Microsoft Sentinel Analytic Rules
cloudbrothers.info / Azure Sentinel Repo

Collection

Overview

| Rule Name | Id | Required data connectors |
|---|---|---|
| API - API Scraping | d944d564-b6fa-470d-b5ab-41b341878c5e | 42CrunchAPIProtection |
| Jira - Workflow scheme copied | 398aa0ca-45a2-4f79-bc21-ee583bbb63bc | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Azure DevOps Audit Detection for known malicious tooling | bc71cf84-c02c-4c0a-a64c-306d84f9ff89 | |
| Box - Abmormal user activity | 1139230c-cf10-45db-b616-fed0d1415c05 | BoxDataConnector |
| Suspicious access of BEC related documents | cd8d946d-10a4-40a9-bac1-6d0a6c847d65 | |
| Suspicious access of BEC related documents in AWS S3 buckets | f3e2d35f-1202-4215-995c-4654ef07d1d8 | AWS |
| Cognni Incidents for Highly Sensitive Business Information | 44e80f00-b4f5-486b-a57d-4073746276df | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Financial Information | 7ebb7386-6c99-4331-aab1-a185a603eb47 | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Governance Information | 2926ce29-08d2-4654-b2e8-7d8df70095d9 | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive HR Information | f68846cf-ec99-497d-9ce1-80a9441564fb | CognniSentinelDataConnector |
| Cognni Incidents for Highly Sensitive Legal Information | 4f45f43b-3a4b-491b-9cbe-d649603384aa | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Business Information | a0647a60-16f9-4175-b344-5cdd2934413f | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Financial Information | 77171efa-4502-4ab7-9d23-d12305ff5a5e | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Governance Information | d2e40c79-fe8c-428e-8cb9-0e2282d4558c | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity HR Information | ef8654b1-b2cf-4f6c-ae5c-eca635a764e8 | CognniSentinelDataConnector |
| Cognni Incidents for Low Sensitivity Legal Information | 8374ec0f-d857-4c17-b1e7-93d11800f8fb | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Business Information | 2c286288-3756-4824-b599-d3c499836c11 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Financial Information | d29b1d66-d4d9-4be2-b607-63278fc4fe6b | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Governance Information | c1d4a005-e220-4d06-9e53-7326a22b8fe4 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity HR Information | 75ff4f7d-0564-4a55-8b25-a75be951cde3 | CognniSentinelDataConnector |
| Cognni Incidents for Medium Sensitivity Legal Information | db750607-d48f-4aef-b238-085f4a9882f1 | CognniSentinelDataConnector |
| DMARC Not Configured | c2b123c3-e909-4c2e-bd4a-92b7055cf7e0 | HVPollingIDAzureFunctions |
| Excessive share permissions | aba0b08c-aace-40c5-a21d-39153023dcaa | SecurityEvents |
| GitLab - Personal Access Tokens creation over time | 4d6d8b0e-6d9a-4857-a141-f5d89393cddb | Syslog |
| GWorkspace - Multiple user agents for single source | 6ff0e16e-5999-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - An Outbound Relay has been added to a G Suite Domain | ead87cd6-5da7-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| [Deprecated] - Known Manganese IP and UserAgent activity | a04cf847-a832-4c60-b687-b0b6147da219 | Office365 |
| [Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor | c37711a4-5f44-4472-8afc-0679bc0ef966 | F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, AzureMonitor(IIS), WindowsForwardedEvents |
| Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
| Exchange workflow MailItemsAccessed operation anomaly | b4ceb583-4c44-4555-8ecf-39f572e827ba | Office365 |
| Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
| Rare and potentially high-risk Office operations | 957cb240-f45d-4491-9ba5-93430a3c08be | Office365 |
| Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
| Deimos Component Execution | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b | MicrosoftThreatProtection |
| Office Apps Launching Wscipt | 174de33b-107b-4cd8-a85d-b4025a35453f | MicrosoftThreatProtection |
| VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
| Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
| OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | OracleDatabaseAudit |
| OracleDBAudit - Query on Sensitive Table | d7fdcad5-ce96-4db6-9a5e-4a86a5166e5e | OracleDatabaseAudit |
| OracleDBAudit - Unusual user activity on multiple tables | 75024e1c-26e7-4e73-821d-95e5decdd8db | OracleDatabaseAudit |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| SailPointIdentityNowAlertForTriggers | 08330c3d-487e-4f5e-a539-1e7d06dea786 | SailPointIdentityNow |
| Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
| Snowflake - Query on sensitive or restricted table | f258fa0c-e26c-4e2b-94fb-88b6cef0ca6e | Snowflake |
| Snowflake - Unusual query | 1dd1d9e5-3ebf-43cb-be07-6082d5eabe79 | Snowflake |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma |
| ADFS Database Named Pipe Connection | dcdf9bfc-c239-4764-a9f9-3612e6dff49c | SecurityEvents, WindowsSecurityEvents |
| AD FS Remote Auth Sync Connection | 2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6 | SecurityEvents, WindowsSecurityEvents |
| AD FS Remote HTTP Network Connection | d57c33a9-76b9-40e0-9dfa-ff0404546410 | SecurityEvents, WindowsSecurityEvents |
| Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
| ADFS DKM Master Key Export | 18e6a87e-9d06-4a4e-8b59-3469cd49552d | SecurityEvents, MicrosoftThreatProtection, WindowsSecurityEvents, WindowsForwardedEvents |
| High risk Office operation conducted by IP Address that recently attempted to log into a disabled account | 9adbd1c3-a4be-44ef-ac2f-503fd25692ee | AzureActiveDirectory, Office365 |
| NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
| Microsoft Entra ID Health Monitoring Agent Registry Keys Access | f819c592-c5f9-4d5c-a79f-1e6819863533 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Microsoft Entra ID Health Service Agents Registry Keys Access | 06bbf969-fcbe-43fa-bac2-b2fa131d113a | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |