Microsoft Sentinel Analytic Rules

Impact

Overview

| Rule Name | id | Required data connectors |
|---|---|---|
| API - Rate limiting | b808063b-07d5-432c-95d0-8900da61cce9 | 42CrunchAPIProtection |
| Creating keys with encrypt policy without MFA | 454133a7-5427-4a7c-bdc4-0adfa84dda16 | AWS |
| Suspicious overly permissive KMS key policy created | 60dfc193-0f73-4279-b43c-110ade02b201 | AWS |
| S3 bucket suspicious ransomware activity | b442b9e2-5cc4-4129-a85b-a5ef38a9e5f0 | AWS |
| Suspicious AWS EC2 Compute Resource Deployments | 9e457dc4-81f0-4d25-bc37-a5fa4a17946a | AWS |
| Apache - Multiple server errors from single IP | 1bf246a2-3af9-11ec-8d3d-0242ac130003 | ApacheHTTPServer, CustomLogsAma |
| Apache - Request from private IP | a0077556-3aff-11ec-8d3d-0242ac130003 | ApacheHTTPServer, CustomLogsAma |
| Jira - Permission scheme updated | 72592618-fa57-45e1-9f01-ca8706a5e3f5 | JiraAuditAPI |
| Jira - Project roles changed | fb6a8001-fe87-4177-a8f3-df2302215c4f | JiraAuditAPI |
| Jira - User removed from group | c13ecb19-4317-4d87-9a1c-52660dd44a7d | JiraAuditAPI |
| Jira - User removed from project | 5d3af0aa-833e-48ed-a29a-8cfd2705c953 | JiraAuditAPI |
| Privileged Machines Exposed to the Internet | 72891de4-da70-44e4-9984-35fcea98d000 | Authomize |
| Suspicious number of resource creation or deployment activities | 361dd1e3-1c11-491e-82a3-bb2e44ac36ba | AzureActivity |
| Suspicious Resource deployment | 9fb57e58-3ed8-4b89-afcf-c8e786508b1c | AzureActivity |
| Subscription moved to another tenant | 48c026d8-7f36-4a95-9568-6f1420d66e37 | AzureActivity |
| Mass Cloud resource deletions Time Series Anomaly | ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b | AzureActivity |
| DDoS Attack IP Addresses - Percent Threshold | 402a42ad-f31c-48d1-8f80-0200846b7f25 | DDOS |
| DDoS Attack IP Addresses - PPS Threshold | 6e76fd9d-8104-41eb-bad3-26054a3ad5f0 | DDOS |
| Sensitive Azure Key Vault operations | d6491be0-ab2d-439d-95d6-ad8ea39277c5 | AzureKeyVault |
| NRT Sensitive Azure Key Vault operations | 884ead54-cb3f-4676-a1eb-b26532d6cbfd | AzureKeyVault |
| Affected rows stateful anomaly on database | 2a632013-379d-4993-956f-615063d31e10 | AzureSql |
| Azure DevOps Service Connection Addition/Abuse - Historic allow list | 5efb0cfd-063d-417a-803b-562eae5b0301 | |
| Azure DevOps Personal Access Token (PAT) misuse | ac891683-53c3-4f86-86b4-c361708e2b2b | |
| Azure DevOps Service Connection Abuse | d564ff12-8f53-41b8-8649-44f76b37b99f | |
| BitSight - new alert found | a1275c5e-0ff4-4d15-a7b7-96018cd979f5 | BitSight |
| BitSight - new breach found | a5526ba9-5997-47c6-bf2e-60a08b681e9b | BitSight |
| Box - Many items deleted by user | 1b212329-6f2c-46ca-9071-de3464f3d88d | BoxDataConnector |
| CiscoISE - Backup failed | 4eddd44a-25e4-41af-930d-0c17218bec74 | CiscoISE, SyslogAma |
| Cisco SE - Ransomware Activity | c9629114-0f49-4b50-9f1b-345287b2eebf | CiscoSecureEndpoint |
| Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
| Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
| Cisco Duo - Admin user deleted | 6424c623-31a5-4892-be33-452586fd4075 | CiscoDuoSecurity |
| Cisco Duo - AD sync failed | 398dd1cd-3251-49d8-b927-5b93bae4a094 | CiscoDuoSecurity |
| Cisco Duo - Multiple users deleted | 6e4f9031-91d3-4fa1-8baf-624935f04ad8 | CiscoDuoSecurity |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Claroty - Asset Down | fd6e3416-0421-4166-adb9-186e555a7008 | Claroty, ClarotyAma, CefAma |
| Claroty - Critical baseline deviation | 9a8b4321-e2be-449b-8227-a78227441b2a | Claroty, ClarotyAma, CefAma |
| CommvaultSecurityIQ Alert | 317e757e-c320-448e-8837-fc61a70fe609 | |
| Data Alert | 1d2c3da7-60ec-40be-9c14-bade6eaf3c49 | |
| IDP Alert | c982bcc1-ef73-485b-80d5-2a637ce4ab2b | |
| User Alert | 29e0767c-80ac-4689-9a2e-b25b9fc88fce | |
| Ransom Protect Detected a Ransomware Attack | 7a075edf-1cf2-4038-ba9c-c354db6409de | CTERA |
| Ransom Protect User Blocked | d5d4766b-e547-44da-9d85-48ff393db201 | CTERA |
| Dev-0270 Registry IOC - September 2022 | 2566e99f-ad0f-472a-b9ac-d3899c9283e6 | SecurityEvents, WindowsSecurityEvents, MicrosoftThreatProtection |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Detecting UAC bypass - elevated COM interface | 2d5efc71-2e91-4ca2-8506-857eecb453ec | MicrosoftThreatProtection |
| Detecting UAC bypass - modify Windows Store settings | 8b8fbf9c-35d4-474b-8151-a40173521293 | MicrosoftThreatProtection |
| Detecting UAC bypass - ChangePK and SLUI registry tampering | 829a69ba-93e1-491f-8a1f-b19506e9d88a | MicrosoftThreatProtection |
| GitLab - Abnormal number of repositories deleted | 3efd09bd-a582-4410-b7ec-5ff21cfad7bd | Syslog |
| GSA Enriched Office 365 - Multiple Teams deleted by a single user | db60e4b6-a845-4f28-a18c-94ebbaad6c6c | AzureActiveDirectory, Office365 |
| Infoblox - SOC Insight Detected - API Source | a5e2df87-f0c9-4540-8715-96e71b608986 | InfobloxSOCInsightsDataConnector_API |
| Infoblox - SOC Insight Detected - CDC Source | d04f1963-df27-4127-b1ec-3d37148d65be | InfobloxSOCInsightsDataConnector_Legacy, InfobloxSOCInsightsDataConnector_AMA |
| Infoblox - Data Exfiltration Attack | 8db2b374-0337-49bd-94c9-cfbf8e5d83ad | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma, CefAma |
| Infoblox - High Threat Level Query Not Blocked Detected | dc7af829-d716-4774-9d6f-03d9aa7c27a4 | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma, CefAma |
| Infoblox - Many High Threat Level Queries From Single Host Detected | 3822b794-fa89-4420-aad6-0e1a2307f419 | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma, CefAma |
| Infoblox - Many High Threat Level Single Query Detected | 99278700-79ca-4b0f-b416-bf57ec699e1a | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma, CefAma |
| Infoblox - Many NXDOMAIN DNS Responses Detected | b2f34315-9065-488e-88d0-a171d2b0da8e | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma, CefAma |
| Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 | 5b0864a9-4577-4087-b9fa-de3e14a8a999 | CEF, ThreatIntelligence, InfobloxCloudDataConnectorAma, InfobloxCloudDataConnector, CefAma |
| Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains | 568730be-b39d-45e3-a392-941e00837d52 | InfobloxCloudDataConnector, ThreatIntelligence, InfobloxCloudDataConnectorAma, CefAma |
| Infoblox - TI - Syslog Match Found - URL | 28ee3c2b-eb4b-44de-a71e-e462843fea72 | Syslog, ThreatIntelligence, InfobloxCloudDataConnectorAma, InfobloxCloudDataConnector, CefAma |
| Infoblox - SOC Insight Detected - API Source | cf9847bb-ab46-4050-bb81-75cab3f893dc | InfobloxSOCInsightsDataConnector_API |
| Infoblox - SOC Insight Detected - CDC Source | a4bdd81e-afc8-4410-a3d1-8478fa810537 | InfobloxSOCInsightsDataConnector_Legacy, InfobloxSOCInsightsDataConnector_AMA, CefAma |
| Suspicious malware found in the network (Microsoft Defender for IoT) | 6fb1acd5-356d-40f7-9b97-78d993c6a183 | IoT |
| Employee account deleted | 8a2cc466-342d-4ebb-8871-f9e1d83a24a5 | LastPass |
| TI map IP entity to LastPass data | 2a723664-22c2-4d3e-bbec-5843b90166f3 | LastPass, ThreatIntelligence |
| Unusual Volume of Password Updated or Removed | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce | LastPass |
| [Deprecated] - Cadet Blizzard Actor IOC - January 2022 | 961b6a81-5c53-40b6-9800-4f661a8faea7 | CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents |
| [Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 | 595a10c9-91be-4abb-bbc7-ae9c57848bef | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, Office365, AzureFirewall, WindowsFirewall |
| [Deprecated] - Dev-0530 IOC - July 2022 | a172107d-794c-48c0-bc26-d3349fe10b4d | CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents, Office365, AzureActiveDirectory, AzureMonitor(IIS), AzureActivity, AWS, AzureFirewall |
| [Deprecated] - Hive Ransomware IOC - July 2022 | b2199398-8942-4b8c-91a9-b0a707c5d147 | CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents |
| [Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021 | d992b87b-eb49-4a9d-aa96-baacf9d26247 | F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, AzureFirewall, WindowsFirewall, WindowsSecurityEvents, WindowsForwardedEvents |
| Detect Malicious Usage of Recovery Tools to Delete Backup Files | 259de2c1-c546-4c6d-a17c-df639722f4d7 | CrowdStrikeFalconEndpointProtection, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint, TrendMicroApexOne, TrendMicroApexOneAma |
| Multiple Teams deleted by a single user | 173f8699-6af5-484a-8b06-8c47ba89b380 | Office365 |
| Detect CoreBackUp Deletion Activity from related Security Alerts | 011c84d8-85f0-4370-b864-24c13455aa94 | AzureSecurityCenter, MicrosoftDefenderForCloudTenantBased |
| Unusual Volume of file deletion by users | e5f8e196-3544-4a8b-96a9-17c1b6a49710 | MicrosoftThreatProtection |
| Deletion of data on multiple drives using cipher exe | 03caa992-477f-4b19-8e2a-8cd58f8f9652 | MicrosoftThreatProtection |
| Potential Ransomware activity related to Cobalt Strike | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d | MicrosoftThreatProtection |
| Shadow Copy Deletions | 28c63a44-2d35-48b7-831b-3ed24af17c7e | MicrosoftThreatProtection |
| AV detections related to Ukraine threats | b6685757-3ed1-4b05-a5bd-2cacadc86c2a | MicrosoftThreatProtection |
| Microsoft Entra ID Role Management Permission Grant | 1ff56009-db01-4615-8211-d4fda21da02d | AzureActiveDirectory |
| Multiple admin membership removals from newly created admin. | cda5928c-2c1e-4575-9dfa-07568bc27a4f | AzureActiveDirectory |
| Ransomware Attack Detected | 6c8770fb-c854-403e-a64d-0293ba344d5f | NasuniEdgeAppliance, SyslogAma |
| Ransomware Client Blocked | 0c96a5a2-d60d-427d-8399-8df7fe8e6536 | NasuniEdgeAppliance, SyslogAma |
| Excessive number of failed connections from a single source (ASIM Network Session schema) | 4902eddb-34f7-44a8-ac94-8486366e9494 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| NGINX - Core Dump | 9a7f5a97-354b-4eac-b407-a1cc7fc4b4ec | NGINXHTTPServer, CustomLogsAma |
| NGINX - Multiple server errors from single IP address | b3ae0033-552e-4c3c-b493-3edffb4473bb | NGINXHTTPServer, CustomLogsAma |
| OCI - Multiple instances launched | a79cf2b9-a511-4282-ba5d-812e14b07831 | OracleCloudInfrastructureLogsConnector |
| OCI - Multiple instances terminated | 252e651d-d825-480c-bdeb-8b239354577d | OracleCloudInfrastructureLogsConnector |
| OracleDBAudit - Multiple tables dropped in short time | b3aa0e5a-75a2-4613-80ec-93a1be3aeb8f | OracleDatabaseAudit, SyslogAma |
| OracleDBAudit - Shutdown Server | 27cc2cdc-ba67-4906-a6ef-ecbc9c284f4e | OracleDatabaseAudit, SyslogAma |
| Oracle - Multiple server errors from single IP | 268f4fde-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer, CustomLogsAma |
| Radiflow - Unauthorized Internet Access | cc33e1a9-e167-460b-93e6-f14af652dbd3 | RadiflowIsid |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - Multiple admin membership removals from newly created admin. | 199978c5-cd6d-4194-b505-8ef5800739df | AzureActiveDirectory |
| Threat Essentials - Mass Cloud resource deletions Time Series Anomaly | fa2658fe-3714-4c55-bb12-2b7275c628e8 | AzureActivity |
| Azure secure score admin MFA | 9a15c3dd-f72b-49a4-bcb7-94406395661e | SenservaPro |
| SenservaPro AD Applications Not Using Client Credentials | 56910d7b-aae7-452c-a3ed-89f72ef59234 | SenservaPro |
| Azure secure score role overlap | 8E6D9A66-F1B0-463D-BA90-11A5AEC0E15A | SenservaPro |
| Azure secure score one admin | F539B2A7-D9E7-4438-AA20-893BC61DF130 | SenservaPro |
| Azure Secure Score Self Service Password Reset | 114120B2-AAA0-4C4E-BDF1-2EE178465047 | SenservaPro |
| Azure secure score sign in risk policy | 5231D757-A5B5-4CA7-A91B-AA3702970E02 | SenservaPro |
| Azure secure score user risk policy | 1C07A4CB-E31B-4917-BD2A-3572E42F602C | SenservaPro |
| SSG_Security_Incidents | d41fa731-45a2-4b23-bb1d-29896fbc5298 | |
| Snowflake - Abnormal query process time | 1376f5e5-855a-4f88-8591-19eba4575a0f | Snowflake |
| Snowflake - Possible data destraction | c2f93727-e4b0-4cb9-8f80-f52ebbd96ece | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF, SonicWallFirewall, CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Excessive Amount of Denied Connections from a Single Source | 3d645a88-2724-41a7-adea-db74c439cf79 | SophosXGFirewall, SyslogAma |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Tomcat - Multiple empty requests from same IP | 7c9a1026-4872-11ec-81d3-0242ac130003 | ApacheTomcat, CustomLogsAma |
| Tomcat - Multiple server errors from single IP address | de9df79c-4872-11ec-81d3-0242ac130003 | ApacheTomcat, CustomLogsAma |
| Tomcat - Server errors after multiple requests from same IP | 875da588-4875-11ec-81d3-0242ac130003 | ApacheTomcat, CustomLogsAma |
| Trend Micro CAS - Ransomware infection | 0bec3f9a-dbe9-4b4c-9ff6-498d64bbef90 | TrendMicroCAS |
| Trend Micro CAS - Ransomware outbreak | 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd | TrendMicroCAS |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Account's Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra Host's Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma, CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma, CefAma |
| VMware SD-WAN Edge - Device Congestion Alert - Packet Drops | a88ead0a-f022-48d6-8f53-e5a164c4c72e | VMwareSDWAN |
| VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack | ce207901-ed7b-49ae-ada7-033e1fbb1240 | VMwareSDWAN |
| VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure | 840b050f-842b-4264-8973-d4f9b65facb5 | VMwareSDWAN |
| VMware ESXi - Low patch disk space | 48d992ba-d404-4159-a8c6-46f51d1325c7 | VMwareESXi, SyslogAma |
| VMware ESXi - Low temp directory space | 2ee727f7-b7c2-4034-b6c9-d245d5a29343 | VMwareESXi, SyslogAma |
| VMware ESXi - Multiple VMs stopped | 5fe1af14-cd40-48ff-b581-3a12a1f90785 | VMwareESXi, SyslogAma |
| VMware ESXi - Unexpected disk image | 395c5560-ddc2-45b2-aafe-2e3f64528d3d | VMwareESXi, SyslogAma |
| VMware ESXi - VM stopped | 43889f30-7bce-4d8a-93bb-29c9615ca8dd | VMwareESXi, SyslogAma |
| Votiro - File Blocked from Connector | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 | Votiro, CefAma |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro, CefAma |
| Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | a59ba76c-0205-4966-948e-3d5640140688 | |
| Chia_Crypto_Mining IOC - June 2021 | 4d173248-439b-4741-8b37-f63ad0c896ae | WindowsForwardedEvents |
| Potential re-named sdelete usage | 720d12c6-a08c-44c4-b18f-2236412d59b0 | SecurityEvents, WindowsSecurityEvents |
| Sdelete deployed via GPO and run recursively | d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5 | SecurityEvents, WindowsSecurityEvents |
| DNS events related to mining pools | 0d76e9cf-788d-4a69-ac7d-f234826b5bed | DNS |
| NRT DNS events related to mining pools | d5b32cd4-2328-43da-ab47-cd289c1f5efc | DNS |
| AV detections related to Zinc actors | 3705158d-e008-49c9-92dd-e538e1549090 | MicrosoftThreatProtection |
| DNS events related to mining pools (ASIM DNS Schema) | c094384d-7ea7-4091-83be-18706ecca981 | WindowsForwardedEvents, DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| Potential re-named sdelete usage (ASIM Version) | 5b6ae038-f66e-4f74-9315-df52fd492be4 | |
| Sdelete deployed via GPO and run recursively (ASIM Version) | 30c8b802-ace1-4408-bc29-4c5c5afb49e1 | |
| A host is potentially running a crypto miner (ASIM Web Session schema) | 8cbc3215-fa58-4bd6-aaaa-f0029c351730 | SquidProxy, Zscaler |
| Missing Domain Controller Heartbeat | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 | |
| Dev-0530 File Extension Rename | d82eb796-d1eb-43c8-a813-325ce3417cef | MicrosoftThreatProtection |
| AV detections related to Dev-0530 actors | 5f171045-88ab-4634-baae-a7b6509f483b | MicrosoftThreatProtection |
| AV detections related to Europium actors | 186970ee-5001-41c1-8c73-3178f75ce96a | MicrosoftThreatProtection |
| AV detections related to Hive Ransomware | 4e5914a4-2ccd-429d-a845-fa597f0bd8c5 | MicrosoftThreatProtection |
| Workspace deletion activity from an infected device | a5b3429d-f1da-42b9-883c-327ecb7b91ff | AzureActiveDirectoryIdentityProtection, AzureActivity, BehaviorAnalytics |