Collection
| Rule Name | id | Required data connectors |
|---|---|---|
| API - API Scraping | d944d564-b6fa-470d-b5ab-41b341878c5e | 42CrunchAPIProtection |
| Jira - Workflow scheme copied | 398aa0ca-45a2-4f79-bc21-ee583bbb63bc | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Azure DevOps Audit Detection for known malicious tooling | bc71cf84-c02c-4c0a-a64c-306d84f9ff89 | |
| Box - Abmormal user activity | 1139230c-cf10-45db-b616-fed0d1415c05 | BoxDataConnector |
| Suspicious access of BEC related documents | cd8d946d-10a4-40a9-bac1-6d0a6c847d65 | |
| Suspicious access of BEC related documents in AWS S3 buckets | f3e2d35f-1202-4215-995c-4654ef07d1d8 | AWS |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cognni Incidents for Highly Sensitive Business Information | 44e80f00-b4f5-486b-a57d-4073746276df | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Financial Information | 7ebb7386-6c99-4331-aab1-a185a603eb47 | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Governance Information | 2926ce29-08d2-4654-b2e8-7d8df70095d9 | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive HR Information | f68846cf-ec99-497d-9ce1-80a9441564fb | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Legal Information | 4f45f43b-3a4b-491b-9cbe-d649603384aa | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Business Information | a0647a60-16f9-4175-b344-5cdd2934413f | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Financial Information | 77171efa-4502-4ab7-9d23-d12305ff5a5e | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Governance Information | d2e40c79-fe8c-428e-8cb9-0e2282d4558c | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity HR Information | ef8654b1-b2cf-4f6c-ae5c-eca635a764e8 | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Legal Information | 8374ec0f-d857-4c17-b1e7-93d11800f8fb | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Business Information | 2c286288-3756-4824-b599-d3c499836c11 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Financial Information | d29b1d66-d4d9-4be2-b607-63278fc4fe6b | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Governance Information | c1d4a005-e220-4d06-9e53-7326a22b8fe4 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity HR Information | 75ff4f7d-0564-4a55-8b25-a75be951cde3 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Legal Information | db750607-d48f-4aef-b238-085f4a9882f1 | CognniSentinelDataConnector |
| DMARC Not Configured | c2b123c3-e909-4c2e-bd4a-92b7055cf7e0 | HVPollingIDAzureFunctions |
| Header: HTTP Strict Transport Security Missing | a3efb9ff-14a4-42ef-b019-0b9cbe5d3888 | HVPollingIDAzureFunctions |
| Header: Referrer-Policy Missing | 5ee7098a-f0d8-46bf-806d-25015145e24f | HVPollingIDAzureFunctions |
| Excessive share permissions | aba0b08c-aace-40c5-a21d-39153023dcaa | SecurityEvents WindowsSecurityEvents |
| GitLab - Personal Access Tokens creation over time | 4d6d8b0e-6d9a-4857-a141-f5d89393cddb | SyslogAma |
| GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule | edcfc2e0-3134-434c-8074-9101c530d419 | Office365 AzureActiveDirectory |
| GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination | d75e8289-d1cb-44d4-bd59-2f44a9172478 | AzureActiveDirectory Office365 |
| GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations | 433c254d-4b84-46f7-99ec-9dfefb5f6a7b | AzureActiveDirectory Office365 |
| GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | AzureActiveDirectory |
| GSA Enriched Office 365 - Office Mail Forwarding - Hunting Version | d49fc965-aef3-49f6-89ad-10cc4697eb5b | AzureActiveDirectory |
| GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity | 49a4f65a-fe18-408e-afec-042fde93d3ce | AzureActiveDirectory |
| GWorkspace - Multiple user agents for single source | 6ff0e16e-5999-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - An Outbound Relay has been added to a G Suite Domain | ead87cd6-5da7-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| [Deprecated] - Known Manganese IP and UserAgent activity | a04cf847-a832-4c60-b687-b0b6147da219 | Office365 |
| [Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor | c37711a4-5f44-4472-8afc-0679bc0ef966 | F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents AzureMonitor(IIS) WindowsForwardedEvents |
| Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
| Exchange workflow MailItemsAccessed operation anomaly | b4ceb583-4c44-4555-8ecf-39f572e827ba | Office365 |
| Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
| Rare and potentially high-risk Office operations | 957cb240-f45d-4491-9ba5-93430a3c08be | Office365 |
| Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
| Deimos Component Execution | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b | MicrosoftThreatProtection |
| Office Apps Launching Wscipt | 174de33b-107b-4cd8-a85d-b4025a35453f | MicrosoftThreatProtection |
| VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
| Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
| Mimecast Secure Email Gateway - Attachment Protect | 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2 | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 2ef77cef-439f-4d94-848f-3eca67510d2f | MimecastSEGAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | c048fa06-0d50-4626-ae82-a6cea812d9c4 | MimecastTTPAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
| OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | SyslogAma |
| OracleDBAudit - Query on Sensitive Table | d7fdcad5-ce96-4db6-9a5e-4a86a5166e5e | SyslogAma |
| OracleDBAudit - Unusual user activity on multiple tables | 75024e1c-26e7-4e73-821d-95e5decdd8db | SyslogAma |
| Radiflow - Policy Violation Detected | a3f4cc3e-2403-4570-8d21-1dedd5632958 | RadiflowIsid |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| SailPointIdentityNowAlertForTriggers | 08330c3d-487e-4f5e-a539-1e7d06dea786 | SailPointIdentityNow |
| Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
| Snowflake - Query on sensitive or restricted table | f258fa0c-e26c-4e2b-94fb-88b6cef0ca6e | Snowflake |
| Snowflake - Unusual query | 1dd1d9e5-3ebf-43cb-be07-6082d5eabe79 | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Theom - National IDs unencrypted | a655f6d1-4ffa-4bc9-8b5d-2ec31cad09d4 | Theom |
| Theom - Financial data unencrypted | b568d2fb-b73c-4e6a-88db-2093457712af | Theom |
| Theom - Healthcare data unencrypted | fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7 | Theom |
| Theom - Unencrypted public data stores | 6b93d8b1-40cf-4973-adaa-6f240df21ff1 | Theom |
| Theom - Critical data in API headers or body | 2ef36aaa-ec4a-473a-9734-f364ce8868f8 | Theom |
| Theom - Dev secrets exposed | 65200844-e161-47a7-a103-f61f7e3afe30 | Theom |
| Theom - Healthcare data exposed | 078b5614-54c7-41a6-8289-5b5870e4c0f9 | Theom |
| Theom - National IDs exposed | db95655e-bf5c-4c38-9676-501ec1878d4e | Theom |
| Theom - Financial data exposed | 0cead100-f6ca-4cbb-989d-424d20705f30 | Theom |
| Theom - Dark Data with large fin value | 545fdcc7-2123-4b8a-baf6-409f29aad4b1 | Theom |
| Theom - Least priv large value shadow DB | 67b9ff50-5393-49d5-b66f-05b33e2f35d2 | Theom |
| Theom - Overprovisioned Roles Shadow DB | fb7769d0-e622-4479-95b4-f6266a5b41e2 | Theom |
| Theom - Shadow DB large datastore value | 7cf83fce-276a-4b12-a876-7b1bc0683cd6 | Theom |
| Theom - Shadow DB with atypical accesses | 02bff937-ca52-4f52-a9cd-b826f8602694 | Theom |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | CefAma |
| ADFS Database Named Pipe Connection | dcdf9bfc-c239-4764-a9f9-3612e6dff49c | SecurityEvents WindowsSecurityEvents |
| AD FS Remote Auth Sync Connection | 2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6 | SecurityEvents WindowsSecurityEvents |
| AD FS Remote HTTP Network Connection | d57c33a9-76b9-40e0-9dfa-ff0404546410 | SecurityEvents WindowsSecurityEvents |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
| Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
| ADFS DKM Master Key Export | 18e6a87e-9d06-4a4e-8b59-3469cd49552d | SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents |
| High risk Office operation conducted by IP Address that recently attempted to log into a disabled account | 9adbd1c3-a4be-44ef-ac2f-503fd25692ee | AzureActiveDirectory Office365 |
| NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
| Microsoft Entra ID Health Monitoring Agent Registry Keys Access | f819c592-c5f9-4d5c-a79f-1e6819863533 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Microsoft Entra ID Health Service Agents Registry Keys Access | 06bbf969-fcbe-43fa-bac2-b2fa131d113a | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |