Command and Control
| Rule Name | id | Required data connectors |
|---|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | 6e575295-a7e6-464c-8192-3e1d8fd6a990 | Office365 DNS AzureMonitor(VMInsights) CiscoASA CiscoAsaAma PaloAltoNetworks SecurityEvents AzureActiveDirectory AzureMonitor(WireData) AzureMonitor(IIS) AzureActivity AWS MicrosoftThreatProtection AzureFirewall |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Palo Alto - potential beaconing detected | f0be259a-34ac-4946-aa15-ca2b115d5feb | CloudNgfwByPAN |
| CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CloudNgfwByPAN |
| Palo Alto - potential beaconing detected | 2f8522fc-7807-4f0a-b53d-458296edab8d | CloudNgfwByPAN |
| Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
| Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
| Multiple Sources Affected by the Same TI Destination | 4644baf7-3464-45dd-bd9d-e07687e25f81 | AzureFirewall |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| BitSight - drop in company ratings | d8844f11-3a36-4b97-9062-1e6d57c00e37 | BitSight |
| BitSight - drop in the headline rating | b11fdc35-6368-4cc0-8128-52cd2e2cdda0 | BitSight |
| CiscoISE - Device changed IP in last 24 hours | 0c509e9b-121e-4951-9f9b-43722e052b4f | CiscoISE SyslogAma |
| Cisco SDWAN - Monitor Critical IPs | a62a207e-62be-4a74-acab-4466d5b3854f | CiscoSDWAN |
| Cisco SE - Connection to known C2 server | 0f788a93-dc88-4f80-89ef-bef7cd0fef05 | CiscoSecureEndpoint |
| Cisco SE - Possible webshell | d2c97cc9-1ccc-494d-bad4-564700451a2b | CiscoSecureEndpoint |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Empty User Agent Detected | 2b328487-162d-4034-b472-59f1d53684a1 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request to blocklisted file type | de58ee9e-b229-4252-8537-41a4c2f4045e | CiscoUmbrellaDataConnector |
| Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
| Cisco WSA - Multiple errors to resource from risky category | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 | CiscoWSA SyslogAma |
| Cisco WSA - Multiple errors to URL | 1db49647-435c-41ad-bf8c-7130ba75429d | CiscoWSA SyslogAma |
| Cisco WSA - Unexpected URL | 010644fd-2830-4451-9e0e-606cc192f2e7 | CiscoWSA SyslogAma |
| Cloudflare - Unexpected POST requests | 7313352a-09f6-4a84-88bd-6f17f1cbeb8f | CloudflareDataConnector |
| Corelight - C2 DGA Detected Via Repetitive Failures | 8eaa2268-74ee-492c-b869-450eff707fef | Corelight |
| Corelight - External Proxy Detected | 05850746-9ae4-412f-838b-844f0903f4a9 | Corelight |
| CyberArkEPM - Uncommon process Internet access | 9d0d44ab-54dc-472a-9931-53521e888932 | CyberArkEPM |
| Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) | 02f23312-1a33-4390-8b80-f7cd4df4dea0 | |
| Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) | 4ab8b09e-3c23-4974-afbe-7e653779eb2b | |
| Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) | cf687598-5a2c-46f8-81c8-06b15ed489b1 | |
| Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) | 5b8344eb-fa28-4ac3-bcff-bc19d5d63089 | |
| Ngrok Reverse Proxy on Network (ASIM DNS Solution) | 50b0dfb7-2c94-4eaf-a332-a5936d78c263 | |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) | 01191239-274e-43c9-b154-3a042692af06 | |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) | 89ba52fa-96a7-4653-829a-ca49bb13336c | |
| Potential Remote Desktop Tunneling | d2e8fd50-8d66-11ec-b909-0242ac120002 | SecurityEvents WindowsSecurityEvents |
| Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
| Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT SyslogAma |
| Ingress Tool Transfer - Certutil | f0be11a9-ec48-4df6-801d-479556044d4e | MicrosoftThreatProtection |
| Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains | 6345c923-99eb-4a83-b11d-7af0ffa75577 | Zscaler |
| GSA Enriched Office 365 - New Executable via Office FileUploaded Operation | 178c62b4-d5e5-40f5-8eab-7fccd0051e7a | AzureActiveDirectory Office365 |
| GSA - Detect Abnormal Deny Rate for Source to Destination IP | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b | AzureActiveDirectory |
| GSA - Detect Protocol Changes for Destination Ports | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a | AzureActiveDirectory |
| GSA Enriched Office 365 - New Windows Reserved Filenames staged on Office file services | 641ecd2d-27c9-4f05-8433-8205096b09fc | AzureActiveDirectory |
| Google DNS - IP check activity | 35221a58-cacb-4174-9bb4-ee777784fbce | GCPDNSDataConnector |
| Google DNS - Request to dynamic DNS service | 09fc03e0-daec-4b22-8afa-4bba30d7e909 | GCPDNSDataConnector |
| Google DNS - Multiple errors for source | 7e81a935-5e91-45a5-92fd-3b58c180513b | GCPDNSDataConnector |
| Google DNS - Multiple errors to same domain | da04a5d6-e2be-4cba-8cdb-a3f2efa87e9e | GCPDNSDataConnector |
| Google DNS - UNC2452 (Nobelium) APT Group activity | 22a613ea-c338-4f91-bbd3-3be97b00ebf9 | GCPDNSDataConnector |
| GreyNoise TI Map IP Entity to CommonSecurityLog | e50657d7-8bca-43ff-a647-d407fae440d6 | ThreatIntelligence CEF CefAma GreyNoise2SentinelAPI |
| GreyNoise TI Map IP Entity to DnsEvents | ddf47b6f-870c-5712-a296-1383acb13c82 | ThreatIntelligence ThreatIntelligenceTaxii DNS ASimDnsActivityLogs GreyNoise2SentinelAPI |
| GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema) | 536e8e5c-ce0e-575e-bcc9-aba8e7bf9316 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet MicrosoftDefenderThreatIntelligence CiscoMeraki GreyNoise2SentinelAPI |
| GreyNoise TI map IP entity to OfficeActivity | c51628fe-999c-5150-9fd7-660fc4f58ed2 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence Office365 GreyNoise2SentinelAPI |
| GreyNoise TI Map IP Entity to SigninLogs | f6c76cc9-218c-5b76-9b82-8607f09ea1b4 | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory MicrosoftDefenderThreatIntelligence GreyNoise2SentinelAPI |
| Excessive NXDOMAIN DNS Queries | b8266f81-2715-41a6-9062-42486cbc9c73 | InfobloxNIOS SyslogAma |
| [Deprecated] - Known Barium domains | 70b12a3b-4899-42cb-910c-5ffaf9d7997d | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] -Known Barium IP | 6ee72a9e-2e54-459c-bc9a-9c09a6502a63 | AWSS3 WindowsForwardedEvents MicrosoftSysmonForLinux Office365 DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureActiveDirectory AzureMonitor(WireData) AzureMonitor(IIS) AzureActivity AWS MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Denim Tsunami C2 Domains July 2022 | ce02935c-cc67-4b77-9b96-93d9947e119a | AzureMonitor(VMInsights) DNS MicrosoftThreatProtection |
| [Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes | 09551db0-e147-4a0c-9e7b-918f88847605 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight WindowsForwardedEvents |
| [Deprecated] - Known Diamond Sleet related maldoc hash | 3174a9ec-d0ad-4152-8307-94ed04fa450a | CiscoASA PaloAltoNetworks SecurityEvents |
| [Deprecated] - Emerald Sleet domains included in DCU takedown | 70b12a3b-4896-42cb-910c-5ffaf8d7987d | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Granite Typhoon domains and hashes | 26a3b261-b997-4374-94ea-6c37f67f4f39 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Mint Sandstorm group domains/IP - October 2020 | 7249500f-3038-4b83-8549-9cd8dfa2d498 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks Zscaler Fortinet OfficeATP AzureFirewall |
| [Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021 | bb8a3481-dd14-4e76-8dcc-bbec8776d695 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection Office365 AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021 | 677da133-e487-4108-a150-5b926591a92b | AWSS3 WindowsForwardedEvents SquidProxy MicrosoftSysmonForLinux DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Nylon Typhoon domains and hashes | 9122a9cb-916b-4d98-a199-1b7b0af8d598 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Phosphorus group domains/IP | 155f40c6-610d-497d-85fc-3cf06ec13256 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks Office365 AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Plaid Rain IP | 95407904-0131-4918-bc49-ebf282ce149a | AWSS3 WindowsForwardedEvents MicrosoftSysmonForLinux Office365 DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureActiveDirectory AzureMonitor(WireData) AzureMonitor(IIS) AzureActivity AWS MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Ruby Sleet domains and hashes | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Seashell Blizzard IP | 7ee72a9e-2e54-459c-bc8a-8c08a6532a63 | AWSS3 WindowsForwardedEvents SquidProxy MicrosoftThreatProtection SecurityEvents MicrosoftSysmonForLinux Office365 DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureActiveDirectory AzureMonitor(IIS) AzureActivity AWS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Solorigate Network Beacon | cecdbd4c-4902-403c-8d4b-32eb1efe460b | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Solorigate Domains Found in VM Insights | ab4b6944-a20d-42ab-8b63-238426525801 | AzureMonitor(VMInsights) |
| McAfee ePO - Firewall disabled | bd3cedc3-efba-455a-85bd-0cf9ac1b0727 | McAfeeePO SyslogAma |
| New executable via Office FileUploaded Operation | d722831e-88f5-4e25-b106-4ef6e29f8c13 | Office365 |
| Linked Malicious Storage Artifacts | b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d | MicrosoftCloudAppSecurity |
| C2-NamedPipe | 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18 | MicrosoftThreatProtection |
| Bitsadmin Activity | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195 | MicrosoftThreatProtection |
| Office Apps Launching Wscipt | 174de33b-107b-4cd8-a85d-b4025a35453f | MicrosoftThreatProtection |
| Possible Phishing with CSL and Network Sessions | 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12 | MicrosoftThreatProtection Zscaler Fortinet CheckPoint PaloAltoNetworks AWSS3 WindowsForwardedEvents SecurityEvents WindowsSecurityEvents MicrosoftSysmonForLinux AzureNSG AzureMonitor(VMInsights) AIVectraStream |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by static threshold (ASIM Network Session schema) | 156997bd-da0f-4729-b47a-0a3e02dd50c8 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Potential beaconing activity (ASIM Network Session schema) | fcb9d75c-c3c1-4910-8697-f136bfef2363 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| New UserAgent observed in last 24 hours | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 | AWS Office365 AzureMonitor(IIS) |
| Palo Alto - potential beaconing detected | f0be259a-34ac-4946-aa15-ca2b115d5feb | CefAma |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CefAma |
| ProofpointPOD - Weak ciphers | 56b0a0cd-894e-4b38-a0a1-c41d9f96649a | ProofpointPOD |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| RecordedFuture Threat Hunting Domain All Actors | acbf7ef6-f964-44c3-9031-7834ec68175f | ThreatIntelligenceUploadIndicatorsAPI |
| RecordedFuture Threat Hunting IP All Actors | e31bc14e-2b4c-42a4-af34-5bfd7d768aea | ThreatIntelligenceUploadIndicatorsAPI |
| Detection of Malware C2 Domains in DNS Events | a1c02815-4248-4728-a9ae-dac73c67db23 | DNS ASimDnsActivityLogs |
| Detection of Malware C2 Domains in Syslog Events | dffd068f-fdab-440e-bbc0-34c14b623c89 | Syslog SyslogAma |
| Detection of Malware C2 IPs in Azure Act. Events | 588dc717-7583-452c-a743-dee96705898e | AzureActivity |
| Detection of Malware C2 IPs in DNS Events | 22cc1dff-14ad-481d-97e1-0602895e429e | DNS ASimDnsActivityLogs |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| SlackAudit - Unknown User Agent | 3b11f06e-4afd-4ae6-8477-c61136619ac8 | SlackAuditAPI |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Excessive Blocked Traffic Events Generated by User | fa0ab69c-7124-4f62-acdd-61017cf6ce89 | SymantecEndpointProtection SyslogAma |
| Excessive Denied Proxy Traffic | 7a58b253-0ef2-4248-b4e5-c350f15a8346 | SymantecProxySG SyslogAma |
| User Accessed Suspicious URL Categories | fb0f4a93-d8ad-4b54-9931-85bdb7550f90 | SymantecProxySG SyslogAma |
| NRT Squid proxy events related to mining pools | dd03057e-4347-4853-bf1e-2b2d21eb4e59 | Syslog SyslogAma |
| Squid proxy events related to mining pools | 80733eb7-35b2-45b6-b2b8-3c51df258206 | Syslog SyslogAma |
| Squid proxy events for ToR proxies | 90d3f6ec-80fb-48e0-9937-2c70c9df9bad | Syslog SyslogAma |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Preview - TI map Domain entity to Cloud App Events | b97e118c-b7fa-42a6-84de-2e13443fbb8f | MicrosoftThreatProtection MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to PaloAlto CommonSecurityLog | dd0a6029-ecef-4507-89c4-fc355ac52111 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map Domain Entity to DeviceNetworkEvents | c308b2f3-eebe-4a20-905c-cb8293b062db | MicrosoftThreatProtection ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to DnsEvents | 85aca4d1-5d15-4001-abd9-acb86ca1786a | DNS ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Web Session Events (ASIM Web Session schema) | b1832f60-6c3d-4722-a0a5-3d564ee61a63 | SquidProxy Zscaler ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to PaloAlto | ec21493c-2684-4acd-9bc2-696dbad72426 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to SecurityAlert | 87890d78-3e05-43ec-9ab9-ba32f4e01250 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftCloudAppSecurity AzureSecurityCenter MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Syslog | 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa | Syslog ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| Preview - TI map File Hash entity to Cloud App Events | 2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4 | MicrosoftThreatProtection MicrosoftDefenderThreatIntelligence |
| TI map File Hash to CommonSecurityLog Event | 5d33fc63-b83b-4913-b95e-94d13f0d379f | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map File Hash to DeviceFileEvents Event | bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7 | MicrosoftThreatProtection ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map File Hash to Security Event | a7427ed7-04b4-4e3b-b323-08b981b9b4bf | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Dns Events (ASIM DNS Schema) | 999e9f5d-db4a-4b07-a206-29c4e667b7e8 | ThreatIntelligence ThreatIntelligenceTaxii DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs MicrosoftDefenderThreatIntelligence CiscoUmbrellaDataConnector Corelight |
| TI map IP entity to DNS Events (ASIM DNS schema) | 67775878-7f8b-4380-ac54-115e1e828901 | ThreatIntelligence ThreatIntelligenceTaxii DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector MicrosoftDefenderThreatIntelligence Corelight |
| TI map IP entity to AppServiceHTTPLogs | f9949656-473f-4503-bf43-a9d9890f7d08 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AWSCloudTrail | f110287e-1358-490d-8147-ed804b328514 | ThreatIntelligence ThreatIntelligenceTaxii AWS MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to AzureActivity | 2441bce9-02e4-407b-8cc7-7d597f38b8b0 | ThreatIntelligence ThreatIntelligenceTaxii AzureActivity MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AzureFirewall | 0b904747-1336-4363-8d84-df2710bfe5e7 | ThreatIntelligence ThreatIntelligenceTaxii AzureFirewall MicrosoftDefenderThreatIntelligence |
| TI map IP entity to Azure Key Vault logs | 57c7e832-64eb-411f-8928-4133f01f4a25 | ThreatIntelligence ThreatIntelligenceTaxii AzureKeyVault MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) | a4025a76-6490-4e6b-bb69-d02be4b03f07 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to Azure SQL Security Audit Events | d0aa8969-1bbe-4da3-9e76-09e5f67c9d85 | ThreatIntelligence ThreatIntelligenceTaxii AzureSql MicrosoftDefenderThreatIntelligence |
| Preview - TI map IP entity to Cloud App Events | 4e0a6fc8-697e-4455-be47-831b41ea91ac | MicrosoftThreatProtection MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to CommonSecurityLog | 66c81ae2-1f89-4433-be00-2fbbd9ba5ebe | ThreatIntelligence ThreatIntelligenceTaxii CEF MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to DeviceNetworkEvents | b2df4979-d34a-48b3-a7d9-f473a4bf8058 | MicrosoftThreatProtection ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to DnsEvents | 69b7723c-2889-469f-8b55-a2d355ed9c87 | ThreatIntelligence ThreatIntelligenceTaxii DNS MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to Duo Security | d23ed927-5be3-4902-a9c1-85f841eb4fa1 | ThreatIntelligence ThreatIntelligenceTaxii CiscoDuoSecurity MicrosoftDefenderThreatIntelligence |
| TI map IP entity to Network Session Events (ASIM Network Session schema) | e2399891-383c-4caf-ae67-68a008b9f89e | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet MicrosoftDefenderThreatIntelligence CiscoMeraki ThreatIntelligenceTaxii |
| TI map IP entity to Web Session Events (ASIM Web Session schema) | e2559891-383c-4caf-ae67-55a008b9f89e | SquidProxy Zscaler ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map IP entity to OfficeActivity | f15370f4-c6fa-42c5-9be4-1d308f40284e | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence Office365 |
| TI Map IP Entity to SigninLogs | f2eb15bd-8a88-4b24-9281-e133edfba315 | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to VMConnection | 9713e3c0-1410-468d-b79e-383448434b2d | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence AzureMonitor(VMInsights) |
| TI Map IP Entity to W3CIISLog | 5e45930c-09b1-4430-b2d1-cc75ada0dc0f | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence AzureMonitor(IIS) |
| TI map IP entity to GitHub_CL | aac495a9-feb1-446d-b08e-a1164a539452 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to AuditLogs | 712fab52-2a7d-401e-a08c-ff939cc7c25e | AzureActiveDirectory ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| Preview - TI map URL entity to Cloud App Events | e8ae92dd-1d41-4530-8be8-85c5014c7b47 | MicrosoftThreatProtection MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to DeviceNetworkEvents | 6ddbd892-a9be-47be-bab7-521241695bd6 | MicrosoftThreatProtection ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to EmailUrlInfo | a0038239-72f4-4f7b-90ff-37f89f7881e0 | AzureActiveDirectory ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to OfficeActivity Data [Deprecated] | 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b | Office365 ThreatIntelligence MicrosoftDefenderThreatIntelligence ThreatIntelligenceTaxii |
| TI Map URL Entity to PaloAlto Data | 106813db-679e-4382-a51b-1bfc463befc3 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to SecurityAlert Data | f30a47c1-65fb-42b1-a7f4-00941c12550b | MicrosoftCloudAppSecurity AzureSecurityCenter ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to Syslog Data | b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf | Syslog ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to UrlClickEvents | 23391c84-87d8-452f-a84c-47a62f01e115 | MicrosoftThreatProtection ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| Threat Connect TI map Domain entity to DnsEvents | f8960f1c-07d2-512b-9c41-952772d40c84 | DNS ASimDnsActivityLogs ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map Email entity to OfficeActivity | 4f7ade3e-7121-5274-83ea-d7ed22a01fea | Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map Email entity to SigninLogs | ecb68ce7-c309-59a7-a8de-07ccf2a0ea4f | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema) | ee1fd303-2081-47b7-8f02-e38bfd0868e6 | ThreatIntelligence |
| ThreatConnect TI Map URL Entity to OfficeActivity Data | 12c3b31b-66a6-53ff-b6ab-6ae45e56dc92 | Office365 ThreatIntelligence MicrosoftDefenderThreatIntelligence |
| ApexOne - C&C callback events | 1a87cd10-67b7-11ec-90d6-0242ac120003 | CefAma |
| ApexOne - Suspicious connections | 9e3dc038-67b7-11ec-90d6-0242ac120003 | CefAma |
| Ubiquiti - Possible connection to cryptominning pool | 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80 | UbiquitiUnifi CustomLogsAma |
| Ubiquiti - Connection to known malicious IP or C2 | db60ca0b-b668-439b-b889-b63b57ef20fb | UbiquitiUnifi CustomLogsAma |
| Ubiquiti - Unusual FTP connection to external server | fd200125-9d57-4838-85ca-6430c63e4e5d | UbiquitiUnifi CustomLogsAma |
| Ubiquiti - Large ICMP to external server | 6df85d74-e32f-4b71-80e5-bfe2af00be1c | UbiquitiUnifi CustomLogsAma |
| Ubiquiti - connection to non-corporate DNS server | fe232837-9bdc-4e2b-8c08-cdac2610eed3 | UbiquitiUnifi CustomLogsAma |
| Ubiquiti - Unusual DNS connection | 14a23ded-7fb9-48ee-ba39-859517a49b51 | UbiquitiUnifi CustomLogsAma |
| Ubiquiti - Unusual traffic | 31e868c0-91d3-40eb-accc-3fa73aa96f8e | UbiquitiUnifi CustomLogsAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra AI Detect - New Campaign Detected | a34d0338-eda0-42b5-8b93-32aae0d7a501 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect AIVectraDetectAma CefAma |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro CefAma |
| Detect URLs containing known malicious keywords or commands (ASIM Web Session) | 32c08696-2e37-4730-86f8-97d9c8b184c9 | |
| The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) | b7fe8f27-7010-404b-aec5-6e5245cea580 | |
| Detect known risky user agents (ASIM Web Session) | 6a4dbcf8-f5e2-4b33-b34f-2db6487613f0 | |
| Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) | faa40333-1e8b-40cc-a003-51ae41fa886f | |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | 6a71687f-00cf-44d3-93fc-8cbacc7b5615 | |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Detect presence of private IP addresses in URLs (ASIM Web Session) | e3a7722a-e099-45a9-9afb-6618e8f05405 | |
| Detect requests for an uncommon resources on the web (ASIM Web Session) | c99cf650-c53b-4c4c-9671-7d7500191a10 | |
| SUPERNOVA webshell | 2acc91c3-17c2-4388-938e-4eac2d5894e8 | AzureMonitor(IIS) |
| Potential DGA detected | a0907abe-6925-4d90-af2b-c7e89dc201a6 | DNS |
| Discord CDN Risky File Download | 010bd98c-a6be-498c-bdcd-502308c0fdae | Zscaler ZscalerAma CefAma |
| Request for single resource on domain | 4d500e6d-c984-43a3-9f39-7edec8dcc04d | Zscaler ZscalerAma CefAma |
| Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) | c3b11fb2-9201-4844-b7b9-6b7bf6d9b851 | DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Potential DGA detected (ASIM DNS Schema) | 983a6922-894d-413c-9f04-d7add0ecc307 | DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Discord CDN Risky File Download (ASIM Web Session Schema) | 01e8ffff-dc0c-43fe-aa22-d459c4204553 | SquidProxy Zscaler |
| Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) | 9176b18f-a946-42c6-a2f6-0f6d17cd6a8a | SquidProxy Zscaler |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
| A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) | 42436753-9944-4d70-801c-daaa4d19ddd2 | SquidProxy Zscaler |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Empty User Agent Detected | 2b328487-162d-4034-b472-59f1d53684a1 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
| CreepyDrive request URL sequence | eda260eb-f4a1-4379-ad98-452604da9b3e | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| CreepyDrive URLs | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| RunningRAT request parameters | baedfdf4-7cc8-45a1-81a9-065821628b83 | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| Fortinet - Beacon pattern detected | 3255ec41-6bd6-4f35-84b1-c032b18bbfcb | Fortinet |
| Possible contact with a domain generated by a DGA | 4acd3a04-2fad-4efc-8a4b-51476594cec4 | Zscaler Barracuda CEF CheckPoint CiscoASA F5 Fortinet PaloAltoNetworks |
| IP address of Windows host encoded in web request | a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
| Windows host username encoded in base64 web request | 6e715730-82c0-496c-983b-7a20c4590bd9 | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
| Europium - Hash and IP IOCs - September 2022 | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection Office365 AzureFirewall WindowsFirewall |
| Known Forest Blizzard group domains - July 2019 | 074ce265-f684-41cd-af07-613c5f3e6d0d | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Malformed user agent | a357535e-f722-4afe-b375-cff362b2b376 | WAF Office365 AzureActiveDirectory AWS AzureMonitor(IIS) |
| Mercury - Domain, Hash and IP IOCs - August 2022 | ae10c588-7ff7-486c-9920-ab8b0bdb6ede | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection Office365 AzureFirewall WindowsFirewall |
| Risky user signin observed in non-Microsoft network device | 042f2801-a375-4cfd-bd29-041fc7ed88a0 | AzureActiveDirectory PaloAltoNetworks Fortinet CheckPoint Zscaler |