Impact
| Rule Name | id | Required data connectors |
|---|---|---|
| Creating keys with encrypt policy without MFA | 454133a7-5427-4a7c-bdc4-0adfa84dda16 | AWS |
| Suspicious overly permessive KMS key policy created | 60dfc193-0f73-4279-b43c-110ade02b201 | AWS |
| S3 bucket suspicious ransomware activity | b442b9e2-5cc4-4129-a85b-a5ef38a9e5f0 | AWS |
| Apache - Multiple server errors from single IP | 1bf246a2-3af9-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Request from private IP | a0077556-3aff-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Jira - Permission scheme updated | 72592618-fa57-45e1-9f01-ca8706a5e3f5 | JiraAuditAPI |
| Jira - Project roles changed | fb6a8001-fe87-4177-a8f3-df2302215c4f | JiraAuditAPI |
| Jira - User removed from group | c13ecb19-4317-4d87-9a1c-52660dd44a7d | JiraAuditAPI |
| Jira - User removed from project | 5d3af0aa-833e-48ed-a29a-8cfd2705c953 | JiraAuditAPI |
| Azure AD Role Management Permission Grant | 1ff56009-db01-4615-8211-d4fda21da02d | AzureActiveDirectory |
| Multiple admin membership removals from newly created admin. | cda5928c-2c1e-4575-9dfa-07568bc27a4f | AzureActiveDirectory |
| Suspicious number of resource creation or deployment activities | 361dd1e3-1c11-491e-82a3-bb2e44ac36ba | AzureActivity |
| Suspicious Resource deployment | 9fb57e58-3ed8-4b89-afcf-c8e786508b1c | AzureActivity |
| Mass Cloud resource deletions Time Series Anomaly | ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b | AzureActivity |
| DDoS Attack IP Addresses - Percent Threshold | 402a42ad-f31c-48d1-8f80-0200846b7f25 | DDOS |
| DDoS Attack IP Addresses - PPS Threshold | 6e76fd9d-8104-41eb-bad3-26054a3ad5f0 | DDOS |
| Sensitive Azure Key Vault operations | d6491be0-ab2d-439d-95d6-ad8ea39277c5 | AzureKeyVault |
| NRT Sensitive Azure Key Vault operations | 884ead54-cb3f-4676-a1eb-b26532d6cbfd | AzureKeyVault |
| Affected rows stateful anomaly on database | 2a632013-379d-4993-956f-615063d31e10 | AzureSql |
| Azure DevOps Service Connection Addition/Abuse - Historic allow list | 5efb0cfd-063d-417a-803b-562eae5b0301 | |
| Azure DevOps Personal Access Token (PAT) misuse | ac891683-53c3-4f86-86b4-c361708e2b2b | |
| Azure DevOps Service Connection Abuse | d564ff12-8f53-41b8-8649-44f76b37b99f | |
| Box - Many items deleted by user | 1b212329-6f2c-46ca-9071-de3464f3d88d | BoxDataConnector |
| Cisco SE - Ransomware Activity | c9629114-0f49-4b50-9f1b-345287b2eebf | CiscoSecureEndpoint |
| Cisco ASA - average attack detection rate increase | 79f29feb-6a9d-4cdf-baaa-2daf480a5da1 | CiscoASA |
| Cisco ASA - threat detection message fired | 795edf2d-cf3e-45b5-8452-fe6c9e6a582e | CiscoASA |
| Cisco Duo - Admin user deleted | 6424c623-31a5-4892-be33-452586fd4075 | CiscoDuoSecurity |
| Cisco Duo - AD sync failed | 398dd1cd-3251-49d8-b927-5b93bae4a094 | CiscoDuoSecurity |
| Cisco Duo - Multiple users deleted | 6e4f9031-91d3-4fa1-8baf-624935f04ad8 | CiscoDuoSecurity |
| Claroty - Asset Down | fd6e3416-0421-4166-adb9-186e555a7008 | Claroty |
| Claroty - Critical baseline deviation | 9a8b4321-e2be-449b-8227-a78227441b2a | Claroty |
| Dev-0270 Registry IOC - September 2022 | 2566e99f-ad0f-472a-b9ac-d3899c9283e6 | SecurityEvents MicrosoftThreatProtection |
| Detect DNS requests to known Domain IOCs (ASIM DNS Solution) | 8e4a010a-972c-4124-8c27-1efcd7e3125a | ASimDnsActivityLogs GCPDNSDataConnector AzureFirewall CiscoUmbrellaDataConnector Corelight InfobloxNIOS NXLogDnsLogs DNS AIVectraStream WindowsForwardedEvents Zscaler ISCBind |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Detecting UAC bypass - elevated COM interface | 2d5efc71-2e91-4ca2-8506-857eecb453ec | MicrosoftThreatProtection |
| Detecting UAC bypass - modify Windows Store settings | 8b8fbf9c-35d4-474b-8151-a40173521293 | MicrosoftThreatProtection |
| Detecting UAC bypass - ChangePK and SLUI registry tampering | 829a69ba-93e1-491f-8a1f-b19506e9d88a | MicrosoftThreatProtection |
| GitLab - Abnormal number of repositories deleted | 3efd09bd-a582-4410-b7ec-5ff21cfad7bd | Syslog |
| Infoblox - High Number of High Threat Level Queries Detected | 57113ad7-7dd6-4150-84d8-252e162aaf4a | InfobloxCloudDataConnector |
| Infoblox - High Number of NXDOMAIN DNS Responses Detected | 818eddaa-3806-43a2-8930-3defc5a06803 | InfobloxCloudDataConnector |
| Infoblox - High Threat Level Query Not Blocked Detected | dc7af829-d716-4774-9d6f-03d9aa7c27a4 | InfobloxCloudDataConnector |
| Suspicious malware found in the network (Microsoft Defender for IoT) | 6fb1acd5-356d-40f7-9b97-78d993c6a183 | IoT |
| Employee account deleted | 8a2cc466-342d-4ebb-8871-f9e1d83a24a5 | LastPass |
| TI map IP entity to LastPass data | 2a723664-22c2-4d3e-bbec-5843b90166f3 | LastPass ThreatIntelligence |
| Unusual Volume of Password Updated or Removed | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce | LastPass |
| Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 | 595a10c9-91be-4abb-bbc7-ae9c57848bef | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall |
| Dev-0530 IOC - July 2022 | a172107d-794c-48c0-bc26-d3349fe10b4d | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents Office365 AzureActiveDirectory AzureMonitor(IIS) AzureActivity AWS AzureFirewall |
| DEV-0586 Actor IOC - January 2022 | 961b6a81-5c53-40b6-9800-4f661a8faea7 | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents |
| Hive Ransomware IOC - July 2022 | b2199398-8942-4b8c-91a9-b0a707c5d147 | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents |
| Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021 | d992b87b-eb49-4a9d-aa96-baacf9d26247 | F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents AzureFirewall WindowsFirewall WindowsSecurityEvents WindowsForwardedEvents |
| Multiple Teams deleted by a single user | 173f8699-6af5-484a-8b06-8c47ba89b380 | Office365 |
| AV detections related to Ukraine threats | b6685757-3ed1-4b05-a5bd-2cacadc86c2a | MicrosoftThreatProtection |
| CoreBackUp Deletion in correlation with other related security alerts | 011c84d8-85f0-4370-b864-24c13455aa94 | AzureSecurityCenter |
| Excessive number of failed connections from a single source (ASIM Network Session schema) | 4902eddb-34f7-44a8-ac94-8486366e9494 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| NGINX - Core Dump | 9a7f5a97-354b-4eac-b407-a1cc7fc4b4ec | NGINXHTTPServer |
| NGINX - Multiple server errors from single IP address | b3ae0033-552e-4c3c-b493-3edffb4473bb | NGINXHTTPServer |
| OCI - Multiple instances launched | a79cf2b9-a511-4282-ba5d-812e14b07831 | OracleCloudInfrastructureLogsConnector |
| OCI - Multiple instances terminated | 252e651d-d825-480c-bdeb-8b239354577d | OracleCloudInfrastructureLogsConnector |
| OracleDBAudit - Multiple tables dropped in short time | b3aa0e5a-75a2-4613-80ec-93a1be3aeb8f | OracleDatabaseAudit |
| OracleDBAudit - Shutdown Server | 27cc2cdc-ba67-4906-a6ef-ecbc9c284f4e | OracleDatabaseAudit |
| Oracle - Multiple server errors from single IP | 268f4fde-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Microsoft COVID-19 file hash indicator matches | 2be4ef67-a93f-4d8a-981a-88158cb73abd | PaloAltoNetworks |
| Detection of Malicious URLs in Syslog Events | 9acb3664-72c4-4676-80fa-9f81912e347e | Syslog |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - Multiple admin membership removals from newly created admin. | 199978c5-cd6d-4194-b505-8ef5800739df | AzureActiveDirectory |
| Threat Essentials - Mass Cloud resource deletions Time Series Anomaly | fa2658fe-3714-4c55-bb12-2b7275c628e8 | AzureActivity |
| Azure secure score admin MFA | 9a15c3dd-f72b-49a4-bcb7-94406395661e | SenservaPro |
| SenservaPro AD Applications Not Using Client Credentials | 56910d7b-aae7-452c-a3ed-89f72ef59234 | SenservaPro |
| Azure secure score role overlap | 8E6D9A66-F1B0-463D-BA90-11A5AEC0E15A | SenservaPro |
| Azure secure score one admin | F539B2A7-D9E7-4438-AA20-893BC61DF130 | SenservaPro |
| Azure Secure Score Self Service Password Reset | 114120B2-AAA0-4C4E-BDF1-2EE178465047 | SenservaPro |
| Azure secure score sign in risk policy | 5231D757-A5B5-4CA7-A91B-AA3702970E02 | SenservaPro |
| Azure secure score user risk policy | 1C07A4CB-E31B-4917-BD2A-3572E42F602C | SenservaPro |
| Snowflake - Abnormal query process time | 1376f5e5-855a-4f88-8591-19eba4575a0f | Snowflake |
| Snowflake - Possible data destraction | c2f93727-e4b0-4cb9-8f80-f52ebbd96ece | Snowflake |
| Excessive Amount of Denied Connections from a Single Source | 3d645a88-2724-41a7-adea-db74c439cf79 | SophosXGFirewall |
| TI map Domain entity to CommonSecurityLog | dd0a6029-ecef-4507-89c4-fc355ac52111 | ThreatIntelligence ThreatIntelligenceTaxii |
| TI map Domain entity to DnsEvents | 85aca4d1-5d15-4001-abd9-acb86ca1786a | DNS ThreatIntelligence ThreatIntelligenceTaxii |
| (Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema) | b1832f60-6c3d-4722-a0a5-3d564ee61a63 | SquidProxy Zscaler ThreatIntelligence |
| TI map Domain entity to PaloAlto | ec21493c-2684-4acd-9bc2-696dbad72426 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii |
| TI map Domain entity to SecurityAlert | 87890d78-3e05-43ec-9ab9-ba32f4e01250 | ThreatIntelligence ThreatIntelligenceTaxii MicrosoftCloudAppSecurity AzureSecurityCenter |
| TI map Domain entity to Syslog | 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa | Syslog ThreatIntelligence ThreatIntelligenceTaxii |
| TI map Email entity to AzureActivity | cca3b4d9-ac39-4109-8b93-65bb284003e6 | AzureActivity ThreatIntelligence ThreatIntelligenceTaxii |
| TI map Email entity to OfficeActivity | 4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2 | Office365 ThreatIntelligence ThreatIntelligenceTaxii |
| TI map Email entity to CommonSecurityLog | ffcd575b-3d54-482a-a6d8-d0de13b6ac63 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii |
| TI map Email entity to SecurityAlert | a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc | AzureSecurityCenter ThreatIntelligence ThreatIntelligenceTaxii |
| TI map Email entity to SecurityEvent | 2fc5d810-c9cc-491a-b564-841427ae0e50 | ThreatIntelligence ThreatIntelligenceTaxii SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| TI map Email entity to SigninLogs | 30fa312c-31eb-43d8-b0cc-bcbdfb360822 | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory |
| TI map File Hash to CommonSecurityLog Event | 5d33fc63-b83b-4913-b95e-94d13f0d379f | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii |
| TI map File Hash to Security Event | a7427ed7-04b4-4e3b-b323-08b981b9b4bf | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents ThreatIntelligence ThreatIntelligenceTaxii |
| TI map IP entity to AppServiceHTTPLogs | f9949656-473f-4503-bf43-a9d9890f7d08 | ThreatIntelligence ThreatIntelligenceTaxii |
| TI map IP entity to AWSCloudTrail | f110287e-1358-490d-8147-ed804b328514 | ThreatIntelligence ThreatIntelligenceTaxii AWS |
| TI map IP entity to AzureActivity | 2441bce9-02e4-407b-8cc7-7d597f38b8b0 | ThreatIntelligence ThreatIntelligenceTaxii AzureActivity |
| TI map IP entity to AzureFirewall | 0b904747-1336-4363-8d84-df2710bfe5e7 | ThreatIntelligence ThreatIntelligenceTaxii AzureFirewall |
| TI map IP entity to Azure Key Vault logs | 57c7e832-64eb-411f-8928-4133f01f4a25 | ThreatIntelligence ThreatIntelligenceTaxii AzureKeyVault |
| TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) | a4025a76-6490-4e6b-bb69-d02be4b03f07 | ThreatIntelligence ThreatIntelligenceTaxii |
| TI map IP entity to Azure SQL Security Audit Events | d0aa8969-1bbe-4da3-9e76-09e5f67c9d85 | ThreatIntelligence ThreatIntelligenceTaxii |
| TI map IP entity to CommonSecurityLog | 66c81ae2-1f89-4433-be00-2fbbd9ba5ebe | ThreatIntelligence ThreatIntelligenceTaxii |
| TI map IP entity to DnsEvents | 69b7723c-2889-469f-8b55-a2d355ed9c87 | ThreatIntelligence ThreatIntelligenceTaxii DNS |
| TI map IP entity to Duo Security | d23ed927-5be3-4902-a9c1-85f841eb4fa1 | ThreatIntelligence ThreatIntelligenceTaxii |
| (Preview) TI map IP entity to Web Session Events (ASIM Web Session schema) | e2559891-383c-4caf-ae67-55a008b9f89e | SquidProxy Zscaler ThreatIntelligence ThreatIntelligenceTaxii |
| TI map IP entity to OfficeActivity | f15370f4-c6fa-42c5-9be4-1d308f40284e | ThreatIntelligence ThreatIntelligenceTaxii Office365 |
| TI map IP entity to SigninLogs | f2eb15bd-8a88-4b24-9281-e133edfba315 | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory |
| TI map IP entity to VMConnection | 9713e3c0-1410-468d-b79e-383448434b2d | ThreatIntelligence ThreatIntelligenceTaxii AzureMonitor(VMInsights) |
| TI map IP entity to W3CIISLog | 5e45930c-09b1-4430-b2d1-cc75ada0dc0f | ThreatIntelligence ThreatIntelligenceTaxii AzureMonitor(IIS) |
| TI map URL entity to AuditLogs | 712fab52-2a7d-401e-a08c-ff939cc7c25e | AzureActiveDirectory ThreatIntelligence ThreatIntelligenceTaxii |
| TI map URL entity to OfficeActivity data | 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b | Office365 ThreatIntelligence |
| TI map URL entity to PaloAlto data | 106813db-679e-4382-a51b-1bfc463befc3 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii |
| TI map URL entity to SecurityAlert data | f30a47c1-65fb-42b1-a7f4-00941c12550b | MicrosoftCloudAppSecurity AzureSecurityCenter ThreatIntelligence ThreatIntelligenceTaxii |
| TI map URL entity to Syslog data | b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf | Syslog ThreatIntelligence ThreatIntelligenceTaxii |
| Tomcat - Multiple empty requests from same IP | 7c9a1026-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Multiple server errors from single IP address | de9df79c-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Server errors after multiple requests from same IP | 875da588-4875-11ec-81d3-0242ac130003 | ApacheTomcat |
| Trend Micro CAS - Ransomware infection | 0bec3f9a-dbe9-4b4c-9ff6-498d64bbef90 | TrendMicroCAS |
| Trend Micro CAS - Ransomware outbreak | 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd | TrendMicroCAS |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
| Vectra AI Detect - Suspicious Behaviors | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
| VMware ESXi - Low patch disk space | 48d992ba-d404-4159-a8c6-46f51d1325c7 | VMwareESXi |
| VMware ESXi - Low temp directory space | 2ee727f7-b7c2-4034-b6c9-d245d5a29343 | VMwareESXi |
| VMware ESXi - Multiple VMs stopped | 5fe1af14-cd40-48ff-b581-3a12a1f90785 | VMwareESXi |
| VMware ESXi - Unexpected disk image | 395c5560-ddc2-45b2-aafe-2e3f64528d3d | VMwareESXi |
| VMware ESXi - VM stopped | 43889f30-7bce-4d8a-93bb-29c9615ca8dd | VMwareESXi |
| Chia_Crypto_Mining IOC - June 2021 | 4d173248-439b-4741-8b37-f63ad0c896ae | WindowsForwardedEvents |
| Potential re-named sdelete usage | 720d12c6-a08c-44c4-b18f-2236412d59b0 | SecurityEvents WindowsSecurityEvents |
| Sdelete deployed via GPO and run recursively | d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5 | SecurityEvents WindowsSecurityEvents |
| DNS events related to mining pools | 0d76e9cf-788d-4a69-ac7d-f234826b5bed | DNS |
| NRT DNS events related to mining pools | d5b32cd4-2328-43da-ab47-cd289c1f5efc | DNS |
| AV detections related to Zinc actors | 3705158d-e008-49c9-92dd-e538e1549090 | MicrosoftThreatProtection |
| (Preview) TI map Domain entity to Dns Events (ASIM DNS Schema) | 999e9f5d-db4a-4b07-a206-29c4e667b7e8 | ThreatIntelligence ThreatIntelligenceTaxii DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| (Preview) TI map IP entity to DNS Events (ASIM DNS schema) | 67775878-7f8b-4380-ac54-115e1e828901 | ThreatIntelligence ThreatIntelligenceTaxii DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| DNS events related to mining pools (ASIM DNS Schema) | c094384d-7ea7-4091-83be-18706ecca981 | WindowsForwardedEvents DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| TI map IP entity to Network Session Events (ASIM Network Session schema) | e2399891-383c-4caf-ae67-68a008b9f89e | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Potential re-named sdelete usage (ASIM Version) | 5b6ae038-f66e-4f74-9315-df52fd492be4 | |
| Sdelete deployed via GPO and run recursively (ASIM Version) | 30c8b802-ace1-4408-bc29-4c5c5afb49e1 | |
| TI map IP entity to GitHub_CL | aac495a9-feb1-446d-b08e-a1164a539452 | ThreatIntelligence ThreatIntelligenceTaxii |
| Missing Domain Controller Heartbeat | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 | |
| Dev-0530 File Extension Rename | d82eb796-d1eb-43c8-a813-325ce3417cef | MicrosoftThreatProtection |
| AV detections related to Dev-0530 actors | 5f171045-88ab-4634-baae-a7b6509f483b | MicrosoftThreatProtection |
| AV detections related to Europium actors | 186970ee-5001-41c1-8c73-3178f75ce96a | MicrosoftThreatProtection |
| AV detections related to Hive Ransomware | 4e5914a4-2ccd-429d-a845-fa597f0bd8c5 | MicrosoftThreatProtection |
| Workspace deletion activity from an infected device | a5b3429d-f1da-42b9-883c-327ecb7b91ff | AzureActiveDirectoryIdentityProtection AzureActivity BehaviorAnalytics |