CredentialAccess
| Rule Name | id | Required data connectors | Id |
|---|---|---|---|
| 1Password - Secret extraction post vault access change by administrator | 6711b747-16d7-4df4-9f61-8633617f45d7 | 1Password | 6711b747-16d7-4df4-9f61-8633617f45d7 |
| 1Password - Vault export post account creation | 969e2e5c-9cc6-423c-a3de-514f7ad75fe7 | 1Password | 969e2e5c-9cc6-423c-a3de-514f7ad75fe7 |
| 1Password - Vault export prior to account suspension or deletion | 51617533-cf51-4415-9020-b15bd47d69d2 | 1Password | 51617533-cf51-4415-9020-b15bd47d69d2 |
| 1Password - Vault export | dae4c601-51c9-47f5-83d3-e6eaef929cf6 | 1Password | dae4c601-51c9-47f5-83d3-e6eaef929cf6 |
| API - Account Takeover | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 | 42CrunchAPIProtection | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 |
| API - JWT validation | bbd163f4-1f56-434f-9c23-b06713c119c2 | 42CrunchAPIProtection | bbd163f4-1f56-434f-9c23-b06713c119c2 |
| API - Password Cracking | d951d64d-0ecd-4675-8c79-6c870d5f72ac | 42CrunchAPIProtection | d951d64d-0ecd-4675-8c79-6c870d5f72ac |
| API - Suspicious Login | 7bdc10d6-aa24-4ca9-9a93-802cd8761354 | 42CrunchAPIProtection | 7bdc10d6-aa24-4ca9-9a93-802cd8761354 |
| Alsid Active Directory attacks pathways | 9649e203-3cb7-47ff-89a9-42f2a5eefe31 | AlsidForAD | 9649e203-3cb7-47ff-89a9-42f2a5eefe31 |
| Alsid DCSync | d3c658bd-8da9-4372-82e4-aaffa922f428 | AlsidForAD | d3c658bd-8da9-4372-82e4-aaffa922f428 |
| Alsid Golden Ticket | 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb | AlsidForAD | 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb |
| Alsid Indicators of Attack | 3caa67ef-8ed3-4ab5-baf2-3850d3667f3d | AlsidForAD | 3caa67ef-8ed3-4ab5-baf2-3850d3667f3d |
| Alsid Indicators of Exposures | 154fde9f-ae00-4422-a8da-ef00b11da3fc | AlsidForAD | 154fde9f-ae00-4422-a8da-ef00b11da3fc |
| Alsid LSASS Memory | 3acf5617-7c41-4085-9a79-cc3a425ba83a | AlsidForAD | 3acf5617-7c41-4085-9a79-cc3a425ba83a |
| Alsid Password Guessing | ba239935-42c2-472d-80ba-689186099ea1 | AlsidForAD | ba239935-42c2-472d-80ba-689186099ea1 |
| Alsid Password issues | 472b7cf4-bf1a-4061-b9ab-9fe4894e3c17 | AlsidForAD | 472b7cf4-bf1a-4061-b9ab-9fe4894e3c17 |
| Alsid Password Spraying | 9e20eb4e-cc0d-4349-a99d-cad756859dfb | AlsidForAD | 9e20eb4e-cc0d-4349-a99d-cad756859dfb |
| Alsid privileged accounts issues | a5fe9489-cf8b-47ae-a87e-8f3a13e4203e | AlsidForAD | a5fe9489-cf8b-47ae-a87e-8f3a13e4203e |
| Alsid user accounts issues | fb9e0b51-8867-48d7-86f4-6e76f2176bf8 | AlsidForAD | fb9e0b51-8867-48d7-86f4-6e76f2176bf8 |
| Credential Dumping Tools - Service Installation | 4ebbb5c2-8802-11ec-a8a3-0242ac120002 | SecurityEvents WindowsSecurityEvents | 4ebbb5c2-8802-11ec-a8a3-0242ac120002 |
| Credential Dumping Tools - File Artifacts | 32ffb19e-8ed8-40ed-87a0-1adb4746b7c4 | SecurityEvents WindowsSecurityEvents | 32ffb19e-8ed8-40ed-87a0-1adb4746b7c4 |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | ef88eb96-861c-43a0-ab16-f3835a97c928 |
| Password Exfiltration over SCIM application | 2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa | Authomize | 2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa |
| AWS Security Hub - Detect root user lacking MFA | 6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44 | AWSSecurityHub | 6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44 |
| Microsoft Entra ID Hybrid Health AD FS Suspicious Application | d9938c3b-16f9-444d-bc22-ea9a9110e0fd | AzureActivity | d9938c3b-16f9-444d-bc22-ea9a9110e0fd |
| Rare subscription-level operations in Azure | 23de46ea-c425-4a77-b456-511ae4855d69 | AzureActivity | 23de46ea-c425-4a77-b456-511ae4855d69 |
| Mass secret retrieval from Azure Key Vault | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c | AzureKeyVault | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c |
| Azure Key Vault access TimeSeries anomaly | 0914adab-90b5-47a3-a79f-7cdcac843aa7 | AzureKeyVault | 0914adab-90b5-47a3-a79f-7cdcac843aa7 |
| Azure DevOps PAT used with Browser | 5f0d80db-3415-4265-9d52-8466b7372e3a | 5f0d80db-3415-4265-9d52-8466b7372e3a | |
| Azure DevOps Variable Secret Not Secured | 4ca74dc0-8352-4ac5-893c-73571cc78331 | 4ca74dc0-8352-4ac5-893c-73571cc78331 | |
| Bitglass - Multiple failed logins | 7c570bfc-9f20-490e-80e8-b898c7ce4bda | Bitglass | 7c570bfc-9f20-490e-80e8-b898c7ce4bda |
| CiscoISE - Certificate has expired | 6107cba5-2974-4c22-8222-2a6f7bbea664 | SyslogAma | 6107cba5-2974-4c22-8222-2a6f7bbea664 |
| Multi-Factor Authentication Disabled for a User | 65c78944-930b-4cae-bd79-c3664ae30ba7 | AzureActiveDirectory AWS | 65c78944-930b-4cae-bd79-c3664ae30ba7 |
| Contrast ADR - DLP SQL Injection Correlation | 1aac7737-d52f-483d-b225-6a27c1b29a9e | ContrastADR | 1aac7737-d52f-483d-b225-6a27c1b29a9e |
| Corelight - Forced External Outbound SMB | 73f23aa2-5cc4-4507-940b-75c9092e9e01 | Corelight | 73f23aa2-5cc4-4507-940b-75c9092e9e01 |
| Compromised Cards (High) | 2d5481d3-4aad-4ab8-bfea-6da5d6db9fe7 | CBSPollingIDAzureFunctions | 2d5481d3-4aad-4ab8-bfea-6da5d6db9fe7 |
| Compromised Cards (Informational) | 02536cb0-a292-4b30-917b-abfd31a39e14 | CBSPollingIDAzureFunctions | 02536cb0-a292-4b30-917b-abfd31a39e14 |
| Compromised Cards (Low) | 970a9ae9-2e9b-4a51-a1f0-b76acd28f62f | CBSPollingIDAzureFunctions | 970a9ae9-2e9b-4a51-a1f0-b76acd28f62f |
| Compromised Cards (Medium) | 1436c4c5-9304-4d0b-92cd-107e29ec4ef9 | CBSPollingIDAzureFunctions | 1436c4c5-9304-4d0b-92cd-107e29ec4ef9 |
| Cookies: HttpOnly Flag Not Used | e303d68e-08a7-4382-ab31-6a4bd80e8066 | HVPollingIDAzureFunctions | e303d68e-08a7-4382-ab31-6a4bd80e8066 |
| Cookies: Secure Flag Not Used | 91da8421-6066-4570-8a0b-25d980810109 | HVPollingIDAzureFunctions | 91da8421-6066-4570-8a0b-25d980810109 |
| Header: HTTP Strict Transport Security Missing | a3efb9ff-14a4-42ef-b019-0b9cbe5d3888 | HVPollingIDAzureFunctions | a3efb9ff-14a4-42ef-b019-0b9cbe5d3888 |
| Header: Referrer-Policy Missing | 5ee7098a-f0d8-46bf-806d-25015145e24f | HVPollingIDAzureFunctions | 5ee7098a-f0d8-46bf-806d-25015145e24f |
| Leaked Credential (Informational) | 296e0e78-d744-407f-b543-4adf3eed1030 | CBSPollingIDAzureFunctions | 296e0e78-d744-407f-b543-4adf3eed1030 |
| Leaked Credential (Low) | 425007a5-b0e8-4f1a-9bb9-20aac8e97cd7 | CBSPollingIDAzureFunctions | 425007a5-b0e8-4f1a-9bb9-20aac8e97cd7 |
| Leaked Credential (Medium) | 51546727-6467-439e-8799-4cf0232394eb | CBSPollingIDAzureFunctions | 51546727-6467-439e-8799-4cf0232394eb |
| Leaked Credential | a0a46e91-3f94-4ed4-ab70-ecd36ae0ead0 | CBSPollingIDAzureFunctions | a0a46e91-3f94-4ed4-ab70-ecd36ae0ead0 |
| Money Mule Account (High) | f24f7b7a-74cc-4f7a-a1d9-e2b22ab41eac | CBSPollingIDAzureFunctions | f24f7b7a-74cc-4f7a-a1d9-e2b22ab41eac |
| Money Mule Account (Informational) | 65c395f5-e20b-432c-85d8-388b65d0e8ba | CBSPollingIDAzureFunctions | 65c395f5-e20b-432c-85d8-388b65d0e8ba |
| Money Mule Account (Low) | 04fab81c-8cf3-4c9d-80dc-a789e52525a2 | CBSPollingIDAzureFunctions | 04fab81c-8cf3-4c9d-80dc-a789e52525a2 |
| Money Mule Account (Medium) | 249aa6df-5f52-46d9-a908-c28c00db1cee | CBSPollingIDAzureFunctions | 249aa6df-5f52-46d9-a908-c28c00db1cee |
| Social Engineering Vulnerability (High) | 4df9c385-9a5b-4585-8dae-ad3c82066108 | CBSPollingIDAzureFunctions | 4df9c385-9a5b-4585-8dae-ad3c82066108 |
| TLS Certificate Hostname Mismatch | 69761091-1a9a-49a9-8966-be68cd550766 | HVPollingIDAzureFunctions | 69761091-1a9a-49a9-8966-be68cd550766 |
| TLS Certificate Using Weak Cipher - Informational | 1bdf3cba-6b85-4b88-ab1e-681bac20d41f | HVPollingIDAzureFunctions | 1bdf3cba-6b85-4b88-ab1e-681bac20d41f |
| TLS Certificate Using Weak Cipher - Medium | 7bbe51fe-9c5f-4f54-a079-b84cc27737a1 | HVPollingIDAzureFunctions | 7bbe51fe-9c5f-4f54-a079-b84cc27737a1 |
| TLSv1.1 in Use - info | 049edfdd-0331-4493-bcd7-b375bba7b551 | HVPollingIDAzureFunctions | 049edfdd-0331-4493-bcd7-b375bba7b551 |
| TLSv1.1 in Use - Medium | 92400070-199b-46d3-bd86-2fb8421b5338 | HVPollingIDAzureFunctions | 92400070-199b-46d3-bd86-2fb8421b5338 |
| TLSv1 in Use - Low | 9435d04a-e8a6-49e5-90c4-e7f3456f9ed5 | HVPollingIDAzureFunctions | 9435d04a-e8a6-49e5-90c4-e7f3456f9ed5 |
| TLSv1 in Use - Medium | 93f2ab34-15a3-4199-ad5a-6ebf8d2ad449 | HVPollingIDAzureFunctions | 93f2ab34-15a3-4199-ad5a-6ebf8d2ad449 |
| Unauthorized Association (High) | 0e90d290-2422-49a8-8025-a24dd453e48e | CBSPollingIDAzureFunctions | 0e90d290-2422-49a8-8025-a24dd453e48e |
| Unauthorized Association (Informational) | dfdeca9d-c827-49f6-bf46-48520ee9c06f | CBSPollingIDAzureFunctions | dfdeca9d-c827-49f6-bf46-48520ee9c06f |
| Unauthorized Association (Low) | a793865b-6877-4449-b4a8-6d3c60e141c7 | CBSPollingIDAzureFunctions | a793865b-6877-4449-b4a8-6d3c60e141c7 |
| Unauthorized Association (Medium) | 4999feef-84af-4510-a2c8-91265873b552 | CBSPollingIDAzureFunctions | 4999feef-84af-4510-a2c8-91265873b552 |
| CyberArk - Multiple Failed Actions Followed by Success (15m) | |||
| CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule | 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce | CyfirmaAttackSurfaceAlertsConnector | 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce |
| CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule | 5a617ff2-3e3d-44e7-b761-9f0d542ae191 | CyfirmaAttackSurfaceAlertsConnector | 5a617ff2-3e3d-44e7-b761-9f0d542ae191 |
| CYFIRMA - Attack Surface - Configuration High Rule | 30206b45-75d2-4c6a-87c5-f0861c1f2870 | CyfirmaAttackSurfaceAlertsConnector | 30206b45-75d2-4c6a-87c5-f0861c1f2870 |
| CYFIRMA - Attack Surface - Configuration Medium Rule | e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de | CyfirmaAttackSurfaceAlertsConnector | e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de |
| CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule | 3176ac89-b195-48b7-a01e-740a6b26fb2f | CyfirmaBrandIntelligenceAlertsDC | 3176ac89-b195-48b7-a01e-740a6b26fb2f |
| CYFIRMA - Brand Intelligence - Malicious Mobile App Medium Rule | b73e6628-d44c-4ad3-a801-ea225c5744ee | CyfirmaBrandIntelligenceAlertsDC | b73e6628-d44c-4ad3-a801-ea225c5744ee |
| CYFIRMA - Compromised Employees Detection Rule | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7 | CyfirmaCompromisedAccountsDataConnector | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7 |
| CYFIRMA - Customer Accounts Leaks Detection Rule | ebd1bf8d-aa18-4e66-9cad-555b71a290f1 | CyfirmaCompromisedAccountsDataConnector | ebd1bf8d-aa18-4e66-9cad-555b71a290f1 |
| CYFIRMA - Public Accounts Leaks Detection Rule | 57602938-e95a-4fc3-9352-8d473ed256e1 | CyfirmaCompromisedAccountsDataConnector | 57602938-e95a-4fc3-9352-8d473ed256e1 |
| CYFIRMA - High severity File Hash Indicators with Block Action and Malware | 990fc0dc-e7a5-4f6d-bc24-8569652cd773 | CyfirmaCyberIntelligenceDC | 990fc0dc-e7a5-4f6d-bc24-8569652cd773 |
| CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware | 24dcff02-123c-4e10-a531-2a22a609120a | CyfirmaCyberIntelligenceDC | 24dcff02-123c-4e10-a531-2a22a609120a |
| CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule | 6f053867-dbd8-4755-924d-577e3db7f5a6 | CyfirmaCyberIntelligenceDC | 6f053867-dbd8-4755-924d-577e3db7f5a6 |
| CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule | 5468e012-6681-44fb-be2d-b1cd58b62ac7 | CyfirmaCyberIntelligenceDC | 5468e012-6681-44fb-be2d-b1cd58b62ac7 |
| CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule | 359e2afb-b6d4-45db-90aa-c89ce7234d72 | CyfirmaCyberIntelligenceDC | 359e2afb-b6d4-45db-90aa-c89ce7234d72 |
| CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule | 1b9603dd-4787-403e-8a35-387c554bd15b | CyfirmaCyberIntelligenceDC | 1b9603dd-4787-403e-8a35-387c554bd15b |
| CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule | 649f525a-1f92-412d-bfc2-ce642e7a7f1f | CyfirmaCyberIntelligenceDC | 649f525a-1f92-412d-bfc2-ce642e7a7f1f |
| CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule | 25686f44-5f5f-4388-95e2-eea244481438 | CyfirmaCyberIntelligenceDC | 25686f44-5f5f-4388-95e2-eea244481438 |
| CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule | 4afd8960-8bee-4cac-bb5e-a4f200b1f9f3 | CyfirmaCyberIntelligenceDC | 4afd8960-8bee-4cac-bb5e-a4f200b1f9f3 |
| CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule | b89c893e-650f-4569-afc3-c487efee2472 | CyfirmaCyberIntelligenceDC | b89c893e-650f-4569-afc3-c487efee2472 |
| CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule | 441204ca-274f-43d2-aeda-53409b94f447 | CyfirmaCyberIntelligenceDC | 441204ca-274f-43d2-aeda-53409b94f447 |
| CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule | baa63d52-285d-43bf-a34e-8ed2fa260f9e | CyfirmaCyberIntelligenceDC | baa63d52-285d-43bf-a34e-8ed2fa260f9e |
| CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule | 89fd02b8-3c21-492c-a8de-b3e728d39119 | CyfirmaCyberIntelligenceDC | 89fd02b8-3c21-492c-a8de-b3e728d39119 |
| CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule | 104f4574-fc95-4f38-8aa2-02f0b78eba9b | CyfirmaCyberIntelligenceDC | 104f4574-fc95-4f38-8aa2-02f0b78eba9b |
| CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule | c3f1f55b-7e54-4416-8afc-7d7876b29b0f | CyfirmaDigitalRiskAlertsConnector | c3f1f55b-7e54-4416-8afc-7d7876b29b0f |
| CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule | c0afeda7-4832-49a6-8d03-a5d137d513b5 | CyfirmaDigitalRiskAlertsConnector | c0afeda7-4832-49a6-8d03-a5d137d513b5 |
| CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule | 52d71822-41e4-4c21-b36f-400294f2b43a | CyfirmaDigitalRiskAlertsConnector | 52d71822-41e4-4c21-b36f-400294f2b43a |
| CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule | b484f224-687f-4406-af8a-ff019f9f2c24 | CyfirmaDigitalRiskAlertsConnector | b484f224-687f-4406-af8a-ff019f9f2c24 |
| CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule | 42e6f16a-7773-44cc-8668-8f648bd1aa4f | CyfirmaDigitalRiskAlertsConnector | 42e6f16a-7773-44cc-8668-8f648bd1aa4f |
| CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule | 28e315a3-725d-4261-a6c2-e597d51541f4 | CyfirmaDigitalRiskAlertsConnector | 28e315a3-725d-4261-a6c2-e597d51541f4 |
| CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert | 123fad02-6d9e-439e-8241-7a2fffa7e0a5 | CyfirmaVulnerabilitiesIntelDC | 123fad02-6d9e-439e-8241-7a2fffa7e0a5 |
| CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert | 6306f2d9-34a3-409a-850d-175b7bdd1ab1 | CyfirmaVulnerabilitiesIntelDC | 6306f2d9-34a3-409a-850d-175b7bdd1ab1 |
| CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert | 6cc62c46-dd44-46d7-8681-8422f780eabd | CyfirmaVulnerabilitiesIntelDC | 6cc62c46-dd44-46d7-8681-8422f780eabd |
| CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule | 4c1b282b-62f1-4783-bf40-94c44f0ae630 | CyfirmaVulnerabilitiesIntelDC | 4c1b282b-62f1-4783-bf40-94c44f0ae630 |
| Cynerio - IoT - Default password | 84e0ea1f-766d-4775-836a-c0c9cca05085 | CynerioSecurityEvents | 84e0ea1f-766d-4775-836a-c0c9cca05085 |
| Cynerio - IoT - Weak password | 65db1346-6435-4079-bbf4-9a7113c98054 | CynerioSecurityEvents | 65db1346-6435-4079-bbf4-9a7113c98054 |
| Dumping LSASS Process Into a File | a7b9df32-1367-402d-b385-882daf6e3020 | SecurityEvents WindowsSecurityEvents | a7b9df32-1367-402d-b385-882daf6e3020 |
| WDigest downgrade attack | f6502545-ae3a-4232-a8b0-79d87e5c98d7 | SecurityEvents WindowsSecurityEvents | f6502545-ae3a-4232-a8b0-79d87e5c98d7 |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 |
| Expired access credentials being used in Azure | 433c3b0a-7278-4d74-b137-963ac6f9a7e7 | AzureActiveDirectory | 433c3b0a-7278-4d74-b137-963ac6f9a7e7 |
| Password Spraying | e00f72ab-fea1-4a31-9ecc-eea6397cd38d | MicrosoftThreatProtection | e00f72ab-fea1-4a31-9ecc-eea6397cd38d |
| Flare Leaked Credentials | 9cb7c337-f170-4af6-b0e8-b6b7552d762d | Flare | 9cb7c337-f170-4af6-b0e8-b6b7552d762d |
| Flare Infected Device | 9cb7c337-f176-4af6-b0e8-b6b7552d762d | Flare | 9cb7c337-f176-4af6-b0e8-b6b7552d762d |
| GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | 5436f471-b03d-41cb-b333-65891f887c43 | |
| GitLab - Brute-force Attempts | 2238d13a-cf05-4973-a83f-d12a25dbb153 | SyslogAma | 2238d13a-cf05-4973-a83f-d12a25dbb153 |
| GitLab - Local Auth - No MFA | e0b45487-5c79-482d-8ac0-695de8c031af | SyslogAma | e0b45487-5c79-482d-8ac0-695de8c031af |
| GitLab - Repository visibility to Public | 8b291c3d-90ba-4ebf-af2c-0283192d430e | SyslogAma | 8b291c3d-90ba-4ebf-af2c-0283192d430e |
| GitLab - SSO - Sign-Ins Burst | 57b1634b-531d-4eab-a456-8b855887428f | AzureActiveDirectory | 57b1634b-531d-4eab-a456-8b855887428f |
| Google DNS - Exchange online autodiscover abuse | 424c2aca-5367-4247-917a-5d0f7035e40e | GCPDNSDataConnector | 424c2aca-5367-4247-917a-5d0f7035e40e |
| GWorkspace - Possible brute force attack | 8f6cd9a4-5e57-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI | 8f6cd9a4-5e57-11ec-bf63-0242ac130002 |
| GWorkspace - Two-step authentification disabled for a user | c8cc02d0-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI | c8cc02d0-5da6-11ec-bf63-0242ac130002 |
| Illusive Incidents Analytic Rule | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 | Illusive illusiveAttackManagementSystemAma CefAma | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 |
| Highly Sensitive Password Accessed | b39e6482-ab7e-4817-813d-ec910b64b26e | LastPass | b39e6482-ab7e-4817-813d-ec910b64b26e |
| [Deprecated] - Known Diamond Sleet related maldoc hash | 3174a9ec-d0ad-4152-8307-94ed04fa450a | CiscoASA PaloAltoNetworks SecurityEvents | 3174a9ec-d0ad-4152-8307-94ed04fa450a |
| [Deprecated] - Emerald Sleet domains included in DCU takedown | 70b12a3b-4896-42cb-910c-5ffaf8d7987d | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight | 70b12a3b-4896-42cb-910c-5ffaf8d7987d |
| [Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020 | 68271db2-cbe9-4009-b1d3-bb3b5fe5713c | Office365 | 68271db2-cbe9-4009-b1d3-bb3b5fe5713c |
| [Deprecated] - Known Granite Typhoon domains and hashes | 26a3b261-b997-4374-94ea-6c37f67f4f39 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight | 26a3b261-b997-4374-94ea-6c37f67f4f39 |
| [Deprecated] - Known Ruby Sleet domains and hashes | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 |
| Dataverse - Anomalous application user activity | 0820da12-e895-417f-9175-7c256fcfb33e | Dataverse | 0820da12-e895-417f-9175-7c256fcfb33e |
| Dataverse - Login by a sensitive privileged user | f327816b-9328-4b17-9290-a02adc2f4928 | Dataverse | f327816b-9328-4b17-9290-a02adc2f4928 |
| Dataverse - New Dataverse application user activity type | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70 | Dataverse | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70 |
| F&O - Bank account change following network alias reassignment | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64 | Dynamics365Finance | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64 |
| F&O - Non-interactive account mapped to self or sensitive privileged user | 5b7cc7f9-fe54-4138-9fb0-d650807345d3 | Dynamics365Finance | 5b7cc7f9-fe54-4138-9fb0-d650807345d3 |
| F&O - Unusual sign-in activity using single factor authentication | 919e939f-95e2-4978-846e-13a721c89ea1 | AzureActiveDirectory | 919e939f-95e2-4978-846e-13a721c89ea1 |
| DopplePaymer Procdump | 1be34fb9-f81b-47ae-84fb-465e6686d76c | MicrosoftThreatProtection | 1be34fb9-f81b-47ae-84fb-465e6686d76c |
| LSASS Credential Dumping with Procdump | c332b840-61e4-462e-a201-0e2d69bad45d | MicrosoftThreatProtection | c332b840-61e4-462e-a201-0e2d69bad45d |
| Detect Potential Kerberoast Activities | 12134de5-361b-427c-a1a0-d43f40a593c4 | MicrosoftThreatProtection | 12134de5-361b-427c-a1a0-d43f40a593c4 |
| LaZagne Credential Theft | 7d0d3050-8dac-4b83-bfae-902f7dc0c21c | MicrosoftThreatProtection | 7d0d3050-8dac-4b83-bfae-902f7dc0c21c |
| Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af |
| Password spray attack against ADFSSignInLogs | 5533fe80-905e-49d5-889a-df27d2c3976d | AzureActiveDirectory | 5533fe80-905e-49d5-889a-df27d2c3976d |
| Brute Force Attack against GitHub Account | 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06 | AzureActiveDirectory | 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06 |
| Brute force attack against a Cloud PC | 3fbc20a4-04c4-464e-8fcb-6667f53e4987 | AzureActiveDirectory | 3fbc20a4-04c4-464e-8fcb-6667f53e4987 |
| Conditional Access - A Conditional Access user/group/role exclusion has changed | 2ce7f00d-3b3c-41b9-ae9a-b79c19d2394e | AzureActiveDirectory | 2ce7f00d-3b3c-41b9-ae9a-b79c19d2394e |
| Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory | 707494a5-8e44-486b-90f8-155d1797a8eb |
| Distributed Password cracking attempts in Microsoft Entra ID | bfb1c90f-8006-4325-98be-c7fffbc254d6 | AzureActiveDirectory | bfb1c90f-8006-4325-98be-c7fffbc254d6 |
| [Deprecated] Explicit MFA Deny | a22740ec-fc1e-4c91-8de6-c29c6450ad00 | AzureActiveDirectory MicrosoftThreatProtection | a22740ec-fc1e-4c91-8de6-c29c6450ad00 |
| Failed login attempts to Azure Portal | 223db5c1-1bf8-47d8-8806-bed401b356a4 | AzureActiveDirectory | 223db5c1-1bf8-47d8-8806-bed401b356a4 |
| Suspicious application consent similar to O365 Attack Toolkit | f948a32f-226c-4116-bddd-d95e91d97eb9 | AzureActiveDirectory | f948a32f-226c-4116-bddd-d95e91d97eb9 |
| Suspicious application consent similar to PwnAuth | 39198934-62a0-4781-8416-a81265c03fd6 | AzureActiveDirectory | 39198934-62a0-4781-8416-a81265c03fd6 |
| MFA Spamming followed by Successful login | a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b | AzureActiveDirectory | a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b |
| NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 |
| Password spray attack against Microsoft Entra ID Seamless SSO | fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba | AzureActiveDirectory | fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba |
| GitHub Signin Burst from Multiple Locations | d3980830-dd9d-40a5-911f-76b44dfdce16 | AzureActiveDirectory | d3980830-dd9d-40a5-911f-76b44dfdce16 |
| Brute force attack against Azure Portal | 28b42356-45af-40a6-a0b4-a554cdfd5d8a | AzureActiveDirectory | 28b42356-45af-40a6-a0b4-a554cdfd5d8a |
| Password spray attack against Microsoft Entra ID application | 48607a29-a26a-4abf-8078-a06dbdd174a4 | AzureActiveDirectory | 48607a29-a26a-4abf-8078-a06dbdd174a4 |
| Successful logon from IP and failure from a different IP | 02ef8d7e-fc3a-4d86-a457-650fa571d8d2 | AzureActiveDirectory BehaviorAnalytics | 02ef8d7e-fc3a-4d86-a457-650fa571d8d2 |
| Suspicious Entra ID Joined Device Update | 3a3c6835-0086-40ca-b033-a93bf26d878f | AzureActiveDirectory | 3a3c6835-0086-40ca-b033-a93bf26d878f |
| Suspicious application consent for offline access | 3533f74c-9207-4047-96e2-0eb9383be587 | AzureActiveDirectory | 3533f74c-9207-4047-96e2-0eb9383be587 |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory | 6852d9da-8015-4b95-8ecf-d9572ee0395d |
| Mimecast Audit - Logon Authentication Failed | f00197ab-491f-41e7-9e22-a7003a4c1e54 | MimecastAuditAPI | f00197ab-491f-41e7-9e22-a7003a4c1e54 |
| Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI | 9c5dcd76-9f6d-42a3-b984-314b52678f20 |
| Cross-Cloud Password Spray detection | 1f40ed57-f54b-462f-906a-ac3a89cc90d4 | AWS AzureActiveDirectory BehaviorAnalytics MicrosoftThreatProtection | 1f40ed57-f54b-462f-906a-ac3a89cc90d4 |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 | 5c847e47-0a07-4c01-ab99-5817ad6cb11e |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1 | AzureActiveDirectory AWSS3 | 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1 |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | 188db479-d50a-4a9c-a041-644bae347d1f | AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection | 188db479-d50a-4a9c-a041-644bae347d1f |
| Suspicious AWS console logins by credential access alerts | b51fe620-62ad-4ed2-9d40-5c97c0a8231f | OfficeATP AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection | b51fe620-62ad-4ed2-9d40-5c97c0a8231f |
| Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 | 60f31001-018a-42bf-8045-a92e1f361b7b |
| Remote Desktop Network Brute force (ASIM Network Session schema) | b7dc801e-1e79-48bb-91e8-2229a8e6d40b | b7dc801e-1e79-48bb-91e8-2229a8e6d40b | |
| NordPass - User fails authentication | 27b261dc-68f3-489a-944f-bc252e0c1960 | NordPass | 27b261dc-68f3-489a-944f-bc252e0c1960 |
| Failed Logins from Unknown or Invalid User | 884be6e7-e568-418e-9c12-89229865ffde | OktaSSO OktaSSOv2 | 884be6e7-e568-418e-9c12-89229865ffde |
| MFA Fatigue (OKTA) | c2697b81-7fe9-4f57-ba1d-de46c6f91f9c | OktaSSO OktaSSOv2 | c2697b81-7fe9-4f57-ba1d-de46c6f91f9c |
| Potential Password Spray Attack | e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508 | OktaSSO OktaSSOv2 | e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508 |
| Palo Alto Prisma Cloud - Multiple failed logins for user | 4f688252-bf9b-4136-87bf-d540b5be1050 | PaloAltoPrismaCloud | 4f688252-bf9b-4136-87bf-d540b5be1050 |
| Ping Federate - Abnormal password reset attempts | e45a7334-2cb4-4690-8156-f02cac73d584 | CefAma | e45a7334-2cb4-4690-8156-f02cac73d584 |
| PulseConnectSecure - Potential Brute Force Attempts | 34663177-8abf-4db1-b0a4-5683ab273f44 | SyslogAma | 34663177-8abf-4db1-b0a4-5683ab273f44 |
| PulseConnectSecure - Large Number of Distinct Failed User Logins | 1fa1528e-f746-4794-8a41-14827f4cb798 | SyslogAma | 1fa1528e-f746-4794-8a41-14827f4cb798 |
| Pure Failed Login | ed32b115-5001-43a7-a2bb-f53026db4d97 | ed32b115-5001-43a7-a2bb-f53026db4d97 | |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector | 6d263abb-6445-45cc-93e9-c593d3d77b89 |
| RSA ID Plus - Locked Administrator Account Detected | 488c759d-a82e-44cd-91bb-d766573918d7 | RSAIDPlus_AdminLogs_Connector | 488c759d-a82e-44cd-91bb-d766573918d7 |
| Brute force attack against user credentials | 5a6ce089-e756-40fb-b022-c8e8864a973a | SalesforceServiceCloudCCPDefinition | 5a6ce089-e756-40fb-b022-c8e8864a973a |
| Potential Password Spray Attack | 64d16e62-1a17-4a35-9ea7-2b9fe6f07118 | SalesforceServiceCloudCCPDefinition | 64d16e62-1a17-4a35-9ea7-2b9fe6f07118 |
| Samsung Knox - Password Lockout Events | fbff0a97-1972-4df8-a78c-254ccb9879ef | SamsungDCDefinition | fbff0a97-1972-4df8-a78c-254ccb9879ef |
| BTP - Trust and authorization Identity Provider monitor | 62357c23-ecdc-4edc-9349-8338063af1ef | SAPBTPAuditEvents | 62357c23-ecdc-4edc-9349-8338063af1ef |
| Possible AiTM Phishing Attempt Against Microsoft Entra ID | 16daa67c-b137-48dc-8eb7-76598a44791a | AzureActiveDirectory Zscaler | 16daa67c-b137-48dc-8eb7-76598a44791a |
| Semperis DSP Failed Logons | 0e105444-fe13-4ce6-9239-21880076a3f9 | SemperisDSP | 0e105444-fe13-4ce6-9239-21880076a3f9 |
| Semperis DSP Operations Critical Notifications | 8f471e21-3bb2-466f-9bc2-0a0326a60788 | SemperisDSP | 8f471e21-3bb2-466f-9bc2-0a0326a60788 |
| Semperis DSP Kerberos krbtgt account with old password | 9ff3b26b-7636-412e-ac46-072b084b94cb | SemperisDSP | 9ff3b26b-7636-412e-ac46-072b084b94cb |
| Azure secure score block legacy authentication | C27BB559-28C5-4924-A7DA-3BF04CD02C8F | SenservaPro | C27BB559-28C5-4924-A7DA-3BF04CD02C8F |
| Azure secure score MFA registration V2 | 8EB2B20A-BF64-4DCC-9D98-1AD559502C00 | SenservaPro | 8EB2B20A-BF64-4DCC-9D98-1AD559502C00 |
| Azure secure score PW age policy new | 88C9A5E0-31EC-490B-82E5-A286D9B99A67 | SenservaPro | 88C9A5E0-31EC-490B-82E5-A286D9B99A67 |
| Sentinel One - User viewed agent’s passphrase | 51999097-60f4-42c0-bee8-fa28160e5583 | SentinelOne | 51999097-60f4-42c0-bee8-fa28160e5583 |
| Silverfort - UserBruteForce Incident | 46ff357b-9e98-465b-9e45-cd52fa4a7522 | SilverfortAma | 46ff357b-9e98-465b-9e45-cd52fa4a7522 |
| SlackAudit - Multiple failed logins for user | 93a91c37-032c-4380-847c-957c001957ad | SlackAuditAPI | 93a91c37-032c-4380-847c-957c001957ad |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector | bcc3362d-b6f9-4de0-b41c-707fafd5a416 |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector | 37a8d052-a3db-4dc6-9dca-9390cac6f486 |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector | f5d467de-b5a2-4b4f-96db-55e27c733594 |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector | b60129ab-ce22-4b76-858d-3204932a13cc |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector | 10e6c454-5cad-4f86-81ce-800235cb050a |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 |
| SpyCloud Enterprise Breach Detection | cb410ad5-6e9d-4278-b963-1e3af205d680 | cb410ad5-6e9d-4278-b963-1e3af205d680 | |
| SpyCloud Enterprise Malware Detection | 7ba50f9e-2f94-462b-a54b-8642b8c041f5 | 7ba50f9e-2f94-462b-a54b-8642b8c041f5 | |
| ClientDeniedAccess | a9956d3a-07a9-44a6-a279-081a85020cae | SyslogAma | a9956d3a-07a9-44a6-a279-081a85020cae |
| Excessive Failed Authentication from Invalid Inputs | c775a46b-21b1-46d7-afa6-37e3e577a27b | SyslogAma | c775a46b-21b1-46d7-afa6-37e3e577a27b |
| Failed logon attempts in authpriv | e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6 | Syslog SyslogAma | e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6 |
| SSH - Potential Brute Force | e1ce0eab-10d1-4aae-863f-9a383345ba88 | Syslog SyslogAma | e1ce0eab-10d1-4aae-863f-9a383345ba88 |
| TIE Active Directory attacks pathways | de549a62-f595-4810-88bd-621338186588 | TenableIE | de549a62-f595-4810-88bd-621338186588 |
| TIE DCSync | 19d1f964-ddcf-437b-92ce-b9c1c14d24f1 | TenableIE | 19d1f964-ddcf-437b-92ce-b9c1c14d24f1 |
| TIE Golden Ticket | 216e12dd-165a-4537-b241-32e1bd3330c7 | TenableIE | 216e12dd-165a-4537-b241-32e1bd3330c7 |
| TIE Indicators of Attack | 6c75f0d2-2973-4188-bb05-ec7bc8696120 | TenableIE | 6c75f0d2-2973-4188-bb05-ec7bc8696120 |
| TIE Indicators of Exposures | f6ae2eb2-97c9-4e0f-ae73-7420ef80d99d | TenableIE | f6ae2eb2-97c9-4e0f-ae73-7420ef80d99d |
| TIE LSASS Memory | 7851f57c-98b6-43c6-9747-9bb7cf11f21c | TenableIE | 7851f57c-98b6-43c6-9747-9bb7cf11f21c |
| TIE Password Guessing | d1416c25-5a56-4a88-8d7c-568e6551a307 | TenableIE | d1416c25-5a56-4a88-8d7c-568e6551a307 |
| TIE Password issues | 87af910a-e9c0-4c96-8045-f778ba405251 | TenableIE | 87af910a-e9c0-4c96-8045-f778ba405251 |
| TIE Password Spraying | f47eb8cb-4acb-4ee4-887d-0247c6d73a72 | TenableIE | f47eb8cb-4acb-4ee4-887d-0247c6d73a72 |
| TIE privileged accounts issues | 5c170c73-75ba-48ea-8dfc-e4e2d4f23979 | TenableIE | 5c170c73-75ba-48ea-8dfc-e4e2d4f23979 |
| TIE user accounts issues | c4562ef3-d821-4089-b6c0-120d95c855e6 | TenableIE | c4562ef3-d821-4089-b6c0-120d95c855e6 |
| Tenable.ad Active Directory attacks pathways | 4639bb0a-ca12-4a57-8e53-f61c2c6034d6 | Tenable.ad | 4639bb0a-ca12-4a57-8e53-f61c2c6034d6 |
| Tenable.ad DCSync | 0c8d4de3-adb9-4161-a863-aa1e2c8bd959 | Tenable.ad | 0c8d4de3-adb9-4161-a863-aa1e2c8bd959 |
| Tenable.ad Golden Ticket | d1abda25-f88a-429a-8163-582533cd0def | Tenable.ad | d1abda25-f88a-429a-8163-582533cd0def |
| Tenable.ad Indicators of Attack | 6405329a-8d20-48f3-aabc-e1b8a745568e | Tenable.ad | 6405329a-8d20-48f3-aabc-e1b8a745568e |
| Tenable.ad Indicators of Exposures | 55de1072-e93f-40f9-a14d-f7356d217cf6 | Tenable.ad | 55de1072-e93f-40f9-a14d-f7356d217cf6 |
| Tenable.ad LSASS Memory | 6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf | Tenable.ad | 6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf |
| Tenable.ad Password Guessing | 44d74560-0cd1-4e73-a8f5-d16eeeba219e | Tenable.ad | 44d74560-0cd1-4e73-a8f5-d16eeeba219e |
| Tenable.ad Password issues | 2518b57f-1a8b-44ea-935d-7dc1cfe4f918 | Tenable.ad | 2518b57f-1a8b-44ea-935d-7dc1cfe4f918 |
| Tenable.ad Password Spraying | 29d350db-0ac0-4f4c-92ff-dac0f6335612 | Tenable.ad | 29d350db-0ac0-4f4c-92ff-dac0f6335612 |
| Tenable.ad privileged accounts issues | 353d6474-d795-4086-a179-ba1db4d8bbcb | Tenable.ad | 353d6474-d795-4086-a179-ba1db4d8bbcb |
| Tenable.ad user accounts issues | 4f8ed6f3-8815-437d-9462-f0def9dc70d6 | Tenable.ad | 4f8ed6f3-8815-437d-9462-f0def9dc70d6 |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom | bb9051ef-0e72-4758-a143-80c25ee452f0 |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom | 74b80987-0a62-448c-8779-47b02e17d3cf |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom | d200da84-0191-44ce-ad9e-b85e64c84c89 |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom | cf7fb616-ac80-40ce-ad18-aa18912811f8 |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom | 4cb34832-f73a-49f2-8d38-c2d135c5440b |
| Theom - Dev secrets unencrypted | f2490f5b-269c-471d-9ff4-475f62ea498e | Theom | f2490f5b-269c-471d-9ff4-475f62ea498e |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | CefAma | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | CefAma | ce54b5d3-4c31-4eaf-a73e-31412270b6ab |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | CefAma | 39e48890-2c02-487e-aa9e-3ba494061798 |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | CefAma | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | CefAma | 33e3b6da-2660-4cd7-9032-11be76db88d2 |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | CefAma | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 |
| Alarming number of anomalies generated in NetBackup | 2e0efcd4-56d2-41df-9098-d6898a58c62b | 2e0efcd4-56d2-41df-9098-d6898a58c62b | |
| Multiple failed attempts of NetBackup login | d39f0c47-2e85-49b9-a686-388c2eb7062c | d39f0c47-2e85-49b9-a686-388c2eb7062c | |
| VMware ESXi - Multiple Failed Shell Login via SSH | 22d177d5-588c-4f1a-a332-2695f52079bb | SyslogAma | 22d177d5-588c-4f1a-a332-2695f52079bb |
| Identify instances where a single source is observed using multiple user agents (ASIM Web Session) | 813ccf3b-0321-4622-b0bc-63518fd14454 | 813ccf3b-0321-4622-b0bc-63518fd14454 | |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Excessive Windows Logon Failures | 2391ce61-8c8d-41ac-9723-d945b2e90720 | SecurityEvents WindowsSecurityEvents | 2391ce61-8c8d-41ac-9723-d945b2e90720 |
| SecurityEvent - Multiple authentication failures followed by a success | cf3ede88-a429-493b-9108-3e46d3c741f7 | SecurityEvents WindowsSecurityEvents | cf3ede88-a429-493b-9108-3e46d3c741f7 |
| Non Domain Controller Active Directory Replication | b9d2eebc-5dcb-4888-8165-900db44443ab | SecurityEvents WindowsSecurityEvents | b9d2eebc-5dcb-4888-8165-900db44443ab |
| Zero Networks Segment - New API Token created | 603a6b18-b54a-43b7-bb61-d2b0b47d224a | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller | 603a6b18-b54a-43b7-bb61-d2b0b47d224a |
| Brute force attack against user credentials (Uses Authentication Normalization) | a6c435a2-b1a0-466d-b730-9f8af69262e8 | a6c435a2-b1a0-466d-b730-9f8af69262e8 | |
| Potential Password Spray Attack (Uses Authentication Normalization) | 6a2e2ff4-5568-475e-bef2-b95f12b9367b | 6a2e2ff4-5568-475e-bef2-b95f12b9367b | |
| Dev-0228 File Path Hashes November 2021 (ASIM Version) | 29a29e5d-354e-4f5e-8321-8b39d25047bf | 29a29e5d-354e-4f5e-8321-8b39d25047bf | |
| Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) | a1bddaf8-982b-4089-ba9e-6590dfcf80ea | SquidProxy Zscaler | a1bddaf8-982b-4089-ba9e-6590dfcf80ea |
| Wazuh - Large Number of Web errors from an IP | 2790795b-7dba-483e-853f-44aa0bc9c985 | 2790795b-7dba-483e-853f-44aa0bc9c985 | |
| Trust Monitor Event | 8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182 | 8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182 | |
| IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN | ba144bf8-75b8-406f-9420-ed74397f9479 | AzureActiveDirectory PaloAltoNetworks | ba144bf8-75b8-406f-9420-ed74397f9479 |
| Failed AzureAD logons but success logon to AWS Console | 643c2025-9604-47c5-833f-7b4b9378a1f5 | AzureActiveDirectory AWS | 643c2025-9604-47c5-833f-7b4b9378a1f5 |
| Failed AzureAD logons but success logon to host | 8ee967a2-a645-4832-85f4-72b635bcb3a6 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents | 8ee967a2-a645-4832-85f4-72b635bcb3a6 |
| Failed AWS Console logons but success logon to AzureAD | 910124df-913c-47e3-a7cd-29e1643fa55e | AzureActiveDirectory AWS | 910124df-913c-47e3-a7cd-29e1643fa55e |
| Dev-0228 File Path Hashes November 2021 | 3b443f22-9be9-4c35-ac70-a94757748439 | MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection | 3b443f22-9be9-4c35-ac70-a94757748439 |
| Europium - Hash and IP IOCs - September 2022 | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection Office365 AzureFirewall WindowsFirewall | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 |
| Failed host logons but success logon to AzureAD | 1ce5e766-26ab-4616-b7c8-3b33ae321e80 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents | 1ce5e766-26ab-4616-b7c8-3b33ae321e80 |
| Multiple Password Reset by user | 0b9ae89d-8cad-461c-808f-0494f70ad5c4 | AzureActiveDirectory SecurityEvents Syslog Office365 WindowsSecurityEvents WindowsForwardedEvents | 0b9ae89d-8cad-461c-808f-0494f70ad5c4 |
| Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity BehaviorAnalytics | 11bda520-a965-4654-9a45-d09f372f71aa |
| AD FS Abnormal EKU object identifier attribute | cfc1ae62-db63-4a3e-b88b-dc04030c2257 | SecurityEvents | cfc1ae62-db63-4a3e-b88b-dc04030c2257 |
| Failed logon attempts by valid accounts within 10 mins | 0777f138-e5d8-4eab-bec1-e11ddfbc2be2 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | 0777f138-e5d8-4eab-bec1-e11ddfbc2be2 |
| Potential Kerberoasting | 1572e66b-20a7-4012-9ec4-77ec4b101bc8 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | 1572e66b-20a7-4012-9ec4-77ec4b101bc8 |
| New country signIn with correct password | 7808c05a-3afd-4d13-998a-a59e2297693f | AzureActiveDirectory | 7808c05a-3afd-4d13-998a-a59e2297693f |
| High count of failed attempts from same client IP | 19e01883-15d8-4eb6-a7a5-3276cd668388 | AzureMonitor(IIS) | 19e01883-15d8-4eb6-a7a5-3276cd668388 |
| High count of failed logons by a user | 884c4957-70ea-4f57-80b9-1bca3890315b | AzureMonitor(IIS) | 884c4957-70ea-4f57-80b9-1bca3890315b |
| Zoom E2E Encryption Disabled | e4779bdc-397a-4b71-be28-59e6a1e1d16b | e4779bdc-397a-4b71-be28-59e6a1e1d16b | |
| External User Access Enabled | 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3 | 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3 |