Impact
Rule name | ID | Required data connectors |
---|---|---|
Creating keys with encrypt policy without MFA | 454133a7-5427-4a7c-bdc4-0adfa84dda16 | AWS |
Suspicious overly permissive KMS key policy created | 60dfc193-0f73-4279-b43c-110ade02b201 | AWS |
S3 bucket suspicious ransomware activity | b442b9e2-5cc4-4129-a85b-a5ef38a9e5f0 | AWS |
Suspicious AWS EC2 Compute Resource Deployments | 9e457dc4-81f0-4d25-bc37-a5fa4a17946a | AWS |
Apache - Multiple server errors from single IP | 1bf246a2-3af9-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
Apache - Request from private IP | a0077556-3aff-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
Jira - Permission scheme updated | 72592618-fa57-45e1-9f01-ca8706a5e3f5 | JiraAuditAPI |
Jira - Project roles changed | fb6a8001-fe87-4177-a8f3-df2302215c4f | JiraAuditAPI |
Jira - User removed from group | c13ecb19-4317-4d87-9a1c-52660dd44a7d | JiraAuditAPI |
Jira - User removed from project | 5d3af0aa-833e-48ed-a29a-8cfd2705c953 | JiraAuditAPI |
Azure AD Role Management Permission Grant | 1ff56009-db01-4615-8211-d4fda21da02d | AzureActiveDirectory |
Multiple admin membership removals from newly created admin. | cda5928c-2c1e-4575-9dfa-07568bc27a4f | AzureActiveDirectory |
Suspicious number of resource creation or deployment activities | 361dd1e3-1c11-491e-82a3-bb2e44ac36ba | AzureActivity |
Suspicious Resource deployment | 9fb57e58-3ed8-4b89-afcf-c8e786508b1c | AzureActivity |
Subscription moved to another tenant | 48c026d8-7f36-4a95-9568-6f1420d66e37 | AzureActivity |
Mass Cloud resource deletions Time Series Anomaly | ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b | AzureActivity |
DDoS Attack IP Addresses - Percent Threshold | 402a42ad-f31c-48d1-8f80-0200846b7f25 | DDOS |
DDoS Attack IP Addresses - PPS Threshold | 6e76fd9d-8104-41eb-bad3-26054a3ad5f0 | DDOS |
Sensitive Azure Key Vault operations | d6491be0-ab2d-439d-95d6-ad8ea39277c5 | AzureKeyVault |
NRT Sensitive Azure Key Vault operations | 884ead54-cb3f-4676-a1eb-b26532d6cbfd | AzureKeyVault |
Affected rows stateful anomaly on database | 2a632013-379d-4993-956f-615063d31e10 | AzureSql |
Azure DevOps Service Connection Addition/Abuse - Historic allow list | 5efb0cfd-063d-417a-803b-562eae5b0301 | |
Azure DevOps Personal Access Token (PAT) misuse | ac891683-53c3-4f86-86b4-c361708e2b2b | |
Azure DevOps Service Connection Abuse | d564ff12-8f53-41b8-8649-44f76b37b99f | |
BitSight - new alert found | a1275c5e-0ff4-4d15-a7b7-96018cd979f5 | BitSight |
BitSight - new breach found | a5526ba9-5997-47c6-bf2e-60a08b681e9b | BitSight |
Box - Many items deleted by user | 1b212329-6f2c-46ca-9071-de3464f3d88d | BoxDataConnector |
Cisco SE - Ransomware Activity | c9629114-0f49-4b50-9f1b-345287b2eebf | CiscoSecureEndpoint |
Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
Cisco Duo - Admin user deleted | 6424c623-31a5-4892-be33-452586fd4075 | CiscoDuoSecurity |
Cisco Duo - AD sync failed | 398dd1cd-3251-49d8-b927-5b93bae4a094 | CiscoDuoSecurity |
Cisco Duo - Multiple users deleted | 6e4f9031-91d3-4fa1-8baf-624935f04ad8 | CiscoDuoSecurity |
Claroty - Asset Down | fd6e3416-0421-4166-adb9-186e555a7008 | Claroty ClarotyAma |
Claroty - Critical baseline deviation | 9a8b4321-e2be-449b-8227-a78227441b2a | Claroty ClarotyAma |
Data Alert | 1d2c3da7-60ec-40be-9c14-bade6eaf3c49 | |
IDP Alert | c982bcc1-ef73-485b-80d5-2a637ce4ab2b | |
User Alert | 29e0767c-80ac-4689-9a2e-b25b9fc88fce | |
Dev-0270 Registry IOC - September 2022 | 2566e99f-ad0f-472a-b9ac-d3899c9283e6 | SecurityEvents MicrosoftThreatProtection |
Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
Detecting UAC bypass - elevated COM interface | 2d5efc71-2e91-4ca2-8506-857eecb453ec | MicrosoftThreatProtection |
Detecting UAC bypass - modify Windows Store settings | 8b8fbf9c-35d4-474b-8151-a40173521293 | MicrosoftThreatProtection |
Detecting UAC bypass - ChangePK and SLUI registry tampering | 829a69ba-93e1-491f-8a1f-b19506e9d88a | MicrosoftThreatProtection |
GitLab - Abnormal number of repositories deleted | 3efd09bd-a582-4410-b7ec-5ff21cfad7bd | Syslog |
Infoblox - Data Exfiltration Attack | 8db2b374-0337-49bd-94c9-cfbf8e5d83ad | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma |
Infoblox - High Threat Level Query Not Blocked Detected | dc7af829-d716-4774-9d6f-03d9aa7c27a4 | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma |
Infoblox - Many High Threat Level Queries From Single Host Detected | 3822b794-fa89-4420-aad6-0e1a2307f419 | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma |
Infoblox - Many High Threat Level Single Query Detected | 99278700-79ca-4b0f-b416-bf57ec699e1a | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma |
Infoblox - Many NXDOMAIN DNS Responses Detected | b2f34315-9065-488e-88d0-a171d2b0da8e | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma |
Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 | 5b0864a9-4577-4087-b9fa-de3e14a8a999 | CEF ThreatIntelligence InfobloxCloudDataConnectorAma InfobloxCloudDataConnector |
Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains | 568730be-b39d-45e3-a392-941e00837d52 | InfobloxCloudDataConnector ThreatIntelligence InfobloxCloudDataConnectorAma |
Infoblox - TI - Syslog Match Found - URL | 28ee3c2b-eb4b-44de-a71e-e462843fea72 | Syslog ThreatIntelligence InfobloxCloudDataConnectorAma InfobloxCloudDataConnector |
Suspicious malware found in the network (Microsoft Defender for IoT) | 6fb1acd5-356d-40f7-9b97-78d993c6a183 | IoT |
Employee account deleted | 8a2cc466-342d-4ebb-8871-f9e1d83a24a5 | LastPass |
TI map IP entity to LastPass data | 2a723664-22c2-4d3e-bbec-5843b90166f3 | LastPass ThreatIntelligence |
Unusual Volume of Password Updated or Removed | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce | LastPass |
[Deprecated] - Cadet Blizzard Actor IOC - January 2022 | 961b6a81-5c53-40b6-9800-4f661a8faea7 | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents |
[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 | 595a10c9-91be-4abb-bbc7-ae9c57848bef | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall |
[Deprecated] - Dev-0530 IOC - July 2022 | a172107d-794c-48c0-bc26-d3349fe10b4d | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents Office365 AzureActiveDirectory AzureMonitor(IIS) AzureActivity AWS AzureFirewall |
[Deprecated] - Hive Ransomware IOC - July 2022 | b2199398-8942-4b8c-91a9-b0a707c5d147 | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents |
[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021 | d992b87b-eb49-4a9d-aa96-baacf9d26247 | F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents AzureFirewall WindowsFirewall WindowsSecurityEvents WindowsForwardedEvents |
Multiple Teams deleted by a single user | 173f8699-6af5-484a-8b06-8c47ba89b380 | Office365 |
AV detections related to Ukraine threats | b6685757-3ed1-4b05-a5bd-2cacadc86c2a | MicrosoftThreatProtection |
Detect CoreBackUp Deletion Activity from related Security Alerts | 011c84d8-85f0-4370-b864-24c13455aa94 | AzureSecurityCenter |
Ransomware Attack Detected | 6c8770fb-c854-403e-a64d-0293ba344d5f | NasuniEdgeAppliance |
Ransomware Client Blocked | 0c96a5a2-d60d-427d-8399-8df7fe8e6536 | NasuniEdgeAppliance |
Excessive number of failed connections from a single source (ASIM Network Session schema) | 4902eddb-34f7-44a8-ac94-8486366e9494 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
NGINX - Core Dump | 9a7f5a97-354b-4eac-b407-a1cc7fc4b4ec | NGINXHTTPServer |
NGINX - Multiple server errors from single IP address | b3ae0033-552e-4c3c-b493-3edffb4473bb | NGINXHTTPServer |
OCI - Multiple instances launched | a79cf2b9-a511-4282-ba5d-812e14b07831 | OracleCloudInfrastructureLogsConnector |
OCI - Multiple instances terminated | 252e651d-d825-480c-bdeb-8b239354577d | OracleCloudInfrastructureLogsConnector |
OracleDBAudit - Multiple tables dropped in short time | b3aa0e5a-75a2-4613-80ec-93a1be3aeb8f | OracleDatabaseAudit |
OracleDBAudit - Shutdown Server | 27cc2cdc-ba67-4906-a6ef-ecbc9c284f4e | OracleDatabaseAudit |
Oracle - Multiple server errors from single IP | 268f4fde-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
Microsoft COVID-19 file hash indicator matches | 2be4ef67-a93f-4d8a-981a-88158cb73abd | PaloAltoNetworks PaloAltoNetworksAma |
Detection of Malicious URLs in Syslog Events | 9acb3664-72c4-4676-80fa-9f81912e347e | Syslog |
Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
Threat Essentials - Multiple admin membership removals from newly created admin. | 199978c5-cd6d-4194-b505-8ef5800739df | AzureActiveDirectory |
Threat Essentials - Mass Cloud resource deletions Time Series Anomaly | fa2658fe-3714-4c55-bb12-2b7275c628e8 | AzureActivity |
Azure secure score admin MFA | 9a15c3dd-f72b-49a4-bcb7-94406395661e | SenservaPro |
SenservaPro AD Applications Not Using Client Credentials | 56910d7b-aae7-452c-a3ed-89f72ef59234 | SenservaPro |
Azure secure score role overlap | 8E6D9A66-F1B0-463D-BA90-11A5AEC0E15A | SenservaPro |
Azure secure score one admin | F539B2A7-D9E7-4438-AA20-893BC61DF130 | SenservaPro |
Azure Secure Score Self Service Password Reset | 114120B2-AAA0-4C4E-BDF1-2EE178465047 | SenservaPro |
Azure secure score sign in risk policy | 5231D757-A5B5-4CA7-A91B-AA3702970E02 | SenservaPro |
Azure secure score user risk policy | 1C07A4CB-E31B-4917-BD2A-3572E42F602C | SenservaPro |
Snowflake - Abnormal query process time | 1376f5e5-855a-4f88-8591-19eba4575a0f | Snowflake |
Snowflake - Possible data destruction | c2f93727-e4b0-4cb9-8f80-f52ebbd96ece | Snowflake |
Excessive Amount of Denied Connections from a Single Source | 3d645a88-2724-41a7-adea-db74c439cf79 | SophosXGFirewall |
TI map Domain entity to CommonSecurityLog | dd0a6029-ecef-4507-89c4-fc355ac52111 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Domain entity to DnsEvents | 85aca4d1-5d15-4001-abd9-acb86ca1786a | DNS ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Domain entity to Web Session Events (ASIM Web Session schema) | b1832f60-6c3d-4722-a0a5-3d564ee61a63 | SquidProxy Zscaler ThreatIntelligence MicrosoftDefenderThreatIntelligence |
TI map Domain entity to PaloAlto | ec21493c-2684-4acd-9bc2-696dbad72426 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Domain entity to SecurityAlert | 87890d78-3e05-43ec-9ab9-ba32f4e01250 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftCloudAppSecurity AzureSecurityCenter MicrosoftDefenderThreatIntelligence |
TI map Domain entity to Syslog | 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa | Syslog ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Email entity to AzureActivity | cca3b4d9-ac39-4109-8b93-65bb284003e6 | AzureActivity ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Email entity to OfficeActivity | 4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2 | Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Email entity to PaloAlto CommonSecurityLog | ffcd575b-3d54-482a-a6d8-d0de13b6ac63 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Email entity to SecurityAlert | a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc | AzureSecurityCenter ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Email entity to SecurityEvent | 2fc5d810-c9cc-491a-b564-841427ae0e50 | ThreatIntelligence ThreatIntelligenceTaxii SecurityEvents WindowsSecurityEvents WindowsForwardedEvents MicrosoftDefenderThreatIntelligence |
TI map Email entity to SigninLogs | 30fa312c-31eb-43d8-b0cc-bcbdfb360822 | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory MicrosoftDefenderThreatIntelligence |
TI map File Hash to CommonSecurityLog Event | 5d33fc63-b83b-4913-b95e-94d13f0d379f | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map File Hash to Security Event | a7427ed7-04b4-4e3b-b323-08b981b9b4bf | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map Domain entity to Dns Events (ASIM DNS Schema) | 999e9f5d-db4a-4b07-a206-29c4e667b7e8 | ThreatIntelligence ThreatIntelligenceTaxii DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs MicrosoftDefenderThreatIntelligence CiscoUmbrellaDataConnector Corelight |
TI map IP entity to DNS Events (ASIM DNS schema) | 67775878-7f8b-4380-ac54-115e1e828901 | ThreatIntelligence ThreatIntelligenceTaxii DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector MicrosoftDefenderThreatIntelligence Corelight |
TI map IP entity to AppServiceHTTPLogs | f9949656-473f-4503-bf43-a9d9890f7d08 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map IP entity to AWSCloudTrail | f110287e-1358-490d-8147-ed804b328514 | ThreatIntelligence ThreatIntelligenceTaxii AWS MicrosoftDefenderThreatIntelligence |
TI Map IP Entity to AzureActivity | 2441bce9-02e4-407b-8cc7-7d597f38b8b0 | ThreatIntelligence ThreatIntelligenceTaxii AzureActivity MicrosoftDefenderThreatIntelligence |
TI map IP entity to AzureFirewall | 0b904747-1336-4363-8d84-df2710bfe5e7 | ThreatIntelligence ThreatIntelligenceTaxii AzureFirewall MicrosoftDefenderThreatIntelligence |
TI map IP entity to Azure Key Vault logs | 57c7e832-64eb-411f-8928-4133f01f4a25 | ThreatIntelligence ThreatIntelligenceTaxii AzureKeyVault MicrosoftDefenderThreatIntelligence |
TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) | a4025a76-6490-4e6b-bb69-d02be4b03f07 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI Map IP Entity to Azure SQL Security Audit Events | d0aa8969-1bbe-4da3-9e76-09e5f67c9d85 | ThreatIntelligence ThreatIntelligenceTaxii AzureSql MicrosoftDefenderThreatIntelligence |
TI Map IP Entity to CommonSecurityLog | 66c81ae2-1f89-4433-be00-2fbbd9ba5ebe | ThreatIntelligence ThreatIntelligenceTaxii CEF MicrosoftDefenderThreatIntelligence |
TI Map IP Entity to DnsEvents | 69b7723c-2889-469f-8b55-a2d355ed9c87 | ThreatIntelligence ThreatIntelligenceTaxii DNS MicrosoftDefenderThreatIntelligence |
TI Map IP Entity to Duo Security | d23ed927-5be3-4902-a9c1-85f841eb4fa1 | ThreatIntelligence ThreatIntelligenceTaxii CiscoDuoSecurity MicrosoftDefenderThreatIntelligence |
TI map IP entity to Network Session Events (ASIM Network Session schema) | e2399891-383c-4caf-ae67-68a008b9f89e | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet MicrosoftDefenderThreatIntelligence CiscoMeraki |
TI map IP entity to Web Session Events (ASIM Web Session schema) | e2559891-383c-4caf-ae67-55a008b9f89e | SquidProxy Zscaler ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI map IP entity to OfficeActivity | f15370f4-c6fa-42c5-9be4-1d308f40284e | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence Office365 |
TI Map IP Entity to SigninLogs | f2eb15bd-8a88-4b24-9281-e133edfba315 | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory MicrosoftDefenderThreatIntelligence |
TI Map IP Entity to VMConnection | 9713e3c0-1410-468d-b79e-383448434b2d | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence AzureMonitor(VMInsights) |
TI Map IP Entity to W3CIISLog | 5e45930c-09b1-4430-b2d1-cc75ada0dc0f | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence AzureMonitor(IIS) |
TI map IP entity to GitHub_CL | aac495a9-feb1-446d-b08e-a1164a539452 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI Map URL Entity to AuditLogs | 712fab52-2a7d-401e-a08c-ff939cc7c25e | AzureActiveDirectory ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI Map URL Entity to OfficeActivity Data | 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b | Office365 ThreatIntelligence MicrosoftDefenderThreatIntelligence |
TI Map URL Entity to PaloAlto Data | 106813db-679e-4382-a51b-1bfc463befc3 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI Map URL Entity to SecurityAlert Data | f30a47c1-65fb-42b1-a7f4-00941c12550b | MicrosoftCloudAppSecurity AzureSecurityCenter ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
TI Map URL Entity to Syslog Data | b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf | Syslog ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
Tomcat - Multiple empty requests from same IP | 7c9a1026-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
Tomcat - Multiple server errors from single IP address | de9df79c-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
Tomcat - Server errors after multiple requests from same IP | 875da588-4875-11ec-81d3-0242ac130003 | ApacheTomcat |
Trend Micro CAS - Ransomware infection | 0bec3f9a-dbe9-4b4c-9ff6-498d64bbef90 | TrendMicroCAS |
Trend Micro CAS - Ransomware outbreak | 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd | TrendMicroCAS |
Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect |
Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect |
Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
VMware ESXi - Low patch disk space | 48d992ba-d404-4159-a8c6-46f51d1325c7 | VMwareESXi |
VMware ESXi - Low temp directory space | 2ee727f7-b7c2-4034-b6c9-d245d5a29343 | VMwareESXi |
VMware ESXi - Multiple VMs stopped | 5fe1af14-cd40-48ff-b581-3a12a1f90785 | VMwareESXi |
VMware ESXi - Unexpected disk image | 395c5560-ddc2-45b2-aafe-2e3f64528d3d | VMwareESXi |
VMware ESXi - VM stopped | 43889f30-7bce-4d8a-93bb-29c9615ca8dd | VMwareESXi |
Votiro - File Blocked from Connector | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 | Votiro |
Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro |
Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | a59ba76c-0205-4966-948e-3d5640140688 | |
Chia_Crypto_Mining IOC - June 2021 | 4d173248-439b-4741-8b37-f63ad0c896ae | WindowsForwardedEvents |
Potential re-named sdelete usage | 720d12c6-a08c-44c4-b18f-2236412d59b0 | SecurityEvents WindowsSecurityEvents |
Sdelete deployed via GPO and run recursively | d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5 | SecurityEvents WindowsSecurityEvents |
DNS events related to mining pools | 0d76e9cf-788d-4a69-ac7d-f234826b5bed | DNS |
NRT DNS events related to mining pools | d5b32cd4-2328-43da-ab47-cd289c1f5efc | DNS |
AV detections related to Zinc actors | 3705158d-e008-49c9-92dd-e538e1549090 | MicrosoftThreatProtection |
DNS events related to mining pools (ASIM DNS Schema) | c094384d-7ea7-4091-83be-18706ecca981 | WindowsForwardedEvents DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
Potential re-named sdelete usage (ASIM Version) | 5b6ae038-f66e-4f74-9315-df52fd492be4 | |
Sdelete deployed via GPO and run recursively (ASIM Version) | 30c8b802-ace1-4408-bc29-4c5c5afb49e1 | |
Missing Domain Controller Heartbeat | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 | |
Dev-0530 File Extension Rename | d82eb796-d1eb-43c8-a813-325ce3417cef | MicrosoftThreatProtection |
AV detections related to Dev-0530 actors | 5f171045-88ab-4634-baae-a7b6509f483b | MicrosoftThreatProtection |
AV detections related to Europium actors | 186970ee-5001-41c1-8c73-3178f75ce96a | MicrosoftThreatProtection |
AV detections related to Hive Ransomware | 4e5914a4-2ccd-429d-a845-fa597f0bd8c5 | MicrosoftThreatProtection |
Workspace deletion activity from an infected device | a5b3429d-f1da-42b9-883c-327ecb7b91ff | AzureActiveDirectoryIdentityProtection AzureActivity BehaviorAnalytics |