Microsoft Sentinel Analytic Rules
cloudbrothers.info - Azure Sentinel Repo

Command and Control

Overview

| Rule Name | id | Required data connectors |
|---|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | 6e575295-a7e6-464c-8192-3e1d8fd6a990 | Office365, DNS, AzureMonitor(VMInsights), CiscoASA, CiscoAsaAma, PaloAltoNetworks, SecurityEvents, AzureActiveDirectory, AzureMonitor(WireData), AzureMonitor(IIS), AzureActivity, AWS, MicrosoftThreatProtection, AzureFirewall |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Palo Alto - potential beaconing detected | f0be259a-34ac-4946-aa15-ca2b115d5feb | CloudNgfwByPAN |
| CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CloudNgfwByPAN |
| Palo Alto - potential beaconing detected | 2f8522fc-7807-4f0a-b53d-458296edab8d | CloudNgfwByPAN |
| Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
| Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
| Multiple Sources Affected by the Same TI Destination | 4644baf7-3464-45dd-bd9d-e07687e25f81 | AzureFirewall |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| BitSight - drop in company ratings | d8844f11-3a36-4b97-9062-1e6d57c00e37 | BitSight |
| BitSight - drop in the headline rating | b11fdc35-6368-4cc0-8128-52cd2e2cdda0 | BitSight |
| CiscoISE - Device changed IP in last 24 hours | 0c509e9b-121e-4951-9f9b-43722e052b4f | CiscoISE, SyslogAma |
| Cisco SDWAN - Monitor Critical IPs | a62a207e-62be-4a74-acab-4466d5b3854f | CiscoSDWAN |
| Cisco SE - Connection to known C2 server | 0f788a93-dc88-4f80-89ef-bef7cd0fef05 | CiscoSecureEndpoint |
| Cisco SE - Possible webshell | d2c97cc9-1ccc-494d-bad4-564700451a2b | CiscoSecureEndpoint |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Empty User Agent Detected | 2b328487-162d-4034-b472-59f1d53684a1 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request to blocklisted file type | de58ee9e-b229-4252-8537-41a4c2f4045e | CiscoUmbrellaDataConnector |
| Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
| Cisco WSA - Multiple errors to resource from risky category | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 | CiscoWSA, SyslogAma |
| Cisco WSA - Multiple errors to URL | 1db49647-435c-41ad-bf8c-7130ba75429d | CiscoWSA, SyslogAma |
| Cisco WSA - Unexpected URL | 010644fd-2830-4451-9e0e-606cc192f2e7 | CiscoWSA, SyslogAma |
| Cloudflare - Unexpected POST requests | 7313352a-09f6-4a84-88bd-6f17f1cbeb8f | CloudflareDataConnector |
| Corelight - C2 DGA Detected Via Repetitive Failures | 8eaa2268-74ee-492c-b869-450eff707fef | Corelight |
| Corelight - External Proxy Detected | 05850746-9ae4-412f-838b-844f0903f4a9 | Corelight |
| CyberArkEPM - Uncommon process Internet access | 9d0d44ab-54dc-472a-9931-53521e888932 | CyberArkEPM |
| Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) | 02f23312-1a33-4390-8b80-f7cd4df4dea0 | |
| Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) | 4ab8b09e-3c23-4974-afbe-7e653779eb2b | |
| Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) | cf687598-5a2c-46f8-81c8-06b15ed489b1 | |
| Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) | 5b8344eb-fa28-4ac3-bcff-bc19d5d63089 | |
| Ngrok Reverse Proxy on Network (ASIM DNS Solution) | 50b0dfb7-2c94-4eaf-a332-a5936d78c263 | |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) | 01191239-274e-43c9-b154-3a042692af06 | |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) | 89ba52fa-96a7-4653-829a-ca49bb13336c | |
| Potential Remote Desktop Tunneling | d2e8fd50-8d66-11ec-b909-0242ac120002 | SecurityEvents, WindowsSecurityEvents |
| Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
| Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT, SyslogAma |
| Ingress Tool Transfer - Certutil | f0be11a9-ec48-4df6-801d-479556044d4e | MicrosoftThreatProtection |
| Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains | 6345c923-99eb-4a83-b11d-7af0ffa75577 | Zscaler |
| GSA Enriched Office 365 - New Executable via Office FileUploaded Operation | 178c62b4-d5e5-40f5-8eab-7fccd0051e7a | AzureActiveDirectory, Office365 |
| GSA - Detect Abnormal Deny Rate for Source to Destination IP | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b | AzureActiveDirectory |
| GSA - Detect Protocol Changes for Destination Ports | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a | AzureActiveDirectory |
| GSA Enriched Office 365 - New Windows Reserved Filenames staged on Office file services | 641ecd2d-27c9-4f05-8433-8205096b09fc | AzureActiveDirectory |
| Google DNS - IP check activity | 35221a58-cacb-4174-9bb4-ee777784fbce | GCPDNSDataConnector |
| Google DNS - Request to dynamic DNS service | 09fc03e0-daec-4b22-8afa-4bba30d7e909 | GCPDNSDataConnector |
| Google DNS - Multiple errors for source | 7e81a935-5e91-45a5-92fd-3b58c180513b | GCPDNSDataConnector |
| Google DNS - Multiple errors to same domain | da04a5d6-e2be-4cba-8cdb-a3f2efa87e9e | GCPDNSDataConnector |
| Google DNS - UNC2452 (Nobelium) APT Group activity | 22a613ea-c338-4f91-bbd3-3be97b00ebf9 | GCPDNSDataConnector |
| GreyNoise TI Map IP Entity to CommonSecurityLog | e50657d7-8bca-43ff-a647-d407fae440d6 | ThreatIntelligence, CEF, CefAma, GreyNoise2SentinelAPI |
| GreyNoise TI Map IP Entity to DnsEvents | ddf47b6f-870c-5712-a296-1383acb13c82 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, ASimDnsActivityLogs, GreyNoise2SentinelAPI |
| GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema) | 536e8e5c-ce0e-575e-bcc9-aba8e7bf9316 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, MicrosoftDefenderThreatIntelligence, CiscoMeraki, GreyNoise2SentinelAPI |
| GreyNoise TI map IP entity to OfficeActivity | c51628fe-999c-5150-9fd7-660fc4f58ed2 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, Office365, GreyNoise2SentinelAPI |
| GreyNoise TI Map IP Entity to SigninLogs | f6c76cc9-218c-5b76-9b82-8607f09ea1b4 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence, GreyNoise2SentinelAPI |
| Excessive NXDOMAIN DNS Queries | b8266f81-2715-41a6-9062-42486cbc9c73 | InfobloxNIOS, SyslogAma |
| [Deprecated] - Known Barium domains | 70b12a3b-4899-42cb-910c-5ffaf9d7997d | SquidProxy, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Barium IP | 6ee72a9e-2e54-459c-bc9a-9c09a6502a63 | AWSS3, WindowsForwardedEvents, MicrosoftSysmonForLinux, Office365, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, SecurityEvents, AzureActiveDirectory, AzureMonitor(WireData), AzureMonitor(IIS), AzureActivity, AWS, MicrosoftThreatProtection, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Denim Tsunami C2 Domains July 2022 | ce02935c-cc67-4b77-9b96-93d9947e119a | AzureMonitor(VMInsights), DNS, MicrosoftThreatProtection |
| [Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes | 09551db0-e147-4a0c-9e7b-918f88847605 | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, SecurityEvents, MicrosoftThreatProtection, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight, WindowsForwardedEvents |
| [Deprecated] - Known Diamond Sleet related maldoc hash | 3174a9ec-d0ad-4152-8307-94ed04fa450a | CiscoASA, PaloAltoNetworks, SecurityEvents |
| [Deprecated] - Emerald Sleet domains included in DCU takedown | 70b12a3b-4896-42cb-910c-5ffaf8d7987d | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Granite Typhoon domains and hashes | 26a3b261-b997-4374-94ea-6c37f67f4f39 | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, SecurityEvents, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Mint Sandstorm group domains/IP - October 2020 | 7249500f-3038-4b83-8549-9cd8dfa2d498 | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, Zscaler, Fortinet, OfficeATP, AzureFirewall |
| [Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021 | bb8a3481-dd14-4e76-8dcc-bbec8776d695 | SquidProxy, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, Office365, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021 | 677da133-e487-4108-a150-5b926591a92b | AWSS3, WindowsForwardedEvents, SquidProxy, MicrosoftSysmonForLinux, DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, Office365, AzureFirewall, WindowsFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Nylon Typhoon domains and hashes | 9122a9cb-916b-4d98-a199-1b7b0af8d598 | SquidProxy, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Phosphorus group domains/IP | 155f40c6-610d-497d-85fc-3cf06ec13256 | SquidProxy, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, Office365, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Plaid Rain IP | 95407904-0131-4918-bc49-ebf282ce149a | AWSS3, WindowsForwardedEvents, MicrosoftSysmonForLinux, Office365, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, SecurityEvents, AzureActiveDirectory, AzureMonitor(WireData), AzureMonitor(IIS), AzureActivity, AWS, MicrosoftThreatProtection, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Ruby Sleet domains and hashes | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 | SquidProxy, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Seashell Blizzard IP | 7ee72a9e-2e54-459c-bc8a-8c08a6532a63 | AWSS3, WindowsForwardedEvents, SquidProxy, MicrosoftThreatProtection, SecurityEvents, MicrosoftSysmonForLinux, Office365, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, AzureActiveDirectory, AzureMonitor(IIS), AzureActivity, AWS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Solorigate Network Beacon | cecdbd4c-4902-403c-8d4b-32eb1efe460b | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Solorigate Domains Found in VM Insights | ab4b6944-a20d-42ab-8b63-238426525801 | AzureMonitor(VMInsights) |
| McAfee ePO - Firewall disabled | bd3cedc3-efba-455a-85bd-0cf9ac1b0727 | McAfeeePO, SyslogAma |
| New executable via Office FileUploaded Operation | d722831e-88f5-4e25-b106-4ef6e29f8c13 | Office365 |
| Linked Malicious Storage Artifacts | b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d | MicrosoftCloudAppSecurity |
| C2-NamedPipe | 7ce00cba-f76f-4026-ab7f-7e4f1b67bd18 | MicrosoftThreatProtection |
| Bitsadmin Activity | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195 | MicrosoftThreatProtection |
| Office Apps Launching Wscipt | 174de33b-107b-4cd8-a85d-b4025a35453f | MicrosoftThreatProtection |
| Possible Phishing with CSL and Network Sessions | 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12 | MicrosoftThreatProtection, Zscaler, Fortinet, CheckPoint, PaloAltoNetworks, AWSS3, WindowsForwardedEvents, SecurityEvents, WindowsSecurityEvents, MicrosoftSysmonForLinux, AzureNSG, AzureMonitor(VMInsights), AIVectraStream |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Detect port misuse by static threshold (ASIM Network Session schema) | 156997bd-da0f-4729-b47a-0a3e02dd50c8 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Potential beaconing activity (ASIM Network Session schema) | fcb9d75c-c3c1-4910-8697-f136bfef2363 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| New UserAgent observed in last 24 hours | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 | AWS, Office365, AzureMonitor(IIS) |
| Palo Alto - potential beaconing detected | f0be259a-34ac-4946-aa15-ca2b115d5feb | PaloAltoNetworks, PaloAltoNetworksAma, CefAma |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | PaloAltoNetworks, PaloAltoNetworksAma, CefAma |
| ProofpointPOD - Weak ciphers | 56b0a0cd-894e-4b38-a0a1-c41d9f96649a | ProofpointPOD |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| RecordedFuture Threat Hunting Domain All Actors | acbf7ef6-f964-44c3-9031-7834ec68175f | ThreatIntelligenceUploadIndicatorsAPI |
| RecordedFuture Threat Hunting IP All Actors | e31bc14e-2b4c-42a4-af34-5bfd7d768aea | ThreatIntelligenceUploadIndicatorsAPI |
| Detection of Malware C2 Domains in DNS Events | a1c02815-4248-4728-a9ae-dac73c67db23 | DNS, ASimDnsActivityLogs |
| Detection of Malware C2 Domains in Syslog Events | dffd068f-fdab-440e-bbc0-34c14b623c89 | Syslog, SyslogAma |
| Detection of Malware C2 IPs in Azure Act. Events | 588dc717-7583-452c-a743-dee96705898e | AzureActivity |
| Detection of Malware C2 IPs in DNS Events | 22cc1dff-14ad-481d-97e1-0602895e429e | DNS, ASimDnsActivityLogs |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| SlackAudit - Unknown User Agent | 3b11f06e-4afd-4ae6-8477-c61136619ac8 | SlackAuditAPI |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Excessive Blocked Traffic Events Generated by User | fa0ab69c-7124-4f62-acdd-61017cf6ce89 | SymantecEndpointProtection, SyslogAma |
| Excessive Denied Proxy Traffic | 7a58b253-0ef2-4248-b4e5-c350f15a8346 | SymantecProxySG, SyslogAma |
| User Accessed Suspicious URL Categories | fb0f4a93-d8ad-4b54-9931-85bdb7550f90 | SymantecProxySG, SyslogAma |
| NRT Squid proxy events related to mining pools | dd03057e-4347-4853-bf1e-2b2d21eb4e59 | Syslog, SyslogAma |
| Squid proxy events related to mining pools | 80733eb7-35b2-45b6-b2b8-3c51df258206 | Syslog, SyslogAma |
| Squid proxy events for ToR proxies | 90d3f6ec-80fb-48e0-9937-2c70c9df9bad | Syslog, SyslogAma |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Preview - TI map Domain entity to Cloud App Events | b97e118c-b7fa-42a6-84de-2e13443fbb8f | MicrosoftThreatProtection, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to PaloAlto CommonSecurityLog | dd0a6029-ecef-4507-89c4-fc355ac52111 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map Domain Entity to DeviceNetworkEvents | c308b2f3-eebe-4a20-905c-cb8293b062db | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to DnsEvents | 85aca4d1-5d15-4001-abd9-acb86ca1786a | DNS, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Web Session Events (ASIM Web Session schema) | b1832f60-6c3d-4722-a0a5-3d564ee61a63 | SquidProxy, Zscaler, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to PaloAlto | ec21493c-2684-4acd-9bc2-696dbad72426 | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to SecurityAlert | 87890d78-3e05-43ec-9ab9-ba32f4e01250 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftCloudAppSecurity, AzureSecurityCenter, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Syslog | 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa | Syslog, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| Preview - TI map File Hash entity to Cloud App Events | 2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4 | MicrosoftThreatProtection, MicrosoftDefenderThreatIntelligence |
| TI map File Hash to CommonSecurityLog Event | 5d33fc63-b83b-4913-b95e-94d13f0d379f | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map File Hash to DeviceFileEvents Event | bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map File Hash to Security Event | a7427ed7-04b4-4e3b-b323-08b981b9b4bf | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Dns Events (ASIM DNS Schema) | 999e9f5d-db4a-4b07-a206-29c4e667b7e8 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, MicrosoftDefenderThreatIntelligence, CiscoUmbrellaDataConnector, Corelight |
| TI map IP entity to DNS Events (ASIM DNS schema) | 67775878-7f8b-4380-ac54-115e1e828901 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, MicrosoftDefenderThreatIntelligence, Corelight |
| TI map IP entity to AppServiceHTTPLogs | f9949656-473f-4503-bf43-a9d9890f7d08 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AWSCloudTrail | f110287e-1358-490d-8147-ed804b328514 | ThreatIntelligence, ThreatIntelligenceTaxii, AWS, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to AzureActivity | 2441bce9-02e4-407b-8cc7-7d597f38b8b0 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActivity, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AzureFirewall | 0b904747-1336-4363-8d84-df2710bfe5e7 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureFirewall, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to Azure Key Vault logs | 57c7e832-64eb-411f-8928-4133f01f4a25 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureKeyVault, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) | a4025a76-6490-4e6b-bb69-d02be4b03f07 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to Azure SQL Security Audit Events | d0aa8969-1bbe-4da3-9e76-09e5f67c9d85 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureSql, MicrosoftDefenderThreatIntelligence |
| Preview - TI map IP entity to Cloud App Events | 4e0a6fc8-697e-4455-be47-831b41ea91ac | MicrosoftThreatProtection, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to CommonSecurityLog | 66c81ae2-1f89-4433-be00-2fbbd9ba5ebe | ThreatIntelligence, ThreatIntelligenceTaxii, CEF, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to DeviceNetworkEvents | b2df4979-d34a-48b3-a7d9-f473a4bf8058 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to DnsEvents | 69b7723c-2889-469f-8b55-a2d355ed9c87 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to Duo Security | d23ed927-5be3-4902-a9c1-85f841eb4fa1 | ThreatIntelligence, ThreatIntelligenceTaxii, CiscoDuoSecurity, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to Network Session Events (ASIM Network Session schema) | e2399891-383c-4caf-ae67-68a008b9f89e | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, MicrosoftDefenderThreatIntelligence, CiscoMeraki, ThreatIntelligenceTaxii |
| TI map IP entity to Web Session Events (ASIM Web Session schema) | e2559891-383c-4caf-ae67-55a008b9f89e | SquidProxy, Zscaler, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to OfficeActivity | f15370f4-c6fa-42c5-9be4-1d308f40284e | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, Office365 |
| TI Map IP Entity to SigninLogs | f2eb15bd-8a88-4b24-9281-e133edfba315 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to VMConnection | 9713e3c0-1410-468d-b79e-383448434b2d | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, AzureMonitor(VMInsights) |
| TI Map IP Entity to W3CIISLog | 5e45930c-09b1-4430-b2d1-cc75ada0dc0f | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, AzureMonitor(IIS) |
| TI map IP entity to GitHub_CL | aac495a9-feb1-446d-b08e-a1164a539452 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to AuditLogs | 712fab52-2a7d-401e-a08c-ff939cc7c25e | AzureActiveDirectory, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| Preview - TI map URL entity to Cloud App Events | e8ae92dd-1d41-4530-8be8-85c5014c7b47 | MicrosoftThreatProtection, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to DeviceNetworkEvents | 6ddbd892-a9be-47be-bab7-521241695bd6 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to EmailUrlInfo | a0038239-72f4-4f7b-90ff-37f89f7881e0 | AzureActiveDirectory, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to OfficeActivity Data [Deprecated] | 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b | Office365, ThreatIntelligence, MicrosoftDefenderThreatIntelligence, ThreatIntelligenceTaxii |
| TI Map URL Entity to PaloAlto Data | 106813db-679e-4382-a51b-1bfc463befc3 | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to SecurityAlert Data | f30a47c1-65fb-42b1-a7f4-00941c12550b | MicrosoftCloudAppSecurity, AzureSecurityCenter, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to Syslog Data | b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf | Syslog, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to UrlClickEvents | 23391c84-87d8-452f-a84c-47a62f01e115 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| Threat Connect TI map Domain entity to DnsEvents | f8960f1c-07d2-512b-9c41-952772d40c84 | DNS, ASimDnsActivityLogs, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map Email entity to OfficeActivity | 4f7ade3e-7121-5274-83ea-d7ed22a01fea | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map Email entity to SigninLogs | ecb68ce7-c309-59a7-a8de-07ccf2a0ea4f | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema) | ee1fd303-2081-47b7-8f02-e38bfd0868e6 | ThreatIntelligence |
| ThreatConnect TI Map URL Entity to OfficeActivity Data | 12c3b31b-66a6-53ff-b6ab-6ae45e56dc92 | Office365, ThreatIntelligence, MicrosoftDefenderThreatIntelligence |
| ApexOne - C&C callback events | 1a87cd10-67b7-11ec-90d6-0242ac120003 | TrendMicroApexOne, TrendMicroApexOneAma, CefAma |
| ApexOne - Suspicious connections | 9e3dc038-67b7-11ec-90d6-0242ac120003 | TrendMicroApexOne, TrendMicroApexOneAma, CefAma |
| Ubiquiti - Possible connection to cryptominning pool | 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80 | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - Connection to known malicious IP or C2 | db60ca0b-b668-439b-b889-b63b57ef20fb | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - Unusual FTP connection to external server | fd200125-9d57-4838-85ca-6430c63e4e5d | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - Large ICMP to external server | 6df85d74-e32f-4b71-80e5-bfe2af00be1c | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - connection to non-corporate DNS server | fe232837-9bdc-4e2b-8c08-cdac2610eed3 | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - Unusual DNS connection | 14a23ded-7fb9-48ee-ba39-859517a49b51 | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - Unusual traffic | 31e868c0-91d3-40eb-accc-3fa73aa96f8e | UbiquitiUnifi, CustomLogsAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Account's Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Host's Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - New Campaign Detected | a34d0338-eda0-42b5-8b93-32aae0d7a501 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro, CefAma |
| Detect URLs containing known malicious keywords or commands (ASIM Web Session) | 32c08696-2e37-4730-86f8-97d9c8b184c9 | |
| The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) | b7fe8f27-7010-404b-aec5-6e5245cea580 | |
| Detect known risky user agents (ASIM Web Session) | 6a4dbcf8-f5e2-4b33-b34f-2db6487613f0 | |
| Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) | faa40333-1e8b-40cc-a003-51ae41fa886f | |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | 6a71687f-00cf-44d3-93fc-8cbacc7b5615 | |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Detect presence of private IP addresses in URLs (ASIM Web Session) | e3a7722a-e099-45a9-9afb-6618e8f05405 | |
| Detect requests for an uncommon resources on the web (ASIM Web Session) | c99cf650-c53b-4c4c-9671-7d7500191a10 | |
| SUPERNOVA webshell | 2acc91c3-17c2-4388-938e-4eac2d5894e8 | AzureMonitor(IIS) |
| Potential DGA detected | a0907abe-6925-4d90-af2b-c7e89dc201a6 | DNS |
| Discord CDN Risky File Download | 010bd98c-a6be-498c-bdcd-502308c0fdae | Zscaler, ZscalerAma, CefAma |
| Request for single resource on domain | 4d500e6d-c984-43a3-9f39-7edec8dcc04d | Zscaler, ZscalerAma, CefAma |
| Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) | c3b11fb2-9201-4844-b7b9-6b7bf6d9b851 | DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| Potential DGA detected (ASIM DNS Schema) | 983a6922-894d-413c-9f04-d7add0ecc307 | DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| Discord CDN Risky File Download (ASIM Web Session Schema) | 01e8ffff-dc0c-43fe-aa22-d459c4204553 | SquidProxy, Zscaler |
| Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) | 9176b18f-a946-42c6-a2f6-0f6d17cd6a8a | SquidProxy, Zscaler |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy, Zscaler |
| A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) | 42436753-9944-4d70-801c-daaa4d19ddd2 | SquidProxy, Zscaler |
| CreepyDrive request URL sequence | eda260eb-f4a1-4379-ad98-452604da9b3e | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks |
| CreepyDrive URLs | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks |
| RunningRAT request parameters | baedfdf4-7cc8-45a1-81a9-065821628b83 | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks |
| Fortinet - Beacon pattern detected | 3255ec41-6bd6-4f35-84b1-c032b18bbfcb | Fortinet |
| Possible contact with a domain generated by a DGA | 4acd3a04-2fad-4efc-8a4b-51476594cec4 | Zscaler, Barracuda, CEF, CheckPoint, CiscoASA, F5, Fortinet, PaloAltoNetworks |
| IP address of Windows host encoded in web request | a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks, MicrosoftThreatProtection |
| Windows host username encoded in base64 web request | 6e715730-82c0-496c-983b-7a20c4590bd9 | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks, MicrosoftThreatProtection |
| Europium - Hash and IP IOCs - September 2022 | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, Office365, AzureFirewall, WindowsFirewall |
| Known Forest Blizzard group domains - July 2019 | 074ce265-f684-41cd-af07-613c5f3e6d0d | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| Malformed user agent | a357535e-f722-4afe-b375-cff362b2b376 | WAF, Office365, AzureActiveDirectory, AWS, AzureMonitor(IIS) |
| Mercury - Domain, Hash and IP IOCs - August 2022 | ae10c588-7ff7-486c-9920-ab8b0bdb6ede | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, Office365, AzureFirewall, WindowsFirewall |
| Risky user signin observed in non-Microsoft network device | 042f2801-a375-4cfd-bd29-041fc7ed88a0 | AzureActiveDirectory, PaloAltoNetworks, Fortinet, CheckPoint, Zscaler |