Command and Control
| Rule Name | id | Required data connectors |
|---|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | 6e575295-a7e6-464c-8192-3e1d8fd6a990 | Office365 DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureActiveDirectory AzureMonitor(WireData) AzureMonitor(IIS) AzureActivity AWS MicrosoftThreatProtection AzureFirewall |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
| Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
| Multiple Sources Affected by the Same TI Destination | 4644baf7-3464-45dd-bd9d-e07687e25f81 | AzureFirewall |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| BitSight - drop in company ratings | d8844f11-3a36-4b97-9062-1e6d57c00e37 | BitSight |
| BitSight - drop in the headline rating | b11fdc35-6368-4cc0-8128-52cd2e2cdda0 | BitSight |
| Cisco SE - Connection to known C2 server | 0f788a93-dc88-4f80-89ef-bef7cd0fef05 | CiscoSecureEndpoint |
| Cisco SE - Possible webshell | d2c97cc9-1ccc-494d-bad4-564700451a2b | CiscoSecureEndpoint |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Empty User Agent Detected | 2b328487-162d-4034-b472-59f1d53684a1 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
| Cisco WSA - Multiple errors to resource from risky category | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 | CiscoWSA |
| Cisco WSA - Multiple errors to URL | 1db49647-435c-41ad-bf8c-7130ba75429d | CiscoWSA |
| Cisco WSA - Unexpected URL | 010644fd-2830-4451-9e0e-606cc192f2e7 | CiscoWSA |
| Cloudflare - Unexpected POST requests | 7313352a-09f6-4a84-88bd-6f17f1cbeb8f | CloudflareDataConnector |
| Corelight - C2 DGA Detected Via Repetitive Failures | 8eaa2268-74ee-492c-b869-450eff707fef | Corelight |
| Corelight - External Proxy Detected | 05850746-9ae4-412f-838b-844f0903f4a9 | Corelight |
| CyberArkEPM - Uncommon process Internet access | 9d0d44ab-54dc-472a-9931-53521e888932 | CyberArkEPM |
| Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) | 02f23312-1a33-4390-8b80-f7cd4df4dea0 | |
| Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) | 4ab8b09e-3c23-4974-afbe-7e653779eb2b | |
| Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) | cf687598-5a2c-46f8-81c8-06b15ed489b1 | |
| Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) | 5b8344eb-fa28-4ac3-bcff-bc19d5d63089 | |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) | 01191239-274e-43c9-b154-3a042692af06 | |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) | 89ba52fa-96a7-4653-829a-ca49bb13336c | |
| Potential Remote Desktop Tunneling | d2e8fd50-8d66-11ec-b909-0242ac120002 | SecurityEvents |
| Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
| Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT |
| Ingress Tool Transfer - Certutil | f0be11a9-ec48-4df6-801d-479556044d4e | MicrosoftThreatProtection |
| Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains | 6345c923-99eb-4a83-b11d-7af0ffa75577 | Zscaler |
| Google DNS - IP check activity | 35221a58-cacb-4174-9bb4-ee777784fbce | GCPDNSDataConnector |
| Google DNS - Request to dynamic DNS service | 09fc03e0-daec-4b22-8afa-4bba30d7e909 | GCPDNSDataConnector |
| Google DNS - Multiple errors for source | 7e81a935-5e91-45a5-92fd-3b58c180513b | GCPDNSDataConnector |
| Google DNS - Multiple errors to same domain | da04a5d6-e2be-4cba-8cdb-a3f2efa87e9e | GCPDNSDataConnector |
| Google DNS - UNC2452 (Nobelium) APT Group activity | 22a613ea-c338-4f91-bbd3-3be97b00ebf9 | GCPDNSDataConnector |
| Excessive NXDOMAIN DNS Queries | b8266f81-2715-41a6-9062-42486cbc9c73 | InfobloxNIOS |
| [Deprecated] - Known Barium domains | 70b12a3b-4899-42cb-910c-5ffaf9d7997d | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] -Known Barium IP | 6ee72a9e-2e54-459c-bc9a-9c09a6502a63 | AWSS3 WindowsForwardedEvents MicrosoftSysmonForLinux Office365 DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureActiveDirectory AzureMonitor(WireData) AzureMonitor(IIS) AzureActivity AWS MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Denim Tsunami C2 Domains July 2022 | ce02935c-cc67-4b77-9b96-93d9947e119a | AzureMonitor(VMInsights) DNS MicrosoftThreatProtection |
| [Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes | 09551db0-e147-4a0c-9e7b-918f88847605 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight WindowsForwardedEvents |
| [Deprecated] - Known Diamond Sleet related maldoc hash | 3174a9ec-d0ad-4152-8307-94ed04fa450a | CiscoASA PaloAltoNetworks SecurityEvents |
| [Deprecated] - Emerald Sleet domains included in DCU takedown | 70b12a3b-4896-42cb-910c-5ffaf8d7987d | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Granite Typhoon domains and hashes | 26a3b261-b997-4374-94ea-6c37f67f4f39 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Mint Sandstorm group domains/IP - October 2020 | 7249500f-3038-4b83-8549-9cd8dfa2d498 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks Zscaler Fortinet OfficeATP AzureFirewall |
| [Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021 | bb8a3481-dd14-4e76-8dcc-bbec8776d695 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection Office365 AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021 | 677da133-e487-4108-a150-5b926591a92b | AWSS3 WindowsForwardedEvents SquidProxy MicrosoftSysmonForLinux DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Nylon Typhoon domains and hashes | 9122a9cb-916b-4d98-a199-1b7b0af8d598 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Phosphorus group domains/IP | 155f40c6-610d-497d-85fc-3cf06ec13256 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks Office365 AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Plaid Rain IP | 95407904-0131-4918-bc49-ebf282ce149a | AWSS3 WindowsForwardedEvents MicrosoftSysmonForLinux Office365 DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureActiveDirectory AzureMonitor(WireData) AzureMonitor(IIS) AzureActivity AWS MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Ruby Sleet domains and hashes | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Seashell Blizzard IP | 7ee72a9e-2e54-459c-bc8a-8c08a6532a63 | AWSS3 WindowsForwardedEvents SquidProxy MicrosoftThreatProtection SecurityEvents MicrosoftSysmonForLinux Office365 DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureActiveDirectory AzureMonitor(IIS) AzureActivity AWS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Solorigate Network Beacon | cecdbd4c-4902-403c-8d4b-32eb1efe460b | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Solorigate Domains Found in VM Insights | ab4b6944-a20d-42ab-8b63-238426525801 | AzureMonitor(VMInsights) |
| McAfee ePO - Firewall disabled | bd3cedc3-efba-455a-85bd-0cf9ac1b0727 | McAfeeePO |
| New executable via Office FileUploaded Operation | d722831e-88f5-4e25-b106-4ef6e29f8c13 | Office365 |
| Possible Phishing with CSL and Network Sessions | 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12 | MicrosoftThreatProtection Zscaler Fortinet CheckPoint PaloAltoNetworks AWSS3 WindowsForwardedEvents SecurityEvents MicrosoftSysmonForLinux AzureNSG AzureMonitor(VMInsights) AIVectraStream |
| Linked Malicious Storage Artifacts | b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d | MicrosoftCloudAppSecurity |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by static threshold (ASIM Network Session schema) | 156997bd-da0f-4729-b47a-0a3e02dd50c8 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Potential beaconing activity (ASIM Network Session schema) | fcb9d75c-c3c1-4910-8697-f136bfef2363 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| New UserAgent observed in last 24 hours | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 | AWS Office365 AzureMonitor(IIS) |
| Palo Alto - potential beaconing detected | f0be259a-34ac-4946-aa15-ca2b115d5feb | PaloAltoNetworks |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | PaloAltoNetworks |
| Palo Alto - potential beaconing detected | 2f8522fc-7807-4f0a-b53d-458296edab8d | PaloAltoNetworks |
| ProofpointPOD - Weak ciphers | 56b0a0cd-894e-4b38-a0a1-c41d9f96649a | ProofpointPOD |
| Detection of Malware C2 Domains in DNS Events | a1c02815-4248-4728-a9ae-dac73c67db23 | DNS |
| Detection of Malware C2 Domains in Syslog Events | dffd068f-fdab-440e-bbc0-34c14b623c89 | Syslog |
| Detection of Malware C2 IPs in Azure Act. Events | 588dc717-7583-452c-a743-dee96705898e | AzureActivity |
| Detection of Malware C2 IPs in DNS Events | 22cc1dff-14ad-481d-97e1-0602895e429e | DNS |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| NRT Squid proxy events related to mining pools | dd03057e-4347-4853-bf1e-2b2d21eb4e59 | Syslog |
| Squid proxy events related to mining pools | 80733eb7-35b2-45b6-b2b8-3c51df258206 | Syslog |
| Squid proxy events for ToR proxies | 90d3f6ec-80fb-48e0-9937-2c70c9df9bad | Syslog |
| ApexOne - C&C callback events | 1a87cd10-67b7-11ec-90d6-0242ac120003 | TrendMicroApexOne TrendMicroApexOneAma |
| ApexOne - Suspicious connections | 9e3dc038-67b7-11ec-90d6-0242ac120003 | TrendMicroApexOne TrendMicroApexOneAma |
| Ubiquiti - Possible connection to cryptominning pool | 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80 | UbiquitiUnifi |
| Ubiquiti - Connection to known malicious IP or C2 | db60ca0b-b668-439b-b889-b63b57ef20fb | UbiquitiUnifi |
| Ubiquiti - Large ICMP to external server | 6df85d74-e32f-4b71-80e5-bfe2af00be1c | UbiquitiUnifi |
| Ubiquiti - connection to non-corporate DNS server | fe232837-9bdc-4e2b-8c08-cdac2610eed3 | UbiquitiUnifi |
| Ubiquiti - Unusual DNS connection | 14a23ded-7fb9-48ee-ba39-859517a49b51 | UbiquitiUnifi |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect |
| Vectra AI Detect - New Campaign Detected | a34d0338-eda0-42b5-8b93-32aae0d7a501 | AIVectraDetect |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro |
| Detect URLs containing known malicious keywords or commands (ASIM Web Session) | 32c08696-2e37-4730-86f8-97d9c8b184c9 | |
| The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) | b7fe8f27-7010-404b-aec5-6e5245cea580 | |
| Detect known risky user agents (ASIM Web Session) | 6a4dbcf8-f5e2-4b33-b34f-2db6487613f0 | |
| Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) | faa40333-1e8b-40cc-a003-51ae41fa886f | |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | 6a71687f-00cf-44d3-93fc-8cbacc7b5615 | |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Detect presence of private IP addresses in URLs (ASIM Web Session) | e3a7722a-e099-45a9-9afb-6618e8f05405 | |
| Detect requests for an uncommon resources on the web (ASIM Web Session) | c99cf650-c53b-4c4c-9671-7d7500191a10 | |
| SUPERNOVA webshell | 2acc91c3-17c2-4388-938e-4eac2d5894e8 | AzureMonitor(IIS) |
| Potential DGA detected | a0907abe-6925-4d90-af2b-c7e89dc201a6 | DNS |
| Discord CDN Risky File Download | 010bd98c-a6be-498c-bdcd-502308c0fdae | Zscaler |
| Request for single resource on domain | 4d500e6d-c984-43a3-9f39-7edec8dcc04d | Zscaler |
| Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) | c3b11fb2-9201-4844-b7b9-6b7bf6d9b851 | DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Potential DGA detected (ASIM DNS Schema) | 983a6922-894d-413c-9f04-d7add0ecc307 | DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Discord CDN Risky File Download (ASIM Web Session Schema) | 01e8ffff-dc0c-43fe-aa22-d459c4204553 | SquidProxy Zscaler |
| Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) | 9176b18f-a946-42c6-a2f6-0f6d17cd6a8a | SquidProxy Zscaler |
| A host is potentially running a crypto miner (ASIM Web Session schema) | 8cbc3215-fa58-4bd6-aaaa-f0029c351730 | SquidProxy Zscaler |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
| A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) | 42436753-9944-4d70-801c-daaa4d19ddd2 | SquidProxy Zscaler |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Empty User Agent Detected | 2b328487-162d-4034-b472-59f1d53684a1 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
| CreepyDrive request URL sequence | eda260eb-f4a1-4379-ad98-452604da9b3e | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| CreepyDrive URLs | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| RunningRAT request parameters | baedfdf4-7cc8-45a1-81a9-065821628b83 | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| Fortinet - Beacon pattern detected | 3255ec41-6bd6-4f35-84b1-c032b18bbfcb | Fortinet |
| Possible contact with a domain generated by a DGA | 4acd3a04-2fad-4efc-8a4b-51476594cec4 | Zscaler Barracuda CEF CheckPoint CiscoASA F5 Fortinet PaloAltoNetworks |
| IP address of Windows host encoded in web request | a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
| Windows host username encoded in base64 web request | 6e715730-82c0-496c-983b-7a20c4590bd9 | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
| Europium - Hash and IP IOCs - September 2022 | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection Office365 AzureFirewall WindowsFirewall |
| Known Forest Blizzard group domains - July 2019 | 074ce265-f684-41cd-af07-613c5f3e6d0d | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Malformed user agent | a357535e-f722-4afe-b375-cff362b2b376 | WAF Office365 AzureActiveDirectory AWS AzureMonitor(IIS) |
| Mercury - Domain, Hash and IP IOCs - August 2022 | ae10c588-7ff7-486c-9920-ab8b0bdb6ede | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection Office365 AzureFirewall WindowsFirewall |
| Risky user signin observed in non-Microsoft network device | 042f2801-a375-4cfd-bd29-041fc7ed88a0 | AzureActiveDirectory PaloAltoNetworks Fortinet CheckPoint Zscaler |