CredentialAccess
| Rule Name | id | Required data connectors |
|---|---|---|
| API - Account Takeover | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 | 42CrunchAPIProtection |
| API - JWT validation | bbd163f4-1f56-434f-9c23-b06713c119c2 | 42CrunchAPIProtection |
| API - Password Cracking | d951d64d-0ecd-4675-8c79-6c870d5f72ac | 42CrunchAPIProtection |
| API - Suspicious Login | 7bdc10d6-aa24-4ca9-9a93-802cd8761354 | 42CrunchAPIProtection |
| Alsid Active Directory attacks pathways | 9649e203-3cb7-47ff-89a9-42f2a5eefe31 | AlsidForAD |
| Alsid DCSync | d3c658bd-8da9-4372-82e4-aaffa922f428 | AlsidForAD |
| Alsid Golden Ticket | 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb | AlsidForAD |
| Alsid Indicators of Attack | 3caa67ef-8ed3-4ab5-baf2-3850d3667f3d | AlsidForAD |
| Alsid Indicators of Exposures | 154fde9f-ae00-4422-a8da-ef00b11da3fc | AlsidForAD |
| Alsid LSASS Memory | 3acf5617-7c41-4085-9a79-cc3a425ba83a | AlsidForAD |
| Alsid Password Guessing | ba239935-42c2-472d-80ba-689186099ea1 | AlsidForAD |
| Alsid Password issues | 472b7cf4-bf1a-4061-b9ab-9fe4894e3c17 | AlsidForAD |
| Alsid Password Spraying | 9e20eb4e-cc0d-4349-a99d-cad756859dfb | AlsidForAD |
| Alsid privileged accounts issues | a5fe9489-cf8b-47ae-a87e-8f3a13e4203e | AlsidForAD |
| Alsid user accounts issues | fb9e0b51-8867-48d7-86f4-6e76f2176bf8 | AlsidForAD |
| Credential Dumping Tools - Service Installation | 4ebbb5c2-8802-11ec-a8a3-0242ac120002 | SecurityEvents |
| Credential Dumping Tools - File Artifacts | 32ffb19e-8ed8-40ed-87a0-1adb4746b7c4 | SecurityEvents |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory |
| Password spray attack against ADFSSignInLogs | 5533fe80-905e-49d5-889a-df27d2c3976d | AzureActiveDirectory |
| Brute Force Attack against GitHub Account | 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06 | AzureActiveDirectory |
| Brute force attack against a Cloud PC | 3fbc20a4-04c4-464e-8fcb-6667f53e4987 | AzureActiveDirectory |
| Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory |
| Distributed Password cracking attempts in AzureAD | bfb1c90f-8006-4325-98be-c7fffbc254d6 | AzureActiveDirectory |
| Explicit MFA Deny | a22740ec-fc1e-4c91-8de6-c29c6450ad00 | AzureActiveDirectory |
| Failed login attempts to Azure Portal | 223db5c1-1bf8-47d8-8806-bed401b356a4 | AzureActiveDirectory |
| Suspicious application consent similar to O365 Attack Toolkit | f948a32f-226c-4116-bddd-d95e91d97eb9 | AzureActiveDirectory |
| Suspicious application consent similar to PwnAuth | 39198934-62a0-4781-8416-a81265c03fd6 | AzureActiveDirectory |
| MFA Spamming followed by Successful login | a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b | AzureActiveDirectory |
| NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory |
| Password spray attack against Azure AD Seamless SSO | fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba | AzureActiveDirectory |
| GitHub Signin Burst from Multiple Locations | d3980830-dd9d-40a5-911f-76b44dfdce16 | AzureActiveDirectory |
| Brute force attack against Azure Portal | 28b42356-45af-40a6-a0b4-a554cdfd5d8a | AzureActiveDirectory |
| Password spray attack against Azure AD application | 48607a29-a26a-4abf-8078-a06dbdd174a4 | AzureActiveDirectory |
| Successful logon from IP and failure from a different IP | 02ef8d7e-fc3a-4d86-a457-650fa571d8d2 | AzureActiveDirectory BehaviorAnalytics IdentityInfo |
| Suspicious AAD Joined Device Update | 3a3c6835-0086-40ca-b033-a93bf26d878f | AzureActiveDirectory |
| Suspicious application consent for offline access | 3533f74c-9207-4047-96e2-0eb9383be587 | AzureActiveDirectory |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
| Azure Active Directory Hybrid Health AD FS Suspicious Application | d9938c3b-16f9-444d-bc22-ea9a9110e0fd | AzureActivity |
| Rare subscription-level operations in Azure | 23de46ea-c425-4a77-b456-511ae4855d69 | AzureActivity |
| Mass secret retrieval from Azure Key Vault | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c | AzureKeyVault |
| Azure Key Vault access TimeSeries anomaly | 0914adab-90b5-47a3-a79f-7cdcac843aa7 | AzureKeyVault |
| Azure DevOps PAT used with Browser. | 5f0d80db-3415-4265-9d52-8466b7372e3a | |
| Azure DevOps Variable Secret Not Secured | 4ca74dc0-8352-4ac5-893c-73571cc78331 | |
| Bitglass - Multiple failed logins | 7c570bfc-9f20-490e-80e8-b898c7ce4bda | Bitglass |
| CiscoISE - Certificate has expired | 6107cba5-2974-4c22-8222-2a6f7bbea664 | CiscoISE |
| CiscoISE - Device PostureStatus changed to non-compliant | 548a2eda-d3eb-46cc-8d4b-1601551629e4 | CiscoISE |
| Multi-Factor Authentication Disabled for a User | 65c78944-930b-4cae-bd79-c3664ae30ba7 | AzureActiveDirectory AWS |
| Corelight - Forced External Outbound SMB | 73f23aa2-5cc4-4507-940b-75c9092e9e01 | Corelight |
| Cynerio - IoT - Default password | 84e0ea1f-766d-4775-836a-c0c9cca05085 | CynerioSecurityEvents |
| Cynerio - IoT - Weak password | 65db1346-6435-4079-bbf4-9a7113c98054 | CynerioSecurityEvents |
| Dumping LSASS Process Into a File | a7b9df32-1367-402d-b385-882daf6e3020 | SecurityEvents |
| WDigest downgrade attack | f6502545-ae3a-4232-a8b0-79d87e5c98d7 | SecurityEvents |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
| Expired access credentials being used in Azure | 433c3b0a-7278-4d74-b137-963ac6f9a7e7 | AzureActiveDirectory |
| Password Spraying | e00f72ab-fea1-4a31-9ecc-eea6397cd38d | MicrosoftThreatProtection |
| Flare Leaked Credentials | 9cb7c337-f170-4af6-b0e8-b6b7552d762d | Flare |
| Flare Infected Device | 9cb7c337-f176-4af6-b0e8-b6b7552d762d | Flare |
| GitLab - Brute-force Attempts | 2238d13a-cf05-4973-a83f-d12a25dbb153 | Syslog |
| GitLab - Local Auth - No MFA | e0b45487-5c79-482d-8ac0-695de8c031af | Syslog |
| GitLab - Repository visibility to Public | 8b291c3d-90ba-4ebf-af2c-0283192d430e | Syslog |
| GitLab - SSO - Sign-Ins Burst | 57b1634b-531d-4eab-a456-8b855887428f | AzureActiveDirectory |
| Google DNS - Exchange online autodiscover abuse | 424c2aca-5367-4247-917a-5d0f7035e40e | GCPDNSDataConnector |
| GWorkspace - Possible brute force attack | 8f6cd9a4-5e57-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - Two-step authentification disabled for a user | c8cc02d0-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Highly Sensitive Password Accessed | b39e6482-ab7e-4817-813d-ec910b64b26e | LastPass |
| [Deprecated] - Known Diamond Sleet related maldoc hash | 3174a9ec-d0ad-4152-8307-94ed04fa450a | CiscoASA PaloAltoNetworks SecurityEvents |
| [Deprecated] - Emerald Sleet domains included in DCU takedown | 70b12a3b-4896-42cb-910c-5ffaf8d7987d | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020 | 68271db2-cbe9-4009-b1d3-bb3b5fe5713c | Office365 |
| [Deprecated] - Known Granite Typhoon domains and hashes | 26a3b261-b997-4374-94ea-6c37f67f4f39 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Ruby Sleet domains and hashes | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 | SquidProxy DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Possible Forest Blizzard attempted credential harvesting - Sept 2020 | 04384937-e927-4595-8f3c-89ff58ed231f | Office365 |
| Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI |
| Failed Logins from Unknown or Invalid User | 884be6e7-e568-418e-9c12-89229865ffde | OktaSSO |
| MFA Fatigue (OKTA) | c2697b81-7fe9-4f57-ba1d-de46c6f91f9c | OktaSSO |
| Potential Password Spray Attack | e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508 | OktaSSO |
| Palo Alto Prisma Cloud - Multiple failed logins for user | 4f688252-bf9b-4136-87bf-d540b5be1050 | PaloAltoPrismaCloud |
| Ping Federate - Abnormal password reset attempts | e45a7334-2cb4-4690-8156-f02cac73d584 | PingFederate PingFederateAma |
| PulseConnectSecure - Potential Brute Force Attempts | 34663177-8abf-4db1-b0a4-5683ab273f44 | PulseConnectSecure |
| PulseConnectSecure - Large Number of Distinct Failed User Logins | 1fa1528e-f746-4794-8a41-14827f4cb798 | PulseConnectSecure |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Brute force attack against user credentials | 5a6ce089-e756-40fb-b022-c8e8864a973a | SalesforceServiceCloud |
| Potential Password Spray Attack | 64d16e62-1a17-4a35-9ea7-2b9fe6f07118 | SalesforceServiceCloud |
| Possible AiTM Phishing Attempt Against Azure AD | 16daa67c-b137-48dc-8eb7-76598a44791a | AzureActiveDirectory Zscaler |
| Semperis DSP Kerberos krbtgt account with old password | 9ff3b26b-7636-412e-ac46-072b084b94cb | SemperisDSP |
| Azure secure score block legacy authentication | C27BB559-28C5-4924-A7DA-3BF04CD02C8F | SenservaPro |
| Azure secure score MFA registration V2 | 8EB2B20A-BF64-4DCC-9D98-1AD559502C00 | SenservaPro |
| Azure secure score PW age policy new | 88C9A5E0-31EC-490B-82E5-A286D9B99A67 | SenservaPro |
| Sentinel One - User viewed agent’s passphrase | 51999097-60f4-42c0-bee8-fa28160e5583 | SentinelOne |
| SlackAudit - Multiple failed logins for user | 93a91c37-032c-4380-847c-957c001957ad | SlackAuditAPI |
| SpyCloud Enterprise Breach Detection | cb410ad5-6e9d-4278-b963-1e3af205d680 | |
| SpyCloud Enterprise Malware Detection | 7ba50f9e-2f94-462b-a54b-8642b8c041f5 | |
| ClientDeniedAccess | a9956d3a-07a9-44a6-a279-081a85020cae | SymantecVIP |
| Excessive Failed Authentication from Invalid Inputs | c775a46b-21b1-46d7-afa6-37e3e577a27b | SymantecVIP |
| Failed logon attempts in authpriv | e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6 | Syslog |
| SSH - Potential Brute Force | e1ce0eab-10d1-4aae-863f-9a383345ba88 | Syslog |
| Tenable.ad Active Directory attacks pathways | 4639bb0a-ca12-4a57-8e53-f61c2c6034d6 | Tenable.ad |
| Tenable.ad DCSync | 0c8d4de3-adb9-4161-a863-aa1e2c8bd959 | Tenable.ad |
| Tenable.ad Golden Ticket | d1abda25-f88a-429a-8163-582533cd0def | Tenable.ad |
| Tenable.ad Indicators of Attack | 6405329a-8d20-48f3-aabc-e1b8a745568e | Tenable.ad |
| Tenable.ad Indicators of Exposures | 55de1072-e93f-40f9-a14d-f7356d217cf6 | Tenable.ad |
| Tenable.ad LSASS Memory | 6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf | Tenable.ad |
| Tenable.ad Password Guessing | 44d74560-0cd1-4e73-a8f5-d16eeeba219e | Tenable.ad |
| Tenable.ad Password issues | 2518b57f-1a8b-44ea-935d-7dc1cfe4f918 | Tenable.ad |
| Tenable.ad Password Spraying | 29d350db-0ac0-4f4c-92ff-dac0f6335612 | Tenable.ad |
| Tenable.ad privileged accounts issues | 353d6474-d795-4086-a179-ba1db4d8bbcb | Tenable.ad |
| Tenable.ad user accounts issues | 4f8ed6f3-8815-437d-9462-f0def9dc70d6 | Tenable.ad |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
| Identify instances where a single source is observed using multiple user agents (ASIM Web Session) | 813ccf3b-0321-4622-b0bc-63518fd14454 | |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Excessive Windows Logon Failures | 2391ce61-8c8d-41ac-9723-d945b2e90720 | SecurityEvents WindowsSecurityEvents |
| SecurityEvent - Multiple authentication failures followed by a success | cf3ede88-a429-493b-9108-3e46d3c741f7 | SecurityEvents WindowsSecurityEvents |
| Non Domain Controller Active Directory Replication | b9d2eebc-5dcb-4888-8165-900db44443ab | SecurityEvents WindowsSecurityEvents |
| Zero Networks Segment - New API Token created | 603a6b18-b54a-43b7-bb61-d2b0b47d224a | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller |
| Brute force attack against user credentials (Uses Authentication Normalization) | a6c435a2-b1a0-466d-b730-9f8af69262e8 | |
| Potential Password Spray Attack (Uses Authentication Normalization) | 6a2e2ff4-5568-475e-bef2-b95f12b9367b | |
| Dev-0228 File Path Hashes November 2021 (ASIM Version) | 29a29e5d-354e-4f5e-8321-8b39d25047bf | |
| Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) | a1bddaf8-982b-4089-ba9e-6590dfcf80ea | SquidProxy Zscaler |
| Trust Monitor Event | 8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182 | |
| IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN | ba144bf8-75b8-406f-9420-ed74397f9479 | AzureActiveDirectory PaloAltoNetworks |
| Failed AzureAD logons but success logon to AWS Console | 643c2025-9604-47c5-833f-7b4b9378a1f5 | AzureActiveDirectory AWS |
| Failed AzureAD logons but success logon to host | 8ee967a2-a645-4832-85f4-72b635bcb3a6 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents |
| Failed AWS Console logons but success logon to AzureAD | 910124df-913c-47e3-a7cd-29e1643fa55e | AzureActiveDirectory AWS |
| Cross-Cloud Password Spray detection | 1f40ed57-f54b-462f-906a-ac3a89cc90d4 | AWS AzureActiveDirectory BehaviorAnalytics MicrosoftThreatProtection |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1 | AzureActiveDirectory AWSS3 |
| Dev-0228 File Path Hashes November 2021 | 3b443f22-9be9-4c35-ac70-a94757748439 | MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection |
| Europium - Hash and IP IOCs - September 2022 | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection Office365 AzureFirewall WindowsFirewall |
| Failed host logons but success logon to AzureAD | 1ce5e766-26ab-4616-b7c8-3b33ae321e80 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents |
| Multiple Password Reset by user | 0b9ae89d-8cad-461c-808f-0494f70ad5c4 | AzureActiveDirectory SecurityEvents Syslog Office365 WindowsSecurityEvents WindowsForwardedEvents |
| Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity BehaviorAnalytics |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | 188db479-d50a-4a9c-a041-644bae347d1f | AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection |
| Suspicious AWS console logins by credential access alerts | b51fe620-62ad-4ed2-9d40-5c97c0a8231f | OfficeATP AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection |
| Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 |
| AD FS Abnormal EKU object identifier attribute | cfc1ae62-db63-4a3e-b88b-dc04030c2257 | SecurityEvents |
| Failed logon attempts by valid accounts within 10 mins | 0777f138-e5d8-4eab-bec1-e11ddfbc2be2 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Potential Kerberoasting | 1572e66b-20a7-4012-9ec4-77ec4b101bc8 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| New country signIn with correct password | 7808c05a-3afd-4d13-998a-a59e2297693f | AzureActiveDirectory |
| High count of failed attempts from same client IP | 19e01883-15d8-4eb6-a7a5-3276cd668388 | AzureMonitor(IIS) |
| High count of failed logons by a user | 884c4957-70ea-4f57-80b9-1bca3890315b | AzureMonitor(IIS) |
| Zoom E2E Encryption Disabled | e4779bdc-397a-4b71-be28-59e6a1e1d16b | |
| External User Access Enabled | 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3 | |
| Suspicious link sharing pattern | 1218175f-c534-421c-8070-5dcaabf28067 |