Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Tactics
  4. /
  5. Execution

Execution

Overview

Rule NameidRequired data connectors
Successful API executed from a Tor exit node0adab960-5565-4978-ba6d-044553e4acc4AWS
ECR image scan findings high or criticalf6928301-56da-4d2c-aabe-e1a552bc8892AWS
Suspicious command sent to EC221702832-aff3-4bd6-a8e1-663b6818503dAWS
Vulnerable Machines related to log4j CVE-2021-442283d71fc38-f249-454e-8479-0a358382ef9a
Powershell Empire Cmdlets Executed in Command Lineef88eb96-861c-43a0-ab16-f3835a97c928SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Azure Machine Learning Write Operations68c89998-8052-4c80-a1f6-9d81060b6d57AzureActivity
New CloudShell User6d7214d9-4a28-44df-aafb-0910b9e6ae3eAzureActivity
Front Door Premium WAF - SQLi Detection16da3a2a-af29-48a0-8606-d467c180fe18WAF
Front Door Premium WAF - XSS Detectionb7643904-5081-4920-917e-a559ddc3448fWAF
AFD WAF - Code Injectionded8168e-c806-4772-af30-10576e0a7529WAF
AFD WAF - Path Traversal Attacka4d99328-e4e6-493d-b0d5-57e6f9ddae77WAF
App GW WAF - Code Injection912a18fc-6165-446b-8740-81ae6c3f75eeWAF
App GW WAF - Path Traversal Attackb6c3a8a6-d22c-4882-9c57-abc01690938bWAF
App Gateway WAF - Scanner Detection9b8dd8fd-f192-42eb-84f6-541920400a7aWAF
App Gateway WAF - SQLi Detectionbdb2cd63-99f2-472e-b1b9-acba473b6744WAF
App Gateway WAF - XSS Detection1c7ff502-2ad4-4970-9d29-9210c6753138WAF
Azure DevOps Pipeline modified by a new user155e9134-d5ad-4a6f-88f3-99c220040b66
Azure DevOps Personal Access Token (PAT) misuseac891683-53c3-4f86-86b4-c361708e2b2b
Azure DevOps Pipeline Created and Deleted on the Same Day17f23fbe-bb73-4324-8ecf-a18545a5dc26
New Agent Added to Pool by New User or Added to a New OS Type4ce177b3-56b1-4f0e-b83e-27eed4cb0b16
BitSight - compromised systems detectedd68b758a-b117-4cb8-8e1d-dcab5a4a2f21BitSight
BitSight - diligence risk category detected161ed3ac-b242-4b13-8c6b-58716e5e9972BitSight
CiscoISE - Command executed with the highest privileges from new IP1fa0da3e-ec99-484f-aadb-93f59764e158SyslogAma
CiscoISE - Command executed with the highest privileges by new usere71890a2-5f61-4790-b1ed-cf1d92d3e398SyslogAma
Cisco SE High Events Last Hour4683ebce-07ad-4089-89e3-39d8fe83c011CiscoSecureEndpoint
Cisco SE - Dropper activity on hostb6df3e11-de70-4779-ac9a-276c454a9025CiscoSecureEndpoint
Cisco SE - Generic IOCbccdbc39-31d3-4e2b-9df2-e4c9eecba825CiscoSecureEndpoint
Cisco SE - Malware execusion on hostaea4468e-6322-48b6-bd83-f9d300cce855CiscoSecureEndpoint
Cisco Umbrella - Hack Tool User-Agent Detected8d537f3c-094f-430c-a588-8a87da36ee3aCiscoUmbrellaDataConnector
Cisco Umbrella - Windows PowerShell User-Agent Detectedb12b3dab-d973-45af-b07e-e29bb34d8db9CiscoUmbrellaDataConnector
CyberArkEPM - Attack attempt not blocked8e8978a2-9188-4187-8909-5ea00507bf16CyberArkEPM
CyberArkEPM - Multiple attack typesc02f96b4-057b-4e63-87af-6376ef7a081bCyberArkEPM
CyberArkEPM - Uncommon Windows process started from System folder16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43CyberArkEPM
CyberArkEPM - Possible execution of Powershell Empireeddfd1fd-71df-4cc3-b050-287643bee398CyberArkEPM
CyberArkEPM - Process started from different locations0d4e62da-0a64-4532-b93e-28cd2940c300CyberArkEPM
CyberArkEPM - Uncommon process Internet access9d0d44ab-54dc-472a-9931-53521e888932CyberArkEPM
CyberArkEPM - Renamed Windows binary9281b7cc-8f05-45a9-bf10-17fb29492a84CyberArkEPM
CyberArkEPM - Unexpected executable extension911d5b75-a1ce-4f13-a839-9c2474768696CyberArkEPM
CyberArkEPM - Unexpected executable locationc1fcbbd7-74f8-4f32-8116-0a533ebd3878CyberArkEPM
Dynatrace - Problem detection415978ff-074e-4203-824a-b06153d77bf7DynatraceProblems
Dynatrace Application Security - Attack detection1b0b2065-8bac-5a00-83c4-1b58f69ac212DynatraceAttacks
Dynatrace Application Security - Code-Level runtime vulnerability detection305093b4-0fa2-57bc-bced-caea782a6e9cDynatraceRuntimeVulnerabilities
Dynatrace Application Security - Non-critical runtime vulnerability detectionff0af873-a2f2-4233-8412-0ef4e00b0156DynatraceRuntimeVulnerabilities
Dynatrace Application Security - Third-Party runtime vulnerability detectionaf99b078-124b-543a-9a50-66ef87c09f6aDynatraceRuntimeVulnerabilities
Egress Defend - Dangerous Attachment Detecteda0e55dd4-8454-4396-91e6-f28fec3d2cabEgressDefend
Egress Defend - Dangerous Link Clicka896123e-03a5-4a4d-a7e3-fd814846dfb2EgressDefend
Base64 encoded Windows process command-linesca67c83e-7fff-4127-a3e3-1af66d6d4cadSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Process executed from binary hidden in Base64 encoded filed6190dde-8fd2-456a-ac5b-0a32400b0464SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Suspicious Powershell Commandlet Executedb5153fb3-ada9-4ce4-9131-79c771efb50dMicrosoftThreatProtection
Windows Binaries Executed from Non-Default Directory15049017-527f-4d3b-b011-b0e99e68ef45SecurityEvents
WindowsSecurityEvents
Windows Binaries Lolbins Renamedcbf6ad48-fa5c-4bf7-b205-28dbadb91255SecurityEvents
WindowsSecurityEvents
Threats detected by Eset2d8a60aa-c15e-442e-9ce3-ee924889d2a6EsetSMC
Threats detected by ESET64badfab-1dd8-4491-927b-3ca206fa9a17ESETPROTECT
SyslogAma
Detect .NET runtime being loaded in JScript for code execution9f921513-65f3-48a2-ae7d-326c5901c55eMicrosoftThreatProtection
Suspicious Process Injection from Office applicationa4d8e681-6f30-440a-a2f3-c312bc1389d0MicrosoftThreatProtection
Suspicious named pipesddf7c669-db26-4215-acaf-11e2953a04e6MicrosoftThreatProtection
GitHub Security Vulnerability in Repository5436f471-b03d-41cb-b333-65891f887c43
GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity49a4f65a-fe18-408e-afec-042fde93d3ceAzureActiveDirectory
PLC unsecure key state (Microsoft Defender for IoT)f9df500a-e2a4-4104-a517-dc1d85bb654fIoT
[Deprecated] - Denim Tsunami AV Detection9f9c1e51-4fb1-4510-a675-c7c2fb32f47eMicrosoftThreatProtection
SecurityEvents
[Deprecated] - Denim Tsunami File Hashes July 2022a779e2d5-9109-4f0a-a75e-f3d4f3c58560MicrosoftThreatProtection
SecurityEvents
WindowsFirewall
[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes09551db0-e147-4a0c-9e7b-918f88847605DNS
AzureMonitor(VMInsights)
CiscoASA
PaloAltoNetworks
SecurityEvents
MicrosoftThreatProtection
AzureFirewall
Zscaler
InfobloxNIOS
GCPDNSDataConnector
NXLogDnsLogs
CiscoUmbrellaDataConnector
Corelight
WindowsForwardedEvents
[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021677da133-e487-4108-a150-5b926591a92bAWSS3
WindowsForwardedEvents
SquidProxy
MicrosoftSysmonForLinux
DNS
AzureMonitor(VMInsights)
F5
CiscoASA
PaloAltoNetworks
Fortinet
CheckPoint
CEF
MicrosoftThreatProtection
SecurityEvents
Office365
AzureFirewall
WindowsFirewall
Zscaler
InfobloxNIOS
GCPDNSDataConnector
NXLogDnsLogs
CiscoUmbrellaDataConnector
Corelight
[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack972c89fa-c969-4d12-932f-04d55d145299SecurityEvents
MicrosoftThreatProtection
Process Creation with Suspicious CommandLine Argumentsfdbcc0eb-44fb-467e-a51d-a91df0780a81CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
VMwareCarbonBlack
CiscoSecureEndpoint
TrendMicroApexOne
TrendMicroApexOneAma
Dataverse - Anomalous application user activity0820da12-e895-417f-9175-7c256fcfb33eDataverse
Dataverse - Executable uploaded to SharePoint document management siteba5e608f-7879-4927-8b0d-a9948b4fe6f3Office365
Dataverse - Malware found in SharePoint document management site2e3878bb-d519-43aa-9992-ea069df099e4Dataverse
Office365
Dataverse - New Dataverse application user activity type5c768e7d-7e5e-4d57-80d4-3f50c96fbf70Dataverse
Dataverse - Suspicious use of Web API8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86Dataverse
AzureActiveDirectory
Dataverse - TI map URL to DataverseActivityd88a0e22-3b6a-40c2-af28-c064b44d03b7Dataverse
ThreatIntelligence
ThreatIntelligenceTaxii
MicrosoftDefenderThreatIntelligence
Power Platform - Connector added to a sensitive environment886a5655-3d12-42f1-8927-4095789c575ePowerPlatformAdmin
Deimos Component Executionc25a8cd4-5b4a-45a8-9ba0-3b753a652f6bMicrosoftThreatProtection
Java Executing cmd to run Powershell2c81c0a0-9823-4a14-b21a-2b4acd3335d2MicrosoftThreatProtection
Doppelpaymer Stop Services5bdc1504-880c-4b30-a39c-7c746535928dMicrosoftThreatProtection
Detect Suspicious Commands Initiated by Webserver Processesfa2f7d8a-6726-465a-aa72-6f6e3d4c99d7MicrosoftThreatProtection
Office Apps Launching Wscipt174de33b-107b-4cd8-a85d-b4025a35453fMicrosoftThreatProtection
Potential Ransomware activity related to Cobalt Strike4bd9ce9d-8586-4beb-8fdb-bd018cacbe7dMicrosoftThreatProtection
Qakbot Discovery Activiesba9db6b2-3d05-42ae-8aee-3a15bbe29f27MicrosoftThreatProtection
Execution of software vulnerable to webp buffer overflow of CVE-2023-486326e81021-2de6-4442-a74a-a77885e96911MicrosoftThreatProtection
SUNBURST and SUPERNOVA backdoor hashesa3c144f9-8051-47d4-ac29-ffb0c312c910MicrosoftThreatProtection
SUNBURST network beaconsce1e7025-866c-41f3-9b08-ec170e05e73eMicrosoftThreatProtection
TEARDROP memory-only dropper738702fd-0a66-42c7-8586-e30f0583f8feMicrosoftThreatProtection
Insider Risk_High User Security Alert Correlationsa4fb4255-f55b-4c24-b396-976ee075d406MicrosoftDefenderAdvancedThreatProtection
AzureActiveDirectoryIdentityProtection
AzureSecurityCenter
IoT
MicrosoftCloudAppSecurity
OfficeATP
Insider Risk_High User Security Incidents Correlation28a75d10-9b75-4192-9863-e452c3ad24dbMicrosoftDefenderAdvancedThreatProtection
AzureActiveDirectoryIdentityProtection
AzureSecurityCenter
IoT
MicrosoftCloudAppSecurity
OfficeATP
Insider Risk_Microsoft Purview Insider Risk Management Alert Observed69660e65-0e5c-4700-8b99-5caf59786606OfficeATP
Insider Risk_Risky User Access By Application15386bba-dc70-463f-a09f-d392e7731c63AzureActiveDirectory
Mimecast Secure Email Gateway - Attachment Protect72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2MimecastSEGAPI
Mimecast Secure Email Gateway - AV33bf0cc9-e568-42bf-9571-c22adf7be66dMimecastSEGAPI
Mimecast Secure Email Gateway - URL Protect80f244cd-b0d6-404e-9aed-37f7a66eda9fMimecastSEGAPI
Mimecast Secure Email Gateway - Virusd78d7352-fa5a-47d4-b48f-cb2c3252c0ebMimecastSEGAPI
Mimecast Secure Email Gateway - Attachment Protect72264f4f-61fb-4f4f-96c4-635571a376c2MimecastSIEMAPI
Mimecast Secure Email Gateway - AV0f0dc725-29dc-48c3-bf10-bd2f34fd1cbbMimecastSIEMAPI
Mimecast Secure Email Gateway - URL Protectea19dae6-bbb3-4444-a1b8-8e9ae6064aabMimecastSIEMAPI
Mimecast Secure Email Gateway - Virus30f73baa-602c-4373-8f02-04ff5e51fc7fMimecastSIEMAPI
Cross-Cloud Suspicious Compute resource creation in GCP5c847e47-0a07-4c01-ab99-5817ad6cb11eGCPAuditLogsDefinition
AWSS3
Cross-Cloud Suspicious user activity observed in GCP Envourment58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7GCPAuditLogsDefinition
AzureActiveDirectoryIdentityProtection
MicrosoftThreatProtection
MicrosoftDefenderAdvancedThreatProtection
MicrosoftCloudAppSecurity
Netskope - WebTransaction Error Detection66c4cd4c-d391-47e8-b4e6-93e55d86ca9fNetskopeDataConnector
Detect port misuse by anomaly based detection (ASIM Network Session schema)cbf07406-fa2a-48b0-82b8-efad58db14ecAWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
Detect port misuse by static threshold (ASIM Network Session schema)156997bd-da0f-4729-b47a-0a3e02dd50c8AWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
Network endpoint to host executable correlation01f64465-b1ef-41ea-a7f5-31553a11ad43TrendMicro
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
New UserAgent observed in last 24 hoursb725d62c-eb77-42ff-96f6-bdc6745fc6e0AWS
Office365
AzureMonitor(IIS)
Microsoft COVID-19 file hash indicator matches2be4ef67-a93f-4d8a-981a-88158cb73abdCefAma
External Fabric Module XFM1 is unhealthya8130dcc-3617-41c0-a7ac-5f352bcfffaf
Pure Controller Failedc317b007-84e7-4449-93f4-4444f6638fd0
Radiflow - Platform Alertff0c781a-b30f-4acf-9cf1-75d7383d66d1RadiflowIsid
Radiflow - Policy Violation Detecteda3f4cc3e-2403-4570-8d21-1dedd5632958RadiflowIsid
Radiflow - Unauthorized Command in Operational Device4d90d485-6d47-417e-80ea-9cf956c1a671RadiflowIsid
RecordedFuture Threat Hunting Hash All Actors6db6a8e6-2959-440b-ba57-a505875fcb37ThreatIntelligenceUploadIndicatorsAPI
Detection of Malicious URLs in Syslog Events9acb3664-72c4-4676-80fa-9f81912e347eSyslog
SyslogAma
Red Canary Threat Detection6d263abb-6445-45cc-93e9-c593d3d77b89RedCanaryDataConnector
Critical Risks1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60RidgeBotDataConnector
CefAma
Vulerabilitiesd096643d-6789-4c74-8893-dd3fc8a94069RidgeBotDataConnector
CefAma
BTP - Malware detected in BAS dev space31997e9a-7447-47f3-8208-4f5d7efe497cSAPBTPAuditEvents
SonicWall - Allowed SSH, Telnet, and RDP Connections27f1a570-5f20-496b-88f6-a9aa2c5c9534CEF
SonicWallFirewall
CefAma
SonicWall - Capture ATP Malicious File Detection3db9f99e-a459-41e0-8e02-8b332f5fcb2cCefAma
New Sonrai Ticketbcc3362d-b6f9-4de0-b41c-707fafd5a416SonraiDataConnector
Sonrai Ticket Assigned37a8d052-a3db-4dc6-9dca-9390cac6f486SonraiDataConnector
Sonrai Ticket Closedf5d467de-b5a2-4b4f-96db-55e27c733594SonraiDataConnector
Sonrai Ticket Escalation Executed0d29c93e-b83f-4dfb-bbbb-76824b77eecaSonraiDataConnector
Sonrai Ticket Escalation Executed822fff15-ea68-4d0f-94ee-b4482ddb6f3aSonraiDataConnector
Sonrai Ticket Reopenedb60129ab-ce22-4b76-858d-3204932a13ccSonraiDataConnector
Sonrai Ticket Risk Accepted080191e8-271d-4ae6-85ce-c7bcd4b06b40SonraiDataConnector
Sonrai Ticket Snoozed10e6c454-5cad-4f86-81ce-800235cb050aSonraiDataConnector
Sonrai Ticket Updatedaf9b8eb1-a8ef-40aa-92a4-1fc73a1479c7SonraiDataConnector
Malware Detected072ee087-17e1-474d-b162-bbe38bcab9f9SyslogAma
ApexOne - Suspicious commandline arguments4d7199b2-67b8-11ec-90d6-0242ac120003CefAma
Known Malware Detected9f86885f-f31f-4e66-a39d-352771ee789eVMwareCarbonBlack
Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)7bb55d05-ef39-4a40-8079-0bc3c05e7881
Detect web requests to potentially harmful files (ASIM Web Session)c6608467-3678-45fe-b038-b590ce6d00fb
New EXE deployed via Default Domain or Default Domain Controller Policies05b4bccd-dd12-423d-8de4-5a6fb526bb4fSecurityEvents
WindowsSecurityEvents
NRT Base64 Encoded Windows Process Command-linesc3e5dbaa-a540-408c-8b36-68bdfb3df088SecurityEvents
WindowsSecurityEvents
NRT Process executed from binary hidden in Base64 encoded file7ad4c32b-d0d2-411c-a0e8-b557afa12fceSecurityEvents
WindowsSecurityEvents
Process Execution Frequency Anomaly2c55fe7a-b06f-4029-a5b9-c54a2320d7b8SecurityEvents
WindowsSecurityEvents
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)bc5ffe2a-84d6-48fe-bc7b-1055100469bc
Dev-0228 File Path Hashes November 2021 (ASIM Version)29a29e5d-354e-4f5e-8321-8b39d25047bf
Base64 encoded Windows process command-lines (Normalized Process Events)f8b3c49c-4087-499b-920f-0dcfaff0cbca
SUNBURST suspicious SolarWinds child processes (Normalized Process Events)631d02df-ab51-46c1-8d72-32d0cfec0720
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)0dd2a343-4bf9-4c93-a547-adf3658ddaecSecurityEvents
A host is potentially running a hacking tool (ASIM Web Session schema)3f0c20d5-6228-48ef-92f3-9ff7822c1954SquidProxy
Zscaler
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)42436753-9944-4d70-801c-daaa4d19ddd2SquidProxy
Zscaler
Azure VM Run Command operations executing a unique PowerShell script5239248b-abfb-4c6a-8177-b104ade5db56AzureActivity
MicrosoftThreatProtection
Application Gateway WAF - SQLi Detection68c0b6bb-6bd9-4ef4-9011-08998c8ef90fWAF
Application Gateway WAF - XSS Detectiond2bc08fa-030a-4eea-931a-762d27c6a042WAF
PE file dropped in Color Profile Folderf68a5046-b7eb-4f69-9519-1e99708bb9e0MicrosoftThreatProtection
SUNBURST suspicious SolarWinds child processes4a3073ac-7383-48a9-90a8-eb6716183a54MicrosoftThreatProtection
Audit policy manipulation using auditpol utility66276b14-32c5-4226-88e3-080dacc31ce1SecurityEvents
MicrosoftThreatProtection
Dev-0228 File Path Hashes November 20213b443f22-9be9-4c35-ac70-a94757748439MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
Exchange Worker Process Making Remote Call2c701f94-783c-4cd4-bc9b-3b3334976090AzureMonitor(IIS)
MicrosoftThreatProtection
Malformed user agenta357535e-f722-4afe-b375-cff362b2b376WAF
Office365
AzureActiveDirectory
AWS
AzureMonitor(IIS)
Prestige ransomware IOCs Oct 2022bca9c877-2afc-4246-a26d-087ab1cdcd5fMicrosoftThreatProtection
SecurityEvents
Suspicious VM Instance Creation Activity Detected1cc0ba27-c5ca-411a-a779-fbc89e26be83GCPAuditLogsDefinition
AzureActiveDirectoryIdentityProtection
MicrosoftThreatProtection
MicrosoftDefenderAdvancedThreatProtection
MicrosoftCloudAppSecurity
BehaviorAnalytics
Midnight Blizzard - Script payload stored in Registry00cb180c-08a8-4e55-a276-63fb1442d5b5SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Vulnerable Machines related to OMIGOD CVE-2021-386474d94d4a9-dc96-450a-9dea-4d4d4594199b