Microsoft Sentinel Analytic Rules

Collection

Overview

| Rule Name | id | Required data connectors |
|---|---|---|
| API - API Scraping | d944d564-b6fa-470d-b5ab-41b341878c5e | 42CrunchAPIProtection |
| Jira - Workflow scheme copied | 398aa0ca-45a2-4f79-bc21-ee583bbb63bc | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Azure DevOps Audit Detection for known malicious tooling | bc71cf84-c02c-4c0a-a64c-306d84f9ff89 | |
| Box - Abmormal user activity | 1139230c-cf10-45db-b616-fed0d1415c05 | BoxDataConnector |
| Suspicious access of BEC related documents | cd8d946d-10a4-40a9-bac1-6d0a6c847d65 | |
| Suspicious access of BEC related documents in AWS S3 buckets | f3e2d35f-1202-4215-995c-4654ef07d1d8 | AWS |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cognni Incidents for Highly Sensitive Business Information | 44e80f00-b4f5-486b-a57d-4073746276df | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Financial Information | 7ebb7386-6c99-4331-aab1-a185a603eb47 | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Governance Information | 2926ce29-08d2-4654-b2e8-7d8df70095d9 | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive HR Information | f68846cf-ec99-497d-9ce1-80a9441564fb | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Legal Information | 4f45f43b-3a4b-491b-9cbe-d649603384aa | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Business Information | a0647a60-16f9-4175-b344-5cdd2934413f | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Financial Information | 77171efa-4502-4ab7-9d23-d12305ff5a5e | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Governance Information | d2e40c79-fe8c-428e-8cb9-0e2282d4558c | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity HR Information | ef8654b1-b2cf-4f6c-ae5c-eca635a764e8 | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Legal Information | 8374ec0f-d857-4c17-b1e7-93d11800f8fb | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Business Information | 2c286288-3756-4824-b599-d3c499836c11 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Financial Information | d29b1d66-d4d9-4be2-b607-63278fc4fe6b | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Governance Information | c1d4a005-e220-4d06-9e53-7326a22b8fe4 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity HR Information | 75ff4f7d-0564-4a55-8b25-a75be951cde3 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Legal Information | db750607-d48f-4aef-b238-085f4a9882f1 | CognniSentinelDataConnector |
| DMARC Not Configured | c2b123c3-e909-4c2e-bd4a-92b7055cf7e0 | HVPollingIDAzureFunctions |
| Header: HTTP Strict Transport Security Missing | a3efb9ff-14a4-42ef-b019-0b9cbe5d3888 | HVPollingIDAzureFunctions |
| Header: Referrer-Policy Missing | 5ee7098a-f0d8-46bf-806d-25015145e24f | HVPollingIDAzureFunctions |
| Excessive share permissions | aba0b08c-aace-40c5-a21d-39153023dcaa | SecurityEvents, WindowsSecurityEvents |
| GitLab - Personal Access Tokens creation over time | 4d6d8b0e-6d9a-4857-a141-f5d89393cddb | Syslog |
| GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule | edcfc2e0-3134-434c-8074-9101c530d419 | Office365, AzureActiveDirectory |
| GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination | d75e8289-d1cb-44d4-bd59-2f44a9172478 | AzureActiveDirectory, Office365 |
| GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations | 433c254d-4b84-46f7-99ec-9dfefb5f6a7b | AzureActiveDirectory, Office365 |
| GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | AzureActiveDirectory |
| GSA Enriched Office 365 - Office Mail Forwarding - Hunting Version | d49fc965-aef3-49f6-89ad-10cc4697eb5b | AzureActiveDirectory |
| GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity | 49a4f65a-fe18-408e-afec-042fde93d3ce | AzureActiveDirectory |
| GWorkspace - Multiple user agents for single source | 6ff0e16e-5999-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - An Outbound Relay has been added to a G Suite Domain | ead87cd6-5da7-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| [Deprecated] - Known Manganese IP and UserAgent activity | a04cf847-a832-4c60-b687-b0b6147da219 | Office365 |
| [Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor | c37711a4-5f44-4472-8afc-0679bc0ef966 | F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, AzureMonitor(IIS), WindowsForwardedEvents |
| Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
| Exchange workflow MailItemsAccessed operation anomaly | b4ceb583-4c44-4555-8ecf-39f572e827ba | Office365 |
| Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
| Rare and potentially high-risk Office operations | 957cb240-f45d-4491-9ba5-93430a3c08be | Office365 |
| Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
| Deimos Component Execution | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b | MicrosoftThreatProtection |
| Office Apps Launching Wscipt | 174de33b-107b-4cd8-a85d-b4025a35453f | MicrosoftThreatProtection |
| VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
| Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
| Mimecast Secure Email Gateway - Attachment Protect | 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2 | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 2ef77cef-439f-4d94-848f-3eca67510d2f | MimecastSEGAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | c048fa06-0d50-4626-ae82-a6cea812d9c4 | MimecastTTPAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
| OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | OracleDatabaseAudit, SyslogAma |
| OracleDBAudit - Query on Sensitive Table | d7fdcad5-ce96-4db6-9a5e-4a86a5166e5e | OracleDatabaseAudit, SyslogAma |
| OracleDBAudit - Unusual user activity on multiple tables | 75024e1c-26e7-4e73-821d-95e5decdd8db | OracleDatabaseAudit, SyslogAma |
| Radiflow - Policy Violation Detected | a3f4cc3e-2403-4570-8d21-1dedd5632958 | RadiflowIsid |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| SailPointIdentityNowAlertForTriggers | 08330c3d-487e-4f5e-a539-1e7d06dea786 | SailPointIdentityNow |
| Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
| Snowflake - Query on sensitive or restricted table | f258fa0c-e26c-4e2b-94fb-88b6cef0ca6e | Snowflake |
| Snowflake - Unusual query | 1dd1d9e5-3ebf-43cb-be07-6082d5eabe79 | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF, SonicWallFirewall, CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Theom - National IDs unencrypted | a655f6d1-4ffa-4bc9-8b5d-2ec31cad09d4 | Theom |
| Theom - Financial data unencrypted | b568d2fb-b73c-4e6a-88db-2093457712af | Theom |
| Theom - Healthcare data unencrypted | fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7 | Theom |
| Theom - Unencrypted public data stores | 6b93d8b1-40cf-4973-adaa-6f240df21ff1 | Theom |
| Theom - Critical data in API headers or body | 2ef36aaa-ec4a-473a-9734-f364ce8868f8 | Theom |
| Theom - Dev secrets exposed | 65200844-e161-47a7-a103-f61f7e3afe30 | Theom |
| Theom - Healthcare data exposed | 078b5614-54c7-41a6-8289-5b5870e4c0f9 | Theom |
| Theom - National IDs exposed | db95655e-bf5c-4c38-9676-501ec1878d4e | Theom |
| Theom - Financial data exposed | 0cead100-f6ca-4cbb-989d-424d20705f30 | Theom |
| Theom - Dark Data with large fin value | 545fdcc7-2123-4b8a-baf6-409f29aad4b1 | Theom |
| Theom - Least priv large value shadow DB | 67b9ff50-5393-49d5-b66f-05b33e2f35d2 | Theom |
| Theom - Overprovisioned Roles Shadow DB | fb7769d0-e622-4479-95b4-f6266a5b41e2 | Theom |
| Theom - Shadow DB large datastore value | 7cf83fce-276a-4b12-a876-7b1bc0683cd6 | Theom |
| Theom - Shadow DB with atypical accesses | 02bff937-ca52-4f52-a9cd-b826f8602694 | Theom |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma, CefAma |
| ADFS Database Named Pipe Connection | dcdf9bfc-c239-4764-a9f9-3612e6dff49c | SecurityEvents, WindowsSecurityEvents |
| AD FS Remote Auth Sync Connection | 2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6 | SecurityEvents, WindowsSecurityEvents |
| AD FS Remote HTTP Network Connection | d57c33a9-76b9-40e0-9dfa-ff0404546410 | SecurityEvents, WindowsSecurityEvents |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy, Zscaler |
| Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
| ADFS DKM Master Key Export | 18e6a87e-9d06-4a4e-8b59-3469cd49552d | SecurityEvents, MicrosoftThreatProtection, WindowsSecurityEvents, WindowsForwardedEvents |
| High risk Office operation conducted by IP Address that recently attempted to log into a disabled account | 9adbd1c3-a4be-44ef-ac2f-503fd25692ee | AzureActiveDirectory, Office365 |
| NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
| Microsoft Entra ID Health Monitoring Agent Registry Keys Access | f819c592-c5f9-4d5c-a79f-1e6819863533 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Microsoft Entra ID Health Service Agents Registry Keys Access | 06bbf969-fcbe-43fa-bac2-b2fa131d113a | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |