Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Discovery

Overview

Rule NameidRequired data connectors
API - Account Takeover25c86f99-0a91-4b7f-88f3-599a008e5ab842CrunchAPIProtection
API - Rate limitingc6258d51-7b82-4942-8293-94c1dcf9159542CrunchAPIProtection
API - Kiterunner detection421b38ec-4295-4aed-8299-c92e268ad66342CrunchAPIProtection
Monitor AWS Credential abuse or hijacking32555639-b639-4c2b-afda-c0ae0abefa55AWS
AWSS3
SSM document is publicly exposed75647b58-bcc8-4eb5-9658-46698d3fa153AWS
Probable AdFind Recon Tool Usagec63ae777-d5e0-4113-8c9a-c2c9d3d09fcdMicrosoftThreatProtection
Powershell Empire Cmdlets Executed in Command Lineef88eb96-861c-43a0-ab16-f3835a97c928SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Privileged Machines Exposed to the Internet72891de4-da70-44e4-9984-35fcea98d000Authomize
CloudNGFW By Palo Alto Networks - possible internal to external port scanning5b72f527-e3f6-4a00-9908-8e4fee14da9fCloudNgfwByPAN
CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses89a86f70-615f-4a79-9621-6f68c50f365fCloudNgfwByPAN
Port Scanb2c5907b-1040-4692-9802-9946031017e8AzureFirewall
Port Sweep720335f4-ee8c-4270-9424-d0859222168cAzureFirewall
Several deny actions registeredf8dad4e9-3f19-4d70-ab7f-8f19ccd43a3eAzureFirewall
AFD WAF - Path Traversal Attacka4d99328-e4e6-493d-b0d5-57e6f9ddae77WAF
App GW WAF - Path Traversal Attackb6c3a8a6-d22c-4882-9c57-abc01690938bWAF
App Gateway WAF - Scanner Detection9b8dd8fd-f192-42eb-84f6-541920400a7aWAF
Azure Security Benchmark Posture Changed0610e72f-ceaf-42d1-879e-952a1bd8d07a
Cisco ASA - average attack detection rate increase79f29feb-6a9d-4cdf-baaa-2daf480a5da1CiscoASA
Cisco ASA - threat detection message fired795edf2d-cf3e-45b5-8452-fe6c9e6a582eCiscoASA
Cisco Umbrella - Hack Tool User-Agent Detected8d537f3c-094f-430c-a588-8a87da36ee3aCiscoUmbrellaDataConnector
Claroty - Policy violation3b22ac47-e02c-4599-a37a-57f965de17beClaroty
ClarotyAma
CefAma
Claroty - Suspicious activity99ad9f3c-304c-44c5-a61f-3a17f8b58218Claroty
ClarotyAma
CefAma
Claroty - Suspicious file transfer5cf35bad-677f-4c23-8927-1611e7ff6f28Claroty
ClarotyAma
CefAma
Claroty - Treat detected731e5ac4-7fe1-4b06-9941-532f2e008bb3Claroty
ClarotyAma
CefAma
CDM_ContinuousDiagnostics&Mitigation_PostureChangedfd950af9-d9db-4879-a60a-7267cc041beb
CDM_ContinuousDiagnostics&Mitigation_Posturee15944a8-4172-4208-a928-631e01920d9c
CMMC 2.0 Level 1 (Foundational) Readiness Posturefb127436-e5c4-4e31-85a8-d3507128dd09
CMMC 2.0 Level 2 (Advanced) Readiness Posture7bfe573b-3069-4e81-98fe-9a4cffbcbc24
Dev-0270 WMIC Discovery6b652b4f-9810-4eec-9027-7aa88ce4db23SecurityEvents
WindowsSecurityEvents
MicrosoftThreatProtection
Excessive share permissionsaba0b08c-aace-40c5-a21d-39153023dcaaSecurityEvents
WindowsSecurityEvents
GSA - Detect Source IP Scanning Multiple Open Ports82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1AzureActiveDirectory
GCP IAM - Privileges Enumeration52d88912-fa8b-4db2-b247-ee9225e41e8fGCPIAMDataConnector
GCP IAM - Publicly exposed storage bucket4a433846-4b05-4a27-99d7-92093feded79GCPIAMDataConnector
GCP IAM - Service Account Enumeration50e0437e-912d-4cd0-ac19-fef0aebdd3d7GCPIAMDataConnector
GCP IAM - Service Account Keys Enumeration7ad3cfed-18c0-44af-9e9d-9fb5472a2321GCPIAMDataConnector
High bandwidth in the network (Microsoft Defender for IoT)caa4665f-21fa-462d-bb31-92226e746c68IoT
Multiple scans in the network (Microsoft Defender for IoT)493916d5-a094-4bfa-bdd1-d983a063ea3dIoT
Unauthorized device in the network (Microsoft Defender for IoT)f4c71e55-6192-47ca-92e2-0856ae502a46IoT
Unauthorized DHCP configuration in the network (Microsoft Defender for IoT)c52ec521-9188-4a9e-a4cd-34a3dfbc3d27IoT
Highly Sensitive Password Accessedb39e6482-ab7e-4817-813d-ec910b64b26eLastPass
Lookout - New Threat events found.7593cc60-e294-402d-9202-279fb3c7d55fLookoutAPI
M2131_AssetStoppedLogging4be5b645-1d08-49e4-b58d-07294ff19223
M2131_DataConnectorAddedChangedRemovedeeb11b6b-e626-4228-b74d-3e730dca8999
M2131_EventLogManagementPostureChanged_EL01f8fcca5-47ed-409d-a8fa-d49ef821feaf
M2131_EventLogManagementPostureChanged_EL1036ce0a8-a1ff-4731-a078-02b3207fa4f3
M2131_EventLogManagementPostureChanged_EL2e1bb07c4-066b-4069-9b8e-f5275c592b6d
M2131_EventLogManagementPostureChanged_EL3672bfd77-4542-4ef1-acf9-e006dcd70c51
M2131_LogRetentionLessThan1Year8178a514-1270-4e31-a1d9-aaafeb40122f
M2131_RecommendedDatatableUnhealthyc61b167a-59ae-42af-bc98-36c78c5acb5c
M2131_RecommendedDatatableNotLogged_EL0b3e0bfd4-52d2-4684-9514-716035cdbff2
M2131_RecommendedDatatableNotLogged_EL1f9e0ae98-6828-4d5a-b596-7c4586bb14f6
M2131_RecommendedDatatableNotLogged_EL276326a24-1223-4066-88a3-3826e3768932
M2131_RecommendedDatatableNotLogged_EL38b415f2d-44c1-4edb-8ca6-ddf7d2d28b20
Detect Suspicious Commands Initiated by Webserver Processesfa2f7d8a-6726-465a-aa72-6f6e3d4c99d7MicrosoftThreatProtection
Qakbot Discovery Activiesba9db6b2-3d05-42ae-8aee-3a15bbe29f27MicrosoftThreatProtection
Cross-tenant Access Settings Organization Added757e6a79-6d23-4ae6-9845-4dac170656b5AzureActiveDirectory
Cross-tenant Access Settings Organization Deletedeb8a9c1c-f532-4630-817c-1ecd8a60ed80AzureActiveDirectory
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changedc895c5b9-0fc6-40ce-9830-e8818862f2d5AzureActiveDirectory
Cross-tenant Access Settings Organization Inbound Direct Settings Changed276d5190-38de-4eb2-9933-b3b72f4a5737AzureActiveDirectory
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed229f71ba-d83b-42a5-b83b-11a641049ed1AzureActiveDirectory
Cross-tenant Access Settings Organization Outbound Direct Settings Changed0101e08d-99cd-4a97-a9e0-27649c4369adAzureActiveDirectory
Guest accounts added in Entra ID Groups other than the ones specified6ab1f7b2-61b8-442f-bc81-96afe7ad8c53AzureActiveDirectory
External guest invitation followed by Microsoft Entra ID PowerShell signinacc4c247-aaf7-494b-b5da-17f18863878aAzureActiveDirectory
Sensitive Data Discovered in the Last 24 Hours7ae7e8b0-07e9-43cb-b783-b04082f09060MicrosoftAzurePurview
Sensitive Data Discovered in the Last 24 Hours - Customized79f296d9-e6e4-45dc-9ca7-1770955435faMicrosoftAzurePurview
Mimecast Audit - Logon Authentication Failedf00197ab-491f-41e7-9e22-a7003a4c1e54MimecastAuditAPI
Mimecast Secure Email Gateway - Attachment Protect72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2MimecastSEGAPI
Mimecast Secure Email Gateway - Impersonation Protect2ef77cef-439f-4d94-848f-3eca67510d2fMimecastSEGAPI
Mimecast Secure Email Gateway - Spam Event Thread0cda82c8-e8f0-4117-896e-a10f1b43e64aMimecastSEGAPI
Mimecast Secure Email Gateway - URL Protect80f244cd-b0d6-404e-9aed-37f7a66eda9fMimecastSEGAPI
Mimecast Targeted Threat Protection - Attachment Protect617a55be-a8d8-49c1-8687-d19a0231056fMimecastTTPAPI
Mimecast Targeted Threat Protection - Impersonation Protectc048fa06-0d50-4626-ae82-a6cea812d9c4MimecastTTPAPI
Mimecast Targeted Threat Protection - URL Protect952faed4-c6a6-4873-aeb9-b348e9ce5abaMimecastTTPAPI
Mimecast Audit - Logon Authentication Failed9c5dcd76-9f6d-42a3-b984-314b52678f20MimecastAuditAPI
Mimecast Secure Email Gateway - Attachment Protect72264f4f-61fb-4f4f-96c4-635571a376c2MimecastSIEMAPI
Mimecast Secure Email Gateway - Impersonation Protect7034abc9-6b66-4533-9bf3-056672fd9d9eMimecastSIEMAPI
Mimecast Secure Email Gateway - Spam Event Threaddf1b9377-5c29-4928-872f-9934a6b4f611MimecastSIEMAPI
Mimecast Secure Email Gateway - URL Protectea19dae6-bbb3-4444-a1b8-8e9ae6064aabMimecastSIEMAPI
Mimecast Targeted Threat Protection - Attachment Protectaa75944c-a663-4901-969e-7b55bfa49a73MimecastTTPAPI
Mimecast Targeted Threat Protection - Impersonation Protectd8e7eca6-4b59-4069-a31e-a022b2a12ea4MimecastTTPAPI
Mimecast Targeted Threat Protection - URL Protect9d5545bd-1450-4086-935c-62f15fc4a4c9MimecastTTPAPI
Cross-Cloud Suspicious Compute resource creation in GCP5c847e47-0a07-4c01-ab99-5817ad6cb11eGCPAuditLogsDefinition
AWSS3
Cross-Cloud Suspicious user activity observed in GCP Envourment58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7GCPAuditLogsDefinition
AzureActiveDirectoryIdentityProtection
MicrosoftThreatProtection
MicrosoftDefenderAdvancedThreatProtection
MicrosoftCloudAppSecurity
Unauthorized user access across AWS and Azure60f31001-018a-42bf-8045-a92e1f361b7bAzureActiveDirectory
AWSS3
NetClean ProActive Incidents77548170-5c60-42e5-bdac-b0360d0779bbNetclean_ProActive_Incidents
Anomaly found in Network Session Traffic (ASIM Network Session schema)cd6def0d-3ef0-4d55-a7e3-faa96c46ba12AWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
Network Port Sweep from External Network (ASIM Network Session schema)cd8faa84-4464-4b4e-96dc-b22f50c27541AWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
Port scan detected (ASIM Network Session schema)1da9853f-3dea-4ea9-b7e5-26730da3d537AWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
NIST SP 800-53 Posture Changeddd834c97-4638-4bb3-a4e3-807e8b0580dc
OCI - Discovery activity61f995d7-8038-4ff0-ad2b-eccfd18fcc8cOracleCloudInfrastructureLogsConnector
OCI - Insecure metadata endpoint9c4b1b9c-6462-41ce-8f2e-ce8c104331fcOracleCloudInfrastructureLogsConnector
OCI - Instance metadata accessa55b4bbe-a014-4ae9-a50d-441ba5e98b65OracleCloudInfrastructureLogsConnector
Palo Alto - possible internal to external port scanning5b72f527-e3f6-4a00-9908-8e4fee14da9fPaloAltoNetworks
PaloAltoNetworksAma
CefAma
Palo Alto Threat signatures from Unusual IP addresses89a86f70-615f-4a79-9621-6f68c50f365fPaloAltoNetworks
PaloAltoNetworksAma
CefAma
Radiflow - Network Scanning Detectedcde00cc5-5841-4aa9-96c5-dd836f9e3f26RadiflowIsid
Red Canary Threat Detection6d263abb-6445-45cc-93e9-c593d3d77b89RedCanaryDataConnector
Snowflake - Possible discovery activity09b8dfc7-87b0-4215-b34b-bab363d685cbSnowflake
Snowflake - Multiple failed queries5f8a81d9-7d27-4ff5-a0ce-4285ee02c2c8Snowflake
Snowflake - Possible privileges discovery activity627a4ff1-036b-4375-a9f9-288d5e1d7d37Snowflake
SonicWall - Allowed SSH, Telnet, and RDP Connections27f1a570-5f20-496b-88f6-a9aa2c5c9534CEF
SonicWallFirewall
CefAma
New Sonrai Ticketbcc3362d-b6f9-4de0-b41c-707fafd5a416SonraiDataConnector
Sonrai Ticket Assigned37a8d052-a3db-4dc6-9dca-9390cac6f486SonraiDataConnector
Sonrai Ticket Closedf5d467de-b5a2-4b4f-96db-55e27c733594SonraiDataConnector
Sonrai Ticket Escalation Executed0d29c93e-b83f-4dfb-bbbb-76824b77eecaSonraiDataConnector
Sonrai Ticket Escalation Executed822fff15-ea68-4d0f-94ee-b4482ddb6f3aSonraiDataConnector
Sonrai Ticket Reopenedb60129ab-ce22-4b76-858d-3204932a13ccSonraiDataConnector
Sonrai Ticket Risk Accepted080191e8-271d-4ae6-85ce-c7bcd4b06b40SonraiDataConnector
Sonrai Ticket Snoozed10e6c454-5cad-4f86-81ce-800235cb050aSonraiDataConnector
Sonrai Ticket Updatedaf9b8eb1-a8ef-40aa-92a4-1fc73a1479c7SonraiDataConnector
Port Scan Detected427e4c9e-8cf4-4094-a684-a2d060dbca38SophosXGFirewall
SyslogAma
Theom Critical Risksbb9051ef-0e72-4758-a143-80c25ee452f0Theom
Theom High Risks74b80987-0a62-448c-8779-47b02e17d3cfTheom
Theom Insightsd200da84-0191-44ce-ad9e-b85e64c84c89Theom
Theom Low Riskscf7fb616-ac80-40ce-ad18-aa18912811f8Theom
Theom Medium Risks4cb34832-f73a-49f2-8d38-c2d135c5440bTheom
vArmour AppController - SMB Realm Traversala36de6c3-3198-4d37-92ae-e19e36712c2evArmourAC
vArmourACAma
CefAma
Vectra AI Detect - Suspected Compromised Account321f9dbd-64b7-4541-81dc-08cf7732ccb0AIVectraDetect
AIVectraDetectAma
CefAma
Vectra Account’s Behaviorsce54b5d3-4c31-4eaf-a73e-31412270b6abAIVectraDetect
AIVectraDetectAma
CefAma
Vectra AI Detect - Detections with High Severity39e48890-2c02-487e-aa9e-3ba494061798AIVectraDetect
AIVectraDetectAma
CefAma
Vectra AI Detect - Suspected Compromised Host60eb6cf0-3fa1-44c1-b1fe-220fbee23d63AIVectraDetect
AIVectraDetectAma
CefAma
Vectra Host’s Behaviors33e3b6da-2660-4cd7-9032-11be76db88d2AIVectraDetect
AIVectraDetectAma
CefAma
Vectra AI Detect - Suspicious Behaviors by Category6cb75f65-231f-46c4-a0b3-50ff21ee6ed3AIVectraDetect
AIVectraDetectAma
CefAma
Alarming number of anomalies generated in NetBackup2e0efcd4-56d2-41df-9098-d6898a58c62b
Multiple failed attempts of NetBackup logind39f0c47-2e85-49b9-a686-388c2eb7062c
Votiro - File Blocked from Connector17bf3780-ae0d-4cd9-a884-5df8b687f3f5Votiro
CefAma
Detect potential file enumeration activity (ASIM Web Session)b3731ce1-1f04-47c4-95c2-9827408c4375
Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Accessa356c8bd-c81d-428b-aa36-83be706be034SecurityEvents
WindowsSecurityEvents
Rare client observed with high reverse DNS lookup count15ae38a2-2e29-48f7-883f-863fb25a5a06DNS
ZeroTrust(TIC3.0) Control Assessment Posture Change4942992d-a4d3-44b0-9cf4-b5a23811d82d
Probable AdFind Recon Tool Usage (Normalized Process Events)45076281-35ae-45e0-b443-c32aa0baf965
A host is potentially running a hacking tool (ASIM Web Session schema)3f0c20d5-6228-48ef-92f3-9ff7822c1954SquidProxy
Zscaler
Suspicious VM Instance Creation Activity Detected1cc0ba27-c5ca-411a-a779-fbc89e26be83GCPAuditLogsDefinition
AzureActiveDirectoryIdentityProtection
MicrosoftThreatProtection
MicrosoftDefenderAdvancedThreatProtection
MicrosoftCloudAppSecurity
BehaviorAnalytics
Zoom E2E Encryption Disablede4779bdc-397a-4b71-be28-59e6a1e1d16b