Discovery
| Rule Name | id | Required data connectors |
|---|---|---|
| API - Account Takeover | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 | 42CrunchAPIProtection |
| API - Rate limiting | c6258d51-7b82-4942-8293-94c1dcf91595 | 42CrunchAPIProtection |
| API - Kiterunner detection | 421b38ec-4295-4aed-8299-c92e268ad663 | 42CrunchAPIProtection |
| Monitor AWS Credential abuse or hijacking | 32555639-b639-4c2b-afda-c0ae0abefa55 | AWS AWSS3 |
| SSM document is publicly exposed | 75647b58-bcc8-4eb5-9658-46698d3fa153 | AWS |
| Probable AdFind Recon Tool Usage | c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd | MicrosoftThreatProtection |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Privileged Machines Exposed to the Internet | 72891de4-da70-44e4-9984-35fcea98d000 | Authomize |
| CloudNGFW By Palo Alto Networks - possible internal to external port scanning | 5b72f527-e3f6-4a00-9908-8e4fee14da9f | AzureCloudNGFWByPaloAltoNetworks |
| CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | AzureCloudNGFWByPaloAltoNetworks |
| Port Scan | b2c5907b-1040-4692-9802-9946031017e8 | AzureFirewall |
| Port Sweep | 720335f4-ee8c-4270-9424-d0859222168c | AzureFirewall |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
| Azure Security Benchmark Posture Changed | 0610e72f-ceaf-42d1-879e-952a1bd8d07a | |
| Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
| Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Claroty - Policy violation | 3b22ac47-e02c-4599-a37a-57f965de17be | CefAma |
| Claroty - Suspicious activity | 99ad9f3c-304c-44c5-a61f-3a17f8b58218 | CefAma |
| Claroty - Suspicious file transfer | 5cf35bad-677f-4c23-8927-1611e7ff6f28 | CefAma |
| Claroty - Treat detected | 731e5ac4-7fe1-4b06-9941-532f2e008bb3 | Claroty ClarotyAma CefAma |
| CDM_ContinuousDiagnostics&Mitigation_PostureChanged | fd950af9-d9db-4879-a60a-7267cc041beb | |
| CDM_ContinuousDiagnostics&Mitigation_Posture | e15944a8-4172-4208-a928-631e01920d9c | |
| CMMC 2.0 Level 1 (Foundational) Readiness Posture | fb127436-e5c4-4e31-85a8-d3507128dd09 | |
| CMMC 2.0 Level 2 (Advanced) Readiness Posture | 7bfe573b-3069-4e81-98fe-9a4cffbcbc24 | |
| Dev-0270 WMIC Discovery | 6b652b4f-9810-4eec-9027-7aa88ce4db23 | SecurityEvents WindowsSecurityEvents MicrosoftThreatProtection |
| Excessive share permissions | aba0b08c-aace-40c5-a21d-39153023dcaa | SecurityEvents WindowsSecurityEvents |
| GSA - Detect Source IP Scanning Multiple Open Ports | 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1 | AzureActiveDirectory |
| GCP IAM - Privileges Enumeration | 52d88912-fa8b-4db2-b247-ee9225e41e8f | GCPIAMDataConnector |
| GCP IAM - Publicly exposed storage bucket | 4a433846-4b05-4a27-99d7-92093feded79 | GCPIAMDataConnector |
| GCP IAM - Service Account Enumeration | 50e0437e-912d-4cd0-ac19-fef0aebdd3d7 | GCPIAMDataConnector |
| GCP IAM - Service Account Keys Enumeration | 7ad3cfed-18c0-44af-9e9d-9fb5472a2321 | GCPIAMDataConnector |
| High bandwidth in the network (Microsoft Defender for IoT) | caa4665f-21fa-462d-bb31-92226e746c68 | IoT |
| Multiple scans in the network (Microsoft Defender for IoT) | 493916d5-a094-4bfa-bdd1-d983a063ea3d | IoT |
| Unauthorized device in the network (Microsoft Defender for IoT) | f4c71e55-6192-47ca-92e2-0856ae502a46 | IoT |
| Unauthorized DHCP configuration in the network (Microsoft Defender for IoT) | c52ec521-9188-4a9e-a4cd-34a3dfbc3d27 | IoT |
| Highly Sensitive Password Accessed | b39e6482-ab7e-4817-813d-ec910b64b26e | LastPass |
| Lookout - New Threat events found. | 7593cc60-e294-402d-9202-279fb3c7d55f | LookoutAPI |
| M2131_AssetStoppedLogging | 4be5b645-1d08-49e4-b58d-07294ff19223 | |
| M2131_DataConnectorAddedChangedRemoved | eeb11b6b-e626-4228-b74d-3e730dca8999 | |
| M2131_EventLogManagementPostureChanged_EL0 | 1f8fcca5-47ed-409d-a8fa-d49ef821feaf | |
| M2131_EventLogManagementPostureChanged_EL1 | 036ce0a8-a1ff-4731-a078-02b3207fa4f3 | |
| M2131_EventLogManagementPostureChanged_EL2 | e1bb07c4-066b-4069-9b8e-f5275c592b6d | |
| M2131_EventLogManagementPostureChanged_EL3 | 672bfd77-4542-4ef1-acf9-e006dcd70c51 | |
| M2131_LogRetentionLessThan1Year | 8178a514-1270-4e31-a1d9-aaafeb40122f | |
| M2131_RecommendedDatatableUnhealthy | c61b167a-59ae-42af-bc98-36c78c5acb5c | |
| M2131_RecommendedDatatableNotLogged_EL0 | b3e0bfd4-52d2-4684-9514-716035cdbff2 | |
| M2131_RecommendedDatatableNotLogged_EL1 | f9e0ae98-6828-4d5a-b596-7c4586bb14f6 | |
| M2131_RecommendedDatatableNotLogged_EL2 | 76326a24-1223-4066-88a3-3826e3768932 | |
| M2131_RecommendedDatatableNotLogged_EL3 | 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20 | |
| Dataverse - Honeypot instance activity | 11650b85-d8cc-49c4-8c04-a8a739635983 | Dataverse |
| Dataverse - Suspicious use of Web API | 8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86 | Dataverse AzureActiveDirectory |
| Dataverse - TI map IP to DataverseActivity | 56d5aa0c-d871-4167-ba13-61c2f0fd17bf | Dataverse ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| Detect Suspicious Commands Initiated by Webserver Processes | fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7 | MicrosoftThreatProtection |
| Qakbot Discovery Activies | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27 | MicrosoftThreatProtection |
| Cross-tenant Access Settings Organization Added | 757e6a79-6d23-4ae6-9845-4dac170656b5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Deleted | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | c895c5b9-0fc6-40ce-9830-e8818862f2d5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Direct Settings Changed | 276d5190-38de-4eb2-9933-b3b72f4a5737 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | 229f71ba-d83b-42a5-b83b-11a641049ed1 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Direct Settings Changed | 0101e08d-99cd-4a97-a9e0-27649c4369ad | AzureActiveDirectory |
| Guest accounts added in Entra ID Groups other than the ones specified | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 | AzureActiveDirectory |
| External guest invitation followed by Microsoft Entra ID PowerShell signin | acc4c247-aaf7-494b-b5da-17f18863878a | AzureActiveDirectory |
| Sensitive Data Discovered in the Last 24 Hours | 7ae7e8b0-07e9-43cb-b783-b04082f09060 | MicrosoftAzurePurview |
| Sensitive Data Discovered in the Last 24 Hours - Customized | 79f296d9-e6e4-45dc-9ca7-1770955435fa | MicrosoftAzurePurview |
| Mimecast Audit - Logon Authentication Failed | f00197ab-491f-41e7-9e22-a7003a4c1e54 | MimecastAuditAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2 | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 2ef77cef-439f-4d94-848f-3eca67510d2f | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Spam Event Thread | 0cda82c8-e8f0-4117-896e-a10f1b43e64a | MimecastSEGAPI |
| Mimecast Secure Email Gateway - URL Protect | 80f244cd-b0d6-404e-9aed-37f7a66eda9f | MimecastSEGAPI |
| Mimecast Targeted Threat Protection - Attachment Protect | 617a55be-a8d8-49c1-8687-d19a0231056f | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | c048fa06-0d50-4626-ae82-a6cea812d9c4 | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - URL Protect | 952faed4-c6a6-4873-aeb9-b348e9ce5aba | MimecastTTPAPI |
| Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Spam Event Thread | df1b9377-5c29-4928-872f-9934a6b4f611 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - URL Protect | ea19dae6-bbb3-4444-a1b8-8e9ae6064aab | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Attachment Protect | aa75944c-a663-4901-969e-7b55bfa49a73 | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - URL Protect | 9d5545bd-1450-4086-935c-62f15fc4a4c9 | MimecastTTPAPI |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity |
| Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 |
| NetClean ProActive Incidents | 77548170-5c60-42e5-bdac-b0360d0779bb | Netclean_ProActive_Incidents |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Network Port Sweep from External Network (ASIM Network Session schema) | cd8faa84-4464-4b4e-96dc-b22f50c27541 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Port scan detected (ASIM Network Session schema) | 1da9853f-3dea-4ea9-b7e5-26730da3d537 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| NIST SP 800-53 Posture Changed | dd834c97-4638-4bb3-a4e3-807e8b0580dc | |
| OCI - Discovery activity | 61f995d7-8038-4ff0-ad2b-eccfd18fcc8c | OracleCloudInfrastructureLogsConnector |
| OCI - Insecure metadata endpoint | 9c4b1b9c-6462-41ce-8f2e-ce8c104331fc | OracleCloudInfrastructureLogsConnector |
| OCI - Instance metadata access | a55b4bbe-a014-4ae9-a50d-441ba5e98b65 | OracleCloudInfrastructureLogsConnector |
| Palo Alto - possible internal to external port scanning | 5b72f527-e3f6-4a00-9908-8e4fee14da9f | CefAma |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CefAma |
| Radiflow - Network Scanning Detected | cde00cc5-5841-4aa9-96c5-dd836f9e3f26 | RadiflowIsid |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| BTP - Failed access attempts across multiple BAS subaccounts | 74b243a6-3046-48aa-8b03-e43b3c529cc1 | SAPBTPAuditEvents |
| Snowflake - Possible discovery activity | 09b8dfc7-87b0-4215-b34b-bab363d685cb | Snowflake |
| Snowflake - Multiple failed queries | 5f8a81d9-7d27-4ff5-a0ce-4285ee02c2c8 | Snowflake |
| Snowflake - Possible privileges discovery activity | 627a4ff1-036b-4375-a9f9-288d5e1d7d37 | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Port Scan Detected | 427e4c9e-8cf4-4094-a684-a2d060dbca38 | SyslogAma |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| vArmour AppController - SMB Realm Traversal | a36de6c3-3198-4d37-92ae-e19e36712c2e | vArmourAC vArmourACAma CefAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | CefAma |
| Alarming number of anomalies generated in NetBackup | 2e0efcd4-56d2-41df-9098-d6898a58c62b | |
| Multiple failed attempts of NetBackup login | d39f0c47-2e85-49b9-a686-388c2eb7062c | |
| Votiro - File Blocked from Connector | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 | Votiro CefAma |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access | a356c8bd-c81d-428b-aa36-83be706be034 | SecurityEvents WindowsSecurityEvents |
| Rare client observed with high reverse DNS lookup count | 15ae38a2-2e29-48f7-883f-863fb25a5a06 | DNS |
| ZeroTrust(TIC3.0) Control Assessment Posture Change | 4942992d-a4d3-44b0-9cf4-b5a23811d82d | |
| Probable AdFind Recon Tool Usage (Normalized Process Events) | 45076281-35ae-45e0-b443-c32aa0baf965 | |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
| Suspicious VM Instance Creation Activity Detected | 1cc0ba27-c5ca-411a-a779-fbc89e26be83 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity BehaviorAnalytics |
| Zoom E2E Encryption Disabled | e4779bdc-397a-4b71-be28-59e6a1e1d16b |