Discovery
| Rule Name | id | Required data connectors |
|---|---|---|
| API - Account Takeover | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 | 42CrunchAPIProtection |
| API - Rate limiting | c6258d51-7b82-4942-8293-94c1dcf91595 | 42CrunchAPIProtection |
| API - Kiterunner detection | 421b38ec-4295-4aed-8299-c92e268ad663 | 42CrunchAPIProtection |
| Monitor AWS Credential abuse or hijacking | 32555639-b639-4c2b-afda-c0ae0abefa55 | AWS AWSS3 |
| SSM document is publicly exposed | 75647b58-bcc8-4eb5-9658-46698d3fa153 | AWS |
| Probable AdFind Recon Tool Usage | c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd | MicrosoftThreatProtection |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Privileged Machines Exposed to the Internet | 72891de4-da70-44e4-9984-35fcea98d000 | Authomize |
| CloudNGFW By Palo Alto Networks - possible internal to external port scanning | 5b72f527-e3f6-4a00-9908-8e4fee14da9f | CloudNgfwByPAN |
| CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CloudNgfwByPAN |
| Port Scan | b2c5907b-1040-4692-9802-9946031017e8 | AzureFirewall |
| Port Sweep | 720335f4-ee8c-4270-9424-d0859222168c | AzureFirewall |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
| Azure Security Benchmark Posture Changed | 0610e72f-ceaf-42d1-879e-952a1bd8d07a | |
| Cisco SDWAN - IPS Event Threshold | dc3627c3-f9de-4f17-bfd3-ba99b64a0a67 | CiscoSDWAN |
| Cisco SDWAN - Maleware Events | cb14defd-3415-4420-a2e4-2dd0f3e07a86 | CiscoSDWAN |
| Cisco SDWAN - Monitor Critical IPs | a62a207e-62be-4a74-acab-4466d5b3854f | CiscoSDWAN |
| Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
| Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
| Claroty - Policy violation | 3b22ac47-e02c-4599-a37a-57f965de17be | Claroty ClarotyAma |
| Claroty - Suspicious activity | 99ad9f3c-304c-44c5-a61f-3a17f8b58218 | Claroty ClarotyAma |
| Claroty - Suspicious file transfer | 5cf35bad-677f-4c23-8927-1611e7ff6f28 | Claroty ClarotyAma |
| Claroty - Treat detected | 731e5ac4-7fe1-4b06-9941-532f2e008bb3 | Claroty ClarotyAma |
| CDM_ContinuousDiagnostics&Mitigation_PostureChanged | fd950af9-d9db-4879-a60a-7267cc041beb | |
| CDM_ContinuousDiagnostics&Mitigation_Posture | e15944a8-4172-4208-a928-631e01920d9c | |
| CMMC 2.0 Level 1 (Foundational) Readiness Posture | fb127436-e5c4-4e31-85a8-d3507128dd09 | |
| CMMC 2.0 Level 2 (Advanced) Readiness Posture | 7bfe573b-3069-4e81-98fe-9a4cffbcbc24 | |
| Dev-0270 WMIC Discovery | 6b652b4f-9810-4eec-9027-7aa88ce4db23 | SecurityEvents MicrosoftThreatProtection |
| Excessive share permissions | aba0b08c-aace-40c5-a21d-39153023dcaa | SecurityEvents |
| GCP IAM - Privileges Enumeration | 52d88912-fa8b-4db2-b247-ee9225e41e8f | GCPIAMDataConnector |
| GCP IAM - Publicly exposed storage bucket | 4a433846-4b05-4a27-99d7-92093feded79 | GCPIAMDataConnector |
| GCP IAM - Service Account Enumeration | 50e0437e-912d-4cd0-ac19-fef0aebdd3d7 | GCPIAMDataConnector |
| GCP IAM - Service Account Keys Enumeration | 7ad3cfed-18c0-44af-9e9d-9fb5472a2321 | GCPIAMDataConnector |
| High bandwidth in the network (Microsoft Defender for IoT) | caa4665f-21fa-462d-bb31-92226e746c68 | IoT |
| Multiple scans in the network (Microsoft Defender for IoT) | 493916d5-a094-4bfa-bdd1-d983a063ea3d | IoT |
| Unauthorized device in the network (Microsoft Defender for IoT) | f4c71e55-6192-47ca-92e2-0856ae502a46 | IoT |
| Unauthorized DHCP configuration in the network (Microsoft Defender for IoT) | c52ec521-9188-4a9e-a4cd-34a3dfbc3d27 | IoT |
| Highly Sensitive Password Accessed | b39e6482-ab7e-4817-813d-ec910b64b26e | LastPass |
| Lookout - New Threat events found. | 7593cc60-e294-402d-9202-279fb3c7d55f | LookoutAPI |
| M2131_AssetStoppedLogging | 4be5b645-1d08-49e4-b58d-07294ff19223 | |
| M2131_DataConnectorAddedChangedRemoved | eeb11b6b-e626-4228-b74d-3e730dca8999 | |
| M2131_EventLogManagementPostureChanged_EL0 | 1f8fcca5-47ed-409d-a8fa-d49ef821feaf | |
| M2131_EventLogManagementPostureChanged_EL1 | 036ce0a8-a1ff-4731-a078-02b3207fa4f3 | |
| M2131_EventLogManagementPostureChanged_EL2 | e1bb07c4-066b-4069-9b8e-f5275c592b6d | |
| M2131_EventLogManagementPostureChanged_EL3 | 672bfd77-4542-4ef1-acf9-e006dcd70c51 | |
| M2131_LogRetentionLessThan1Year | 8178a514-1270-4e31-a1d9-aaafeb40122f | |
| M2131_RecommendedDatatableUnhealthy | c61b167a-59ae-42af-bc98-36c78c5acb5c | |
| M2131_RecommendedDatatableNotLogged_EL0 | b3e0bfd4-52d2-4684-9514-716035cdbff2 | |
| M2131_RecommendedDatatableNotLogged_EL1 | f9e0ae98-6828-4d5a-b596-7c4586bb14f6 | |
| M2131_RecommendedDatatableNotLogged_EL2 | 76326a24-1223-4066-88a3-3826e3768932 | |
| M2131_RecommendedDatatableNotLogged_EL3 | 8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20 | |
| Detect Suspicious Commands Initiated by Webserver Processes | fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7 | MicrosoftThreatProtection |
| Qakbot Discovery Activies | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27 | MicrosoftThreatProtection |
| Cross-tenant Access Settings Organization Added | 757e6a79-6d23-4ae6-9845-4dac170656b5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Deleted | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | c895c5b9-0fc6-40ce-9830-e8818862f2d5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Direct Settings Changed | 276d5190-38de-4eb2-9933-b3b72f4a5737 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | 229f71ba-d83b-42a5-b83b-11a641049ed1 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Direct Settings Changed | 0101e08d-99cd-4a97-a9e0-27649c4369ad | AzureActiveDirectory |
| Guest accounts added in Entra ID Groups other than the ones specified | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 | AzureActiveDirectory |
| External guest invitation followed by Microsoft Entra ID PowerShell signin | acc4c247-aaf7-494b-b5da-17f18863878a | AzureActiveDirectory |
| Sensitive Data Discovered in the Last 24 Hours | 7ae7e8b0-07e9-43cb-b783-b04082f09060 | MicrosoftAzurePurview |
| Sensitive Data Discovered in the Last 24 Hours - Customized | 79f296d9-e6e4-45dc-9ca7-1770955435fa | MicrosoftAzurePurview |
| Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Spam Event Thread | df1b9377-5c29-4928-872f-9934a6b4f611 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - URL Protect | ea19dae6-bbb3-4444-a1b8-8e9ae6064aab | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Attachment Protect | aa75944c-a663-4901-969e-7b55bfa49a73 | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - URL Protect | 9d5545bd-1450-4086-935c-62f15fc4a4c9 | MimecastTTPAPI |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity |
| Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 |
| NetClean ProActive Incidents | 77548170-5c60-42e5-bdac-b0360d0779bb | Netclean_ProActive_Incidents |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Network Port Sweep from External Network (ASIM Network Session schema) | cd8faa84-4464-4b4e-96dc-b22f50c27541 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Port scan detected (ASIM Network Session schema) | 1da9853f-3dea-4ea9-b7e5-26730da3d537 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| NIST SP 800-53 Posture Changed | dd834c97-4638-4bb3-a4e3-807e8b0580dc | |
| OCI - Discovery activity | 61f995d7-8038-4ff0-ad2b-eccfd18fcc8c | OracleCloudInfrastructureLogsConnector |
| OCI - Insecure metadata endpoint | 9c4b1b9c-6462-41ce-8f2e-ce8c104331fc | OracleCloudInfrastructureLogsConnector |
| OCI - Instance metadata access | a55b4bbe-a014-4ae9-a50d-441ba5e98b65 | OracleCloudInfrastructureLogsConnector |
| Palo Alto - possible internal to external port scanning | 5b72f527-e3f6-4a00-9908-8e4fee14da9f | PaloAltoNetworks PaloAltoNetworksAma |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | PaloAltoNetworks PaloAltoNetworksAma |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Snowflake - Possible discovery activity | 09b8dfc7-87b0-4215-b34b-bab363d685cb | Snowflake |
| Snowflake - Multiple failed queries | 5f8a81d9-7d27-4ff5-a0ce-4285ee02c2c8 | Snowflake |
| Snowflake - Possible privileges discovery activity | 627a4ff1-036b-4375-a9f9-288d5e1d7d37 | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall |
| Port Scan Detected | 427e4c9e-8cf4-4094-a684-a2d060dbca38 | SophosXGFirewall |
| vArmour AppController - SMB Realm Traversal | a36de6c3-3198-4d37-92ae-e19e36712c2e | vArmourAC vArmourACAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect AIVectraDetectAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect AIVectraDetectAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect AIVectraDetectAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect AIVectraDetectAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect AIVectraDetectAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect AIVectraDetectAma |
| Alarming number of anomalies generated in NetBackup | 2e0efcd4-56d2-41df-9098-d6898a58c62b | |
| Multiple failed attempts of NetBackup login | d39f0c47-2e85-49b9-a686-388c2eb7062c | |
| Votiro - File Blocked from Connector | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 | Votiro |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access | a356c8bd-c81d-428b-aa36-83be706be034 | SecurityEvents WindowsSecurityEvents |
| Rare client observed with high reverse DNS lookup count | 15ae38a2-2e29-48f7-883f-863fb25a5a06 | DNS |
| ZeroTrust(TIC3.0) Control Assessment Posture Change | 4942992d-a4d3-44b0-9cf4-b5a23811d82d | |
| Probable AdFind Recon Tool Usage (Normalized Process Events) | 45076281-35ae-45e0-b443-c32aa0baf965 | |
| Suspicious VM Instance Creation Activity Detected | 1cc0ba27-c5ca-411a-a779-fbc89e26be83 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity BehaviorAnalytics |
| Zoom E2E Encryption Disabled | e4779bdc-397a-4b71-be28-59e6a1e1d16b |