DefenseEvasion
| Rule Name | id | Required data connectors |
|---|---|---|
| API - Anomaly Detection | 2c59e609-e0a0-4e8e-adc5-ab4224be8a36 | 42CrunchAPIProtection |
| API - Rate limiting | b808063b-07d5-432c-95d0-8900da61cce9 | 42CrunchAPIProtection |
| Alsid DCShadow | 25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c | AlsidForAD |
| Changes made to AWS CloudTrail logs | 610d3850-c26f-4f20-8d86-f10fdf2425f5 | AWS AWSS3 |
| AWS Config Service Resource Deletion Attempts | 093fe75e-44f1-4d3e-94dc-6d258a6dd2d2 | AWS AWSS3 |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS AWSS3 |
| Automatic image scanning disabled for ECR | 19602494-94af-43c8-90ba-eb0e14999612 | AWS |
| GuardDuty detector disabled or suspended | 9da99021-d318-4711-a78a-6dea76129b3a | AWS |
| Changes made to AWS CloudTrail logs | 633a91df-d031-4b6e-a413-607a61540559 | AWS |
| Network ACL with all the open ports to a specified CIDR | f8ea7d50-e33b-4b9d-9c3e-a59fcbcee281 | AWS |
| Successful brute force attack on S3 Bucket. | 31b9e94b-0df6-4a3d-a297-3457b53c5d86 | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS AWSS3 |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Microsoft Entra ID Hybrid Health AD FS New Server | 88f453ff-7b9e-45bb-8c12-4058ca5e44ee | AzureActivity |
| Microsoft Entra ID Hybrid Health AD FS Service Delete | 86a036b2-3686-42eb-b417-909fc0867771 | AzureActivity |
| Microsoft Entra ID Hybrid Health AD FS Suspicious Application | d9938c3b-16f9-444d-bc22-ea9a9110e0fd | AzureActivity |
| Creation of expensive computes in Azure | 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3 | AzureActivity |
| NRT Creation of expensive computes in Azure | 56fe0db0-6779-46fa-b3c5-006082a53064 | AzureActivity |
| NRT Microsoft Entra ID Hybrid Health AD FS New Server | ec491363-5fe7-4eff-b68e-f42dcb76fcf6 | AzureActivity |
| Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
| AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
| Azure DevOps Agent Pool Created Then Deleted | acfdee3f-b794-404a-aeba-ef6a1fa08ad1 | |
| Azure DevOps Audit Stream Disabled | 4e8238bd-ff4f-4126-a9f6-09b3b6801b3d | |
| Azure DevOps Pipeline modified by a new user | 155e9134-d5ad-4a6f-88f3-99c220040b66 | |
| Azure DevOps Retention Reduced | 71d374e0-1cf8-4e50-aecd-ab6c519795c2 | |
| Azure DevOps Build Variable Modified by New User | 3b9a44d7-c651-45ed-816c-eae583a6f2f1 | |
| NRT Azure DevOps Audit Stream Disabled | 74ed028d-e392-40b7-baef-e69627bf89d1 | |
| Bitglass - The SmartEdge endpoint agent was uninstalled | 40f69a27-8c68-4c8c-bb7c-7eb0f0a8a1fa | Bitglass |
| Malicious BEC Inbox Rule | 8ac77493-3cae-4840-8634-15fb23f8fb68 | Office365 |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | CiscoISE |
| CiscoISE - Attempt to delete local store logs | b6549a28-d61c-476e-b350-4404352ee427 | CiscoISE |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE |
| CiscoISE - Log collector was suspended | ce171782-1643-4f21-bbb7-fa954b1e6897 | CiscoISE |
| CiscoISE - Log files deleted | 21d3be4c-6088-4e76-b6eb-d25479019cb9 | CiscoISE |
| Cisco SDWAN - Intrusion Events | 232a1c75-63fc-4c81-8b18-b4a739fccba8 | CiscoSDWAN |
| Cisco SE - Policy update failure | 64fece0a-44db-4bab-844d-fd503dc0aaba | CiscoSecureEndpoint |
| Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
| Data Alert | 1d2c3da7-60ec-40be-9c14-bade6eaf3c49 | |
| IDP Alert | c982bcc1-ef73-485b-80d5-2a637ce4ab2b | |
| User Alert | 29e0767c-80ac-4689-9a2e-b25b9fc88fce | |
| Corelight - External Proxy Detected | 05850746-9ae4-412f-838b-844f0903f4a9 | Corelight |
| Brand Abuse | 6e9e1975-6d85-4387-bd30-3881c66e302e | CBSPollingIDAzureFunctions |
| CyberArkEPM - MSBuild usage as LOLBin | a11bf869-458e-49fd-be03-58021b14be15 | CyberArkEPM |
| CyberArkEPM - Uncommon Windows process started from System folder | 16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43 | CyberArkEPM |
| CyberArkEPM - Process started from different locations | 0d4e62da-0a64-4532-b93e-28cd2940c300 | CyberArkEPM |
| CyberArkEPM - Uncommon process Internet access | 9d0d44ab-54dc-472a-9931-53521e888932 | CyberArkEPM |
| CyberArkEPM - Renamed Windows binary | 9281b7cc-8f05-45a9-bf10-17fb29492a84 | CyberArkEPM |
| CyberArkEPM - Unexpected executable extension | 911d5b75-a1ce-4f13-a839-9c2474768696 | CyberArkEPM |
| CyberArkEPM - Unexpected executable location | c1fcbbd7-74f8-4f32-8116-0a533ebd3878 | CyberArkEPM |
| Dev-0270 Malicious Powershell usage | 422ca2bf-598b-4872-82bb-5f7e8fa731e7 | SecurityEvents MicrosoftThreatProtection |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Base64 encoded Windows process command-lines | ca67c83e-7fff-4127-a3e3-1af66d6d4cad | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Process executed from binary hidden in Base64 encoded file | d6190dde-8fd2-456a-ac5b-0a32400b0464 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Malware in the recycle bin | 75bf9902-0789-47c1-a5d8-f57046aa72df | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Security Event log cleared | 80da0a8f-cfe1-4cd0-a895-8bc1771a720e | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| ASR Bypassing Writing Executable Content | efe4efef-5ca7-4b51-a53e-0e96492ce97a | MicrosoftThreatProtection |
| Microsoft Entra ID Rare UserAgent App Sign-in | 87d5cd18-211d-4fd4-9b86-65d23fed87ea | AzureActiveDirectory |
| Microsoft Entra ID UserAgent OS Missmatch | 6a638d80-f6b2-473b-9087-3cac78a84b40 | AzureActiveDirectory |
| Certified Pre-Owned - backup of CA private key - rule 1 | aa5eaac7-1264-4833-b620-8f062be75541 | SecurityEvents |
| Certified Pre-Owned - backup of CA private key - rule 2 | 88f8fbc0-345d-458e-85f6-f73921d5ef50 | SecurityEvents |
| Certified Pre-Owned - TGTs requested with certificate authentication | b838a13c-052e-45b8-a5ac-7d3eb62efa11 | SecurityEvents |
| Ingress Tool Transfer - Certutil | f0be11a9-ec48-4df6-801d-479556044d4e | MicrosoftThreatProtection |
| Access Token Manipulation - Create Process with Token | 8df80270-b4fa-4a7a-931e-8d17c0b321ae | MicrosoftThreatProtection |
| Disable or Modify Windows Defender | 20d52a04-b5d8-402d-88e2-7929d12cbdcd | MicrosoftThreatProtection |
| Hijack Execution Flow - DLL Side-Loading | 3084b487-fad6-4000-9544-6085b9657290 | MicrosoftThreatProtection |
| Match Legitimate Name or Location - 2 | dd22dc4f-ab7c-4d0a-84ad-cc393638ba31 | MicrosoftThreatProtection |
| Rename System Utilities | 335ddff8-b615-42cd-b593-86e419b45d78 | MicrosoftThreatProtection |
| Suspicious named pipes | ddf7c669-db26-4215-acaf-11e2953a04e6 | MicrosoftThreatProtection |
| Trusted Developer Utilities Proxy Execution | 5c2bb446-926f-4160-a233-21e335c2c290 | MicrosoftThreatProtection |
| GitHub Two Factor Auth Disable | 3ff0fffb-d963-40c0-b235-3404f915add7 | |
| NRT GitHub Two Factor Auth Disable | 594c653d-719a-4c23-b028-36e3413e632e | |
| GitLab - Repository visibility to Public | 8b291c3d-90ba-4ebf-af2c-0283192d430e | Syslog |
| GCP IAM - Disable Data Access Logging | 2530a631-9605-404d-ae58-58ef1f91b17c | GCPIAMDataConnector |
| GCP IAM - Empty user agent | 9e0d8632-d33d-4075-979e-c972674f77b3 | GCPIAMDataConnector |
| GWorkspace - API Access Granted | c45a9804-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| PLC Stop Command (Microsoft Defender for IoT) | a7d3f642-15d8-4e83-99ee-83ca3352525d | IoT |
| Detect Registry Run Key Creation/Modification | dd041e4e-1ee2-41ec-ba4e-82a71d628260 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
| Process Creation with Suspicious CommandLine Arguments | fdbcc0eb-44fb-467e-a51d-a91df0780a81 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
| Detect Windows Allow Firewall Rule Addition/Modification | 056593d4-ca3b-47a7-be9d-d1d0884a1d36 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
| Detect Windows Update Disabled from Registry | f1443a87-78d5-40c3-b051-f468f0f2def0 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
| McAfee ePO - Agent Handler down | 3c1425d3-93d4-4eaf-8aa0-370dbac94c82 | McAfeeePO |
| McAfee ePO - Error sending alert | 1e3bcd0f-10b2-4fbd-854f-1c6f33acc36a | McAfeeePO |
| McAfee ePO - Attempt uninstall McAfee agent | 2eff5809-bf84-48e0-8288-768689672c37 | McAfeeePO |
| McAfee ePO - Deployment failed | 155243f4-d962-4717-8a7b-b15b6d112660 | McAfeeePO |
| McAfee ePO - File added to exceptions | b9d9fdfe-bc17-45ce-a70d-67a5cfd119f4 | McAfeeePO |
| McAfee ePO - Firewall disabled | bd3cedc3-efba-455a-85bd-0cf9ac1b0727 | McAfeeePO |
| McAfee ePO - Logging error occurred | 0c9243d6-d2ec-48e1-8593-e713859c8f3c | McAfeeePO |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | McAfeeePO |
| McAfee ePO - Scanning engine disabled | 5223c1b8-75ef-4019-9076-a19b1ef3e5d1 | McAfeeePO |
| McAfee ePO - Task error | 3e397e31-7964-417e-a3e0-0acfaa2056f4 | McAfeeePO |
| McAfee ePO - Threat was not blocked | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 | McAfeeePO |
| McAfee ePO - Unable to clean or delete infected file | 9860e89f-72c8-425e-bac9-4a170798d3ea | McAfeeePO |
| McAfee ePO - Update failed | 4f0c91c3-1690-48f0-b538-4282dd5417a4 | McAfeeePO |
| Exchange AuditLog Disabled | 194dd92e-d6e7-4249-85a5-273350a7f5ce | Office365 |
| Malicious Inbox Rule | 7b907bf7-77d4-41d0-a208-5643ff75bf9a | Office365 |
| Office Policy Tampering | fbd72eb8-087e-466b-bd54-1ca6ea08c6d3 | Office365 |
| Imminent Ransomware | bb46dd86-e642-48a4-975c-44f5ac2b5033 | |
| Doppelpaymer Stop Services | 5bdc1504-880c-4b30-a39c-7c746535928d | MicrosoftThreatProtection |
| Qakbot Campaign Self Deletion | 47c02e21-3949-4e05-a28e-576cd75ff6f6 | MicrosoftThreatProtection |
| Regsvr32 Rundll32 Image Loads Abnormal Extension | 36fbd4e7-5630-4414-aa42-702a7fdded21 | MicrosoftThreatProtection |
| Regsvr32 Rundll32 with Anomalous Parent Process | 2624fc55-0998-4897-bb48-1c6422befce4 | MicrosoftThreatProtection |
| Detect Suspicious Commands Initiated by Webserver Processes | fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7 | MicrosoftThreatProtection |
| MosaicLoader | 506f4d6b-3864-4bb1-8f75-a13fb066f97a | MicrosoftThreatProtection |
| Disabling Security Services via Registry | 32b29155-3fd3-4a9e-a0ca-a67e2593b60b | MicrosoftThreatProtection |
| Clearing of forensic evidence from event logs using wevtutil | 515d0bba-b297-4f83-8280-20ff7f27ecb1 | MicrosoftThreatProtection |
| Stopping multiple processes using taskkill | 4dd31bd5-11a3-4b9c-a7c5-4927ab4f2a77 | MicrosoftThreatProtection |
| Potential Ransomware activity related to Cobalt Strike | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d | MicrosoftThreatProtection |
| Qakbot Discovery Activies | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27 | MicrosoftThreatProtection |
| TEARDROP memory-only dropper | 738702fd-0a66-42c7-8586-e30f0583f8fe | MicrosoftThreatProtection |
| full_access_as_app Granted To Application | 54e22fed-0ec6-4fb2-8312-2a3809a93f63 | AzureActiveDirectory |
| First access credential added to Application or Service Principal where no credential was present | 2cfc3c6e-f424-4b88-9cc9-c89f482d016a | AzureActiveDirectory |
| Suspicious application consent similar to O365 Attack Toolkit | f948a32f-226c-4116-bddd-d95e91d97eb9 | AzureActiveDirectory |
| Suspicious application consent similar to PwnAuth | 39198934-62a0-4781-8416-a81265c03fd6 | AzureActiveDirectory |
| New access credential added to Application or Service Principal | 79566f41-df67-4e10-a703-c38a6213afd8 | AzureActiveDirectory |
| NRT First access credential added to Application or Service Principal where no credential was present | b6988c32-4f3b-4a45-8313-b46b33061a74 | AzureActiveDirectory |
| NRT New access credential added to Application or Service Principal | e42e889a-caaf-4dbb-aec6-371b37d64298 | AzureActiveDirectory |
| Suspicious Sign In Followed by MFA Modification | aec77100-25c5-4254-a20a-8027ed92c46c | AzureActiveDirectory BehaviorAnalytics |
| OCI - Event rule deleted | 31b15699-0b55-4246-851e-93f9cefb6f5c | OracleCloudInfrastructureLogsConnector |
| Palo Alto Prevention alert | 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb | PaloAltoNetworksCortex |
| Palo Alto WildFire Malware Detection | 961672e7-15db-4df1-9bab-dc4f032b9b6f | PaloAltoNetworksCortex |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Possible AiTM Phishing Attempt Against Microsoft Entra ID | 16daa67c-b137-48dc-8eb7-76598a44791a | AzureActiveDirectory Zscaler |
| Semperis DSP Mimikatz’s DCShadow Alert | 1a6d0a49-64b3-4ca1-96c3-f154c16c218c | SemperisDSP |
| Semperis DSP Well-known privileged SIDs in sIDHistory | ddd75d93-5b8b-4349-babe-c4e15343c5a3 | SemperisDSP |
| Sentinel One - Agent uninstalled from multiple hosts | 4ad87e4a-d045-4c6b-9652-c9de27fcb442 | SentinelOne |
| Sentinel One - Blacklist hash deleted | de339761-2298-4b37-8f1b-80ebd4f0b5f6 | SentinelOne |
| Sentinel One - Exclusion added | 4224409f-a7bf-45eb-a931-922d79575a05 | SentinelOne |
| Sentinel One - Rule deleted | e171b587-22bd-46ec-b96c-7c99024847a7 | SentinelOne |
| Sentinel One - Rule disabled | 84e210dd-8982-4398-b6f3-264fd72d036c | SentinelOne |
| Excessive Denied Proxy Traffic | 7a58b253-0ef2-4248-b4e5-c350f15a8346 | SymantecProxySG |
| User Accessed Suspicious URL Categories | fb0f4a93-d8ad-4b54-9931-85bdb7550f90 | SymantecProxySG |
| Tenable.ad DCShadow | 861044f3-6eef-4f79-8609-e3764abb02f4 | Tenable.ad |
| Trend Micro CAS - Threat detected and not blocked | c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a | TrendMicroCAS |
| VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack | ce207901-ed7b-49ae-ada7-033e1fbb1240 | VMwareSDWAN |
| Votiro - File Blocked from Connector | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 | Votiro |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | 6a71687f-00cf-44d3-93fc-8cbacc7b5615 | |
| NRT Base64 Encoded Windows Process Command-lines | c3e5dbaa-a540-408c-8b36-68bdfb3df088 | SecurityEvents WindowsSecurityEvents |
| NRT Process executed from binary hidden in Base64 encoded file | 7ad4c32b-d0d2-411c-a0e8-b557afa12fce | SecurityEvents WindowsSecurityEvents |
| NRT Security Event log cleared | 508cef41-2cd8-4d40-a519-b04826a9085f | SecurityEvents WindowsSecurityEvents |
| Potential re-named sdelete usage | 720d12c6-a08c-44c4-b18f-2236412d59b0 | SecurityEvents WindowsSecurityEvents |
| Scheduled Task Hide | 6dd2629c-534b-4275-8201-d7968b4fa77e | SecurityEvents WindowsSecurityEvents |
| Starting or Stopping HealthService to Avoid Detection | 2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae | SecurityEvents WindowsSecurityEvents |
| Zero Networks Segement - Machine Removed from protection | a4ce12ca-d01d-460a-b15e-6c74ef328b82 | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller |
| Base64 encoded Windows process command-lines (Normalized Process Events) | f8b3c49c-4087-499b-920f-0dcfaff0cbca | |
| Malware in the recycle bin (Normalized Process Events) | 61988db3-0565-49b5-b8e3-747195baac6e | |
| Potential re-named sdelete usage (ASIM Version) | 5b6ae038-f66e-4f74-9315-df52fd492be4 | |
| A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) | 42436753-9944-4d70-801c-daaa4d19ddd2 | SquidProxy Zscaler |
| Conditional Access Policy Modified by New User | 25a7f951-54b7-4cf5-9862-ebc04306c590 | AzureActiveDirectory |
| Azure Diagnostic settings removed from a resource | 6e95aef3-a1e0-4063-8e74-cd59aa59f245 | AzureActivity |
| Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF |
| Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
| Missing Domain Controller Heartbeat | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 | |
| Security Service Registry ACL Modification | 473d57e6-f787-435c-a16b-b38b51fa9a4b | SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents |
| NRT Malicious Inbox Rule | b79f6190-d104-4691-b7db-823e05980895 | Office365 |
| Fake computer account created | c1faf5e8-6958-11ec-90d6-0242ac120003 | SecurityEvents |
| Solorigate Named Pipe | 11b4c19d-2a79-4da3-af38-b067e1273dee | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Privileged User Logon from new ASN | 55073036-bb86-47d3-a85a-b113ac3d9396 | AzureActiveDirectory BehaviorAnalytics |