Execution
Rule Name | id | Required data connectors |
---|---|---|
Successful API executed from a Tor exit node | 0adab960-5565-4978-ba6d-044553e4acc4 | AWS |
ECR image scan findings high or critical | f6928301-56da-4d2c-aabe-e1a552bc8892 | AWS |
Suspicious command sent to EC2 | 21702832-aff3-4bd6-a8e1-663b6818503d | AWS |
Vulnerable Machines related to log4j CVE-2021-44228 | 3d71fc38-f249-454e-8479-0a358382ef9a | |
Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
New CloudShell User | 6d7214d9-4a28-44df-aafb-0910b9e6ae3e | AzureActivity |
Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
Front Door Premium WAF - XSS Detection | b7643904-5081-4920-917e-a559ddc3448f | WAF |
AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF |
AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF |
App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
App Gateway WAF - SQLi Detection | bdb2cd63-99f2-472e-b1b9-acba473b6744 | WAF |
App Gateway WAF - XSS Detection | 1c7ff502-2ad4-4970-9d29-9210c6753138 | WAF |
Azure DevOps Pipeline modified by a new user | 155e9134-d5ad-4a6f-88f3-99c220040b66 | |
Azure DevOps Personal Access Token (PAT) misuse | ac891683-53c3-4f86-86b4-c361708e2b2b | |
Azure DevOps Pipeline Created and Deleted on the Same Day | 17f23fbe-bb73-4324-8ecf-a18545a5dc26 | |
New Agent Added to Pool by New User or Added to a New OS Type | 4ce177b3-56b1-4f0e-b83e-27eed4cb0b16 | |
BitSight - compromised systems detected | d68b758a-b117-4cb8-8e1d-dcab5a4a2f21 | BitSight |
BitSight - diligence risk category detected | 161ed3ac-b242-4b13-8c6b-58716e5e9972 | BitSight |
CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE SyslogAma |
CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE SyslogAma |
Cisco SE High Events Last Hour | 4683ebce-07ad-4089-89e3-39d8fe83c011 | CiscoSecureEndpoint |
Cisco SE - Dropper activity on host | b6df3e11-de70-4779-ac9a-276c454a9025 | CiscoSecureEndpoint |
Cisco SE - Generic IOC | bccdbc39-31d3-4e2b-9df2-e4c9eecba825 | CiscoSecureEndpoint |
Cisco SE - Malware execution on host | aea4468e-6322-48b6-bd83-f9d300cce855 | CiscoSecureEndpoint |
Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
Cisco Umbrella - Windows PowerShell User-Agent Detected | b12b3dab-d973-45af-b07e-e29bb34d8db9 | CiscoUmbrellaDataConnector |
CyberArkEPM - Attack attempt not blocked | 8e8978a2-9188-4187-8909-5ea00507bf16 | CyberArkEPM |
CyberArkEPM - Multiple attack types | c02f96b4-057b-4e63-87af-6376ef7a081b | CyberArkEPM |
CyberArkEPM - Uncommon Windows process started from System folder | 16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43 | CyberArkEPM |
CyberArkEPM - Possible execution of Powershell Empire | eddfd1fd-71df-4cc3-b050-287643bee398 | CyberArkEPM |
CyberArkEPM - Process started from different locations | 0d4e62da-0a64-4532-b93e-28cd2940c300 | CyberArkEPM |
CyberArkEPM - Uncommon process Internet access | 9d0d44ab-54dc-472a-9931-53521e888932 | CyberArkEPM |
CyberArkEPM - Renamed Windows binary | 9281b7cc-8f05-45a9-bf10-17fb29492a84 | CyberArkEPM |
CyberArkEPM - Unexpected executable extension | 911d5b75-a1ce-4f13-a839-9c2474768696 | CyberArkEPM |
CyberArkEPM - Unexpected executable location | c1fcbbd7-74f8-4f32-8116-0a533ebd3878 | CyberArkEPM |
Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
Egress Defend - Dangerous Link Click | a896123e-03a5-4a4d-a7e3-fd814846dfb2 | EgressDefend |
Base64 encoded Windows process command-lines | ca67c83e-7fff-4127-a3e3-1af66d6d4cad | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Process executed from binary hidden in Base64 encoded file | d6190dde-8fd2-456a-ac5b-0a32400b0464 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Suspicious Powershell Commandlet Executed | b5153fb3-ada9-4ce4-9131-79c771efb50d | MicrosoftThreatProtection |
Windows Binaries Executed from Non-Default Directory | 15049017-527f-4d3b-b011-b0e99e68ef45 | SecurityEvents WindowsSecurityEvents |
Windows Binaries Lolbins Renamed | cbf6ad48-fa5c-4bf7-b205-28dbadb91255 | SecurityEvents WindowsSecurityEvents |
Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
Threats detected by ESET | 64badfab-1dd8-4491-927b-3ca206fa9a17 | ESETPROTECT SyslogAma |
Detect .NET runtime being loaded in JScript for code execution | 9f921513-65f3-48a2-ae7d-326c5901c55e | MicrosoftThreatProtection |
Suspicious Process Injection from Office application | a4d8e681-6f30-440a-a2f3-c312bc1389d0 | MicrosoftThreatProtection |
Suspicious named pipes | ddf7c669-db26-4215-acaf-11e2953a04e6 | MicrosoftThreatProtection |
GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | |
GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity | 49a4f65a-fe18-408e-afec-042fde93d3ce | AzureActiveDirectory |
PLC unsecure key state (Microsoft Defender for IoT) | f9df500a-e2a4-4104-a517-dc1d85bb654f | IoT |
[Deprecated] - Denim Tsunami AV Detection | 9f9c1e51-4fb1-4510-a675-c7c2fb32f47e | MicrosoftThreatProtection SecurityEvents |
[Deprecated] - Denim Tsunami File Hashes July 2022 | a779e2d5-9109-4f0a-a75e-f3d4f3c58560 | MicrosoftThreatProtection SecurityEvents WindowsFirewall |
[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes | 09551db0-e147-4a0c-9e7b-918f88847605 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight WindowsForwardedEvents |
[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021 | 677da133-e487-4108-a150-5b926591a92b | AWSS3 WindowsForwardedEvents SquidProxy MicrosoftSysmonForLinux DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack | 972c89fa-c969-4d12-932f-04d55d145299 | SecurityEvents MicrosoftThreatProtection |
Process Creation with Suspicious CommandLine Arguments | fdbcc0eb-44fb-467e-a51d-a91df0780a81 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
Deimos Component Execution | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b | MicrosoftThreatProtection |
Java Executing cmd to run Powershell | 2c81c0a0-9823-4a14-b21a-2b4acd3335d2 | MicrosoftThreatProtection |
Doppelpaymer Stop Services | 5bdc1504-880c-4b30-a39c-7c746535928d | MicrosoftThreatProtection |
Detect Suspicious Commands Initiated by Webserver Processes | fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7 | MicrosoftThreatProtection |
Office Apps Launching Wscript | 174de33b-107b-4cd8-a85d-b4025a35453f | MicrosoftThreatProtection |
Potential Ransomware activity related to Cobalt Strike | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d | MicrosoftThreatProtection |
Qakbot Discovery Activities | ba9db6b2-3d05-42ae-8aee-3a15bbe29f27 | MicrosoftThreatProtection |
Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 | 26e81021-2de6-4442-a74a-a77885e96911 | MicrosoftThreatProtection |
SUNBURST and SUPERNOVA backdoor hashes | a3c144f9-8051-47d4-ac29-ffb0c312c910 | MicrosoftThreatProtection |
SUNBURST network beacons | ce1e7025-866c-41f3-9b08-ec170e05e73e | MicrosoftThreatProtection |
TEARDROP memory-only dropper | 738702fd-0a66-42c7-8586-e30f0583f8fe | MicrosoftThreatProtection |
Insider Risk_High User Security Alert Correlations | a4fb4255-f55b-4c24-b396-976ee075d406 | MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity OfficeATP |
Insider Risk_High User Security Incidents Correlation | 28a75d10-9b75-4192-9863-e452c3ad24db | MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity OfficeATP |
Insider Risk_Microsoft Purview Insider Risk Management Alert Observed | 69660e65-0e5c-4700-8b99-5caf59786606 | OfficeATP |
Insider Risk_Risky User Access By Application | 15386bba-dc70-463f-a09f-d392e7731c63 | AzureActiveDirectory |
Mimecast Secure Email Gateway - Attachment Protect | 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2 | MimecastSEGAPI |
Mimecast Secure Email Gateway - AV | 33bf0cc9-e568-42bf-9571-c22adf7be66d | MimecastSEGAPI |
Mimecast Secure Email Gateway - URL Protect | 80f244cd-b0d6-404e-9aed-37f7a66eda9f | MimecastSEGAPI |
Mimecast Secure Email Gateway - Virus | d78d7352-fa5a-47d4-b48f-cb2c3252c0eb | MimecastSEGAPI |
Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
Mimecast Secure Email Gateway - AV | 0f0dc725-29dc-48c3-bf10-bd2f34fd1cbb | MimecastSIEMAPI |
Mimecast Secure Email Gateway - URL Protect | ea19dae6-bbb3-4444-a1b8-8e9ae6064aab | MimecastSIEMAPI |
Mimecast Secure Email Gateway - Virus | 30f73baa-602c-4373-8f02-04ff5e51fc7f | MimecastSIEMAPI |
Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
Cross-Cloud Suspicious user activity observed in GCP Environment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity |
Netskope - WebTransaction Error Detection | 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f | NetskopeDataConnector |
Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
Detect port misuse by static threshold (ASIM Network Session schema) | 156997bd-da0f-4729-b47a-0a3e02dd50c8 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
Network endpoint to host executable correlation | 01f64465-b1ef-41ea-a7f5-31553a11ad43 | TrendMicro SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
New UserAgent observed in last 24 hours | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 | AWS Office365 AzureMonitor(IIS) |
Microsoft COVID-19 file hash indicator matches | 2be4ef67-a93f-4d8a-981a-88158cb73abd | CefAma |
External Fabric Module XFM1 is unhealthy | a8130dcc-3617-41c0-a7ac-5f352bcfffaf | |
Pure Controller Failed | c317b007-84e7-4449-93f4-4444f6638fd0 | |
Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
Radiflow - Policy Violation Detected | a3f4cc3e-2403-4570-8d21-1dedd5632958 | RadiflowIsid |
Radiflow - Unauthorized Command in Operational Device | 4d90d485-6d47-417e-80ea-9cf956c1a671 | RadiflowIsid |
RecordedFuture Threat Hunting Hash All Actors | 6db6a8e6-2959-440b-ba57-a505875fcb37 | ThreatIntelligenceUploadIndicatorsAPI |
Detection of Malicious URLs in Syslog Events | 9acb3664-72c4-4676-80fa-9f81912e347e | Syslog SyslogAma |
Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
Critical Risks | 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60 | RidgeBotDataConnector CefAma |
Vulnerabilities | d096643d-6789-4c74-8893-dd3fc8a94069 | RidgeBotDataConnector CefAma |
SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
SonicWall - Capture ATP Malicious File Detection | 3db9f99e-a459-41e0-8e02-8b332f5fcb2c | CEF SonicWallFirewall CefAma |
New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
Malware Detected | 072ee087-17e1-474d-b162-bbe38bcab9f9 | SymantecEndpointProtection SyslogAma |
ApexOne - Suspicious commandline arguments | 4d7199b2-67b8-11ec-90d6-0242ac120003 | CefAma |
Known Malware Detected | 9f86885f-f31f-4e66-a39d-352771ee789e | VMwareCarbonBlack |
Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) | 7bb55d05-ef39-4a40-8079-0bc3c05e7881 | |
Detect web requests to potentially harmful files (ASIM Web Session) | c6608467-3678-45fe-b038-b590ce6d00fb | |
New EXE deployed via Default Domain or Default Domain Controller Policies | 05b4bccd-dd12-423d-8de4-5a6fb526bb4f | SecurityEvents WindowsSecurityEvents |
NRT Base64 Encoded Windows Process Command-lines | c3e5dbaa-a540-408c-8b36-68bdfb3df088 | SecurityEvents WindowsSecurityEvents |
NRT Process executed from binary hidden in Base64 encoded file | 7ad4c32b-d0d2-411c-a0e8-b557afa12fce | SecurityEvents WindowsSecurityEvents |
Process Execution Frequency Anomaly | 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 | SecurityEvents WindowsSecurityEvents |
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) | bc5ffe2a-84d6-48fe-bc7b-1055100469bc | |
Dev-0228 File Path Hashes November 2021 (ASIM Version) | 29a29e5d-354e-4f5e-8321-8b39d25047bf | |
Base64 encoded Windows process command-lines (Normalized Process Events) | f8b3c49c-4087-499b-920f-0dcfaff0cbca | |
SUNBURST suspicious SolarWinds child processes (Normalized Process Events) | 631d02df-ab51-46c1-8d72-32d0cfec0720 | |
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) | 0dd2a343-4bf9-4c93-a547-adf3658ddaec | SecurityEvents |
A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) | 42436753-9944-4d70-801c-daaa4d19ddd2 | SquidProxy Zscaler |
Azure VM Run Command operations executing a unique PowerShell script | 5239248b-abfb-4c6a-8177-b104ade5db56 | AzureActivity MicrosoftThreatProtection |
Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF |
Application Gateway WAF - XSS Detection | d2bc08fa-030a-4eea-931a-762d27c6a042 | WAF |
PE file dropped in Color Profile Folder | f68a5046-b7eb-4f69-9519-1e99708bb9e0 | MicrosoftThreatProtection |
SUNBURST suspicious SolarWinds child processes | 4a3073ac-7383-48a9-90a8-eb6716183a54 | MicrosoftThreatProtection |
Audit policy manipulation using auditpol utility | 66276b14-32c5-4226-88e3-080dacc31ce1 | SecurityEvents MicrosoftThreatProtection |
Dev-0228 File Path Hashes November 2021 | 3b443f22-9be9-4c35-ac70-a94757748439 | MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection |
Exchange Worker Process Making Remote Call | 2c701f94-783c-4cd4-bc9b-3b3334976090 | AzureMonitor(IIS) MicrosoftThreatProtection |
Malformed user agent | a357535e-f722-4afe-b375-cff362b2b376 | WAF Office365 AzureActiveDirectory AWS AzureMonitor(IIS) |
Prestige ransomware IOCs Oct 2022 | bca9c877-2afc-4246-a26d-087ab1cdcd5f | MicrosoftThreatProtection SecurityEvents |
Suspicious VM Instance Creation Activity Detected | 1cc0ba27-c5ca-411a-a779-fbc89e26be83 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity BehaviorAnalytics |
Midnight Blizzard - Script payload stored in Registry | 00cb180c-08a8-4e55-a276-63fb1442d5b5 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Vulnerable Machines related to OMIGOD CVE-2021-38647 | 4d94d4a9-dc96-450a-9dea-4d4d4594199b | |