Execution
| Rule Name | id | Required data connectors |
|---|---|---|
| Successful API executed from a Tor exit node | 0adab960-5565-4978-ba6d-044553e4acc4 | AWS |
| ECR image scan findings high or critical | f6928301-56da-4d2c-aabe-e1a552bc8892 | AWS |
| Suspicious command sent to EC2 | 21702832-aff3-4bd6-a8e1-663b6818503d | AWS |
| Vulnerable Machines related to log4j CVE-2021-44228 | 3d71fc38-f249-454e-8479-0a358382ef9a | |
| Powershell Empire cmdlets seen in command line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| New CloudShell User | 6d7214d9-4a28-44df-aafb-0910b9e6ae3e | AzureActivity |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
| Front Door Premium WAF - XSS Detection | b7643904-5081-4920-917e-a559ddc3448f | WAF |
| Azure DevOps Pipeline modified by a new user. | 155e9134-d5ad-4a6f-88f3-99c220040b66 | |
| Azure DevOps Personal Access Token (PAT) misuse | ac891683-53c3-4f86-86b4-c361708e2b2b | |
| Azure DevOps Pipeline Created and Deleted on the Same Day | 17f23fbe-bb73-4324-8ecf-a18545a5dc26 | |
| New Agent Added to Pool by New User or Added to a New OS Type. | 4ce177b3-56b1-4f0e-b83e-27eed4cb0b16 | |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE |
| Cisco SE High Events Last Hour | 4683ebce-07ad-4089-89e3-39d8fe83c011 | CiscoSecureEndpoint |
| Cisco SE - Dropper activity on host | b6df3e11-de70-4779-ac9a-276c454a9025 | CiscoSecureEndpoint |
| Cisco SE - Generic IOC | bccdbc39-31d3-4e2b-9df2-e4c9eecba825 | CiscoSecureEndpoint |
| Cisco SE - Malware execusion on host | aea4468e-6322-48b6-bd83-f9d300cce855 | CiscoSecureEndpoint |
| CyberArkEPM - Attack attempt not blocked | 8e8978a2-9188-4187-8909-5ea00507bf16 | CyberArkEPM |
| CyberArkEPM - Multiple attack types | c02f96b4-057b-4e63-87af-6376ef7a081b | CyberArkEPM |
| CyberArkEPM - Uncommon Windows process started from System folder | 16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43 | CyberArkEPM |
| CyberArkEPM - Possible execution of Powershell Empire | eddfd1fd-71df-4cc3-b050-287643bee398 | CyberArkEPM |
| CyberArkEPM - Process started from different locations | 0d4e62da-0a64-4532-b93e-28cd2940c300 | CyberArkEPM |
| CyberArkEPM - Uncommon process Internet access | 9d0d44ab-54dc-472a-9931-53521e888932 | CyberArkEPM |
| CyberArkEPM - Renamed Windows binary | 9281b7cc-8f05-45a9-bf10-17fb29492a84 | CyberArkEPM |
| CyberArkEPM - Unexpected executable extension | 911d5b75-a1ce-4f13-a839-9c2474768696 | CyberArkEPM |
| CyberArkEPM - Unexpected executable location | c1fcbbd7-74f8-4f32-8116-0a533ebd3878 | CyberArkEPM |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Base64 encoded Windows process command-lines | ca67c83e-7fff-4127-a3e3-1af66d6d4cad | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Process executed from binary hidden in Base64 encoded file | d6190dde-8fd2-456a-ac5b-0a32400b0464 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Windows Binaries Executed from Non-Default Directory | 15049017-527f-4d3b-b011-b0e99e68ef45 | SecurityEvents |
| Windows Binaries Lolbins Renamed | cbf6ad48-fa5c-4bf7-b205-28dbadb91255 | SecurityEvents |
| Execution of File with One Character in the Name | 299472c4-8382-4c5b-82d9-718cda193393 | SecurityEvents |
| Scheduled Task Creation or Update from User Writable Directory | 0b827a49-427e-4721-b05e-b151a8af524e | SecurityEvents |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
| Threats detected by ESET | 64badfab-1dd8-4491-927b-3ca206fa9a17 | ESETPROTECT |
| Detect .NET runtime being loaded in JScript for code execution | 9f921513-65f3-48a2-ae7d-326c5901c55e | MicrosoftThreatProtection |
| Suspicious Process Injection from Office application | a4d8e681-6f30-440a-a2f3-c312bc1389d0 | MicrosoftThreatProtection |
| Suspicious named pipes | ddf7c669-db26-4215-acaf-11e2953a04e6 | MicrosoftThreatProtection |
| PLC unsecure key state (Microsoft Defender for IoT) | f9df500a-e2a4-4104-a517-dc1d85bb654f | IoT |
| KNOTWEED AV Detection | 9f9c1e51-4fb1-4510-a675-c7c2fb32f47e | MicrosoftThreatProtection SecurityEvents |
| KNOTWEED File Hashes July 2022 | a779e2d5-9109-4f0a-a75e-f3d4f3c58560 | MicrosoftThreatProtection SecurityEvents WindowsFirewall |
| MSHTML vulnerability CVE-2021-40444 attack | 972c89fa-c969-4d12-932f-04d55d145299 | SecurityEvents MicrosoftThreatProtection |
| NOBELIUM - Domain, Hash and IP IOCs - May 2021 | 677da133-e487-4108-a150-5b926591a92b | AWSS3 WindowsForwardedEvents SquidProxy MicrosoftSysmonForLinux DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Known ZINC Comebacker and Klackring malware hashes | 09551db0-e147-4a0c-9e7b-918f88847605 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks SecurityEvents MicrosoftThreatProtection AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight WindowsForwardedEvents |
| SUNBURST and SUPERNOVA backdoor hashes | a3c144f9-8051-47d4-ac29-ffb0c312c910 | MicrosoftThreatProtection |
| SUNBURST network beacons | ce1e7025-866c-41f3-9b08-ec170e05e73e | MicrosoftThreatProtection |
| TEARDROP memory-only dropper | 738702fd-0a66-42c7-8586-e30f0583f8fe | MicrosoftThreatProtection |
| SUNBURST suspicious SolarWinds child processes | 4a3073ac-7383-48a9-90a8-eb6716183a54 | MicrosoftThreatProtection |
| Insider Risk_High User Security Alert Correlations | a4fb4255-f55b-4c24-b396-976ee075d406 | MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity OfficeATP |
| Insider Risk_High User Security Incidents Correlation | 28a75d10-9b75-4192-9863-e452c3ad24db | MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity OfficeATP |
| Insider Risk_Microsoft Purview Insider Risk Management Alert Observed | 69660e65-0e5c-4700-8b99-5caf59786606 | OfficeATP |
| Insider Risk_Risky User Access By Application | 15386bba-dc70-463f-a09f-d392e7731c63 | AzureActiveDirectory |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by static threshold (ASIM Network Session schema) | 156997bd-da0f-4729-b47a-0a3e02dd50c8 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Network endpoint to host executable correlation | 01f64465-b1ef-41ea-a7f5-31553a11ad43 | TrendMicro SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| New UserAgent observed in last 24 hours | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 | AWS Office365 AzureMonitor(IIS) |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Malware Detected | 072ee087-17e1-474d-b162-bbe38bcab9f9 | SymantecEndpointProtection |
| ApexOne - Suspicious commandline arguments | 4d7199b2-67b8-11ec-90d6-0242ac120003 | TrendMicroApexOne |
| Known Malware Detected | 9f86885f-f31f-4e66-a39d-352771ee789e | VMwareCarbonBlack |
| New EXE deployed via Default Domain or Default Domain Controller Policies | 05b4bccd-dd12-423d-8de4-5a6fb526bb4f | SecurityEvents WindowsSecurityEvents |
| NRT Base64 encoded Windows process command-lines | c3e5dbaa-a540-408c-8b36-68bdfb3df088 | SecurityEvents WindowsSecurityEvents |
| NRT Process executed from binary hidden in Base64 encoded file | 7ad4c32b-d0d2-411c-a0e8-b557afa12fce | SecurityEvents WindowsSecurityEvents |
| Process execution frequency anomaly | 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8 | SecurityEvents WindowsSecurityEvents |
| Service installation from user writable directory | 5a9ccb48-1316-46e1-89d1-aca0355c305e | SecurityEvents WindowsSecurityEvents |
| SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) | bc5ffe2a-84d6-48fe-bc7b-1055100469bc | |
| Dev-0228 File Path Hashes November 2021 (ASIM Version) | 29a29e5d-354e-4f5e-8321-8b39d25047bf | |
| Base64 encoded Windows process command-lines (Normalized Process Events) | f8b3c49c-4087-499b-920f-0dcfaff0cbca | |
| SUNBURST suspicious SolarWinds child processes (Normalized Process Events) | 631d02df-ab51-46c1-8d72-32d0cfec0720 | |
| New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) | 0dd2a343-4bf9-4c93-a547-adf3658ddaec | SecurityEvents |
| Azure VM Run Command operations executing a unique PowerShell script | 5239248b-abfb-4c6a-8177-b104ade5db56 | AzureActivity MicrosoftThreatProtection |
| Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF |
| Application Gateway WAF - XSS Detection | d2bc08fa-030a-4eea-931a-762d27c6a042 | WAF |
| PE file dropped in Color Profile Folder | f68a5046-b7eb-4f69-9519-1e99708bb9e0 | MicrosoftThreatProtection |
| SUNBURST suspicious SolarWinds child processes | 4a3073ac-7383-48a9-90a8-eb6716183a54 | MicrosoftThreatProtection |
| Audit policy manipulation using auditpol utility | 66276b14-32c5-4226-88e3-080dacc31ce1 | SecurityEvents MicrosoftThreatProtection |
| Dev-0228 File Path Hashes November 2021 | 3b443f22-9be9-4c35-ac70-a94757748439 | MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection |
| Exchange Worker Process Making Remote Call | 2c701f94-783c-4cd4-bc9b-3b3334976090 | AzureMonitor(IIS) MicrosoftThreatProtection |
| Malformed user agent | a357535e-f722-4afe-b375-cff362b2b376 | WAF Office365 AzureActiveDirectory AWS AzureMonitor(IIS) |
| Prestige ransomware IOCs Oct 2022 | bca9c877-2afc-4246-a26d-087ab1cdcd5f | MicrosoftThreatProtection SecurityEvents |
| NOBELIUM - Script payload stored in Registry | 00cb180c-08a8-4e55-a276-63fb1442d5b5 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Vulnerable Machines related to OMIGOD CVE-2021-38647 | 4d94d4a9-dc96-450a-9dea-4d4d4594199b |