Collection
Rule Name | id | Required data connectors |
---|---|---|
API - API Scraping | d944d564-b6fa-470d-b5ab-41b341878c5e | 42CrunchAPIProtection |
Jira - Workflow scheme copied | 398aa0ca-45a2-4f79-bc21-ee583bbb63bc | JiraAuditAPI |
Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Box - Abnormal user activity | 1139230c-cf10-45db-b616-fed0d1415c05 | BoxDataConnector |
Suspicious access of BEC related documents | cd8d946d-10a4-40a9-bac1-6d0a6c847d65 | |
Suspicious access of BEC related documents in AWS S3 buckets | f3e2d35f-1202-4215-995c-4654ef07d1d8 | AWS |
Cognni Incidents for Highly Sensitive Business Information | 44e80f00-b4f5-486b-a57d-4073746276df | CognniSentinelDataConnector |
Cognni Incidents for Highly Sensitive Financial Information | 7ebb7386-6c99-4331-aab1-a185a603eb47 | CognniSentinelDataConnector |
Cognni Incidents for Highly Sensitive Governance Information | 2926ce29-08d2-4654-b2e8-7d8df70095d9 | CognniSentinelDataConnector |
Cognni Incidents for Highly Sensitive HR Information | f68846cf-ec99-497d-9ce1-80a9441564fb | CognniSentinelDataConnector |
Cognni Incidents for Highly Sensitive Legal Information | 4f45f43b-3a4b-491b-9cbe-d649603384aa | CognniSentinelDataConnector |
Cognni Incidents for Low Sensitivity Business Information | a0647a60-16f9-4175-b344-5cdd2934413f | CognniSentinelDataConnector |
Cognni Incidents for Low Sensitivity Financial Information | 77171efa-4502-4ab7-9d23-d12305ff5a5e | CognniSentinelDataConnector |
Cognni Incidents for Low Sensitivity Governance Information | d2e40c79-fe8c-428e-8cb9-0e2282d4558c | CognniSentinelDataConnector |
Cognni Incidents for Low Sensitivity HR Information | ef8654b1-b2cf-4f6c-ae5c-eca635a764e8 | CognniSentinelDataConnector |
Cognni Incidents for Low Sensitivity Legal Information | 8374ec0f-d857-4c17-b1e7-93d11800f8fb | CognniSentinelDataConnector |
Cognni Incidents for Medium Sensitivity Business Information | 2c286288-3756-4824-b599-d3c499836c11 | CognniSentinelDataConnector |
Cognni Incidents for Medium Sensitivity Financial Information | d29b1d66-d4d9-4be2-b607-63278fc4fe6b | CognniSentinelDataConnector |
Cognni Incidents for Medium Sensitivity Governance Information | c1d4a005-e220-4d06-9e53-7326a22b8fe4 | CognniSentinelDataConnector |
Cognni Incidents for Medium Sensitivity HR Information | 75ff4f7d-0564-4a55-8b25-a75be951cde3 | CognniSentinelDataConnector |
Cognni Incidents for Medium Sensitivity Legal Information | db750607-d48f-4aef-b238-085f4a9882f1 | CognniSentinelDataConnector |
Excessive share permissions | aba0b08c-aace-40c5-a21d-39153023dcaa | SecurityEvents |
GitLab - Personal Access Tokens creation over time | 4d6d8b0e-6d9a-4857-a141-f5d89393cddb | Syslog |
GWorkspace - Multiple user agents for single source | 6ff0e16e-5999-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
GWorkspace - An Outbound Relay has been added to a G Suite Domain | ead87cd6-5da7-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
[Deprecated] - Known Manganese IP and UserAgent activity | a04cf847-a832-4c60-b687-b0b6147da219 | Office365 |
[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor | c37711a4-5f44-4472-8afc-0679bc0ef966 | F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents AzureMonitor(IIS) WindowsForwardedEvents |
Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
Exchange workflow MailItemsAccessed operation anomaly | b4ceb583-4c44-4555-8ecf-39f572e827ba | Office365 |
Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
Rare and potentially high-risk Office operations | 957cb240-f45d-4491-9ba5-93430a3c08be | Office365 |
Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | OracleDatabaseAudit |
OracleDBAudit - Query on Sensitive Table | d7fdcad5-ce96-4db6-9a5e-4a86a5166e5e | OracleDatabaseAudit |
OracleDBAudit - Unusual user activity on multiple tables | 75024e1c-26e7-4e73-821d-95e5decdd8db | OracleDatabaseAudit |
Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
SailPointIdentityNowAlertForTriggers | 08330c3d-487e-4f5e-a539-1e7d06dea786 | SailPointIdentityNow |
Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
Snowflake - Query on sensitive or restricted table | f258fa0c-e26c-4e2b-94fb-88b6cef0ca6e | Snowflake |
Snowflake - Unusual query | 1dd1d9e5-3ebf-43cb-be07-6082d5eabe79 | Snowflake |
Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect |
Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect |
Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
ADFS Database Named Pipe Connection | dcdf9bfc-c239-4764-a9f9-3612e6dff49c | SecurityEvents WindowsSecurityEvents |
AD FS Remote Auth Sync Connection | 2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6 | SecurityEvents WindowsSecurityEvents |
AD FS Remote HTTP Network Connection | d57c33a9-76b9-40e0-9dfa-ff0404546410 | SecurityEvents WindowsSecurityEvents |
Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
ADFS DKM Master Key Export | 18e6a87e-9d06-4a4e-8b59-3469cd49552d | SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents |
NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
Azure AD Health Monitoring Agent Registry Keys Access | f819c592-c5f9-4d5c-a79f-1e6819863533 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Azure AD Health Service Agents Registry Keys Access | 06bbf969-fcbe-43fa-bac2-b2fa131d113a | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |