Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CredentialAccess

Overview

Rule NameidRequired data connectors
1Password - Secret extraction post vault access change by administrator6711b747-16d7-4df4-9f61-8633617f45d71Password
1Password - Vault export post account creation969e2e5c-9cc6-423c-a3de-514f7ad75fe71Password
1Password - Vault export prior to account suspension or deletion51617533-cf51-4415-9020-b15bd47d69d21Password
1Password - Vault exportdae4c601-51c9-47f5-83d3-e6eaef929cf61Password
API - Account Takeover25c86f99-0a91-4b7f-88f3-599a008e5ab842CrunchAPIProtection
API - JWT validationbbd163f4-1f56-434f-9c23-b06713c119c242CrunchAPIProtection
API - Password Crackingd951d64d-0ecd-4675-8c79-6c870d5f72ac42CrunchAPIProtection
API - Suspicious Login7bdc10d6-aa24-4ca9-9a93-802cd876135442CrunchAPIProtection
Alsid Active Directory attacks pathways9649e203-3cb7-47ff-89a9-42f2a5eefe31AlsidForAD
Alsid DCSyncd3c658bd-8da9-4372-82e4-aaffa922f428AlsidForAD
Alsid Golden Ticket21ab3f52-6d79-47e3-97f8-ad65f2cb29fbAlsidForAD
Alsid Indicators of Attack3caa67ef-8ed3-4ab5-baf2-3850d3667f3dAlsidForAD
Alsid Indicators of Exposures154fde9f-ae00-4422-a8da-ef00b11da3fcAlsidForAD
Alsid LSASS Memory3acf5617-7c41-4085-9a79-cc3a425ba83aAlsidForAD
Alsid Password Guessingba239935-42c2-472d-80ba-689186099ea1AlsidForAD
Alsid Password issues472b7cf4-bf1a-4061-b9ab-9fe4894e3c17AlsidForAD
Alsid Password Spraying9e20eb4e-cc0d-4349-a99d-cad756859dfbAlsidForAD
Alsid privileged accounts issuesa5fe9489-cf8b-47ae-a87e-8f3a13e4203eAlsidForAD
Alsid user accounts issuesfb9e0b51-8867-48d7-86f4-6e76f2176bf8AlsidForAD
Credential Dumping Tools - Service Installation4ebbb5c2-8802-11ec-a8a3-0242ac120002SecurityEvents
WindowsSecurityEvents
Credential Dumping Tools - File Artifacts32ffb19e-8ed8-40ed-87a0-1adb4746b7c4SecurityEvents
WindowsSecurityEvents
Powershell Empire Cmdlets Executed in Command Lineef88eb96-861c-43a0-ab16-f3835a97c928SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Password Exfiltration over SCIM application2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaaAuthomize
Microsoft Entra ID Hybrid Health AD FS Suspicious Applicationd9938c3b-16f9-444d-bc22-ea9a9110e0fdAzureActivity
Rare subscription-level operations in Azure23de46ea-c425-4a77-b456-511ae4855d69AzureActivity
Mass secret retrieval from Azure Key Vault24f8c234-d1ff-40ec-8b73-96b17a3a9c1cAzureKeyVault
Azure Key Vault access TimeSeries anomaly0914adab-90b5-47a3-a79f-7cdcac843aa7AzureKeyVault
Azure DevOps PAT used with Browser5f0d80db-3415-4265-9d52-8466b7372e3a
Azure DevOps Variable Secret Not Secured4ca74dc0-8352-4ac5-893c-73571cc78331
Bitglass - Multiple failed logins7c570bfc-9f20-490e-80e8-b898c7ce4bdaBitglass
CiscoISE - Certificate has expired6107cba5-2974-4c22-8222-2a6f7bbea664SyslogAma
Multi-Factor Authentication Disabled for a User65c78944-930b-4cae-bd79-c3664ae30ba7AzureActiveDirectory
AWS
Corelight - Forced External Outbound SMB73f23aa2-5cc4-4507-940b-75c9092e9e01Corelight
Cookies: HttpOnly Flag Not Usede303d68e-08a7-4382-ab31-6a4bd80e8066HVPollingIDAzureFunctions
Cookies: Secure Flag Not Used91da8421-6066-4570-8a0b-25d980810109HVPollingIDAzureFunctions
Header: HTTP Strict Transport Security Missinga3efb9ff-14a4-42ef-b019-0b9cbe5d3888HVPollingIDAzureFunctions
Header: Referrer-Policy Missing5ee7098a-f0d8-46bf-806d-25015145e24fHVPollingIDAzureFunctions
Leaked Credentiala0a46e91-3f94-4ed4-ab70-ecd36ae0ead0CBSPollingIDAzureFunctions
TLS Certificate Hostname Mismatch69761091-1a9a-49a9-8966-be68cd550766HVPollingIDAzureFunctions
TLS Certificate Using Weak Cipher - Informational1bdf3cba-6b85-4b88-ab1e-681bac20d41fHVPollingIDAzureFunctions
TLS Certificate Using Weak Cipher - Medium7bbe51fe-9c5f-4f54-a079-b84cc27737a1HVPollingIDAzureFunctions
TLSv1.1 in Use - info049edfdd-0331-4493-bcd7-b375bba7b551HVPollingIDAzureFunctions
TLSv1.1 in Use - Medium92400070-199b-46d3-bd86-2fb8421b5338HVPollingIDAzureFunctions
TLSv1 in Use - Low9435d04a-e8a6-49e5-90c4-e7f3456f9ed5HVPollingIDAzureFunctions
TLSv1 in Use - Medium93f2ab34-15a3-4199-ad5a-6ebf8d2ad449HVPollingIDAzureFunctions
Cynerio - IoT - Default password84e0ea1f-766d-4775-836a-c0c9cca05085CynerioSecurityEvents
Cynerio - IoT - Weak password65db1346-6435-4079-bbf4-9a7113c98054CynerioSecurityEvents
Dumping LSASS Process Into a Filea7b9df32-1367-402d-b385-882daf6e3020SecurityEvents
WindowsSecurityEvents
WDigest downgrade attackf6502545-ae3a-4232-a8b0-79d87e5c98d7SecurityEvents
WindowsSecurityEvents
Threats detected by Eset2d8a60aa-c15e-442e-9ce3-ee924889d2a6EsetSMC
Expired access credentials being used in Azure433c3b0a-7278-4d74-b137-963ac6f9a7e7AzureActiveDirectory
Password Sprayinge00f72ab-fea1-4a31-9ecc-eea6397cd38dMicrosoftThreatProtection
Flare Leaked Credentials9cb7c337-f170-4af6-b0e8-b6b7552d762dFlare
Flare Infected Device9cb7c337-f176-4af6-b0e8-b6b7552d762dFlare
GitHub Security Vulnerability in Repository5436f471-b03d-41cb-b333-65891f887c43
GitLab - Brute-force Attempts2238d13a-cf05-4973-a83f-d12a25dbb153Syslog
GitLab - Local Auth - No MFAe0b45487-5c79-482d-8ac0-695de8c031afSyslog
GitLab - Repository visibility to Public8b291c3d-90ba-4ebf-af2c-0283192d430eSyslog
GitLab - SSO - Sign-Ins Burst57b1634b-531d-4eab-a456-8b855887428fAzureActiveDirectory
Google DNS - Exchange online autodiscover abuse424c2aca-5367-4247-917a-5d0f7035e40eGCPDNSDataConnector
GWorkspace - Possible brute force attack8f6cd9a4-5e57-11ec-bf63-0242ac130002GoogleWorkspaceReportsAPI
GWorkspace - Two-step authentification disabled for a userc8cc02d0-5da6-11ec-bf63-0242ac130002GoogleWorkspaceReportsAPI
Illusive Incidents Analytic Rule1a7dbcf6-21a2-4255-84b2-c8dbbdca4630Illusive
illusiveAttackManagementSystemAma
CefAma
Highly Sensitive Password Accessedb39e6482-ab7e-4817-813d-ec910b64b26eLastPass
[Deprecated] - Known Diamond Sleet related maldoc hash3174a9ec-d0ad-4152-8307-94ed04fa450aCiscoASA
PaloAltoNetworks
SecurityEvents
[Deprecated] - Emerald Sleet domains included in DCU takedown70b12a3b-4896-42cb-910c-5ffaf8d7987dDNS
AzureMonitor(VMInsights)
CiscoASA
PaloAltoNetworks
AzureFirewall
Zscaler
InfobloxNIOS
GCPDNSDataConnector
NXLogDnsLogs
CiscoUmbrellaDataConnector
Corelight
[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 202068271db2-cbe9-4009-b1d3-bb3b5fe5713cOffice365
[Deprecated] - Known Granite Typhoon domains and hashes26a3b261-b997-4374-94ea-6c37f67f4f39DNS
AzureMonitor(VMInsights)
CiscoASA
PaloAltoNetworks
SecurityEvents
AzureFirewall
Zscaler
InfobloxNIOS
GCPDNSDataConnector
NXLogDnsLogs
CiscoUmbrellaDataConnector
Corelight
[Deprecated] - Known Ruby Sleet domains and hashesc87fb346-ea3a-4c64-ba92-3dd383e0f0b5SquidProxy
DNS
AzureMonitor(VMInsights)
CiscoASA
PaloAltoNetworks
AzureFirewall
Zscaler
InfobloxNIOS
GCPDNSDataConnector
NXLogDnsLogs
CiscoUmbrellaDataConnector
Corelight
Dataverse - Anomalous application user activity0820da12-e895-417f-9175-7c256fcfb33eDataverse
Dataverse - Login by a sensitive privileged userf327816b-9328-4b17-9290-a02adc2f4928Dataverse
Dataverse - New Dataverse application user activity type5c768e7d-7e5e-4d57-80d4-3f50c96fbf70Dataverse
F&O - Bank account change following network alias reassignmentdccbdb5b-2ce7-4931-bfbe-f1ad6523ee64Dynamics365Finance
F&O - Non-interactive account mapped to self or sensitive privileged user5b7cc7f9-fe54-4138-9fb0-d650807345d3Dynamics365Finance
F&O - Unusual sign-in activity using single factor authentication919e939f-95e2-4978-846e-13a721c89ea1AzureActiveDirectory
DopplePaymer Procdump1be34fb9-f81b-47ae-84fb-465e6686d76cMicrosoftThreatProtection
LSASS Credential Dumping with Procdumpc332b840-61e4-462e-a201-0e2d69bad45dMicrosoftThreatProtection
Detect Potential Kerberoast Activities12134de5-361b-427c-a1a0-d43f40a593c4MicrosoftThreatProtection
LaZagne Credential Theft7d0d3050-8dac-4b83-bfae-902f7dc0c21cMicrosoftThreatProtection
Modified domain federation trust settings95dc4ae3-e0f2-48bd-b996-cdd22b90f9afAzureActiveDirectory
Password spray attack against ADFSSignInLogs5533fe80-905e-49d5-889a-df27d2c3976dAzureActiveDirectory
Brute Force Attack against GitHub Account97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06AzureActiveDirectory
Brute force attack against a Cloud PC3fbc20a4-04c4-464e-8fcb-6667f53e4987AzureActiveDirectory
Credential added after admin consented to Application707494a5-8e44-486b-90f8-155d1797a8ebAzureActiveDirectory
Distributed Password cracking attempts in Microsoft Entra IDbfb1c90f-8006-4325-98be-c7fffbc254d6AzureActiveDirectory
[Deprecated] Explicit MFA Denya22740ec-fc1e-4c91-8de6-c29c6450ad00AzureActiveDirectory
MicrosoftThreatProtection
Failed login attempts to Azure Portal223db5c1-1bf8-47d8-8806-bed401b356a4AzureActiveDirectory
Suspicious application consent similar to O365 Attack Toolkitf948a32f-226c-4116-bddd-d95e91d97eb9AzureActiveDirectory
Suspicious application consent similar to PwnAuth39198934-62a0-4781-8416-a81265c03fd6AzureActiveDirectory
MFA Spamming followed by Successful logina8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8bAzureActiveDirectory
NRT Modified domain federation trust settings8540c842-5bbc-4a24-9fb2-a836c0e55a51AzureActiveDirectory
Password spray attack against Microsoft Entra ID Seamless SSOfb7ca1c9-e14c-40a3-856e-28f3c14ea1baAzureActiveDirectory
GitHub Signin Burst from Multiple Locationsd3980830-dd9d-40a5-911f-76b44dfdce16AzureActiveDirectory
Brute force attack against Azure Portal28b42356-45af-40a6-a0b4-a554cdfd5d8aAzureActiveDirectory
Password spray attack against Microsoft Entra ID application48607a29-a26a-4abf-8078-a06dbdd174a4AzureActiveDirectory
Successful logon from IP and failure from a different IP02ef8d7e-fc3a-4d86-a457-650fa571d8d2AzureActiveDirectory
BehaviorAnalytics
Suspicious Entra ID Joined Device Update3a3c6835-0086-40ca-b033-a93bf26d878fAzureActiveDirectory
Suspicious application consent for offline access3533f74c-9207-4047-96e2-0eb9383be587AzureActiveDirectory
Suspicious Service Principal creation activity6852d9da-8015-4b95-8ecf-d9572ee0395dAzureActiveDirectory
Mimecast Audit - Logon Authentication Failedf00197ab-491f-41e7-9e22-a7003a4c1e54MimecastAuditAPI
Mimecast Audit - Logon Authentication Failed9c5dcd76-9f6d-42a3-b984-314b52678f20MimecastAuditAPI
Cross-Cloud Password Spray detection1f40ed57-f54b-462f-906a-ac3a89cc90d4AWS
AzureActiveDirectory
BehaviorAnalytics
MicrosoftThreatProtection
Cross-Cloud Suspicious Compute resource creation in GCP5c847e47-0a07-4c01-ab99-5817ad6cb11eGCPAuditLogsDefinition
AWSS3
Cross-Cloud Suspicious user activity observed in GCP Envourment58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7GCPAuditLogsDefinition
AzureActiveDirectoryIdentityProtection
MicrosoftThreatProtection
MicrosoftDefenderAdvancedThreatProtection
MicrosoftCloudAppSecurity
Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login122fbc6a-57ab-4aa7-b9a9-51ac4970cac1AzureActiveDirectory
AWSS3
Successful AWS Console Login from IP Address Observed Conducting Password Spray188db479-d50a-4a9c-a041-644bae347d1fAWS
MicrosoftDefenderAdvancedThreatProtection
AzureActiveDirectoryIdentityProtection
BehaviorAnalytics
MicrosoftThreatProtection
Suspicious AWS console logins by credential access alertsb51fe620-62ad-4ed2-9d40-5c97c0a8231fOfficeATP
AWS
MicrosoftDefenderAdvancedThreatProtection
AzureActiveDirectoryIdentityProtection
BehaviorAnalytics
MicrosoftThreatProtection
Unauthorized user access across AWS and Azure60f31001-018a-42bf-8045-a92e1f361b7bAzureActiveDirectory
AWSS3
Remote Desktop Network Brute force (ASIM Network Session schema)b7dc801e-1e79-48bb-91e8-2229a8e6d40b
Failed Logins from Unknown or Invalid User884be6e7-e568-418e-9c12-89229865ffdeOktaSSO
OktaSSOv2
MFA Fatigue (OKTA)c2697b81-7fe9-4f57-ba1d-de46c6f91f9cOktaSSO
OktaSSOv2
Potential Password Spray Attacke27dd7e5-4367-4c40-a2b7-fcd7e7a8a508OktaSSO
OktaSSOv2
Palo Alto Prisma Cloud - Multiple failed logins for user4f688252-bf9b-4136-87bf-d540b5be1050PaloAltoPrismaCloud
Ping Federate - Abnormal password reset attemptse45a7334-2cb4-4690-8156-f02cac73d584CefAma
PulseConnectSecure - Potential Brute Force Attempts34663177-8abf-4db1-b0a4-5683ab273f44PulseConnectSecure
SyslogAma
PulseConnectSecure - Large Number of Distinct Failed User Logins1fa1528e-f746-4794-8a41-14827f4cb798PulseConnectSecure
SyslogAma
Pure Failed Logined32b115-5001-43a7-a2bb-f53026db4d97
Red Canary Threat Detection6d263abb-6445-45cc-93e9-c593d3d77b89RedCanaryDataConnector
Brute force attack against user credentials5a6ce089-e756-40fb-b022-c8e8864a973aSalesforceServiceCloud
Potential Password Spray Attack64d16e62-1a17-4a35-9ea7-2b9fe6f07118SalesforceServiceCloud
BTP - Trust and authorization Identity Provider monitor62357c23-ecdc-4edc-9349-8338063af1efSAPBTPAuditEvents
Possible AiTM Phishing Attempt Against Microsoft Entra ID16daa67c-b137-48dc-8eb7-76598a44791aAzureActiveDirectory
Zscaler
Semperis DSP Failed Logons0e105444-fe13-4ce6-9239-21880076a3f9SemperisDSP
Semperis DSP Operations Critical Notifications8f471e21-3bb2-466f-9bc2-0a0326a60788SemperisDSP
Semperis DSP Kerberos krbtgt account with old password9ff3b26b-7636-412e-ac46-072b084b94cbSemperisDSP
Azure secure score block legacy authenticationC27BB559-28C5-4924-A7DA-3BF04CD02C8FSenservaPro
Azure secure score MFA registration V28EB2B20A-BF64-4DCC-9D98-1AD559502C00SenservaPro
Azure secure score PW age policy new88C9A5E0-31EC-490B-82E5-A286D9B99A67SenservaPro
Sentinel One - User viewed agent’s passphrase51999097-60f4-42c0-bee8-fa28160e5583SentinelOne
Silverfort - UserBruteForce Incident46ff357b-9e98-465b-9e45-cd52fa4a7522SilverfortAma
SlackAudit - Multiple failed logins for user93a91c37-032c-4380-847c-957c001957adSlackAuditAPI
SonicWall - Allowed SSH, Telnet, and RDP Connections27f1a570-5f20-496b-88f6-a9aa2c5c9534CEF
SonicWallFirewall
CefAma
New Sonrai Ticketbcc3362d-b6f9-4de0-b41c-707fafd5a416SonraiDataConnector
Sonrai Ticket Assigned37a8d052-a3db-4dc6-9dca-9390cac6f486SonraiDataConnector
Sonrai Ticket Closedf5d467de-b5a2-4b4f-96db-55e27c733594SonraiDataConnector
Sonrai Ticket Escalation Executed0d29c93e-b83f-4dfb-bbbb-76824b77eecaSonraiDataConnector
Sonrai Ticket Escalation Executed822fff15-ea68-4d0f-94ee-b4482ddb6f3aSonraiDataConnector
Sonrai Ticket Reopenedb60129ab-ce22-4b76-858d-3204932a13ccSonraiDataConnector
Sonrai Ticket Risk Accepted080191e8-271d-4ae6-85ce-c7bcd4b06b40SonraiDataConnector
Sonrai Ticket Snoozed10e6c454-5cad-4f86-81ce-800235cb050aSonraiDataConnector
Sonrai Ticket Updatedaf9b8eb1-a8ef-40aa-92a4-1fc73a1479c7SonraiDataConnector
SpyCloud Enterprise Breach Detectioncb410ad5-6e9d-4278-b963-1e3af205d680
SpyCloud Enterprise Malware Detection7ba50f9e-2f94-462b-a54b-8642b8c041f5
ClientDeniedAccessa9956d3a-07a9-44a6-a279-081a85020caeSymantecVIP
SyslogAma
Excessive Failed Authentication from Invalid Inputsc775a46b-21b1-46d7-afa6-37e3e577a27bSymantecVIP
SyslogAma
Failed logon attempts in authprive7ec9fa6-e7f7-41ed-a34b-b956837a3ee6Syslog
SyslogAma
SSH - Potential Brute Forcee1ce0eab-10d1-4aae-863f-9a383345ba88Syslog
SyslogAma
TIE Active Directory attacks pathwaysde549a62-f595-4810-88bd-621338186588TenableIE
TIE DCSync19d1f964-ddcf-437b-92ce-b9c1c14d24f1TenableIE
TIE Golden Ticket216e12dd-165a-4537-b241-32e1bd3330c7TenableIE
TIE Indicators of Attack6c75f0d2-2973-4188-bb05-ec7bc8696120TenableIE
TIE Indicators of Exposuresf6ae2eb2-97c9-4e0f-ae73-7420ef80d99dTenableIE
TIE LSASS Memory7851f57c-98b6-43c6-9747-9bb7cf11f21cTenableIE
TIE Password Guessingd1416c25-5a56-4a88-8d7c-568e6551a307TenableIE
TIE Password issues87af910a-e9c0-4c96-8045-f778ba405251TenableIE
TIE Password Sprayingf47eb8cb-4acb-4ee4-887d-0247c6d73a72TenableIE
TIE privileged accounts issues5c170c73-75ba-48ea-8dfc-e4e2d4f23979TenableIE
TIE user accounts issuesc4562ef3-d821-4089-b6c0-120d95c855e6TenableIE
Tenable.ad Active Directory attacks pathways4639bb0a-ca12-4a57-8e53-f61c2c6034d6Tenable.ad
Tenable.ad DCSync0c8d4de3-adb9-4161-a863-aa1e2c8bd959Tenable.ad
Tenable.ad Golden Ticketd1abda25-f88a-429a-8163-582533cd0defTenable.ad
Tenable.ad Indicators of Attack6405329a-8d20-48f3-aabc-e1b8a745568eTenable.ad
Tenable.ad Indicators of Exposures55de1072-e93f-40f9-a14d-f7356d217cf6Tenable.ad
Tenable.ad LSASS Memory6f7fa5f9-7d21-42c1-bc52-ac355b87c6cfTenable.ad
Tenable.ad Password Guessing44d74560-0cd1-4e73-a8f5-d16eeeba219eTenable.ad
Tenable.ad Password issues2518b57f-1a8b-44ea-935d-7dc1cfe4f918Tenable.ad
Tenable.ad Password Spraying29d350db-0ac0-4f4c-92ff-dac0f6335612Tenable.ad
Tenable.ad privileged accounts issues353d6474-d795-4086-a179-ba1db4d8bbcbTenable.ad
Tenable.ad user accounts issues4f8ed6f3-8815-437d-9462-f0def9dc70d6Tenable.ad
Theom Critical Risksbb9051ef-0e72-4758-a143-80c25ee452f0Theom
Theom High Risks74b80987-0a62-448c-8779-47b02e17d3cfTheom
Theom Insightsd200da84-0191-44ce-ad9e-b85e64c84c89Theom
Theom Low Riskscf7fb616-ac80-40ce-ad18-aa18912811f8Theom
Theom Medium Risks4cb34832-f73a-49f2-8d38-c2d135c5440bTheom
Theom - Dev secrets unencryptedf2490f5b-269c-471d-9ff4-475f62ea498eTheom
Vectra AI Detect - Suspected Compromised Account321f9dbd-64b7-4541-81dc-08cf7732ccb0CefAma
Vectra Account’s Behaviorsce54b5d3-4c31-4eaf-a73e-31412270b6abCefAma
Vectra AI Detect - Detections with High Severity39e48890-2c02-487e-aa9e-3ba494061798CefAma
Vectra AI Detect - Suspected Compromised Host60eb6cf0-3fa1-44c1-b1fe-220fbee23d63CefAma
Vectra Host’s Behaviors33e3b6da-2660-4cd7-9032-11be76db88d2CefAma
Vectra AI Detect - Suspicious Behaviors by Category6cb75f65-231f-46c4-a0b3-50ff21ee6ed3CefAma
Alarming number of anomalies generated in NetBackup2e0efcd4-56d2-41df-9098-d6898a58c62b
Multiple failed attempts of NetBackup logind39f0c47-2e85-49b9-a686-388c2eb7062c
Identify instances where a single source is observed using multiple user agents (ASIM Web Session)813ccf3b-0321-4622-b0bc-63518fd14454
Detect potential file enumeration activity (ASIM Web Session)b3731ce1-1f04-47c4-95c2-9827408c4375
Excessive Windows Logon Failures2391ce61-8c8d-41ac-9723-d945b2e90720SecurityEvents
WindowsSecurityEvents
SecurityEvent - Multiple authentication failures followed by a successcf3ede88-a429-493b-9108-3e46d3c741f7SecurityEvents
WindowsSecurityEvents
Non Domain Controller Active Directory Replicationb9d2eebc-5dcb-4888-8165-900db44443abSecurityEvents
WindowsSecurityEvents
Zero Networks Segment - New API Token created603a6b18-b54a-43b7-bb61-d2b0b47d224aZeroNetworksSegmentAuditFunction
ZeroNetworksSegmentAuditNativePoller
Brute force attack against user credentials (Uses Authentication Normalization)a6c435a2-b1a0-466d-b730-9f8af69262e8
Potential Password Spray Attack (Uses Authentication Normalization)6a2e2ff4-5568-475e-bef2-b95f12b9367b
Dev-0228 File Path Hashes November 2021 (ASIM Version)29a29e5d-354e-4f5e-8321-8b39d25047bf
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)a1bddaf8-982b-4089-ba9e-6590dfcf80eaSquidProxy
Zscaler
Wazuh - Large Number of Web errors from an IP2790795b-7dba-483e-853f-44aa0bc9c985
Trust Monitor Event8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182
IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPNba144bf8-75b8-406f-9420-ed74397f9479AzureActiveDirectory
PaloAltoNetworks
Failed AzureAD logons but success logon to AWS Console643c2025-9604-47c5-833f-7b4b9378a1f5AzureActiveDirectory
AWS
Failed AzureAD logons but success logon to host8ee967a2-a645-4832-85f4-72b635bcb3a6AzureActiveDirectory
SecurityEvents
Syslog
WindowsSecurityEvents
WindowsForwardedEvents
Failed AWS Console logons but success logon to AzureAD910124df-913c-47e3-a7cd-29e1643fa55eAzureActiveDirectory
AWS
Dev-0228 File Path Hashes November 20213b443f22-9be9-4c35-ac70-a94757748439MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
Europium - Hash and IP IOCs - September 20229d8b5a18-b7db-4c23-84a6-95febaf7e1e4DNS
AzureMonitor(VMInsights)
F5
CiscoASA
PaloAltoNetworks
Fortinet
CheckPoint
CEF
MicrosoftThreatProtection
Office365
AzureFirewall
WindowsFirewall
Failed host logons but success logon to AzureAD1ce5e766-26ab-4616-b7c8-3b33ae321e80AzureActiveDirectory
SecurityEvents
Syslog
WindowsSecurityEvents
WindowsForwardedEvents
Multiple Password Reset by user0b9ae89d-8cad-461c-808f-0494f70ad5c4AzureActiveDirectory
SecurityEvents
Syslog
Office365
WindowsSecurityEvents
WindowsForwardedEvents
Azure VM Run Command operation executed during suspicious login window11bda520-a965-4654-9a45-d09f372f71aaAzureActivity
BehaviorAnalytics
AD FS Abnormal EKU object identifier attributecfc1ae62-db63-4a3e-b88b-dc04030c2257SecurityEvents
Failed logon attempts by valid accounts within 10 mins0777f138-e5d8-4eab-bec1-e11ddfbc2be2SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Potential Kerberoasting1572e66b-20a7-4012-9ec4-77ec4b101bc8SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
New country signIn with correct password7808c05a-3afd-4d13-998a-a59e2297693fAzureActiveDirectory
High count of failed attempts from same client IP19e01883-15d8-4eb6-a7a5-3276cd668388AzureMonitor(IIS)
High count of failed logons by a user884c4957-70ea-4f57-80b9-1bca3890315bAzureMonitor(IIS)
Zoom E2E Encryption Disablede4779bdc-397a-4b71-be28-59e6a1e1d16b
External User Access Enabled8e267e91-6bda-4b3c-bf68-9f5cbdd103a3