CredentialAccess
Rule Name | id | Required data connectors |
---|---|---|
1Password - Secret extraction post vault access change by administrator | 6711b747-16d7-4df4-9f61-8633617f45d7 | 1Password |
1Password - Vault export post account creation | 969e2e5c-9cc6-423c-a3de-514f7ad75fe7 | 1Password |
1Password - Vault export prior to account suspension or deletion | 51617533-cf51-4415-9020-b15bd47d69d2 | 1Password |
1Password - Vault export | dae4c601-51c9-47f5-83d3-e6eaef929cf6 | 1Password |
API - Account Takeover | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 | 42CrunchAPIProtection |
API - JWT validation | bbd163f4-1f56-434f-9c23-b06713c119c2 | 42CrunchAPIProtection |
API - Password Cracking | d951d64d-0ecd-4675-8c79-6c870d5f72ac | 42CrunchAPIProtection |
API - Suspicious Login | 7bdc10d6-aa24-4ca9-9a93-802cd8761354 | 42CrunchAPIProtection |
Alsid Active Directory attacks pathways | 9649e203-3cb7-47ff-89a9-42f2a5eefe31 | AlsidForAD |
Alsid DCSync | d3c658bd-8da9-4372-82e4-aaffa922f428 | AlsidForAD |
Alsid Golden Ticket | 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb | AlsidForAD |
Alsid Indicators of Attack | 3caa67ef-8ed3-4ab5-baf2-3850d3667f3d | AlsidForAD |
Alsid Indicators of Exposures | 154fde9f-ae00-4422-a8da-ef00b11da3fc | AlsidForAD |
Alsid LSASS Memory | 3acf5617-7c41-4085-9a79-cc3a425ba83a | AlsidForAD |
Alsid Password Guessing | ba239935-42c2-472d-80ba-689186099ea1 | AlsidForAD |
Alsid Password issues | 472b7cf4-bf1a-4061-b9ab-9fe4894e3c17 | AlsidForAD |
Alsid Password Spraying | 9e20eb4e-cc0d-4349-a99d-cad756859dfb | AlsidForAD |
Alsid privileged accounts issues | a5fe9489-cf8b-47ae-a87e-8f3a13e4203e | AlsidForAD |
Alsid user accounts issues | fb9e0b51-8867-48d7-86f4-6e76f2176bf8 | AlsidForAD |
Credential Dumping Tools - Service Installation | 4ebbb5c2-8802-11ec-a8a3-0242ac120002 | SecurityEvents WindowsSecurityEvents |
Credential Dumping Tools - File Artifacts | 32ffb19e-8ed8-40ed-87a0-1adb4746b7c4 | SecurityEvents WindowsSecurityEvents |
Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Password Exfiltration over SCIM application | 2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa | Authomize |
Microsoft Entra ID Hybrid Health AD FS Suspicious Application | d9938c3b-16f9-444d-bc22-ea9a9110e0fd | AzureActivity |
Rare subscription-level operations in Azure | 23de46ea-c425-4a77-b456-511ae4855d69 | AzureActivity |
Mass secret retrieval from Azure Key Vault | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c | AzureKeyVault |
Azure Key Vault access TimeSeries anomaly | 0914adab-90b5-47a3-a79f-7cdcac843aa7 | AzureKeyVault |
Azure DevOps PAT used with Browser | 5f0d80db-3415-4265-9d52-8466b7372e3a | |
Azure DevOps Variable Secret Not Secured | 4ca74dc0-8352-4ac5-893c-73571cc78331 | |
Bitglass - Multiple failed logins | 7c570bfc-9f20-490e-80e8-b898c7ce4bda | Bitglass |
CiscoISE - Certificate has expired | 6107cba5-2974-4c22-8222-2a6f7bbea664 | CiscoISE SyslogAma |
Multi-Factor Authentication Disabled for a User | 65c78944-930b-4cae-bd79-c3664ae30ba7 | AzureActiveDirectory AWS |
Corelight - Forced External Outbound SMB | 73f23aa2-5cc4-4507-940b-75c9092e9e01 | Corelight |
Cookies: HttpOnly Flag Not Used | e303d68e-08a7-4382-ab31-6a4bd80e8066 | HVPollingIDAzureFunctions |
Cookies: Secure Flag Not Used | 91da8421-6066-4570-8a0b-25d980810109 | HVPollingIDAzureFunctions |
Header: HTTP Strict Transport Security Missing | a3efb9ff-14a4-42ef-b019-0b9cbe5d3888 | HVPollingIDAzureFunctions |
Header: Referrer-Policy Missing | 5ee7098a-f0d8-46bf-806d-25015145e24f | HVPollingIDAzureFunctions |
Leaked Credential | a0a46e91-3f94-4ed4-ab70-ecd36ae0ead0 | CBSPollingIDAzureFunctions |
TLS Certificate Hostname Mismatch | 69761091-1a9a-49a9-8966-be68cd550766 | HVPollingIDAzureFunctions |
TLS Certificate Using Weak Cipher - Informational | 1bdf3cba-6b85-4b88-ab1e-681bac20d41f | HVPollingIDAzureFunctions |
TLS Certificate Using Weak Cipher - Medium | 7bbe51fe-9c5f-4f54-a079-b84cc27737a1 | HVPollingIDAzureFunctions |
TLSv1.1 in Use - info | 049edfdd-0331-4493-bcd7-b375bba7b551 | HVPollingIDAzureFunctions |
TLSv1.1 in Use - Medium | 92400070-199b-46d3-bd86-2fb8421b5338 | HVPollingIDAzureFunctions |
TLSv1 in Use - Low | 9435d04a-e8a6-49e5-90c4-e7f3456f9ed5 | HVPollingIDAzureFunctions |
TLSv1 in Use - Medium | 93f2ab34-15a3-4199-ad5a-6ebf8d2ad449 | HVPollingIDAzureFunctions |
Cynerio - IoT - Default password | 84e0ea1f-766d-4775-836a-c0c9cca05085 | CynerioSecurityEvents |
Cynerio - IoT - Weak password | 65db1346-6435-4079-bbf4-9a7113c98054 | CynerioSecurityEvents |
Dumping LSASS Process Into a File | a7b9df32-1367-402d-b385-882daf6e3020 | SecurityEvents WindowsSecurityEvents |
WDigest downgrade attack | f6502545-ae3a-4232-a8b0-79d87e5c98d7 | SecurityEvents WindowsSecurityEvents |
Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
Expired access credentials being used in Azure | 433c3b0a-7278-4d74-b137-963ac6f9a7e7 | AzureActiveDirectory |
Password Spraying | e00f72ab-fea1-4a31-9ecc-eea6397cd38d | MicrosoftThreatProtection |
Flare Leaked Credentials | 9cb7c337-f170-4af6-b0e8-b6b7552d762d | Flare |
Flare Infected Device | 9cb7c337-f176-4af6-b0e8-b6b7552d762d | Flare |
GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | |
GitLab - Brute-force Attempts | 2238d13a-cf05-4973-a83f-d12a25dbb153 | Syslog |
GitLab - Local Auth - No MFA | e0b45487-5c79-482d-8ac0-695de8c031af | Syslog |
GitLab - Repository visibility to Public | 8b291c3d-90ba-4ebf-af2c-0283192d430e | Syslog |
GitLab - SSO - Sign-Ins Burst | 57b1634b-531d-4eab-a456-8b855887428f | AzureActiveDirectory |
Google DNS - Exchange online autodiscover abuse | 424c2aca-5367-4247-917a-5d0f7035e40e | GCPDNSDataConnector |
GWorkspace - Possible brute force attack | 8f6cd9a4-5e57-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
GWorkspace - Two-step authentification disabled for a user | c8cc02d0-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
Illusive Incidents Analytic Rule | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 | Illusive illusiveAttackManagementSystemAma CefAma |
Highly Sensitive Password Accessed | b39e6482-ab7e-4817-813d-ec910b64b26e | LastPass |
[Deprecated] - Known Diamond Sleet related maldoc hash | 3174a9ec-d0ad-4152-8307-94ed04fa450a | CiscoASA PaloAltoNetworks SecurityEvents |
[Deprecated] - Emerald Sleet domains included in DCU takedown | 70b12a3b-4896-42cb-910c-5ffaf8d7987d | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020 | 68271db2-cbe9-4009-b1d3-bb3b5fe5713c | Office365 |
[Deprecated] - Known Granite Typhoon domains and hashes | 26a3b261-b997-4374-94ea-6c37f67f4f39 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
[Deprecated] - Known Ruby Sleet domains and hashes | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
DopplePaymer Procdump | 1be34fb9-f81b-47ae-84fb-465e6686d76c | MicrosoftThreatProtection |
LSASS Credential Dumping with Procdump | c332b840-61e4-462e-a201-0e2d69bad45d | MicrosoftThreatProtection |
Detect Potential Kerberoast Activities | 12134de5-361b-427c-a1a0-d43f40a593c4 | MicrosoftThreatProtection |
LaZagne Credential Theft | 7d0d3050-8dac-4b83-bfae-902f7dc0c21c | MicrosoftThreatProtection |
Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory |
Password spray attack against ADFSSignInLogs | 5533fe80-905e-49d5-889a-df27d2c3976d | AzureActiveDirectory |
Brute Force Attack against GitHub Account | 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06 | AzureActiveDirectory |
Brute force attack against a Cloud PC | 3fbc20a4-04c4-464e-8fcb-6667f53e4987 | AzureActiveDirectory |
Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory |
Distributed Password cracking attempts in Microsoft Entra ID | bfb1c90f-8006-4325-98be-c7fffbc254d6 | AzureActiveDirectory |
[Deprecated] Explicit MFA Deny | a22740ec-fc1e-4c91-8de6-c29c6450ad00 | AzureActiveDirectory MicrosoftThreatProtection |
Failed login attempts to Azure Portal | 223db5c1-1bf8-47d8-8806-bed401b356a4 | AzureActiveDirectory |
Suspicious application consent similar to O365 Attack Toolkit | f948a32f-226c-4116-bddd-d95e91d97eb9 | AzureActiveDirectory |
Suspicious application consent similar to PwnAuth | 39198934-62a0-4781-8416-a81265c03fd6 | AzureActiveDirectory |
MFA Spamming followed by Successful login | a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b | AzureActiveDirectory |
NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory |
Password spray attack against Microsoft Entra ID Seamless SSO | fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba | AzureActiveDirectory |
GitHub Signin Burst from Multiple Locations | d3980830-dd9d-40a5-911f-76b44dfdce16 | AzureActiveDirectory |
Brute force attack against Azure Portal | 28b42356-45af-40a6-a0b4-a554cdfd5d8a | AzureActiveDirectory |
Password spray attack against Microsoft Entra ID application | 48607a29-a26a-4abf-8078-a06dbdd174a4 | AzureActiveDirectory |
Successful logon from IP and failure from a different IP | 02ef8d7e-fc3a-4d86-a457-650fa571d8d2 | AzureActiveDirectory BehaviorAnalytics |
Suspicious Entra ID Joined Device Update | 3a3c6835-0086-40ca-b033-a93bf26d878f | AzureActiveDirectory |
Suspicious application consent for offline access | 3533f74c-9207-4047-96e2-0eb9383be587 | AzureActiveDirectory |
Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
Mimecast Audit - Logon Authentication Failed | f00197ab-491f-41e7-9e22-a7003a4c1e54 | MimecastAuditAPI |
Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI |
Cross-Cloud Password Spray detection | 1f40ed57-f54b-462f-906a-ac3a89cc90d4 | AWS AzureActiveDirectory BehaviorAnalytics MicrosoftThreatProtection |
Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity |
Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1 | AzureActiveDirectory AWSS3 |
Successful AWS Console Login from IP Address Observed Conducting Password Spray | 188db479-d50a-4a9c-a041-644bae347d1f | AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection |
Suspicious AWS console logins by credential access alerts | b51fe620-62ad-4ed2-9d40-5c97c0a8231f | OfficeATP AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection |
Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 |
Remote Desktop Network Brute force (ASIM Network Session schema) | b7dc801e-1e79-48bb-91e8-2229a8e6d40b | |
Failed Logins from Unknown or Invalid User | 884be6e7-e568-418e-9c12-89229865ffde | OktaSSO OktaSSOv2 |
MFA Fatigue (OKTA) | c2697b81-7fe9-4f57-ba1d-de46c6f91f9c | OktaSSO OktaSSOv2 |
Potential Password Spray Attack | e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508 | OktaSSO OktaSSOv2 |
Palo Alto Prisma Cloud - Multiple failed logins for user | 4f688252-bf9b-4136-87bf-d540b5be1050 | PaloAltoPrismaCloud |
Ping Federate - Abnormal password reset attempts | e45a7334-2cb4-4690-8156-f02cac73d584 | PingFederate PingFederateAma CefAma |
PulseConnectSecure - Potential Brute Force Attempts | 34663177-8abf-4db1-b0a4-5683ab273f44 | PulseConnectSecure SyslogAma |
PulseConnectSecure - Large Number of Distinct Failed User Logins | 1fa1528e-f746-4794-8a41-14827f4cb798 | PulseConnectSecure SyslogAma |
Pure Failed Login | ed32b115-5001-43a7-a2bb-f53026db4d97 | |
Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
Brute force attack against user credentials | 5a6ce089-e756-40fb-b022-c8e8864a973a | SalesforceServiceCloud |
Potential Password Spray Attack | 64d16e62-1a17-4a35-9ea7-2b9fe6f07118 | SalesforceServiceCloud |
Possible AiTM Phishing Attempt Against Microsoft Entra ID | 16daa67c-b137-48dc-8eb7-76598a44791a | AzureActiveDirectory Zscaler |
Semperis DSP Failed Logons | 0e105444-fe13-4ce6-9239-21880076a3f9 | SemperisDSP |
Semperis DSP Operations Critical Notifications | 8f471e21-3bb2-466f-9bc2-0a0326a60788 | SemperisDSP |
Semperis DSP Kerberos krbtgt account with old password | 9ff3b26b-7636-412e-ac46-072b084b94cb | SemperisDSP |
Azure secure score block legacy authentication | C27BB559-28C5-4924-A7DA-3BF04CD02C8F | SenservaPro |
Azure secure score MFA registration V2 | 8EB2B20A-BF64-4DCC-9D98-1AD559502C00 | SenservaPro |
Azure secure score PW age policy new | 88C9A5E0-31EC-490B-82E5-A286D9B99A67 | SenservaPro |
Sentinel One - User viewed agent’s passphrase | 51999097-60f4-42c0-bee8-fa28160e5583 | SentinelOne |
Silverfort - UserBruteForce Incident | 46ff357b-9e98-465b-9e45-cd52fa4a7522 | SilverfortAma |
SlackAudit - Multiple failed logins for user | 93a91c37-032c-4380-847c-957c001957ad | SlackAuditAPI |
SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
SpyCloud Enterprise Breach Detection | cb410ad5-6e9d-4278-b963-1e3af205d680 | |
SpyCloud Enterprise Malware Detection | 7ba50f9e-2f94-462b-a54b-8642b8c041f5 | |
ClientDeniedAccess | a9956d3a-07a9-44a6-a279-081a85020cae | SymantecVIP SyslogAma |
Excessive Failed Authentication from Invalid Inputs | c775a46b-21b1-46d7-afa6-37e3e577a27b | SymantecVIP SyslogAma |
Failed logon attempts in authpriv | e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6 | Syslog SyslogAma |
SSH - Potential Brute Force | e1ce0eab-10d1-4aae-863f-9a383345ba88 | Syslog SyslogAma |
TIE Active Directory attacks pathways | de549a62-f595-4810-88bd-621338186588 | TenableIE |
TIE DCSync | 19d1f964-ddcf-437b-92ce-b9c1c14d24f1 | TenableIE |
TIE Golden Ticket | 216e12dd-165a-4537-b241-32e1bd3330c7 | TenableIE |
TIE Indicators of Attack | 6c75f0d2-2973-4188-bb05-ec7bc8696120 | TenableIE |
TIE Indicators of Exposures | f6ae2eb2-97c9-4e0f-ae73-7420ef80d99d | TenableIE |
TIE LSASS Memory | 7851f57c-98b6-43c6-9747-9bb7cf11f21c | TenableIE |
TIE Password Guessing | d1416c25-5a56-4a88-8d7c-568e6551a307 | TenableIE |
TIE Password issues | 87af910a-e9c0-4c96-8045-f778ba405251 | TenableIE |
TIE Password Spraying | f47eb8cb-4acb-4ee4-887d-0247c6d73a72 | TenableIE |
TIE privileged accounts issues | 5c170c73-75ba-48ea-8dfc-e4e2d4f23979 | TenableIE |
TIE user accounts issues | c4562ef3-d821-4089-b6c0-120d95c855e6 | TenableIE |
Tenable.ad Active Directory attacks pathways | 4639bb0a-ca12-4a57-8e53-f61c2c6034d6 | Tenable.ad |
Tenable.ad DCSync | 0c8d4de3-adb9-4161-a863-aa1e2c8bd959 | Tenable.ad |
Tenable.ad Golden Ticket | d1abda25-f88a-429a-8163-582533cd0def | Tenable.ad |
Tenable.ad Indicators of Attack | 6405329a-8d20-48f3-aabc-e1b8a745568e | Tenable.ad |
Tenable.ad Indicators of Exposures | 55de1072-e93f-40f9-a14d-f7356d217cf6 | Tenable.ad |
Tenable.ad LSASS Memory | 6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf | Tenable.ad |
Tenable.ad Password Guessing | 44d74560-0cd1-4e73-a8f5-d16eeeba219e | Tenable.ad |
Tenable.ad Password issues | 2518b57f-1a8b-44ea-935d-7dc1cfe4f918 | Tenable.ad |
Tenable.ad Password Spraying | 29d350db-0ac0-4f4c-92ff-dac0f6335612 | Tenable.ad |
Tenable.ad privileged accounts issues | 353d6474-d795-4086-a179-ba1db4d8bbcb | Tenable.ad |
Tenable.ad user accounts issues | 4f8ed6f3-8815-437d-9462-f0def9dc70d6 | Tenable.ad |
Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
Theom - Dev secrets unencrypted | f2490f5b-269c-471d-9ff4-475f62ea498e | Theom |
Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect AIVectraDetectAma CefAma |
Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect AIVectraDetectAma CefAma |
Alarming number of anomalies generated in NetBackup | 2e0efcd4-56d2-41df-9098-d6898a58c62b | |
Multiple failed attempts of NetBackup login | d39f0c47-2e85-49b9-a686-388c2eb7062c | |
Identify instances where a single source is observed using multiple user agents (ASIM Web Session) | 813ccf3b-0321-4622-b0bc-63518fd14454 | |
Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
Excessive Windows Logon Failures | 2391ce61-8c8d-41ac-9723-d945b2e90720 | SecurityEvents WindowsSecurityEvents |
SecurityEvent - Multiple authentication failures followed by a success | cf3ede88-a429-493b-9108-3e46d3c741f7 | SecurityEvents WindowsSecurityEvents |
Non Domain Controller Active Directory Replication | b9d2eebc-5dcb-4888-8165-900db44443ab | SecurityEvents WindowsSecurityEvents |
Zero Networks Segment - New API Token created | 603a6b18-b54a-43b7-bb61-d2b0b47d224a | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller |
Brute force attack against user credentials (Uses Authentication Normalization) | a6c435a2-b1a0-466d-b730-9f8af69262e8 | |
Potential Password Spray Attack (Uses Authentication Normalization) | 6a2e2ff4-5568-475e-bef2-b95f12b9367b | |
Dev-0228 File Path Hashes November 2021 (ASIM Version) | 29a29e5d-354e-4f5e-8321-8b39d25047bf | |
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) | a1bddaf8-982b-4089-ba9e-6590dfcf80ea | SquidProxy Zscaler |
Wazuh - Large Number of Web errors from an IP | 2790795b-7dba-483e-853f-44aa0bc9c985 | |
Trust Monitor Event | 8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182 | |
IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN | ba144bf8-75b8-406f-9420-ed74397f9479 | AzureActiveDirectory PaloAltoNetworks |
Failed AzureAD logons but success logon to AWS Console | 643c2025-9604-47c5-833f-7b4b9378a1f5 | AzureActiveDirectory AWS |
Failed AzureAD logons but success logon to host | 8ee967a2-a645-4832-85f4-72b635bcb3a6 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents |
Failed AWS Console logons but success logon to AzureAD | 910124df-913c-47e3-a7cd-29e1643fa55e | AzureActiveDirectory AWS |
Dev-0228 File Path Hashes November 2021 | 3b443f22-9be9-4c35-ac70-a94757748439 | MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection |
Europium - Hash and IP IOCs - September 2022 | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection Office365 AzureFirewall WindowsFirewall |
Failed host logons but success logon to AzureAD | 1ce5e766-26ab-4616-b7c8-3b33ae321e80 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents |
Multiple Password Reset by user | 0b9ae89d-8cad-461c-808f-0494f70ad5c4 | AzureActiveDirectory SecurityEvents Syslog Office365 WindowsSecurityEvents WindowsForwardedEvents |
Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity BehaviorAnalytics |
AD FS Abnormal EKU object identifier attribute | cfc1ae62-db63-4a3e-b88b-dc04030c2257 | SecurityEvents |
Failed logon attempts by valid accounts within 10 mins | 0777f138-e5d8-4eab-bec1-e11ddfbc2be2 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Potential Kerberoasting | 1572e66b-20a7-4012-9ec4-77ec4b101bc8 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
New country signIn with correct password | 7808c05a-3afd-4d13-998a-a59e2297693f | AzureActiveDirectory |
High count of failed attempts from same client IP | 19e01883-15d8-4eb6-a7a5-3276cd668388 | AzureMonitor(IIS) |
High count of failed logons by a user | 884c4957-70ea-4f57-80b9-1bca3890315b | AzureMonitor(IIS) |
Zoom E2E Encryption Disabled | e4779bdc-397a-4b71-be28-59e6a1e1d16b | |
External User Access Enabled | 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3 | |