Impact
| Rule Name | id | Required data connectors |
|---|---|---|
| API - Rate limiting | b808063b-07d5-432c-95d0-8900da61cce9 | 42CrunchAPIProtection |
| Creating keys with encrypt policy without MFA | 454133a7-5427-4a7c-bdc4-0adfa84dda16 | AWS |
| Suspicious overly permissive KMS key policy created | 60dfc193-0f73-4279-b43c-110ade02b201 | AWS |
| S3 bucket suspicious ransomware activity | b442b9e2-5cc4-4129-a85b-a5ef38a9e5f0 | AWS |
| Suspicious AWS EC2 Compute Resource Deployments | 9e457dc4-81f0-4d25-bc37-a5fa4a17946a | AWS |
| Apache - Multiple server errors from single IP | 1bf246a2-3af9-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Request from private IP | a0077556-3aff-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Jira - Permission scheme updated | 72592618-fa57-45e1-9f01-ca8706a5e3f5 | JiraAuditAPI |
| Jira - Project roles changed | fb6a8001-fe87-4177-a8f3-df2302215c4f | JiraAuditAPI |
| Jira - User removed from group | c13ecb19-4317-4d87-9a1c-52660dd44a7d | JiraAuditAPI |
| Jira - User removed from project | 5d3af0aa-833e-48ed-a29a-8cfd2705c953 | JiraAuditAPI |
| Privileged Machines Exposed to the Internet | 72891de4-da70-44e4-9984-35fcea98d000 | Authomize |
| Suspicious number of resource creation or deployment activities | 361dd1e3-1c11-491e-82a3-bb2e44ac36ba | AzureActivity |
| Suspicious Resource deployment | 9fb57e58-3ed8-4b89-afcf-c8e786508b1c | AzureActivity |
| Subscription moved to another tenant | 48c026d8-7f36-4a95-9568-6f1420d66e37 | AzureActivity |
| Mass Cloud resource deletions Time Series Anomaly | ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b | AzureActivity |
| DDoS Attack IP Addresses - Percent Threshold | 402a42ad-f31c-48d1-8f80-0200846b7f25 | DDOS |
| DDoS Attack IP Addresses - PPS Threshold | 6e76fd9d-8104-41eb-bad3-26054a3ad5f0 | DDOS |
| Sensitive Azure Key Vault operations | d6491be0-ab2d-439d-95d6-ad8ea39277c5 | AzureKeyVault |
| NRT Sensitive Azure Key Vault operations | 884ead54-cb3f-4676-a1eb-b26532d6cbfd | AzureKeyVault |
| Affected rows stateful anomaly on database | 2a632013-379d-4993-956f-615063d31e10 | AzureSql |
| Azure DevOps Service Connection Addition/Abuse - Historic allow list | 5efb0cfd-063d-417a-803b-562eae5b0301 | |
| Azure DevOps Personal Access Token (PAT) misuse | ac891683-53c3-4f86-86b4-c361708e2b2b | |
| Azure DevOps Service Connection Abuse | d564ff12-8f53-41b8-8649-44f76b37b99f | |
| BitSight - new alert found | a1275c5e-0ff4-4d15-a7b7-96018cd979f5 | BitSight |
| BitSight - new breach found | a5526ba9-5997-47c6-bf2e-60a08b681e9b | BitSight |
| Box - Many items deleted by user | 1b212329-6f2c-46ca-9071-de3464f3d88d | BoxDataConnector |
| CiscoISE - Backup failed | 4eddd44a-25e4-41af-930d-0c17218bec74 | CiscoISE SyslogAma |
| Cisco SE - Ransomware Activity | c9629114-0f49-4b50-9f1b-345287b2eebf | CiscoSecureEndpoint |
| Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
| Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
| Cisco Duo - Admin user deleted | 6424c623-31a5-4892-be33-452586fd4075 | CiscoDuoSecurity |
| Cisco Duo - AD sync failed | 398dd1cd-3251-49d8-b927-5b93bae4a094 | CiscoDuoSecurity |
| Cisco Duo - Multiple users deleted | 6e4f9031-91d3-4fa1-8baf-624935f04ad8 | CiscoDuoSecurity |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Claroty - Asset Down | fd6e3416-0421-4166-adb9-186e555a7008 | Claroty ClarotyAma CefAma |
| Claroty - Critical baseline deviation | 9a8b4321-e2be-449b-8227-a78227441b2a | Claroty ClarotyAma CefAma |
| CommvaultSecurityIQ Alert | 317e757e-c320-448e-8837-fc61a70fe609 | |
| Data Alert | 1d2c3da7-60ec-40be-9c14-bade6eaf3c49 | |
| IDP Alert | c982bcc1-ef73-485b-80d5-2a637ce4ab2b | |
| User Alert | 29e0767c-80ac-4689-9a2e-b25b9fc88fce | |
| Dev-0270 Registry IOC - September 2022 | 2566e99f-ad0f-472a-b9ac-d3899c9283e6 | SecurityEvents WindowsSecurityEvents MicrosoftThreatProtection |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Detecting UAC bypass - elevated COM interface | 2d5efc71-2e91-4ca2-8506-857eecb453ec | MicrosoftThreatProtection |
| Detecting UAC bypass - modify Windows Store settings | 8b8fbf9c-35d4-474b-8151-a40173521293 | MicrosoftThreatProtection |
| Detecting UAC bypass - ChangePK and SLUI registry tampering | 829a69ba-93e1-491f-8a1f-b19506e9d88a | MicrosoftThreatProtection |
| GitLab - Abnormal number of repositories deleted | 3efd09bd-a582-4410-b7ec-5ff21cfad7bd | Syslog |
| Infoblox - Data Exfiltration Attack | 8db2b374-0337-49bd-94c9-cfbf8e5d83ad | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma CefAma |
| Infoblox - High Threat Level Query Not Blocked Detected | dc7af829-d716-4774-9d6f-03d9aa7c27a4 | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma CefAma |
| Infoblox - Many High Threat Level Queries From Single Host Detected | 3822b794-fa89-4420-aad6-0e1a2307f419 | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma CefAma |
| Infoblox - Many High Threat Level Single Query Detected | 99278700-79ca-4b0f-b416-bf57ec699e1a | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma CefAma |
| Infoblox - Many NXDOMAIN DNS Responses Detected | b2f34315-9065-488e-88d0-a171d2b0da8e | InfobloxCloudDataConnector InfobloxCloudDataConnectorAma CefAma |
| Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 | 5b0864a9-4577-4087-b9fa-de3e14a8a999 | CEF ThreatIntelligence InfobloxCloudDataConnectorAma InfobloxCloudDataConnector CefAma |
| Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains | 568730be-b39d-45e3-a392-941e00837d52 | InfobloxCloudDataConnector ThreatIntelligence InfobloxCloudDataConnectorAma CefAma |
| Infoblox - TI - Syslog Match Found - URL | 28ee3c2b-eb4b-44de-a71e-e462843fea72 | Syslog ThreatIntelligence InfobloxCloudDataConnectorAma InfobloxCloudDataConnector CefAma |
| Infoblox - SOC Insight Detected - API Source | cf9847bb-ab46-4050-bb81-75cab3f893dc | InfobloxSOCInsightsDataConnector_API |
| Infoblox - SOC Insight Detected - CDC Source | a4bdd81e-afc8-4410-a3d1-8478fa810537 | InfobloxSOCInsightsDataConnector_Legacy InfobloxSOCInsightsDataConnector_AMA CefAma |
| Suspicious malware found in the network (Microsoft Defender for IoT) | 6fb1acd5-356d-40f7-9b97-78d993c6a183 | IoT |
| Employee account deleted | 8a2cc466-342d-4ebb-8871-f9e1d83a24a5 | LastPass |
| TI map IP entity to LastPass data | 2a723664-22c2-4d3e-bbec-5843b90166f3 | LastPass ThreatIntelligence |
| Unusual Volume of Password Updated or Removed | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce | LastPass |
| [Deprecated] - Cadet Blizzard Actor IOC - January 2022 | 961b6a81-5c53-40b6-9800-4f661a8faea7 | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents |
| [Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 | 595a10c9-91be-4abb-bbc7-ae9c57848bef | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall |
| [Deprecated] - Dev-0530 IOC - July 2022 | a172107d-794c-48c0-bc26-d3349fe10b4d | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents Office365 AzureActiveDirectory AzureMonitor(IIS) AzureActivity AWS AzureFirewall |
| [Deprecated] - Hive Ransomware IOC - July 2022 | b2199398-8942-4b8c-91a9-b0a707c5d147 | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents |
| [Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021 | d992b87b-eb49-4a9d-aa96-baacf9d26247 | F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents AzureFirewall WindowsFirewall WindowsSecurityEvents WindowsForwardedEvents |
| Detect Malicious Usage of Recovery Tools to Delete Backup Files | 259de2c1-c546-4c6d-a17c-df639722f4d7 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma |
| Multiple Teams deleted by a single user | 173f8699-6af5-484a-8b06-8c47ba89b380 | Office365 |
| Detect CoreBackUp Deletion Activity from related Security Alerts | 011c84d8-85f0-4370-b864-24c13455aa94 | AzureSecurityCenter MicrosoftDefenderForCloudTenantBased |
| Unusual Volume of file deletion by users | e5f8e196-3544-4a8b-96a9-17c1b6a49710 | MicrosoftThreatProtection |
| Deletion of data on multiple drives using cipher exe | 03caa992-477f-4b19-8e2a-8cd58f8f9652 | MicrosoftThreatProtection |
| Potential Ransomware activity related to Cobalt Strike | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d | MicrosoftThreatProtection |
| Shadow Copy Deletions | 28c63a44-2d35-48b7-831b-3ed24af17c7e | MicrosoftThreatProtection |
| AV detections related to Ukraine threats | b6685757-3ed1-4b05-a5bd-2cacadc86c2a | MicrosoftThreatProtection |
| Microsoft Entra ID Role Management Permission Grant | 1ff56009-db01-4615-8211-d4fda21da02d | AzureActiveDirectory |
| Multiple admin membership removals from newly created admin. | cda5928c-2c1e-4575-9dfa-07568bc27a4f | AzureActiveDirectory |
| Ransomware Attack Detected | 6c8770fb-c854-403e-a64d-0293ba344d5f | NasuniEdgeAppliance SyslogAma |
| Ransomware Client Blocked | 0c96a5a2-d60d-427d-8399-8df7fe8e6536 | NasuniEdgeAppliance SyslogAma |
| Excessive number of failed connections from a single source (ASIM Network Session schema) | 4902eddb-34f7-44a8-ac94-8486366e9494 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| NGINX - Core Dump | 9a7f5a97-354b-4eac-b407-a1cc7fc4b4ec | NGINXHTTPServer |
| NGINX - Multiple server errors from single IP address | b3ae0033-552e-4c3c-b493-3edffb4473bb | NGINXHTTPServer |
| OCI - Multiple instances launched | a79cf2b9-a511-4282-ba5d-812e14b07831 | OracleCloudInfrastructureLogsConnector |
| OCI - Multiple instances terminated | 252e651d-d825-480c-bdeb-8b239354577d | OracleCloudInfrastructureLogsConnector |
| OracleDBAudit - Multiple tables dropped in short time | b3aa0e5a-75a2-4613-80ec-93a1be3aeb8f | OracleDatabaseAudit SyslogAma |
| OracleDBAudit - Shutdown Server | 27cc2cdc-ba67-4906-a6ef-ecbc9c284f4e | OracleDatabaseAudit SyslogAma |
| Oracle - Multiple server errors from single IP | 268f4fde-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Radiflow - Unauthorized Internet Access | cc33e1a9-e167-460b-93e6-f14af652dbd3 | RadiflowIsid |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - Multiple admin membership removals from newly created admin. | 199978c5-cd6d-4194-b505-8ef5800739df | AzureActiveDirectory |
| Threat Essentials - Mass Cloud resource deletions Time Series Anomaly | fa2658fe-3714-4c55-bb12-2b7275c628e8 | AzureActivity |
| Azure secure score admin MFA | 9a15c3dd-f72b-49a4-bcb7-94406395661e | SenservaPro |
| SenservaPro AD Applications Not Using Client Credentials | 56910d7b-aae7-452c-a3ed-89f72ef59234 | SenservaPro |
| Azure secure score role overlap | 8E6D9A66-F1B0-463D-BA90-11A5AEC0E15A | SenservaPro |
| Azure secure score one admin | F539B2A7-D9E7-4438-AA20-893BC61DF130 | SenservaPro |
| Azure Secure Score Self Service Password Reset | 114120B2-AAA0-4C4E-BDF1-2EE178465047 | SenservaPro |
| Azure secure score sign in risk policy | 5231D757-A5B5-4CA7-A91B-AA3702970E02 | SenservaPro |
| Azure secure score user risk policy | 1C07A4CB-E31B-4917-BD2A-3572E42F602C | SenservaPro |
| Snowflake - Abnormal query process time | 1376f5e5-855a-4f88-8591-19eba4575a0f | Snowflake |
| Snowflake - Possible data destraction | c2f93727-e4b0-4cb9-8f80-f52ebbd96ece | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Excessive Amount of Denied Connections from a Single Source | 3d645a88-2724-41a7-adea-db74c439cf79 | SophosXGFirewall |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Tomcat - Multiple empty requests from same IP | 7c9a1026-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Multiple server errors from single IP address | de9df79c-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Server errors after multiple requests from same IP | 875da588-4875-11ec-81d3-0242ac130003 | ApacheTomcat |
| Trend Micro CAS - Ransomware infection | 0bec3f9a-dbe9-4b4c-9ff6-498d64bbef90 | TrendMicroCAS |
| Trend Micro CAS - Ransomware outbreak | 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd | TrendMicroCAS |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect AIVectraDetectAma CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect AIVectraDetectAma CefAma |
| VMware SD-WAN Edge - Device Congestion Alert - Packet Drops | a88ead0a-f022-48d6-8f53-e5a164c4c72e | VMwareSDWAN |
| VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack | ce207901-ed7b-49ae-ada7-033e1fbb1240 | VMwareSDWAN |
| VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure | 840b050f-842b-4264-8973-d4f9b65facb5 | VMwareSDWAN |
| VMware ESXi - Low patch disk space | 48d992ba-d404-4159-a8c6-46f51d1325c7 | VMwareESXi |
| VMware ESXi - Low temp directory space | 2ee727f7-b7c2-4034-b6c9-d245d5a29343 | VMwareESXi |
| VMware ESXi - Multiple VMs stopped | 5fe1af14-cd40-48ff-b581-3a12a1f90785 | VMwareESXi |
| VMware ESXi - Unexpected disk image | 395c5560-ddc2-45b2-aafe-2e3f64528d3d | VMwareESXi |
| VMware ESXi - VM stopped | 43889f30-7bce-4d8a-93bb-29c9615ca8dd | VMwareESXi |
| Votiro - File Blocked from Connector | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 | Votiro CefAma |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro CefAma |
| Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | a59ba76c-0205-4966-948e-3d5640140688 | |
| Chia_Crypto_Mining IOC - June 2021 | 4d173248-439b-4741-8b37-f63ad0c896ae | WindowsForwardedEvents |
| Potential re-named sdelete usage | 720d12c6-a08c-44c4-b18f-2236412d59b0 | SecurityEvents WindowsSecurityEvents |
| Sdelete deployed via GPO and run recursively | d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5 | SecurityEvents WindowsSecurityEvents |
| DNS events related to mining pools | 0d76e9cf-788d-4a69-ac7d-f234826b5bed | DNS |
| NRT DNS events related to mining pools | d5b32cd4-2328-43da-ab47-cd289c1f5efc | DNS |
| AV detections related to Zinc actors | 3705158d-e008-49c9-92dd-e538e1549090 | MicrosoftThreatProtection |
| DNS events related to mining pools (ASIM DNS Schema) | c094384d-7ea7-4091-83be-18706ecca981 | WindowsForwardedEvents DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| Potential re-named sdelete usage (ASIM Version) | 5b6ae038-f66e-4f74-9315-df52fd492be4 | |
| Sdelete deployed via GPO and run recursively (ASIM Version) | 30c8b802-ace1-4408-bc29-4c5c5afb49e1 | |
| A host is potentially running a crypto miner (ASIM Web Session schema) | 8cbc3215-fa58-4bd6-aaaa-f0029c351730 | SquidProxy Zscaler |
| Missing Domain Controller Heartbeat | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 | |
| Dev-0530 File Extension Rename | d82eb796-d1eb-43c8-a813-325ce3417cef | MicrosoftThreatProtection |
| AV detections related to Dev-0530 actors | 5f171045-88ab-4634-baae-a7b6509f483b | MicrosoftThreatProtection |
| AV detections related to Europium actors | 186970ee-5001-41c1-8c73-3178f75ce96a | MicrosoftThreatProtection |
| AV detections related to Hive Ransomware | 4e5914a4-2ccd-429d-a845-fa597f0bd8c5 | MicrosoftThreatProtection |
| Workspace deletion activity from an infected device | a5b3429d-f1da-42b9-883c-327ecb7b91ff | AzureActiveDirectoryIdentityProtection AzureActivity BehaviorAnalytics |