Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

DefenseEvasion

Overview

Rule NameidRequired data connectors
1Password - Changes to firewall rules54e6bb8e-2935-422f-9387-dba1961abfd71Password
1Password - Disable MFA factor or type for all user accounts92ab0938-1e7c-4671-9810-392e8b9714da1Password
1Password - Log Ingestion Failurebf9132c7-9d4d-4244-98c7-7d994703c2081Password
1Password - Service account integration token adjustmentd54a3cf9-6169-449c-83f1-e7def33597021Password
1Password - User account MFA settings changed3c8140eb-e946-4bf2-8c61-03e4df56d4001Password
Alsid DCShadow25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12cAlsidForAD
Changes made to AWS CloudTrail logs610d3850-c26f-4f20-8d86-f10fdf2425f5AWS
AWSS3
AWS Config Service Resource Deletion Attempts093fe75e-44f1-4d3e-94dc-6d258a6dd2d2AWS
AWSS3
Login to AWS Management Console without MFAd25b1998-a592-4bc5-8a3a-92b39eedb1bcAWS
AWSS3
Automatic image scanning disabled for ECR19602494-94af-43c8-90ba-eb0e14999612AWS
Full Admin policy created and then attached to Roles, Users or Groups826bb2f8-7894-4785-9a6b-a8a855d8366fAWS
AWSS3
GuardDuty detector disabled or suspended9da99021-d318-4711-a78a-6dea76129b3aAWS
Changes made to AWS CloudTrail logs633a91df-d031-4b6e-a413-607a61540559AWS
Network ACL with all the open ports to a specified CIDRf8ea7d50-e33b-4b9d-9c3e-a59fcbcee281AWS
Successful brute force attack on S3 Bucket.31b9e94b-0df6-4a3d-a297-3457b53c5d86AWS
NRT Login to AWS Management Console without MFA0ee2aafb-4500-4e36-bcb1-e90eec2f0b9bAWS
AWSS3
Powershell Empire Cmdlets Executed in Command Lineef88eb96-861c-43a0-ab16-f3835a97c928SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Microsoft Entra ID Hybrid Health AD FS New Server88f453ff-7b9e-45bb-8c12-4058ca5e44eeAzureActivity
Microsoft Entra ID Hybrid Health AD FS Service Delete86a036b2-3686-42eb-b417-909fc0867771AzureActivity
Microsoft Entra ID Hybrid Health AD FS Suspicious Applicationd9938c3b-16f9-444d-bc22-ea9a9110e0fdAzureActivity
Creation of expensive computes in Azure9736e5f1-7b6e-4bfb-a708-e53ff1d182c3AzureActivity
NRT Creation of expensive computes in Azure56fe0db0-6779-46fa-b3c5-006082a53064AzureActivity
NRT Microsoft Entra ID Hybrid Health AD FS New Serverec491363-5fe7-4eff-b68e-f42dcb76fcf6AzureActivity
Front Door Premium WAF - SQLi Detection16da3a2a-af29-48a0-8606-d467c180fe18WAF
AFD WAF - Code Injectionded8168e-c806-4772-af30-10576e0a7529WAF
AFD WAF - Path Traversal Attacka4d99328-e4e6-493d-b0d5-57e6f9ddae77WAF
App GW WAF - Code Injection912a18fc-6165-446b-8740-81ae6c3f75eeWAF
App GW WAF - Path Traversal Attackb6c3a8a6-d22c-4882-9c57-abc01690938bWAF
App Gateway WAF - Scanner Detection9b8dd8fd-f192-42eb-84f6-541920400a7aWAF
App Gateway WAF - SQLi Detectionbdb2cd63-99f2-472e-b1b9-acba473b6744WAF
Azure DevOps Agent Pool Created Then Deletedacfdee3f-b794-404a-aeba-ef6a1fa08ad1
Azure DevOps Audit Stream Disabled4e8238bd-ff4f-4126-a9f6-09b3b6801b3d
Azure DevOps Pipeline modified by a new user155e9134-d5ad-4a6f-88f3-99c220040b66
Azure DevOps Retention Reduced71d374e0-1cf8-4e50-aecd-ab6c519795c2
Azure DevOps Build Variable Modified by New User3b9a44d7-c651-45ed-816c-eae583a6f2f1
NRT Azure DevOps Audit Stream Disabled74ed028d-e392-40b7-baef-e69627bf89d1
Bitglass - The SmartEdge endpoint agent was uninstalled40f69a27-8c68-4c8c-bb7c-7eb0f0a8a1faBitglass
Malicious BEC Inbox Rule8ac77493-3cae-4840-8634-15fb23f8fb68Office365
CiscoISE - Attempt to delete local store logsb6549a28-d61c-476e-b350-4404352ee427CiscoISE
CiscoISE - Command executed with the highest privileges from new IP1fa0da3e-ec99-484f-aadb-93f59764e158CiscoISE
CiscoISE - Command executed with the highest privileges by new usere71890a2-5f61-4790-b1ed-cf1d92d3e398CiscoISE
CiscoISE - Log collector was suspendedce171782-1643-4f21-bbb7-fa954b1e6897CiscoISE
CiscoISE - Log files deleted21d3be4c-6088-4e76-b6eb-d25479019cb9CiscoISE
Cisco SE - Policy update failure64fece0a-44db-4bab-844d-fd503dc0aabaCiscoSecureEndpoint
Cisco Umbrella - Windows PowerShell User-Agent Detectedb12b3dab-d973-45af-b07e-e29bb34d8db9CiscoUmbrellaDataConnector
CommvaultSecurityIQ Alert317e757e-c320-448e-8837-fc61a70fe609
Data Alert1d2c3da7-60ec-40be-9c14-bade6eaf3c49
IDP Alertc982bcc1-ef73-485b-80d5-2a637ce4ab2b
User Alert29e0767c-80ac-4689-9a2e-b25b9fc88fce
Corelight - External Proxy Detected05850746-9ae4-412f-838b-844f0903f4a9Corelight
TLS Certificate Hostname Mismatch69761091-1a9a-49a9-8966-be68cd550766HVPollingIDAzureFunctions
TLS Certificate Using Weak Cipher - Informational1bdf3cba-6b85-4b88-ab1e-681bac20d41fHVPollingIDAzureFunctions
TLS Certificate Using Weak Cipher - Medium7bbe51fe-9c5f-4f54-a079-b84cc27737a1HVPollingIDAzureFunctions
TLSv1.1 in Use - info049edfdd-0331-4493-bcd7-b375bba7b551HVPollingIDAzureFunctions
TLSv1.1 in Use - Medium92400070-199b-46d3-bd86-2fb8421b5338HVPollingIDAzureFunctions
TLSv1 in Use - Low9435d04a-e8a6-49e5-90c4-e7f3456f9ed5HVPollingIDAzureFunctions
TLSv1 in Use - Medium93f2ab34-15a3-4199-ad5a-6ebf8d2ad449HVPollingIDAzureFunctions
CyberArkEPM - MSBuild usage as LOLBina11bf869-458e-49fd-be03-58021b14be15CyberArkEPM
CyberArkEPM - Uncommon Windows process started from System folder16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43CyberArkEPM
CyberArkEPM - Process started from different locations0d4e62da-0a64-4532-b93e-28cd2940c300CyberArkEPM
CyberArkEPM - Uncommon process Internet access9d0d44ab-54dc-472a-9931-53521e888932CyberArkEPM
CyberArkEPM - Renamed Windows binary9281b7cc-8f05-45a9-bf10-17fb29492a84CyberArkEPM
CyberArkEPM - Unexpected executable extension911d5b75-a1ce-4f13-a839-9c2474768696CyberArkEPM
CyberArkEPM - Unexpected executable locationc1fcbbd7-74f8-4f32-8116-0a533ebd3878CyberArkEPM
Dev-0270 Malicious Powershell usage422ca2bf-598b-4872-82bb-5f7e8fa731e7SecurityEvents
WindowsSecurityEvents
MicrosoftThreatProtection
Dynatrace - Problem detection415978ff-074e-4203-824a-b06153d77bf7DynatraceProblems
Dynatrace Application Security - Code-Level runtime vulnerability detection305093b4-0fa2-57bc-bced-caea782a6e9cDynatraceRuntimeVulnerabilities
Dynatrace Application Security - Non-critical runtime vulnerability detectionff0af873-a2f2-4233-8412-0ef4e00b0156DynatraceRuntimeVulnerabilities
Dynatrace Application Security - Third-Party runtime vulnerability detectionaf99b078-124b-543a-9a50-66ef87c09f6aDynatraceRuntimeVulnerabilities
Base64 encoded Windows process command-linesca67c83e-7fff-4127-a3e3-1af66d6d4cadSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Process executed from binary hidden in Base64 encoded filed6190dde-8fd2-456a-ac5b-0a32400b0464SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Malware in the recycle bin75bf9902-0789-47c1-a5d8-f57046aa72dfSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Security Event log cleared80da0a8f-cfe1-4cd0-a895-8bc1771a720eSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
ASR Bypassing Writing Executable Contentefe4efef-5ca7-4b51-a53e-0e96492ce97aMicrosoftThreatProtection
Microsoft Entra ID Rare UserAgent App Sign-in87d5cd18-211d-4fd4-9b86-65d23fed87eaAzureActiveDirectory
Microsoft Entra ID UserAgent OS Missmatch6a638d80-f6b2-473b-9087-3cac78a84b40AzureActiveDirectory
Certified Pre-Owned - backup of CA private key - rule 1aa5eaac7-1264-4833-b620-8f062be75541SecurityEvents
WindowsSecurityEvents
Certified Pre-Owned - backup of CA private key - rule 288f8fbc0-345d-458e-85f6-f73921d5ef50SecurityEvents
WindowsSecurityEvents
Certified Pre-Owned - TGTs requested with certificate authenticationb838a13c-052e-45b8-a5ac-7d3eb62efa11SecurityEvents
WindowsSecurityEvents
Ingress Tool Transfer - Certutilf0be11a9-ec48-4df6-801d-479556044d4eMicrosoftThreatProtection
Access Token Manipulation - Create Process with Token8df80270-b4fa-4a7a-931e-8d17c0b321aeMicrosoftThreatProtection
Disable or Modify Windows Defender20d52a04-b5d8-402d-88e2-7929d12cbdcdMicrosoftThreatProtection
Hijack Execution Flow - DLL Side-Loading3084b487-fad6-4000-9544-6085b9657290MicrosoftThreatProtection
Match Legitimate Name or Location - 2dd22dc4f-ab7c-4d0a-84ad-cc393638ba31MicrosoftThreatProtection
Rename System Utilities335ddff8-b615-42cd-b593-86e419b45d78MicrosoftThreatProtection
Suspicious named pipesddf7c669-db26-4215-acaf-11e2953a04e6MicrosoftThreatProtection
Trusted Developer Utilities Proxy Execution5c2bb446-926f-4160-a233-21e335c2c290MicrosoftThreatProtection
GitHub Two Factor Auth Disable3ff0fffb-d963-40c0-b235-3404f915add7
NRT GitHub Two Factor Auth Disable594c653d-719a-4c23-b028-36e3413e632e
GitLab - Repository visibility to Public8b291c3d-90ba-4ebf-af2c-0283192d430eSyslog
GCP IAM - Disable Data Access Logging2530a631-9605-404d-ae58-58ef1f91b17cGCPIAMDataConnector
GCP IAM - Empty user agent9e0d8632-d33d-4075-979e-c972674f77b3GCPIAMDataConnector
GWorkspace - API Access Grantedc45a9804-5da8-11ec-bf63-0242ac130002GoogleWorkspaceReportsAPI
GWorkspace - Unexpected OS updatec02b0c8e-5da6-11ec-bf63-0242ac130002GoogleWorkspaceReportsAPI
PLC Stop Command (Microsoft Defender for IoT)a7d3f642-15d8-4e83-99ee-83ca3352525dIoT
Detect Registry Run Key Creation/Modificationdd041e4e-1ee2-41ec-ba4e-82a71d628260CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
VMwareCarbonBlack
CiscoSecureEndpoint
TrendMicroApexOne
TrendMicroApexOneAma
Process Creation with Suspicious CommandLine Argumentsfdbcc0eb-44fb-467e-a51d-a91df0780a81CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
VMwareCarbonBlack
CiscoSecureEndpoint
TrendMicroApexOne
TrendMicroApexOneAma
Detect Windows Allow Firewall Rule Addition/Modification056593d4-ca3b-47a7-be9d-d1d0884a1d36CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
VMwareCarbonBlack
CiscoSecureEndpoint
TrendMicroApexOne
TrendMicroApexOneAma
Detect Windows Update Disabled from Registryf1443a87-78d5-40c3-b051-f468f0f2def0CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
VMwareCarbonBlack
CiscoSecureEndpoint
TrendMicroApexOne
TrendMicroApexOneAma
McAfee ePO - Agent Handler down3c1425d3-93d4-4eaf-8aa0-370dbac94c82McAfeeePO
McAfee ePO - Error sending alert1e3bcd0f-10b2-4fbd-854f-1c6f33acc36aMcAfeeePO
McAfee ePO - Attempt uninstall McAfee agent2eff5809-bf84-48e0-8288-768689672c37McAfeeePO
McAfee ePO - Deployment failed155243f4-d962-4717-8a7b-b15b6d112660McAfeeePO
McAfee ePO - File added to exceptionsb9d9fdfe-bc17-45ce-a70d-67a5cfd119f4McAfeeePO
McAfee ePO - Firewall disabledbd3cedc3-efba-455a-85bd-0cf9ac1b0727McAfeeePO
McAfee ePO - Logging error occurred0c9243d6-d2ec-48e1-8593-e713859c8f3cMcAfeeePO
McAfee ePO - Multiple threats on same hostf53e5168-afdb-4fad-b29a-bb9cb71ec460McAfeeePO
McAfee ePO - Scanning engine disabled5223c1b8-75ef-4019-9076-a19b1ef3e5d1McAfeeePO
McAfee ePO - Task error3e397e31-7964-417e-a3e0-0acfaa2056f4McAfeeePO
McAfee ePO - Threat was not blocked6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7McAfeeePO
McAfee ePO - Unable to clean or delete infected file9860e89f-72c8-425e-bac9-4a170798d3eaMcAfeeePO
McAfee ePO - Update failed4f0c91c3-1690-48f0-b538-4282dd5417a4McAfeeePO
Exchange AuditLog Disabled194dd92e-d6e7-4249-85a5-273350a7f5ceOffice365
Malicious Inbox Rule7b907bf7-77d4-41d0-a208-5643ff75bf9aOffice365
Office Policy Tamperingfbd72eb8-087e-466b-bd54-1ca6ea08c6d3Office365
Imminent Ransomwarebb46dd86-e642-48a4-975c-44f5ac2b5033
Doppelpaymer Stop Services5bdc1504-880c-4b30-a39c-7c746535928dMicrosoftThreatProtection
Qakbot Campaign Self Deletion47c02e21-3949-4e05-a28e-576cd75ff6f6MicrosoftThreatProtection
Regsvr32 Rundll32 Image Loads Abnormal Extension36fbd4e7-5630-4414-aa42-702a7fdded21MicrosoftThreatProtection
Regsvr32 Rundll32 with Anomalous Parent Process2624fc55-0998-4897-bb48-1c6422befce4MicrosoftThreatProtection
Detect Suspicious Commands Initiated by Webserver Processesfa2f7d8a-6726-465a-aa72-6f6e3d4c99d7MicrosoftThreatProtection
MosaicLoader506f4d6b-3864-4bb1-8f75-a13fb066f97aMicrosoftThreatProtection
Disabling Security Services via Registry32b29155-3fd3-4a9e-a0ca-a67e2593b60bMicrosoftThreatProtection
Clearing of forensic evidence from event logs using wevtutil515d0bba-b297-4f83-8280-20ff7f27ecb1MicrosoftThreatProtection
Stopping multiple processes using taskkill4dd31bd5-11a3-4b9c-a7c5-4927ab4f2a77MicrosoftThreatProtection
Potential Ransomware activity related to Cobalt Strike4bd9ce9d-8586-4beb-8fdb-bd018cacbe7dMicrosoftThreatProtection
Qakbot Discovery Activiesba9db6b2-3d05-42ae-8aee-3a15bbe29f27MicrosoftThreatProtection
TEARDROP memory-only dropper738702fd-0a66-42c7-8586-e30f0583f8feMicrosoftThreatProtection
full_access_as_app Granted To Application54e22fed-0ec6-4fb2-8312-2a3809a93f63AzureActiveDirectory
First access credential added to Application or Service Principal where no credential was present2cfc3c6e-f424-4b88-9cc9-c89f482d016aAzureActiveDirectory
Suspicious application consent similar to O365 Attack Toolkitf948a32f-226c-4116-bddd-d95e91d97eb9AzureActiveDirectory
Suspicious application consent similar to PwnAuth39198934-62a0-4781-8416-a81265c03fd6AzureActiveDirectory
New access credential added to Application or Service Principal79566f41-df67-4e10-a703-c38a6213afd8AzureActiveDirectory
NRT First access credential added to Application or Service Principal where no credential was presentb6988c32-4f3b-4a45-8313-b46b33061a74AzureActiveDirectory
NRT New access credential added to Application or Service Principale42e889a-caaf-4dbb-aec6-371b37d64298AzureActiveDirectory
Suspicious Sign In Followed by MFA Modificationaec77100-25c5-4254-a20a-8027ed92c46cAzureActiveDirectory
BehaviorAnalytics
OCI - Event rule deleted31b15699-0b55-4246-851e-93f9cefb6f5cOracleCloudInfrastructureLogsConnector
Palo Alto Prevention alert5180e347-32fb-4a0a-9cfa-d6e0e10fc4ebPaloAltoNetworksCortex
Palo Alto WildFire Malware Detection961672e7-15db-4df1-9bab-dc4f032b9b6fPaloAltoNetworksCortex
Radiflow - Suspicious Malicious Activity Detectedecac26b8-147d-478a-9d50-99be4bf14019RadiflowIsid
RecordedFuture Threat Hunting Url All Actors3f6f0d1a-f2f9-4e01-881a-c55a4a71905bThreatIntelligenceUploadIndicatorsAPI
Red Canary Threat Detection6d263abb-6445-45cc-93e9-c593d3d77b89RedCanaryDataConnector
Possible AiTM Phishing Attempt Against Microsoft Entra ID16daa67c-b137-48dc-8eb7-76598a44791aAzureActiveDirectory
Zscaler
Semperis DSP Mimikatz’s DCShadow Alert1a6d0a49-64b3-4ca1-96c3-f154c16c218cSemperisDSP
Semperis DSP Well-known privileged SIDs in sIDHistoryddd75d93-5b8b-4349-babe-c4e15343c5a3SemperisDSP
Sentinel One - Agent uninstalled from multiple hosts4ad87e4a-d045-4c6b-9652-c9de27fcb442SentinelOne
Sentinel One - Blacklist hash deletedde339761-2298-4b37-8f1b-80ebd4f0b5f6SentinelOne
Sentinel One - Exclusion added4224409f-a7bf-45eb-a931-922d79575a05SentinelOne
Sentinel One - Rule deletede171b587-22bd-46ec-b96c-7c99024847a7SentinelOne
Sentinel One - Rule disabled84e210dd-8982-4398-b6f3-264fd72d036cSentinelOne
Excessive Denied Proxy Traffic7a58b253-0ef2-4248-b4e5-c350f15a8346SymantecProxySG
TIE DCShadow874e3530-552e-437b-ba2e-227979e7e43cTenableIE
Tenable.ad DCShadow861044f3-6eef-4f79-8609-e3764abb02f4Tenable.ad
Trend Micro CAS - Threat detected and not blockedc8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687aTrendMicroCAS
VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attackce207901-ed7b-49ae-ada7-033e1fbb1240VMwareSDWAN
Votiro - File Blocked from Connector17bf3780-ae0d-4cd9-a884-5df8b687f3f5Votiro
CefAma
Votiro - File Blocked in Email0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9Votiro
CefAma
Detect potential presence of a malicious file with a double extension (ASIM Web Session)6a71687f-00cf-44d3-93fc-8cbacc7b5615
NRT Base64 Encoded Windows Process Command-linesc3e5dbaa-a540-408c-8b36-68bdfb3df088SecurityEvents
WindowsSecurityEvents
NRT Process executed from binary hidden in Base64 encoded file7ad4c32b-d0d2-411c-a0e8-b557afa12fceSecurityEvents
WindowsSecurityEvents
NRT Security Event log cleared508cef41-2cd8-4d40-a519-b04826a9085fSecurityEvents
WindowsSecurityEvents
Potential re-named sdelete usage720d12c6-a08c-44c4-b18f-2236412d59b0SecurityEvents
WindowsSecurityEvents
Scheduled Task Hide6dd2629c-534b-4275-8201-d7968b4fa77eSecurityEvents
WindowsSecurityEvents
Starting or Stopping HealthService to Avoid Detection2bc7b4ae-eeaa-4538-ba15-ef298ec1ffaeSecurityEvents
WindowsSecurityEvents
Zero Networks Segement - Machine Removed from protectiona4ce12ca-d01d-460a-b15e-6c74ef328b82ZeroNetworksSegmentAuditFunction
ZeroNetworksSegmentAuditNativePoller
Base64 encoded Windows process command-lines (Normalized Process Events)f8b3c49c-4087-499b-920f-0dcfaff0cbca
Malware in the recycle bin (Normalized Process Events)61988db3-0565-49b5-b8e3-747195baac6e
Potential re-named sdelete usage (ASIM Version)5b6ae038-f66e-4f74-9315-df52fd492be4
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)42436753-9944-4d70-801c-daaa4d19ddd2SquidProxy
Zscaler
Conditional Access Policy Modified by New User25a7f951-54b7-4cf5-9862-ebc04306c590AzureActiveDirectory
Azure Diagnostic settings removed from a resource6e95aef3-a1e0-4063-8e74-cd59aa59f245AzureActivity
Application Gateway WAF - SQLi Detection68c0b6bb-6bd9-4ef4-9011-08998c8ef90fWAF
Cisco Umbrella - Windows PowerShell User-Agent Detectedb12b3dab-d973-45af-b07e-e29bb34d8db9CiscoUmbrellaDataConnector
Missing Domain Controller Heartbeatb8b8ba09-1e89-45a1-8bd7-691cd23bfa32
Security Service Registry ACL Modification473d57e6-f787-435c-a16b-b38b51fa9a4bSecurityEvents
MicrosoftThreatProtection
WindowsSecurityEvents
WindowsForwardedEvents
NRT Malicious Inbox Ruleb79f6190-d104-4691-b7db-823e05980895Office365
Fake computer account createdc1faf5e8-6958-11ec-90d6-0242ac120003SecurityEvents
Solorigate Named Pipe11b4c19d-2a79-4da3-af38-b067e1273deeSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Privileged User Logon from new ASN55073036-bb86-47d3-a85a-b113ac3d9396AzureActiveDirectory
BehaviorAnalytics