Microsoft Sentinel Analytic Rules
Azure Sentinel Repo (cloudbrothers.info)

Discovery

Overview

| Rule Name | id | Required data connectors |
| --- | --- | --- |
| API - Account Takeover | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 | 42CrunchAPIProtection |
| API - Rate limiting | c6258d51-7b82-4942-8293-94c1dcf91595 | 42CrunchAPIProtection |
| API - Kiterunner detection | 421b38ec-4295-4aed-8299-c92e268ad663 | 42CrunchAPIProtection |
| Monitor AWS Credential abuse or hijacking | 32555639-b639-4c2b-afda-c0ae0abefa55 | AWS, AWSS3 |
| SSM document is publicly exposed | 75647b58-bcc8-4eb5-9658-46698d3fa153 | AWS |
| Probable AdFind Recon Tool Usage | c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd | MicrosoftThreatProtection |
| External guest invitation followed by Azure AD PowerShell signin | acc4c247-aaf7-494b-b5da-17f18863878a | AzureActiveDirectory |
| Port Scan | b2c5907b-1040-4692-9802-9946031017e8 | AzureFirewall |
| Port Sweep | 720335f4-ee8c-4270-9424-d0859222168c | AzureFirewall |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| Azure Security Benchmark Posture Changed | 0610e72f-ceaf-42d1-879e-952a1bd8d07a | |
| Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
| Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
| Claroty - Policy violation | 3b22ac47-e02c-4599-a37a-57f965de17be | Claroty |
| Claroty - Suspicious activity | 99ad9f3c-304c-44c5-a61f-3a17f8b58218 | Claroty |
| Claroty - Suspicious file transfer | 5cf35bad-677f-4c23-8927-1611e7ff6f28 | Claroty |
| Claroty - Treat detected | 731e5ac4-7fe1-4b06-9941-532f2e008bb3 | Claroty |
| CDM_ContinuousDiagnostics&Mitigation_PostureChanged | fd950af9-d9db-4879-a60a-7267cc041beb | |
| CDM_ContinuousDiagnostics&Mitigation_Posture | e15944a8-4172-4208-a928-631e01920d9c | |
| CMMC 2.0 Level 1 (Foundational) Readiness Posture | fb127436-e5c4-4e31-85a8-d3507128dd09 | |
| CMMC 2.0 Level 2 (Advanced) Readiness Posture | 7bfe573b-3069-4e81-98fe-9a4cffbcbc24 | |
| Dev-0270 WMIC Discovery | 6b652b4f-9810-4eec-9027-7aa88ce4db23 | SecurityEvents, MicrosoftThreatProtection |
| Excessive share permissions | aba0b08c-aace-40c5-a21d-39153023dcaa | SecurityEvents |
| GCP IAM - Privileges Enumeration | 52d88912-fa8b-4db2-b247-ee9225e41e8f | GCPIAMDataConnector |
| GCP IAM - Publicly exposed storage bucket | 4a433846-4b05-4a27-99d7-92093feded79 | GCPIAMDataConnector |
| GCP IAM - Service Account Enumeration | 50e0437e-912d-4cd0-ac19-fef0aebdd3d7 | GCPIAMDataConnector |
| GCP IAM - Service Account Keys Enumeration | 7ad3cfed-18c0-44af-9e9d-9fb5472a2321 | GCPIAMDataConnector |
| High bandwidth in the network (Microsoft Defender for IoT) | caa4665f-21fa-462d-bb31-92226e746c68 | IoT |
| Multiple scans in the network (Microsoft Defender for IoT) | 493916d5-a094-4bfa-bdd1-d983a063ea3d | IoT |
| Unauthorized device in the network (Microsoft Defender for IoT) | f4c71e55-6192-47ca-92e2-0856ae502a46 | IoT |
| Unauthorized DHCP configuration in the network (Microsoft Defender for IoT) | c52ec521-9188-4a9e-a4cd-34a3dfbc3d27 | IoT |
| Highly Sensitive Password Accessed | b39e6482-ab7e-4817-813d-ec910b64b26e | LastPass |
| Lookout - New Threat events found. | 7593cc60-e294-402d-9202-279fb3c7d55f | LookoutAPI |
| M2131_AssetStoppedLogging | 4be5b645-1d08-49e4-b58d-07294ff19223 | |
| M2131_DataConnectorAddedChangedRemoved | eeb11b6b-e626-4228-b74d-3e730dca8999 | |
| M2131_EventLogManagementPostureChanged_EL0 | 1f8fcca5-47ed-409d-a8fa-d49ef821feaf | |
| M2131_EventLogManagementPostureChanged_EL1 | 036ce0a8-a1ff-4731-a078-02b3207fa4f3 | |
| M2131_EventLogManagementPostureChanged_EL2 | e1bb07c4-066b-4069-9b8e-f5275c592b6d | |
| M2131_EventLogManagementPostureChanged_EL3 | 672bfd77-4542-4ef1-acf9-e006dcd70c51 | |
| M2131_LogRetentionLessThan1Year | 8178a514-1270-4e31-a1d9-aaafeb40122f | |
| M2131_RecommendedDatatableUnhealthy | c61b167a-59ae-42af-bc98-36c78c5acb5c | |
| M2131_RecommendedDatatableNotLogged_EL0 | b3e0bfd4-52d2-4684-9514-716035cdbff2 | |
| M2131_RecommendedDatatableNotLogged_EL1 | f9e0ae98-6828-4d5a-b596-7c4586bb14f6 | |
| M2131_RecommendedDatatableNotLogged_EL2 | 76326a24-1223-4066-88a3-3826e3768932 | |
| M2131_RecommendedDatatableNotLogged_EL3 | 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20 | |
| Sensitive Data Discovered in the Last 24 Hours | 7ae7e8b0-07e9-43cb-b783-b04082f09060 | MicrosoftAzurePurview |
| Sensitive Data Discovered in the Last 24 Hours - Customized | 79f296d9-e6e4-45dc-9ca7-1770955435fa | MicrosoftAzurePurview |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Network Port Sweep from External Network (ASIM Network Session schema) | fcb9d75c-c3c1-4910-8697-f136bfef2363 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Port scan detected (ASIM Network Session schema) | 1da9853f-3dea-4ea9-b7e5-26730da3d537 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| NIST SP 800-53 Posture Changed | dd834c97-4638-4bb3-a4e3-807e8b0580dc | |
| OCI - Discovery activity | 61f995d7-8038-4ff0-ad2b-eccfd18fcc8c | OracleCloudInfrastructureLogsConnector |
| OCI - Insecure metadata endpoint | 9c4b1b9c-6462-41ce-8f2e-ce8c104331fc | OracleCloudInfrastructureLogsConnector |
| OCI - Instance metadata access | a55b4bbe-a014-4ae9-a50d-441ba5e98b65 | OracleCloudInfrastructureLogsConnector |
| Palo Alto - possible internal to external port scanning | 5b72f527-e3f6-4a00-9908-8e4fee14da9f | PaloAltoNetworks |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | PaloAltoNetworks |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Snowflake - Possible discovery activity | 09b8dfc7-87b0-4215-b34b-bab363d685cb | Snowflake |
| Snowflake - Multiple failed queries | 5f8a81d9-7d27-4ff5-a0ce-4285ee02c2c8 | Snowflake |
| Snowflake - Possible privileges discovery activity | 627a4ff1-036b-4375-a9f9-288d5e1d7d37 | Snowflake |
| Port Scan Detected | 427e4c9e-8cf4-4094-a684-a2d060dbca38 | SophosXGFirewall |
| vArmour AppController - SMB Realm Traversal | a36de6c3-3198-4d37-92ae-e19e36712c2e | vArmourAC |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
| Vectra AI Detect - Suspicious Behaviors | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
| AAD Local Device Join Information and Transport Key Registry Keys Access | a356c8bd-c81d-428b-aa36-83be706be034 | SecurityEvents, WindowsSecurityEvents |
| Rare client observed with high reverse DNS lookup count | 15ae38a2-2e29-48f7-883f-863fb25a5a06 | DNS |
| ZeroTrust(TIC3.0) Control Assessment Posture Change | 4942992d-a4d3-44b0-9cf4-b5a23811d82d | |
| Probable AdFind Recon Tool Usage (Normalized Process Events) | 45076281-35ae-45e0-b443-c32aa0baf965 | |
| Cross-tenant Access Settings Organization Added | 757e6a79-6d23-4ae6-9845-4dac170656b5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Deleted | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | c895c5b9-0fc6-40ce-9830-e8818862f2d5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Direct Settings Changed | 276d5190-38de-4eb2-9933-b3b72f4a5737 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | 229f71ba-d83b-42a5-b83b-11a641049ed1 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Direct Settings Changed | 0101e08d-99cd-4a97-a9e0-27649c4369ad | AzureActiveDirectory |
| Guest accounts added in AAD Groups other than the ones specified | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 | AzureActiveDirectory |
| Zoom E2E Encryption Disabled | e4779bdc-397a-4b71-be28-59e6a1e1d16b | |