to external User

Azure Active Directory
Privilege Escalation
T1078

Suspicious Login from deleted guest account

Azure Active Directory
Privilege Escalation
T1078

Suspicious Mobile App High

Cbspolling ID Azure Functions
Resource Development
T1587 T1588

Suspicious Mobile App INFO

Cbspolling ID Azure Functions
Resource Development
T1587 T1588

Suspicious modification of Global Administrator user properties

Azure Active Directory Behavior Analytics
Privilege Escalation
T1078

Suspicious named pipes

Microsoft Threat Protection
Execution Defense Evasion
T1559 T1055

Suspicious parentprocess relationship - Office child processes

Microsoft Threat Protection
Initial Access
T1566

Suspicious Powershell Commandlet Executed

Microsoft Threat Protection
Execution
T1059

Suspicious Process Injection from Office application

Microsoft Threat Protection
Execution
T1204

Suspicious Resource deployment

Azure Activity
Impact
T1496

Suspicious Service Principal creation activity

Azure Active Directory
Credential Access Privilege Escalation Initial Access
T1078 T1528

Suspicious Sign In by Entra ID Connect Sync Account

Behavior Analytics
Initial Access
T1078

Suspicious Sign In Followed by MFA Modification

Azure Active Directory Behavior Analytics
Initial Access Defense Evasion
T1078 T1556

Suspicious VM Instance Creation Activity Detected

Azure Active Directory Identity Protection Behavior Analytics Gcpaudit Logs Definition Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Microsoft Threat Protection
Initial Access Execution Discovery
T1078 T1106 T1526

Syntax errors stateful anomaly on database

Azure SQL
Initial Access
T1190

TEARDROP memory-only dropper

Microsoft Threat Protection
Execution Persistence Defense Evasion
T1543 T1059 T1027

Tenablead Active Directory attacks pathways

Tenable Ad
Credential Access
T1110

Tenablead DCShadow

Tenable Ad
Defense Evasion
T1207

Tenablead DCSync

Tenable Ad
Credential Access
T1003

Tenablead Golden Ticket

Tenable Ad
Credential Access
T1558

Tenablead Indicators of Attack

Tenable Ad
Credential Access
T1110

Tenablead Indicators of Exposures

Tenable Ad
Credential Access
T1110

Tenablead LSASS Memory

Tenable Ad
Credential Access
T1003

Tenablead Password Guessing

Tenable Ad
Credential Access
T1110

Tenablead Password issues

Tenable Ad
Credential Access
T1110

Tenablead Password Spraying

Tenable Ad
Credential Access
T1110

Tenablead privileged accounts issues

Tenable Ad
Credential Access
T1110

Tenablead user accounts issues

Tenable Ad
Credential Access
T1110

Theom - Dark Data with large fin value

Theom
Collection
T1560 T1530

Theom - Dev secrets exposed

Theom
Collection
T1213 T1530

Theom - Dev secrets unencrypted

Theom
Credential Access
T1552

Theom - Financial data exposed

Theom
Collection
T1213 T1530

Theom - Financial data unencrypted

Theom
Collection
T1213 T1530

Theom - Healthcare data exposed

Theom
Collection
T1213 T1530

Theom - Healthcare data unencrypted

Theom
Collection
T1213 T1530

Theom - National IDs exposed

Theom
Collection
T1213 T1530

Theom - National IDs unencrypted

Theom
Collection
T1213 T1530

Theom - Overprovisioned Roles Shadow DB

Theom
Collection Privilege Escalation
T1560 T1530 T1078

Theom - Shadow DB large datastore value

Theom
Collection
T1560 T1530

Theom - Shadow DB with atypical accesses

Theom
Collection Privilege Escalation
T1560 T1530 T1078

Theom - Unencrypted public data stores

Theom
Collection
T1213 T1530

Theom Critical Risks

Theom
Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom High Risks

Theom
Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom Insights

Theom
Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom Low Risks

Theom
Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Theom Medium Risks

Theom
Collection Command and Control Credential Access Defense Evasion Discovery Exfiltration Impact Reconnaissance
T1592 T1589 T1070 T1552 T1619 T1119 T1560 T1530 T1213 T1001 T1041 T1537 T1485 T1486 T1565

Third party integrated apps

Senserva Pro
Exfiltration
T1020

Threat Connect TI map Domain entity to DnsEvents

Asim DNS Activity Logs DNS Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

Threat Essentials - Mail redirect via ExO transport rule

Office365
Collection Exfiltration
T1114 T1020

Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

Threat Essentials - Time series anomaly for data size transferred to public internet

Azure Monitor( Vminsights) Cisco Asa Cisco Asa Ama Palo Alto Networks
Exfiltration
T1030

Threat Essentials - User Assigned Privileged Role

Azure Active Directory
Persistence
T1078

ThreatConnect TI map Email entity to OfficeActivity

Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

ThreatConnect TI map Email entity to SigninLogs

Azure Active Directory Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

ThreatConnect TI Map URL Entity to OfficeActivity Data

Microsoft Defender Threat Intelligence Office365 Threat Intelligence
Command and Control
T1071

Threats detected by Eset

Eset Smc
Execution Credential Access Privilege Escalation
T1204 T1212 T1548

Threats detected by ESET

Esetprotect Syslog Ama
Execution
T1204

TI Map Domain Entity to DeviceNetworkEvents

Microsoft Defender Threat Intelligence Microsoft Threat Protection Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map Domain entity to Dns Events ASIM DNS Schema

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Defender Threat Intelligence Nxlog DNS Logs Threat Intelligence Threat Intelligence Taxii Zscaler
Command and Control
T1071

TI map Domain entity to DnsEvents

DNS Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map Domain entity to EmailEvents

Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map Domain entity to EmailUrlInfo

Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map Domain entity to PaloAlto

Microsoft Defender Threat Intelligence Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map Domain entity to PaloAlto CommonSecurityLog

Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map Domain entity to SecurityAlert

Azure Security Center Microsoft Cloud App Security Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map Domain entity to Syslog

Microsoft Defender Threat Intelligence Syslog Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map Domain entity to Web Session Events ASIM Web Session schema

Microsoft Defender Threat Intelligence Squid Proxy Threat Intelligence Threat Intelligence Taxii Zscaler
Command and Control
T1071

TI map Email entity to AzureActivity

Azure Activity Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map Email entity to EmailEvents

Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map Email entity to OfficeActivity

Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map Email entity to PaloAlto CommonSecurityLog

Microsoft Defender Threat Intelligence Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map Email entity to SecurityAlert

Azure Security Center Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map Email entity to SecurityEvent

Microsoft Defender Threat Intelligence Security Events Threat Intelligence Threat Intelligence Taxii Windows Forwarded Events Windows Security Events
Initial Access
T1566

TI map Email entity to SigninLogs

Azure Active Directory Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Initial Access
T1566

TI map File Hash to CommonSecurityLog Event

Microsoft Defender Threat Intelligence Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map File Hash to DeviceFileEvents Event

Microsoft Defender Threat Intelligence Microsoft Threat Protection Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map File Hash to Security Event

Microsoft Defender Threat Intelligence Security Events Threat Intelligence Threat Intelligence Taxii Windows Forwarded Events Windows Security Events
Command and Control
T1071

TI map IP entity to AppServiceHTTPLogs

Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to AWSCloudTrail

Aws Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to Azure Key Vault logs

Azure Key Vault Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to Azure SQL Security Audit Events

Azure SQL Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to AzureActivity

Azure Activity Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to AzureFirewall

Azure Firewall Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to AzureNetworkAnalytics_CL NSG Flow Logs

Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to CommonSecurityLog

Cef Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to DeviceNetworkEvents

Microsoft Defender Threat Intelligence Microsoft Threat Protection Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to DNS Events ASIM DNS schema

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Defender Threat Intelligence Nxlog DNS Logs Threat Intelligence Threat Intelligence Taxii Zscaler
Command and Control
T1071

TI Map IP Entity to DnsEvents

DNS Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to Duo Security

Cisco Duo Security Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to GitHub_CL

Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to LastPass data

Last Pass Threat Intelligence
Impact
T1485

TI map IP entity to Network Session Events ASIM Network Session schema

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Defender Threat Intelligence Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Threat Intelligence Taxii Windows Forwarded Events Zscaler
Command and Control
T1071

TI map IP entity to OfficeActivity

Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to SigninLogs

Azure Active Directory Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to VMConnection

Azure Monitor( Vminsights) Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map IP Entity to W3CIISLog

Azure Monitor( Iis) Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI map IP entity to Web Session Events ASIM Web Session schema

Microsoft Defender Threat Intelligence Squid Proxy Threat Intelligence Threat Intelligence Taxii Zscaler
Command and Control
T1071

TI Map URL Entity to AuditLogs

Azure Active Directory Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map URL Entity to DeviceNetworkEvents

Microsoft Defender Threat Intelligence Microsoft Threat Protection Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map URL Entity to EmailUrlInfo

Azure Active Directory Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map URL Entity to OfficeActivity Data [Deprecated]

Microsoft Defender Threat Intelligence Office365 Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map URL Entity to PaloAlto Data

Microsoft Defender Threat Intelligence Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map URL Entity to SecurityAlert Data

Azure Security Center Microsoft Cloud App Security Microsoft Defender Threat Intelligence Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map URL Entity to Syslog Data

Microsoft Defender Threat Intelligence Syslog Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TI Map URL Entity to UrlClickEvents

Microsoft Defender Threat Intelligence Microsoft Threat Protection Threat Intelligence Threat Intelligence Taxii
Command and Control
T1071

TIE Active Directory attacks pathways

Tenable Ie
Credential Access
T1110

TIE DCShadow

Tenable Ie
Defense Evasion
T1207

TIE DCSync

Tenable Ie
Credential Access
T1003

TIE Golden Ticket

Tenable Ie
Credential Access
T1558

TIE Indicators of Attack

Tenable Ie
Credential Access
T1110

TIE Indicators of Exposures

Tenable Ie
Credential Access
T1110

TIE LSASS Memory

Tenable Ie
Credential Access
T1003

TIE Password Guessing

Tenable Ie
Credential Access
T1110

TIE Password issues

Tenable Ie
Credential Access
T1110

TIE Password Spraying

Tenable Ie
Credential Access
T1110

TIE privileged accounts issues

Tenable Ie
Credential Access
T1110

TIE user accounts issues

Tenable Ie
Credential Access
T1110

Time series anomaly detection for total volume of traffic

Barracuda Cef Check Point Cisco Asa F5 Fortinet Palo Alto Networks
Exfiltration
T1030

Time series anomaly for data size transferred to public internet

Azure Monitor( Vminsights) Cisco Asa Palo Alto Networks
Exfiltration
T1030

TLS Certificate Hostname Mismatch

Hvpolling ID Azure Functions
Credential Access Defense Evasion Persistence
T1556

TLS Certificate Using Weak Cipher - Informational

Hvpolling ID Azure Functions
Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLS Certificate Using Weak Cipher - Medium

Hvpolling ID Azure Functions
Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv1 in Use - Low

Hvpolling ID Azure Functions
Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv1 in Use - Medium

Hvpolling ID Azure Functions
Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv11 in Use - info

Hvpolling ID Azure Functions
Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

TLSv11 in Use - Medium

Hvpolling ID Azure Functions
Credential Access Lateral Movement Defense Evasion Persistence
T1556 T1210 T1212

Tomcat - Commands in URI

Apache Tomcat Custom Logs Ama
Initial Access
T1190 T1133

Tomcat - Known malicious user agent

Apache Tomcat Custom Logs Ama
Initial Access
T1190 T1133

Tomcat - Multiple client errors from single IP address

Apache Tomcat Custom Logs Ama
Initial Access
T1190 T1133

Tomcat - Multiple empty requests from same IP

Apache Tomcat Custom Logs Ama
Initial Access Impact
T1190 T1133 T1499

Tomcat - Multiple server errors from single IP address

Apache Tomcat Custom Logs Ama
Impact Initial Access
T1498 T1190 T1133

Tomcat - Put file and get file from same IP address

Apache Tomcat Custom Logs Ama
Initial Access
T1190 T1133

Tomcat - Request from localhost IP address

Apache Tomcat Custom Logs Ama
Initial Access
T1190 T1133

Tomcat - Request to sensitive files

Apache Tomcat Custom Logs Ama
Initial Access
T1189

Tomcat - Server errors after multiple requests from same IP

Apache Tomcat Custom Logs Ama
Impact Initial Access
T1498 T1190 T1133

Tomcat - Sql injection patterns

Apache Tomcat Custom Logs Ama
Initial Access
T1190

Trend Micro CAS - DLP violation

Trend Micro Cas
Exfiltration
T1048

Trend Micro CAS - Infected user

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Multiple infected users

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Possible phishing mail

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Ransomware infection

Trend Micro Cas
Impact
T1486

Trend Micro CAS - Ransomware outbreak

Trend Micro Cas
Impact
T1486

Trend Micro CAS - Suspicious filename

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Threat detected and not blocked

Trend Micro Cas
Defense Evasion
T1562

Trend Micro CAS - Unexpected file on file share

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Unexpected file via mail

Trend Micro Cas
Initial Access
T1566

Trust Monitor Event

Credential Access
T1528 T1555

Trusted Developer Utilities Proxy Execution

Microsoft Threat Protection
Defense Evasion
T1127

Ubiquiti - Connection to known malicious IP or C2

Custom Logs Ama Ubiquiti Unifi
Exfiltration Command and Control
T1071 T1571 T1572

Ubiquiti - connection to non-corporate DNS server

Custom Logs Ama Ubiquiti Unifi
Command and Control Exfiltration
T1572 T1041

Ubiquiti - Large ICMP to external server

Custom Logs Ama Ubiquiti Unifi
Exfiltration Command and Control
T1041 T1572

Ubiquiti - Possible connection to cryptominning pool

Custom Logs Ama Ubiquiti Unifi
Command and Control
T1071 T1095 T1571

Ubiquiti - RDP from external source

Custom Logs Ama Ubiquiti Unifi
Initial Access
T1133

Ubiquiti - SSH from external source

Custom Logs Ama Ubiquiti Unifi
Initial Access
T1133

Ubiquiti - Unknown MAC Joined AP

Custom Logs Ama Ubiquiti Unifi
Initial Access
T1133

Ubiquiti - Unusual DNS connection

Custom Logs Ama Ubiquiti Unifi
Command and Control
T1090 T1572

Ubiquiti - Unusual FTP connection to external server

Custom Logs Ama Ubiquiti Unifi
Exfiltration Command and Control
T1048 T1071

Ubiquiti - Unusual traffic

Custom Logs Ama Ubiquiti Unifi
Command and Control
T1573

Unauthorized user access across AWS and Azure

Awss3 Azure Active Directory
Credential Access Exfiltration Discovery
T1557 T1110 T1110 T1110 T1212 T1048 T1087 T1580

Unused IaaS Policy

Authomize
Initial Access Privilege Escalation
T1078 T1068

Unusual identity creation using exchange powershell

Microsoft Threat Protection Security Events
Persistence
T1136

Unusual Volume of file deletion by users

Microsoft Threat Protection
Impact
T1485

URL Added to Application from Unknown Domain

Azure Active Directory
Persistence Privilege Escalation
T1078

User Accessed Suspicious URL Categories

Symantec Proxy Sg Syslog Ama
Initial Access Command and Control
T1566 T1071

User account added to built in domain local or global group

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

User account created and deleted within 10 mins

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

User Account Created Using Incorrect Naming Format

Azure Active Directory
Persistence
T1136

User account created without expected attributes defined

Azure Active Directory
Persistence
T1136

User account enabled and disabled within 10 mins

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

User Accounts - Sign in Failure due to CA Spikes

Azure Active Directory Behavior Analytics
Initial Access
T1078

User Added to Admin Role

Azure Active Directory
Privilege Escalation
T1078

User added to Microsoft Entra ID Privileged Groups

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

User agent search for log4j exploitation attempt

Aws Azure Active Directory Azure Monitor( Iis) Office365 Squid Proxy Waf Zscaler
Initial Access
T1190

User Alert

Defense Evasion Impact
T1578 T1531

User Assigned New Privileged Role

Azure Active Directory
Persistence
T1078

User assigned to a default admin role

Authomize
Initial Access
T1078

User impersonation by Identity Protection alerts

Aws Azure Active Directory Identity Protection
Privilege Escalation
T1134

User joining Zoom meeting from suspicious timezone

Initial Access Privilege Escalation
T1078

User Login from Different Countries within 3 hours

Okta Sso Okta Ssov2
Initial Access
T1078

User Session ImpersonationOkta

Okta Sso Okta Ssov2
Privilege Escalation
T1134 T1134

User Sign in from different countries

Salesforce Service Cloud
Initial Access
T1078

User State changed from Guest to Member

Azure Active Directory
Persistence
T1098

User without MFA

Authomize
Initial Access
T1078

UserAccountDisabled

Senserva Pro
Initial Access
T1078

Users searching for VIP user activity

Collection Exfiltration
T1530 T1213 T1020

Valence Security Alerts

Valence Security

vArmour AppController - SMB Realm Traversal

Cef Ama V Armour Ac V Armour Acama
Discovery Lateral Movement
T1135 T1570

Vaults Alerts for Prancer

Prancer Log Data
Reconnaissance
T1595

vCenter - Root impersonation

Custom Logs Ama V Center
Privilege Escalation
T1078

Vectra Accounts Behaviors

Aivectra Detect Aivectra Detect Ama Cef Ama
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - Detections with High Severity

Aivectra Detect Aivectra Detect Ama Cef Ama
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - New Campaign Detected

Aivectra Detect Aivectra Detect Ama Cef Ama
Lateral Movement Command and Control
T1021 T1071

Vectra AI Detect - Suspected Compromised Account

Aivectra Detect Aivectra Detect Ama Cef Ama
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - Suspected Compromised Host

Aivectra Detect Aivectra Detect Ama Cef Ama
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra AI Detect - Suspicious Behaviors by Category

Aivectra Detect Aivectra Detect Ama Cef Ama
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

Vectra Create Detection Alert for Hosts

Vectra Xdr
Persistence
T1546

Vectra Hosts Behaviors

Aivectra Detect Aivectra Detect Ama Cef Ama
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1003 T1087 T1021 T1119 T1071 T1041 T1499

VIP Mailbox manipulation

Esi Exchange Admin Audit Log Events
Exfiltration Persistence Collection
T1020 T1098 T1114

Virtual Machines Alerts for Prancer

Prancer Log Data
Reconnaissance
T1595

VirtualNetworkPeerings Alerts From Prancer

Prancer Log Data
Reconnaissance
T1595

VMware ESXi - Dormant VM started

Syslog Ama Vmware Esxi
Initial Access
T1190

VMware ESXi - Low patch disk space

Syslog Ama Vmware Esxi
Impact
T1529

VMware ESXi - Low temp directory space

Syslog Ama Vmware Esxi
Impact
T1529

VMware ESXi - Multiple new VMs started

Syslog Ama Vmware Esxi
Initial Access
T1078

VMware ESXi - Multiple VMs stopped

Syslog Ama Vmware Esxi
Impact
T1529

VMware ESXi - New VM started

Syslog Ama Vmware Esxi
Initial Access
T1078

VMware ESXi - Root impersonation

Syslog Ama Vmware Esxi
Privilege Escalation
T1078

VMware ESXi - Root login

Syslog Ama Vmware Esxi
Initial Access Privilege Escalation
T1078

VMware ESXi - Shared or stolen root account

Syslog Ama Vmware Esxi
Initial Access Privilege Escalation
T1078

VMware ESXi - Unexpected disk image

Syslog Ama Vmware Esxi
Impact
T1496

VMware ESXi - VM stopped

Syslog Ama Vmware Esxi
Impact
T1529

VMware vCenter - Root login

Custom Logs Ama V Center
Initial Access Privilege Escalation
T1078

Votiro - File Blocked from Connector

Cef Ama Votiro
Defense Evasion Discovery Impact
T1036 T1083 T1057 T1082 T1565 T1498 T0837

Votiro - File Blocked in Email

Cef Ama Votiro
Command and Control Defense Evasion Impact Initial Access
T0885 T1036 T1027 T1486 T1566

Vulerabilities

Cef Ama Ridge Bot Data Connector
Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Vulnerable Machines related to log4j CVE-2021-44228

Initial Access Execution
T1190 T1203

Vulnerable Machines related to OMIGOD CVE-2021-38647

Initial Access Execution
T1190 T1203

WDigest downgrade attack

Security Events Windows Security Events
Credential Access
T1003

Web sites blocked by Eset

Eset Smc
Exfiltration Command and Control Initial Access
T1189 T1567 T1071

Website blocked by ESET

Esetprotect Syslog Ama
Exfiltration Command and Control Initial Access
T1041 T1071 T1189 T1566

Windows Binaries Executed from Non-Default Directory

Security Events Windows Security Events
Execution
T1059

Windows Binaries Lolbins Renamed

Security Events Windows Security Events
Execution
T1059

Windows host username encoded in base64 web request

Check Point Fortinet Microsoft Threat Protection Palo Alto Networks Zscaler
Exfiltration Command and Control
T1041 T1071

Workspace deletion activity from an infected device

Azure Active Directory Identity Protection Azure Activity Behavior Analytics
Initial Access Impact
T1078 T1489

Zero Networks Segement - Machine Removed from protection

Zero Networks Segment Audit Function Zero Networks Segment Audit Native Poller
Defense Evasion
T1562

Zero Networks Segment - New API Token created

Zero Networks Segment Audit Function Zero Networks Segment Audit Native Poller
Credential Access
T1528

Zero Networks Segment - Rare JIT Rule Creation

Zero Networks Segment Audit Function Zero Networks Segment Audit Native Poller
Lateral Movement
T1021

ZeroFox Alerts - High Severity Alerts

Zero Fox Alert Polling
Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Informational Severity Alerts

Zero Fox Alert Polling
Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Low Severity Alerts

Zero Fox Alert Polling
Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Medium Severity Alerts

Zero Fox Alert Polling
Resource Development Initial Access
T1583 T1586 T1566

Zinc Actor IOCs files - October 2022

Microsoft Threat Protection Security Events Windows Security Events
Persistence
T1546

Zoom E2E Encryption Disabled

Credential Access Discovery
T1040

Zscaler - Connections by dormant user

Custom Logs Ama Zscaler Private Access
Persistence
T1078

Zscaler - Forbidden countries

Custom Logs Ama Zscaler Private Access
Initial Access
T1190 T1133

Zscaler - Shared ZPA session

Custom Logs Ama Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - Unexpected event count of rejects by policy

Custom Logs Ama Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - Unexpected update operation

Custom Logs Ama Zscaler Private Access
Initial Access
T1190 T1133

Zscaler - Unexpected ZPA session duration

Custom Logs Ama Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - ZPA connections by new user

Custom Logs Ama Zscaler Private Access
Persistence
T1078

Zscaler - ZPA connections from new country

Custom Logs Ama Zscaler Private Access
Initial Access
T1190 T1133

Zscaler - ZPA connections from new IP

Custom Logs Ama Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - ZPA connections outside operational hours

Custom Logs Ama Zscaler Private Access
Initial Access
T1190 T1133