Microsoft Sentinel Analytic Rules

Impact

Overview

| Rule Name | id | Required data connectors |
|---|---|---|
| Creating keys with encrypt policy without MFA | 454133a7-5427-4a7c-bdc4-0adfa84dda16 | AWS |
| Suspicious overly permissive KMS key policy created | 60dfc193-0f73-4279-b43c-110ade02b201 | AWS |
| S3 bucket suspicious ransomware activity | b442b9e2-5cc4-4129-a85b-a5ef38a9e5f0 | AWS |
| Suspicious AWS EC2 Compute Resource Deployments | 9e457dc4-81f0-4d25-bc37-a5fa4a17946a | AWS |
| Apache - Multiple server errors from single IP | 1bf246a2-3af9-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Request from private IP | a0077556-3aff-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Jira - Permission scheme updated | 72592618-fa57-45e1-9f01-ca8706a5e3f5 | JiraAuditAPI |
| Jira - Project roles changed | fb6a8001-fe87-4177-a8f3-df2302215c4f | JiraAuditAPI |
| Jira - User removed from group | c13ecb19-4317-4d87-9a1c-52660dd44a7d | JiraAuditAPI |
| Jira - User removed from project | 5d3af0aa-833e-48ed-a29a-8cfd2705c953 | JiraAuditAPI |
| Privileged Machines Exposed to the Internet | 72891de4-da70-44e4-9984-35fcea98d000 | Authomize |
| Suspicious number of resource creation or deployment activities | 361dd1e3-1c11-491e-82a3-bb2e44ac36ba | AzureActivity |
| Suspicious Resource deployment | 9fb57e58-3ed8-4b89-afcf-c8e786508b1c | AzureActivity |
| Subscription moved to another tenant | 48c026d8-7f36-4a95-9568-6f1420d66e37 | AzureActivity |
| Mass Cloud resource deletions Time Series Anomaly | ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b | AzureActivity |
| DDoS Attack IP Addresses - Percent Threshold | 402a42ad-f31c-48d1-8f80-0200846b7f25 | DDOS |
| DDoS Attack IP Addresses - PPS Threshold | 6e76fd9d-8104-41eb-bad3-26054a3ad5f0 | DDOS |
| Sensitive Azure Key Vault operations | d6491be0-ab2d-439d-95d6-ad8ea39277c5 | AzureKeyVault |
| NRT Sensitive Azure Key Vault operations | 884ead54-cb3f-4676-a1eb-b26532d6cbfd | AzureKeyVault |
| Affected rows stateful anomaly on database | 2a632013-379d-4993-956f-615063d31e10 | AzureSql |
| Azure DevOps Service Connection Addition/Abuse - Historic allow list | 5efb0cfd-063d-417a-803b-562eae5b0301 | |
| Azure DevOps Personal Access Token (PAT) misuse | ac891683-53c3-4f86-86b4-c361708e2b2b | |
| Azure DevOps Service Connection Abuse | d564ff12-8f53-41b8-8649-44f76b37b99f | |
| BitSight - new alert found | a1275c5e-0ff4-4d15-a7b7-96018cd979f5 | BitSight |
| BitSight - new breach found | a5526ba9-5997-47c6-bf2e-60a08b681e9b | BitSight |
| Box - Many items deleted by user | 1b212329-6f2c-46ca-9071-de3464f3d88d | BoxDataConnector |
| Cisco SE - Ransomware Activity | c9629114-0f49-4b50-9f1b-345287b2eebf | CiscoSecureEndpoint |
| Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
| Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
| Cisco Duo - Admin user deleted | 6424c623-31a5-4892-be33-452586fd4075 | CiscoDuoSecurity |
| Cisco Duo - AD sync failed | 398dd1cd-3251-49d8-b927-5b93bae4a094 | CiscoDuoSecurity |
| Cisco Duo - Multiple users deleted | 6e4f9031-91d3-4fa1-8baf-624935f04ad8 | CiscoDuoSecurity |
| Claroty - Asset Down | fd6e3416-0421-4166-adb9-186e555a7008 | Claroty, ClarotyAma |
| Claroty - Critical baseline deviation | 9a8b4321-e2be-449b-8227-a78227441b2a | Claroty, ClarotyAma |
| Data Alert | 1d2c3da7-60ec-40be-9c14-bade6eaf3c49 | |
| IDP Alert | c982bcc1-ef73-485b-80d5-2a637ce4ab2b | |
| User Alert | 29e0767c-80ac-4689-9a2e-b25b9fc88fce | |
| Dev-0270 Registry IOC - September 2022 | 2566e99f-ad0f-472a-b9ac-d3899c9283e6 | SecurityEvents, MicrosoftThreatProtection |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Detecting UAC bypass - elevated COM interface | 2d5efc71-2e91-4ca2-8506-857eecb453ec | MicrosoftThreatProtection |
| Detecting UAC bypass - modify Windows Store settings | 8b8fbf9c-35d4-474b-8151-a40173521293 | MicrosoftThreatProtection |
| Detecting UAC bypass - ChangePK and SLUI registry tampering | 829a69ba-93e1-491f-8a1f-b19506e9d88a | MicrosoftThreatProtection |
| GitLab - Abnormal number of repositories deleted | 3efd09bd-a582-4410-b7ec-5ff21cfad7bd | Syslog |
| GreyNoise TI Map IP Entity to CommonSecurityLog | e50657d7-8bca-43ff-a647-d407fae440d6 | ThreatIntelligence, CEF, GreyNoise2SentinelAPI |
| GreyNoise TI Map IP Entity to DnsEvents | ddf47b6f-870c-5712-a296-1383acb13c82 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, GreyNoise2SentinelAPI |
| GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema) | 536e8e5c-ce0e-575e-bcc9-aba8e7bf9316 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, MicrosoftDefenderThreatIntelligence, CiscoMeraki, GreyNoise2SentinelAPI |
| GreyNoise TI map IP entity to OfficeActivity | c51628fe-999c-5150-9fd7-660fc4f58ed2 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, Office365, GreyNoise2SentinelAPI |
| GreyNoise TI Map IP Entity to SigninLogs | f6c76cc9-218c-5b76-9b82-8607f09ea1b4 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence, GreyNoise2SentinelAPI |
| Infoblox - Data Exfiltration Attack | 8db2b374-0337-49bd-94c9-cfbf8e5d83ad | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma |
| Infoblox - High Threat Level Query Not Blocked Detected | dc7af829-d716-4774-9d6f-03d9aa7c27a4 | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma |
| Infoblox - Many High Threat Level Queries From Single Host Detected | 3822b794-fa89-4420-aad6-0e1a2307f419 | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma |
| Infoblox - Many High Threat Level Single Query Detected | 99278700-79ca-4b0f-b416-bf57ec699e1a | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma |
| Infoblox - Many NXDOMAIN DNS Responses Detected | b2f34315-9065-488e-88d0-a171d2b0da8e | InfobloxCloudDataConnector, InfobloxCloudDataConnectorAma |
| Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 | 5b0864a9-4577-4087-b9fa-de3e14a8a999 | CEF, ThreatIntelligence, InfobloxCloudDataConnectorAma, InfobloxCloudDataConnector |
| Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains | 568730be-b39d-45e3-a392-941e00837d52 | InfobloxCloudDataConnector, ThreatIntelligence, InfobloxCloudDataConnectorAma |
| Infoblox - TI - Syslog Match Found - URL | 28ee3c2b-eb4b-44de-a71e-e462843fea72 | Syslog, ThreatIntelligence, InfobloxCloudDataConnectorAma, InfobloxCloudDataConnector |
| Infoblox - SOC Insight Detected - API Source | cf9847bb-ab46-4050-bb81-75cab3f893dc | InfobloxSOCInsightsDataConnector_API |
| Infoblox - SOC Insight Detected - CDC Source | a4bdd81e-afc8-4410-a3d1-8478fa810537 | InfobloxSOCInsightsDataConnector_Legacy, InfobloxSOCInsightsDataConnector_AMA |
| Suspicious malware found in the network (Microsoft Defender for IoT) | 6fb1acd5-356d-40f7-9b97-78d993c6a183 | IoT |
| Employee account deleted | 8a2cc466-342d-4ebb-8871-f9e1d83a24a5 | LastPass |
| TI map IP entity to LastPass data | 2a723664-22c2-4d3e-bbec-5843b90166f3 | LastPass, ThreatIntelligence |
| Unusual Volume of Password Updated or Removed | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce | LastPass |
| [Deprecated] - Cadet Blizzard Actor IOC - January 2022 | 961b6a81-5c53-40b6-9800-4f661a8faea7 | CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents |
| [Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 | 595a10c9-91be-4abb-bbc7-ae9c57848bef | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, Office365, AzureFirewall, WindowsFirewall |
| [Deprecated] - Dev-0530 IOC - July 2022 | a172107d-794c-48c0-bc26-d3349fe10b4d | CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents, Office365, AzureActiveDirectory, AzureMonitor(IIS), AzureActivity, AWS, AzureFirewall |
| [Deprecated] - Hive Ransomware IOC - July 2022 | b2199398-8942-4b8c-91a9-b0a707c5d147 | CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents |
| [Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021 | d992b87b-eb49-4a9d-aa96-baacf9d26247 | F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, AzureFirewall, WindowsFirewall, WindowsSecurityEvents, WindowsForwardedEvents |
| Detect Malicious Usage of Recovery Tools to Delete Backup Files | 259de2c1-c546-4c6d-a17c-df639722f4d7 | CrowdStrikeFalconEndpointProtection, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint, TrendMicroApexOne, TrendMicroApexOneAma |
| Multiple Teams deleted by a single user | 173f8699-6af5-484a-8b06-8c47ba89b380 | Office365 |
| Detect CoreBackUp Deletion Activity from related Security Alerts | 011c84d8-85f0-4370-b864-24c13455aa94 | AzureSecurityCenter, MicrosoftDefenderForCloudTenantBased |
| Unusual Volume of file deletion by users | e5f8e196-3544-4a8b-96a9-17c1b6a49710 | MicrosoftThreatProtection |
| Deletion of data on multiple drives using cipher exe | 03caa992-477f-4b19-8e2a-8cd58f8f9652 | MicrosoftThreatProtection |
| Potential Ransomware activity related to Cobalt Strike | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d | MicrosoftThreatProtection |
| Shadow Copy Deletions | 28c63a44-2d35-48b7-831b-3ed24af17c7e | MicrosoftThreatProtection |
| AV detections related to Ukraine threats | b6685757-3ed1-4b05-a5bd-2cacadc86c2a | MicrosoftThreatProtection |
| Microsoft Entra ID Role Management Permission Grant | 1ff56009-db01-4615-8211-d4fda21da02d | AzureActiveDirectory |
| Multiple admin membership removals from newly created admin. | cda5928c-2c1e-4575-9dfa-07568bc27a4f | AzureActiveDirectory |
| Ransomware Attack Detected | 6c8770fb-c854-403e-a64d-0293ba344d5f | NasuniEdgeAppliance |
| Ransomware Client Blocked | 0c96a5a2-d60d-427d-8399-8df7fe8e6536 | NasuniEdgeAppliance |
| Excessive number of failed connections from a single source (ASIM Network Session schema) | 4902eddb-34f7-44a8-ac94-8486366e9494 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| NGINX - Core Dump | 9a7f5a97-354b-4eac-b407-a1cc7fc4b4ec | NGINXHTTPServer |
| NGINX - Multiple server errors from single IP address | b3ae0033-552e-4c3c-b493-3edffb4473bb | NGINXHTTPServer |
| OCI - Multiple instances launched | a79cf2b9-a511-4282-ba5d-812e14b07831 | OracleCloudInfrastructureLogsConnector |
| OCI - Multiple instances terminated | 252e651d-d825-480c-bdeb-8b239354577d | OracleCloudInfrastructureLogsConnector |
| OracleDBAudit - Multiple tables dropped in short time | b3aa0e5a-75a2-4613-80ec-93a1be3aeb8f | OracleDatabaseAudit |
| OracleDBAudit - Shutdown Server | 27cc2cdc-ba67-4906-a6ef-ecbc9c284f4e | OracleDatabaseAudit |
| Oracle - Multiple server errors from single IP | 268f4fde-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Microsoft COVID-19 file hash indicator matches | 2be4ef67-a93f-4d8a-981a-88158cb73abd | PaloAltoNetworks, PaloAltoNetworksAma |
| Detection of Malicious URLs in Syslog Events | 9acb3664-72c4-4676-80fa-9f81912e347e | Syslog |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - Multiple admin membership removals from newly created admin. | 199978c5-cd6d-4194-b505-8ef5800739df | AzureActiveDirectory |
| Threat Essentials - Mass Cloud resource deletions Time Series Anomaly | fa2658fe-3714-4c55-bb12-2b7275c628e8 | AzureActivity |
| Azure secure score admin MFA | 9a15c3dd-f72b-49a4-bcb7-94406395661e | SenservaPro |
| SenservaPro AD Applications Not Using Client Credentials | 56910d7b-aae7-452c-a3ed-89f72ef59234 | SenservaPro |
| Azure secure score role overlap | 8E6D9A66-F1B0-463D-BA90-11A5AEC0E15A | SenservaPro |
| Azure secure score one admin | F539B2A7-D9E7-4438-AA20-893BC61DF130 | SenservaPro |
| Azure Secure Score Self Service Password Reset | 114120B2-AAA0-4C4E-BDF1-2EE178465047 | SenservaPro |
| Azure secure score sign in risk policy | 5231D757-A5B5-4CA7-A91B-AA3702970E02 | SenservaPro |
| Azure secure score user risk policy | 1C07A4CB-E31B-4917-BD2A-3572E42F602C | SenservaPro |
| Snowflake - Abnormal query process time | 1376f5e5-855a-4f88-8591-19eba4575a0f | Snowflake |
| Snowflake - Possible data destraction | c2f93727-e4b0-4cb9-8f80-f52ebbd96ece | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF, SonicWallFirewall |
| Excessive Amount of Denied Connections from a Single Source | 3d645a88-2724-41a7-adea-db74c439cf79 | SophosXGFirewall |
| TI map Domain entity to PaloAlto CommonSecurityLog | dd0a6029-ecef-4507-89c4-fc355ac52111 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map Domain Entity to DeviceNetworkEvents | c308b2f3-eebe-4a20-905c-cb8293b062db | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to DnsEvents | 85aca4d1-5d15-4001-abd9-acb86ca1786a | DNS, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to EmailEvents | 96307710-8bb9-4b45-8363-a90c72ebf86f | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to EmailUrlInfo | 87cc75df-d7b2-44f1-b064-ee924edfc879 | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Web Session Events (ASIM Web Session schema) | b1832f60-6c3d-4722-a0a5-3d564ee61a63 | SquidProxy, Zscaler, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to PaloAlto | ec21493c-2684-4acd-9bc2-696dbad72426 | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to SecurityAlert | 87890d78-3e05-43ec-9ab9-ba32f4e01250 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftCloudAppSecurity, AzureSecurityCenter, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Syslog | 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa | Syslog, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to AzureActivity | cca3b4d9-ac39-4109-8b93-65bb284003e6 | AzureActivity, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to EmailEvents | 11f7c6e3-f066-4b3c-9a81-b487ec0a6873 | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to OfficeActivity | 4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2 | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to PaloAlto CommonSecurityLog | ffcd575b-3d54-482a-a6d8-d0de13b6ac63 | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SecurityAlert | a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc | AzureSecurityCenter, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SecurityEvent | 2fc5d810-c9cc-491a-b564-841427ae0e50 | ThreatIntelligence, ThreatIntelligenceTaxii, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SigninLogs | 30fa312c-31eb-43d8-b0cc-bcbdfb360822 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence |
| TI map File Hash to CommonSecurityLog Event | 5d33fc63-b83b-4913-b95e-94d13f0d379f | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map File Hash to DeviceFileEvents Event | bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map File Hash to Security Event | a7427ed7-04b4-4e3b-b323-08b981b9b4bf | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to Dns Events (ASIM DNS Schema) | 999e9f5d-db4a-4b07-a206-29c4e667b7e8 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, MicrosoftDefenderThreatIntelligence, CiscoUmbrellaDataConnector, Corelight |
| TI map IP entity to DNS Events (ASIM DNS schema) | 67775878-7f8b-4380-ac54-115e1e828901 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, MicrosoftDefenderThreatIntelligence, Corelight |
| TI map IP entity to AppServiceHTTPLogs | f9949656-473f-4503-bf43-a9d9890f7d08 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AWSCloudTrail | f110287e-1358-490d-8147-ed804b328514 | ThreatIntelligence, ThreatIntelligenceTaxii, AWS, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to AzureActivity | 2441bce9-02e4-407b-8cc7-7d597f38b8b0 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActivity, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AzureFirewall | 0b904747-1336-4363-8d84-df2710bfe5e7 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureFirewall, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to Azure Key Vault logs | 57c7e832-64eb-411f-8928-4133f01f4a25 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureKeyVault, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) | a4025a76-6490-4e6b-bb69-d02be4b03f07 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to Azure SQL Security Audit Events | d0aa8969-1bbe-4da3-9e76-09e5f67c9d85 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureSql, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to CommonSecurityLog | 66c81ae2-1f89-4433-be00-2fbbd9ba5ebe | ThreatIntelligence, ThreatIntelligenceTaxii, CEF, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to DeviceNetworkEvents | b2df4979-d34a-48b3-a7d9-f473a4bf8058 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to DnsEvents | 69b7723c-2889-469f-8b55-a2d355ed9c87 | ThreatIntelligence, ThreatIntelligenceTaxii, DNS, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to Duo Security | d23ed927-5be3-4902-a9c1-85f841eb4fa1 | ThreatIntelligence, ThreatIntelligenceTaxii, CiscoDuoSecurity, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to Network Session Events (ASIM Network Session schema) | e2399891-383c-4caf-ae67-68a008b9f89e | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, MicrosoftDefenderThreatIntelligence, CiscoMeraki, ThreatIntelligenceTaxii |
| TI map IP entity to Web Session Events (ASIM Web Session schema) | e2559891-383c-4caf-ae67-55a008b9f89e | SquidProxy, Zscaler, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map IP entity to OfficeActivity | f15370f4-c6fa-42c5-9be4-1d308f40284e | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, Office365 |
| TI Map IP Entity to SigninLogs | f2eb15bd-8a88-4b24-9281-e133edfba315 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence |
| TI Map IP Entity to VMConnection | 9713e3c0-1410-468d-b79e-383448434b2d | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, AzureMonitor(VMInsights) |
| TI Map IP Entity to W3CIISLog | 5e45930c-09b1-4430-b2d1-cc75ada0dc0f | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence, AzureMonitor(IIS) |
| TI map IP entity to GitHub_CL | aac495a9-feb1-446d-b08e-a1164a539452 | ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to AuditLogs | 712fab52-2a7d-401e-a08c-ff939cc7c25e | AzureActiveDirectory, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to AuditLogs | 6ddbd892-a9be-47be-bab7-521241695bd6 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to EmailUrlInfo | a0038239-72f4-4f7b-90ff-37f89f7881e0 | AzureActiveDirectory, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to OfficeActivity Data [Deprecated] | 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b | Office365, ThreatIntelligence, MicrosoftDefenderThreatIntelligence, ThreatIntelligenceTaxii |
| TI Map URL Entity to PaloAlto Data | 106813db-679e-4382-a51b-1bfc463befc3 | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to SecurityAlert Data | f30a47c1-65fb-42b1-a7f4-00941c12550b | MicrosoftCloudAppSecurity, AzureSecurityCenter, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to Syslog Data | b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf | Syslog, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI Map URL Entity to UrlClickEvents | 23391c84-87d8-452f-a84c-47a62f01e115 | MicrosoftThreatProtection, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| Threat Connect TI map Domain entity to DnsEvents | f8960f1c-07d2-512b-9c41-952772d40c84 | DNS, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map Email entity to OfficeActivity | 4f7ade3e-7121-5274-83ea-d7ed22a01fea | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map Email entity to SigninLogs | ecb68ce7-c309-59a7-a8de-07ccf2a0ea4f | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence |
| ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema) | ee1fd303-2081-47b7-8f02-e38bfd0868e6 | ThreatIntelligence |
| ThreatConnect TI Map URL Entity to OfficeActivity Data | 12c3b31b-66a6-53ff-b6ab-6ae45e56dc92 | Office365, ThreatIntelligence, MicrosoftDefenderThreatIntelligence |
| Tomcat - Multiple empty requests from same IP | 7c9a1026-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Multiple server errors from single IP address | de9df79c-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Server errors after multiple requests from same IP | 875da588-4875-11ec-81d3-0242ac130003 | ApacheTomcat |
| Trend Micro CAS - Ransomware infection | 0bec3f9a-dbe9-4b4c-9ff6-498d64bbef90 | TrendMicroCAS |
| Trend Micro CAS - Ransomware outbreak | 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd | TrendMicroCAS |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma |
| VMware SD-WAN Edge - Device Congestion Alert - Packet Drops | a88ead0a-f022-48d6-8f53-e5a164c4c72e | VMwareSDWAN |
| VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack | ce207901-ed7b-49ae-ada7-033e1fbb1240 | VMwareSDWAN |
| VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure | 840b050f-842b-4264-8973-d4f9b65facb5 | VMwareSDWAN |
| VMware ESXi - Low patch disk space | 48d992ba-d404-4159-a8c6-46f51d1325c7 | VMwareESXi |
| VMware ESXi - Low temp directory space | 2ee727f7-b7c2-4034-b6c9-d245d5a29343 | VMwareESXi |
| VMware ESXi - Multiple VMs stopped | 5fe1af14-cd40-48ff-b581-3a12a1f90785 | VMwareESXi |
| VMware ESXi - Unexpected disk image | 395c5560-ddc2-45b2-aafe-2e3f64528d3d | VMwareESXi |
| VMware ESXi - VM stopped | 43889f30-7bce-4d8a-93bb-29c9615ca8dd | VMwareESXi |
| Votiro - File Blocked from Connector | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 | Votiro |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro |
| Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | a59ba76c-0205-4966-948e-3d5640140688 | |
| Chia_Crypto_Mining IOC - June 2021 | 4d173248-439b-4741-8b37-f63ad0c896ae | WindowsForwardedEvents |
| Potential re-named sdelete usage | 720d12c6-a08c-44c4-b18f-2236412d59b0 | SecurityEvents, WindowsSecurityEvents |
| Sdelete deployed via GPO and run recursively | d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5 | SecurityEvents, WindowsSecurityEvents |
| DNS events related to mining pools | 0d76e9cf-788d-4a69-ac7d-f234826b5bed | DNS |
| NRT DNS events related to mining pools | d5b32cd4-2328-43da-ab47-cd289c1f5efc | DNS |
| AV detections related to Zinc actors | 3705158d-e008-49c9-92dd-e538e1549090 | MicrosoftThreatProtection |
| DNS events related to mining pools (ASIM DNS Schema) | c094384d-7ea7-4091-83be-18706ecca981 | WindowsForwardedEvents, DNS, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| Potential re-named sdelete usage (ASIM Version) | 5b6ae038-f66e-4f74-9315-df52fd492be4 | |
| Sdelete deployed via GPO and run recursively (ASIM Version) | 30c8b802-ace1-4408-bc29-4c5c5afb49e1 | |
| Missing Domain Controller Heartbeat | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 | |
| Dev-0530 File Extension Rename | d82eb796-d1eb-43c8-a813-325ce3417cef | MicrosoftThreatProtection |
| AV detections related to Dev-0530 actors | 5f171045-88ab-4634-baae-a7b6509f483b | MicrosoftThreatProtection |
| AV detections related to Europium actors | 186970ee-5001-41c1-8c73-3178f75ce96a | MicrosoftThreatProtection |
| AV detections related to Hive Ransomware | 4e5914a4-2ccd-429d-a845-fa597f0bd8c5 | MicrosoftThreatProtection |
| Workspace deletion activity from an infected device | a5b3429d-f1da-42b9-883c-327ecb7b91ff | AzureActiveDirectoryIdentityProtection, AzureActivity, BehaviorAnalytics |