Microsoft Sentinel Analytic Rules

Exfiltration

Overview

| Rule Name | id | Required data connectors |
| --- | --- | --- |
| API - BOLA | 1b047dc3-a879-4f99-949b-d1dc867efc83 | 42CrunchAPIProtection |
| RDS instance publicly exposed | 8f1630c2-2e45-4df2-be43-50fba90f601d | AWS |
| S3 bucket access point publicly exposed | b7a44e0d-ae4c-4fb2-be1b-aa0e45f2327b | AWS |
| S3 bucket exposed via ACL | 6b9b4ee6-f4c1-4b86-8c8c-beb0bb59ae44 | AWS |
| S3 bucket exposed via policy | 44a5b65e-b0a9-4591-aabc-388fd92a28c4 | AWS |
| S3 object publicly exposed | 09f2a28b-3286-4268-9e2f-33805f104e5d | AWS |
| Apache - Put suspicious file | c5d69e46-3b00-11ec-8d3d-0242ac130003 | ApacheHTTPServer, CustomLogsAma |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CloudNgfwByPAN |
| Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
| Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
| Multiple Sources Affected by the Same TI Destination | 4644baf7-3464-45dd-bd9d-e07687e25f81 | AzureFirewall |
| Response rows stateful anomaly on database | 9851c360-5fd5-4bae-a117-b66d8476bf5e | AzureSql |
| Bitglass - Multiple files shared with external entity | 09690f9b-33d1-4372-a6aa-eb7d3b3cdebc | Bitglass |
| Bitglass - Suspicious file uploads | 4b272e82-19f1-40d1-bfdf-74fbb6353e8b | Bitglass |
| Box - Item shared to external entity | 3b803560-f8a6-4db4-89cb-617d89724ba1 | BoxDataConnector |
| Box - File containing sensitive data | 266746ae-5eaf-4068-a980-5d630f435c46 | BoxDataConnector |
| Cisco SEG - DLP policy violation | df5c34dd-e1e6-4e07-90b1-4309ebfe754c | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Multiple large emails sent to external recipient | 1399a9a5-6200-411e-8c34-ca5658754cf7 | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
| Cisco WSA - Unexpected uploads | 32c460ad-2d40-43e9-8ead-5cdd1d7a3163 | CiscoWSA, SyslogAma |
| Cisco WSA - Suspected protocol abuse | 6f756792-4888-48a5-97cf-40d9430dc932 | CiscoWSA, SyslogAma |
| Contrast Blocks | 4396f8c3-d114-4154-9f4c-048ba522ed04 | ContrastProtect, ContrastProtectAma, CefAma |
| Contrast Exploits | e1abb6ed-be18-40fd-be58-3d3d84041daf | ContrastProtect, ContrastProtectAma, CefAma |
| Contrast Probes | 297596de-d9ae-4fb8-b6ff-00fc01c9462d | ContrastProtect, ContrastProtectAma, CefAma |
| Contrast Suspicious | f713404e-805c-4e0c-91fa-2c149f76a07d | ContrastProtect, ContrastProtectAma, CefAma |
| Corelight - Multiple Compressed Files Transferred over HTTP | 4e55e306-3022-43a1-870a-41c4d5116079 | Corelight |
| Corelight - Multiple files sent over HTTP with abnormal requests | 7226d37b-50ee-4e3b-9f80-5b74080d8f2c | Corelight |
| Dev-0270 Malicious Powershell usage | 422ca2bf-598b-4872-82bb-5f7e8fa731e7 | SecurityEvents, WindowsSecurityEvents, MicrosoftThreatProtection |
| Digital Guardian - Sensitive data transfer over insecure channel | b52cda18-c1af-40e5-91f3-1fcbf9fa267e | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Exfiltration using DNS protocol | 39e25deb-49bb-4cdb-89c1-c466d596e2bd | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Exfiltration to online fileshare | f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8 | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Exfiltration to private email | edead9b5-243a-466b-ae78-2dae32ab1117 | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Exfiltration to external domain | a19885c8-1e44-47e3-81df-d1d109f5c92d | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Bulk exfiltration to external domain | 5f75a873-b524-4ba5-a3b8-2c20db517148 | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Multiple incidents from user | e8901dac-2549-4948-b793-5197a5ed697a | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Possible SMTP protocol abuse | a374a933-f6c4-4200-8682-70402a9054dd | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Unexpected protocol | a14f2f95-bbd2-4036-ad59-e3aff132b296 | DigitalGuardianDLP, SyslogAma |
| Digital Guardian - Incident with not blocked action | 07bca129-e7d6-4421-b489-32abade0b6a7 | DigitalGuardianDLP, SyslogAma |
| Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
| Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT, SyslogAma |
| Office 365 - Mail redirect via ExO transport rule | edcfc2e0-3134-434c-8074-9101c530d419 | AzureActiveDirectory |
| Office 365 - Multiple Users Email Forwarded to Same Destination | d75e8289-d1cb-44d4-bd59-2f44a9172478 | AzureActiveDirectory |
| Office 365 - SharePoint File Operation via Previously Unseen IPs | 7460e34e-4c99-47b2-b7c0-c42e339fc586 | AzureActiveDirectory |
| Office 365 - SharePointFileOperation via devices with previously unseen user agents | efd17c5f-5167-40f8-a1e9-0818940785d9 | AzureActiveDirectory |
| Office 365 - Sharepoint File Transfer Above Threshold | 30375d00-68cc-4f95-b89a-68064d566358 | AzureActiveDirectory |
| Office 365 - Sharepoint File Transfer Above Threshold | abd6976d-8f71-4851-98c4-4d086201319c | AzureActiveDirectory |
| Detect Abnormal Deny Rate for Source to Destination IP | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b | AzureActiveDirectory |
| Detect Protocol Changes for Destination Ports | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a | AzureActiveDirectory |
| Multiple Users Email Forwarded to Same Destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | AzureActiveDirectory |
| SharePointFileOperation via devices with previously unseen user agents | f2367171-1514-4c67-88ef-27434b6a1093 | AzureActiveDirectory |
| Office Mail Forwarding - Hunting Version | d49fc965-aef3-49f6-89ad-10cc4697eb5b | AzureActiveDirectory |
| Google DNS - Possible data exfiltration | 705bed63-668f-4508-9d2d-26faf4010700 | GCPDNSDataConnector |
| Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
| Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
| SharePointFileOperation via previously unseen IPs | 4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7 | Office365 |
| SharePointFileOperation via devices with previously unseen user agents | 5dd76a87-9f87-4576-bab3-268b0e2b338b | Office365 |
| Office365 Sharepoint File transfer above threshold | 8b4f03e7-3460-4401-824d-e65a8dd464f0 | Office365 |
| Office365 Sharepoint File transfer Folders above threshold | 8a547285-801c-4290-aa2e-5e7e20ca157d | Office365 |
| Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
| Linked Malicious Storage Artifacts | b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d | MicrosoftCloudAppSecurity |
| Deimos Component Execution | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b | MicrosoftThreatProtection |
| Bitsadmin Activity | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195 | MicrosoftThreatProtection |
| Files Copied to USB Drives | 3ab04acf-e0e7-4f7c-8995-748ab4c848c2 | MicrosoftThreatProtection |
| VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
| Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
| Insider Risk_Sensitive Data Access Outside Organizational Geo-location | b81ed294-28cf-48c3-bac8-ac60dcef293b | AzureInformationProtection, AzureActiveDirectory |
| Mimecast Data Leak Prevention - Hold | 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f | MimecastSIEMAPI |
| Mimecast Data Leak Prevention - Notifications | 1818aeaa-4cc8-426b-ba54-539de896d299 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
| Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory, AWSS3 |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | OracleDatabaseAudit, SyslogAma |
| Oracle - Put suspicious file | edc2f2b4-573f-11ec-bf63-0242ac130002 | OracleWebLogicServer, CustomLogsAma |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | PaloAltoNetworks, PaloAltoNetworksAma, CefAma |
| ProofpointPOD - Email sender in TI list | 35a0792a-1269-431e-ac93-7ae2980d4dde | ThreatIntelligence, ThreatIntelligenceTaxii, ProofpointPOD |
| ProofpointPOD - Email sender IP in TI list | 78979d32-e63f-4740-b206-cfb300c735e0 | ThreatIntelligence, ThreatIntelligenceTaxii, ProofpointPOD |
| ProofpointPOD - Multiple archived attachments to the same recipient | bda5a2bd-979b-4828-a91f-27c2a5048f7f | ProofpointPOD |
| ProofpointPOD - Multiple large emails to the same recipient | d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32 | ProofpointPOD |
| ProofpointPOD - Multiple protected emails to unknown recipient | f8127962-7739-4211-a4a9-390a7a00e91f | ProofpointPOD |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| RecordedFuture Threat Hunting IP All Actors | e31bc14e-2b4c-42a4-af34-5bfd7d768aea | ThreatIntelligenceUploadIndicatorsAPI |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
| Threat Essentials - Time series anomaly for data size transferred to public internet | b49a1093-cbf6-4973-89ac-2eef98f533c6 | CiscoASA, CiscoAsaAma, PaloAltoNetworks, AzureMonitor(VMInsights) |
| Third party integrated apps | BFA7EE22-B5A9-42C8-BD50-2E95885640BB | SenservaPro |
| SlackAudit - Multiple archived files uploaded in short period of time | 3db0cb83-5fa4-4310-a8a0-d8d66183f0bd | SlackAuditAPI |
| SlackAudit - Public link created for file which can contain sensitive information. | 279316e8-8965-47d2-9788-b94dc352c853 | SlackAuditAPI |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF, SonicWallFirewall, CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Excessive Blocked Traffic Events Generated by User | fa0ab69c-7124-4f62-acdd-61017cf6ce89 | SymantecEndpointProtection, SyslogAma |
| SFTP File transfer above threshold | bb6a74c8-889d-4c6e-8412-7d5efe33f4ed | Syslog, SyslogAma |
| SFTP File transfer folder count above threshold | 7355434e-09d5-4401-b56d-e03e9379dfb1 | Syslog, SyslogAma |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Trend Micro CAS - DLP violation | 1ddeb8ad-cad9-4db4-b074-f9da003ca3ed | TrendMicroCAS |
| Ubiquiti - Connection to known malicious IP or C2 | db60ca0b-b668-439b-b889-b63b57ef20fb | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - Unusual FTP connection to external server | fd200125-9d57-4838-85ca-6430c63e4e5d | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - Large ICMP to external server | 6df85d74-e32f-4b71-80e5-bfe2af00be1c | UbiquitiUnifi, CustomLogsAma |
| Ubiquiti - connection to non-corporate DNS server | fe232837-9bdc-4e2b-8c08-cdac2610eed3 | UbiquitiUnifi, CustomLogsAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | 5965d3e7-8ed0-477c-9b42-e75d9237fab0 | |
| Detect presence of private IP addresses in URLs (ASIM Web Session) | e3a7722a-e099-45a9-9afb-6618e8f05405 | |
| Progress MOVEIt File transfer above threshold | 9bd18b63-f1ca-4375-95db-39fda00bfe20 | WindowsForwardedEvents |
| Progress MOVEIt File transfer folder count above threshold | 26a993ca-0a96-45a0-8405-05a210fb98f8 | WindowsForwardedEvents |
| DNS events related to ToR proxies | a83ef0f4-dace-4767-bce3-ebd32599d2a0 | DNS |
| DNS events related to ToR proxies (ASIM DNS Schema) | 3fe3c520-04f1-44b8-8398-782ed21435f8 | DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy, Zscaler |
| CreepyDrive request URL sequence | eda260eb-f4a1-4379-ad98-452604da9b3e | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks |
| CreepyDrive URLs | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks |
| RunningRAT request parameters | baedfdf4-7cc8-45a1-81a9-065821628b83 | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks |
| Time series anomaly detection for total volume of traffic | 06a9b845-6a95-4432-a78b-83919b28c375 | Barracuda, CEF, CheckPoint, CiscoASA, F5, Fortinet, PaloAltoNetworks |
| Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
| IP address of Windows host encoded in web request | a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks, MicrosoftThreatProtection |
| Windows host username encoded in base64 web request | 6e715730-82c0-496c-983b-7a20c4590bd9 | Zscaler, Fortinet, CheckPoint, PaloAltoNetworks, MicrosoftThreatProtection |
| Time series anomaly for data size transferred to public internet | f2dd4a3a-ebac-4994-9499-1a859938c947 | CiscoASA, PaloAltoNetworks, AzureMonitor(VMInsights) |
| NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
| Mass Download & copy to USB device by single user | 6267ce44-1e9d-471b-9f1e-ae76a6b7aa84 | MicrosoftCloudAppSecurity, MicrosoftThreatProtection |