Initial Access
| Rule Name | id | Required data connectors |
|---|---|---|
| 1Password - Successful anomalous sign-in | ceb20a5c-adce-4eba-9728-541361d47d87 | 1Password |
| API - Rate limiting | c6258d51-7b82-4942-8293-94c1dcf91595 | 42CrunchAPIProtection |
| API - JWT validation | bbd163f4-1f56-434f-9c23-b06713c119c2 | 42CrunchAPIProtection |
| API - Suspicious Login | 7bdc10d6-aa24-4ca9-9a93-802cd8761354 | 42CrunchAPIProtection |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS AWSS3 |
| Policy version set to default | 874a1762-3fd7-4489-b411-6d4a9e9e8a59 | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS AWSS3 |
| Azure WAF matching for Log4j vuln(CVE-2021-44228) | 2de8abd6-a613-450e-95ed-08e503369fb3 | WAF |
| Vulnerable Machines related to log4j CVE-2021-44228 | 3d71fc38-f249-454e-8479-0a358382ef9a | |
| User agent search for log4j exploitation attempt | 29283b22-a1c0-4d16-b0a9-3460b655a46a | SquidProxy Zscaler WAF Office365 AzureActiveDirectory AWS AzureMonitor(IIS) |
| Apache - Command in URI | 54da6a42-3b00-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Apache 2.4.49 flaw CVE-2021-41773 | 767f9dc4-3b01-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Known malicious user agent | e9edfe1c-3afd-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Multiple client errors from single IP | 15f5a956-3af9-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Multiple server errors from single IP | 1bf246a2-3af9-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Private IP in URL | db5f16f0-3afe-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Put suspicious file | c5d69e46-3b00-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Request from private IP | a0077556-3aff-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Requests to rare files | 14d7e15e-3afb-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Apache - Request to sensitive files | d1c52578-3afc-11ec-8d3d-0242ac130003 | CustomLogsAma |
| ARGOS Cloud Security - Exploitable Cloud Resources | a9bf1b8c-c761-4840-b9a8-7535ca68ca28 | ARGOSCloudSecurity |
| Jira - New site admin user | 6bf42891-b54d-4b4e-8533-babc5b3ea4c5 | JiraAuditAPI |
| Access to AWS without MFA | 48a9478b-440a-4330-b42c-94bd84dc904c | Authomize |
| Admin password not updated in 30 days | 63d87fcb-d197-48d2-a642-de4813f0219a | Authomize |
| Admin SaaS account detected | 87419138-d75f-450d-aca4-1dc802e32540 | Authomize |
| AWS role with admin privileges | 734c00a0-a95b-44dd-9b69-d926ed44256d | Authomize |
| AWS role with shadow admin privileges | 2526079b-3355-4756-a2d1-21e9cd957261 | Authomize |
| IaaS admin detected | dc728ba1-5204-4fde-ab48-eda19c8fad3a | Authomize |
| IaaS shadow admin detected | 31f43e9d-1839-4baf-a668-54c28b98af3e | Authomize |
| New direct access policy was granted against organizational policy | d7ee7bb5-d712-4d44-b201-b13379924934 | Authomize |
| New service account gained access to IaaS resource | 6c17f270-cd56-48cc-9196-1728ffea6538 | Authomize |
| Password Exfiltration over SCIM application | 2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa | Authomize |
| Stale AWS policy attachment to identity | 766a3b1b-0d5b-4a8d-b0d6-7dd379e73567 | Authomize |
| Unused IaaS Policy | e0ae5f9e-865b-41f5-98bb-c04113888e85 | Authomize |
| User assigned to a default admin role | c04ed74c-3b23-48cd-9c11-fd10cffddc64 | Authomize |
| User without MFA | 71a7b0de-f13d-44b9-9caa-668f1bad0ce6 | Authomize |
| Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
| Credential errors stateful anomaly on database | daa32afa-b5b6-427d-93e9-e32f3f359dd7 | AzureSql |
| Firewall errors stateful anomaly on database | 20f87813-3de0-4a9f-a8c0-6aaa3187be08 | AzureSql |
| Syntax errors stateful anomaly on database | c815008d-f4d1-4645-b13b-8b4bc188d5de | AzureSql |
| Drop attempts stateful anomaly on database | 237c3855-138c-4588-a68f-b870abd3bfc9 | AzureSql |
| Execution attempts stateful anomaly on database | 3367fd5e-44b3-4746-a9a5-dc15c8202490 | AzureSql |
| Firewall rule manipulation attempts stateful anomaly on database | 05030ca6-ef66-42ca-b672-2e84d4aaf5d7 | AzureSql |
| OLE object manipulation attempts stateful anomaly on database | dabd7284-004b-4237-b5ee-a22acab19eb2 | AzureSql |
| Outgoing connection attempts stateful anomaly on database | c105513d-e398-4a02-bd91-54b9b2d6fa7d | AzureSql |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
| Front Door Premium WAF - XSS Detection | b7643904-5081-4920-917e-a559ddc3448f | WAF |
| AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
| App Gateway WAF - SQLi Detection | bdb2cd63-99f2-472e-b1b9-acba473b6744 | WAF |
| App Gateway WAF - XSS Detection | 1c7ff502-2ad4-4970-9d29-9210c6753138 | WAF |
| A potentially malicious web request was executed against a web server | 46ac55ae-47b8-414a-8f94-89ccd1962178 | WAF |
| External Upstream Source Added to Azure DevOps Feed | adc32a33-1cd6-46f5-8801-e3ed8337885f | |
| New PA, PCA, or PCAS added to Azure DevOps | 35ce9aff-1708-45b8-a295-5e9a307f5f17 | |
| Bitglass - Impossible travel distance | cdb6e4a4-b9bd-4c30-94b9-ecce5a72d528 | Bitglass |
| Bitglass - Login from new device | bfca0251-1581-4185-906b-4805099e3216 | Bitglass |
| Bitglass - New risky user | a123668c-d907-41b9-bf3f-8cb4cd7b163a | Bitglass |
| Bitglass - User login from new geo location | 34401e66-9fe9-476b-a443-3a3f89e4f3b0 | Bitglass |
| Bitglass - User Agent string has changed for user | 4dd61530-859f-49e7-bd27-a173cb1a4589 | Bitglass |
| BitSight - new alert found | a1275c5e-0ff4-4d15-a7b7-96018cd979f5 | BitSight |
| BitSight - new breach found | a5526ba9-5997-47c6-bf2e-60a08b681e9b | BitSight |
| Box - Executable file in folder | b91ec98d-5747-45c8-b2f6-a07bf47068f0 | BoxDataConnector |
| Box - Forbidden file type downloaded | 8889e69c-2161-412a-94a6-76c1b2d9daa7 | BoxDataConnector |
| Box - Inactive user login | edbf38d7-e170-4af2-ad50-1a05b374611b | BoxDataConnector |
| Box - New external user | fd36ac88-cd92-4137-aa23-37a3648621fa | BoxDataConnector |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | SyslogAma |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | SyslogAma |
| Cisco SDWAN - Intrusion Events | 232a1c75-63fc-4c81-8b18-b4a739fccba8 | CiscoSDWAN |
| Cisco SDWAN - IPS Event Threshold | dc3627c3-f9de-4f17-bfd3-ba99b64a0a67 | CiscoSDWAN |
| Cisco SE High Events Last Hour | 4683ebce-07ad-4089-89e3-39d8fe83c011 | CiscoSecureEndpoint |
| Cisco SE - Malware outbreak | 225053c7-085b-4fca-a18f-c367f9228bf3 | CiscoSecureEndpoint |
| Cisco SE - Multiple malware on host | b13489d7-feb1-4ad3-9a4c-09f6d64448fd | CiscoSecureEndpoint |
| Cisco SE - Unexpected binary file | eabb9c20-7b0b-4a77-81e8-b06944f351c6 | CiscoSecureEndpoint |
| Cisco Duo - Multiple admin 2FA failures | e46c5588-e643-4a60-a008-5ba9a4c84328 | CiscoDuoSecurity |
| Cisco Duo - Multiple user login failures | 034f62b6-df51-49f3-831f-1e4cfd3c40d2 | CiscoDuoSecurity |
| Cisco Duo - New access device | f05271b6-26a5-49cf-ad73-4a202fba6eb6 | CiscoDuoSecurity |
| Cisco Duo - Authentication device new location | 01df3abe-3dc7-40e2-8aa7-f00b402df6f0 | CiscoDuoSecurity |
| Cisco Duo - Unexpected authentication factor | 16c91a2c-17ad-4985-a9ad-4a4f1cb11830 | CiscoDuoSecurity |
| Cisco SEG - Malicious attachment not blocked | 236e872c-31d1-4b45-ac2a-fda3af465c97 | CefAma |
| Cisco SEG - Multiple suspiciuos attachments received | dfdb9a73-4335-4bb4-b29b-eb713bce61a6 | CefAma |
| Cisco SEG - Possible outbreak | 53242559-95ea-4d4c-b003-107e8f06304b | CefAma |
| Cisco SEG - Potential phishing link | 2e5158e1-9fc2-40ff-a909-c701a13a0405 | CefAma |
| Cisco SEG - Suspicious link | 506291dd-8050-4c98-a92f-58e376080a0a | CefAma |
| Cisco SEG - Suspicious sender domain | ef0a253c-95b5-48e1-8ebc-dbeb073b9338 | CefAma |
| Cisco SEG - Unexpected link | 9cb4a02d-3708-42ba-b33b-0fdd360ce4b6 | CefAma |
| Cisco SEG - Unexpected attachment | f8ba18c4-81e3-4db0-8f85-4989f2ed2ade | CefAma |
| Cisco SEG - Unscannable attacment | c66b8ced-8c76-415b-a0f3-08c7030a857d | CefAma |
| Cisco Umbrella - Request to blocklisted file type | de58ee9e-b229-4252-8537-41a4c2f4045e | CiscoUmbrellaDataConnector |
| Cisco WSA - Access to unwanted site | 38029e86-030c-46c4-8a91-a2be7c74d74c | SyslogAma |
| Cisco WSA - Multiple errors to resource from risky category | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 | SyslogAma |
| Cisco WSA - Multiple infected files | 93186e3d-5dc2-4a00-a993-fa1448db8734 | SyslogAma |
| Cisco WSA - Multiple attempts to download unwanted file | 46b6c6fc-2c1a-4270-be10-9d444d83f027 | SyslogAma |
| Cisco WSA - Internet access from public IP | 4250b050-e1c6-4926-af04-9484bbd7e94f | SyslogAma |
| Cisco WSA - Unexpected file type | 8e9d1f70-d529-4598-9d3e-5dd5164d1d02 | SyslogAma |
| Cisco WSA - Unscannable file or scan error | 9b61a945-ebcb-4245-b6e4-51f3addb5248 | SyslogAma |
| Claroty - Login to uncommon location | e7dbcbc3-b18f-4635-b27c-718195c369f1 | CefAma |
| Claroty - Multiple failed logins by user | 4b5bb3fc-c690-4f54-9a74-016213d699b4 | CefAma |
| Claroty - Multiple failed logins to same destinations | 1c2310ef-19bf-4caf-b2b0-a4c983932fa5 | CefAma |
| Claroty - New Asset | 6c29b611-ce69-4016-bf99-eca639fee1f5 | CefAma |
| Cloudflare - Bad client IP | a7ce6135-9d55-4f14-b058-adc2e920a4fa | CloudflareDataConnector |
| Cloudflare - Empty user agent | 729c6d21-fad9-4a6a-9c7f-482393c95957 | CloudflareDataConnector |
| Cloudflare - Multiple error requests from single source | ef877d68-755f-4cf1-ac1d-f336e395667c | CloudflareDataConnector |
| Cloudflare - Multiple user agents for single source | fc50076a-0275-43d5-b9dd-38346c061f67 | CloudflareDataConnector |
| Cloudflare - Client request from country in blocklist | 40554544-6e4a-4413-8d14-bf2de939c5d9 | CloudflareDataConnector |
| Cloudflare - Unexpected client request | f32142b1-4bcb-45c0-92e4-2ddc18768522 | CloudflareDataConnector |
| Cloudflare - Unexpected URI | dcb797cd-a4cd-4306-897b-7991f71d7e27 | CloudflareDataConnector |
| Cloudflare - WAF Allowed threat | f53fe2a9-96b5-454c-827e-cf1764a67fb0 | CloudflareDataConnector |
| Cloudflare - XSS probing pattern in request | 4d9d00b9-31a6-49e4-88c1-9e68277053ac | CloudflareDataConnector |
| Contrast Blocks | 4396f8c3-d114-4154-9f4c-048ba522ed04 | ContrastProtect ContrastProtectAma CefAma |
| Contrast Exploits | e1abb6ed-be18-40fd-be58-3d3d84041daf | ContrastProtect ContrastProtectAma CefAma |
| Contrast Probes | 297596de-d9ae-4fb8-b6ff-00fc01c9462d | ContrastProtect ContrastProtectAma CefAma |
| Contrast Suspicious | f713404e-805c-4e0c-91fa-2c149f76a07d | ContrastProtect ContrastProtectAma CefAma |
| Corelight - Network Service Scanning Multiple IP Addresses | 599570d4-06f8-4939-8e29-95cd003f1abd | Corelight |
| Corelight - SMTP Email containing NON Ascii Characters within the Subject | 50c61708-9824-46f3-87cf-22490796fae2 | Corelight |
| Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request | 6b579e98-abc9-4e7a-9efc-2f3408ba16c9 | Corelight |
| Auto Generated Page | abe1a662-d00d-482e-aa68-9394622ae03e | CBSPollingIDAzureFunctions |
| Brand Abuse | 6e9e1975-6d85-4387-bd30-3881c66e302e | CBSPollingIDAzureFunctions |
| Brand Impersonation - HIGH | bf93bd26-cad8-40a3-bde0-71acb874d595 | CBSPollingIDAzureFunctions |
| Brand Impersonation - INFO | 40045fff-d01f-4165-af5f-aca94fd402af | CBSPollingIDAzureFunctions |
| Code Repository | da2059f5-8463-49d5-a6dc-22597fd9ce66 | CBSPollingIDAzureFunctions |
| Cookies: SameSite Flag Not Used | f4a06203-66f0-4f84-8bc8-05a44161b426 | HVPollingIDAzureFunctions |
| Domain Infringement | 0faddbac-0004-40fa-9046-a1ead13e005a | CBSPollingIDAzureFunctions |
| Executive Impersonation | 24e1b876-f0ee-44cd-86a2-ec81d08f4ba7 | CBSPollingIDAzureFunctions |
| Exposed Admin Login Page | 2f58535e-e92a-450f-8052-a905b8c340b1 | HVPollingIDAzureFunctions |
| Header: Content Security Policy Missing | 0765fa90-1198-4241-960b-975387ac73fa | HVPollingIDAzureFunctions |
| Header: X-Frame-Options Missing - Informational | b3235222-fdb9-4083-b4ce-05aef9f48630 | HVPollingIDAzureFunctions |
| Header: X-Frame-Options Missing - Low | ffa44079-5658-45f0-8d26-f73684455615 | HVPollingIDAzureFunctions |
| Header: X-Frame-Options Missing - Medium | 99212068-e9b9-445f-838b-aec05585e43e | HVPollingIDAzureFunctions |
| Header: X-XSS-Protection Missing | 62956863-f450-48d6-bf8f-41956d2e8b29 | HVPollingIDAzureFunctions |
| Phishing | c3771865-b647-46a7-9be5-a96c418cebc0 | CBSPollingIDAzureFunctions |
| SPF Not Configured | f78c03ec-4397-42f6-9c51-a54421817fd8 | HVPollingIDAzureFunctions |
| SPF Policy Set to Soft Fail | 32f4eb88-0d23-4185-8579-f1645412e9de | HVPollingIDAzureFunctions |
| Subdomain Infringement | 20ffc702-b7b2-4041-8f08-10ede8906cbf | CBSPollingIDAzureFunctions |
| Subresource Integrity (SRI) Not Implemented | 6e9c75ed-7009-4918-a2f0-40b446614ea0 | HVPollingIDAzureFunctions |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| EatonForeseer - Unauthorized Logins | 5a7fccb8-3ed0-44f2-8477-540af3ef4d92 | WindowsSecurityEvents |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
| Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
| Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT SyslogAma |
| Office ASR rule triggered from browser spawned office process. | 30580043-2451-4d35-b49f-065728529f4a | MicrosoftThreatProtection |
| Suspicious parentprocess relationship - Office child processes. | 5ee34fa1-64ed-48c7-afa2-794b244f6c60 | MicrosoftThreatProtection |
| Fortiweb - WAF Allowed threat | 86e9409f-b9ea-4e9a-8b72-5132ba43bcae | FortinetFortiWebAma |
| (Preview) GitHub - A payment method was removed | 6bb50582-caac-4a9b-9afb-3fee766ebbf7 | |
| GitHub Activites from a New Country | f041e01d-840d-43da-95c8-4188f6cef546 | |
| (Preview) GitHub - Oauth application - a client secret was removed | 0b85a077-8ba5-4cb5-90f7-1e882afe10c5 | |
| (Preview) GitHub - pull request was created | 0b85a077-8ba5-4cb5-90f7-1e882afe10c7 | |
| (Preview) GitHub - pull request was merged | 0b85a077-8ba5-4cb5-90f7-1e882afe10c6 | |
| (Preview) GitHub - Repository was created | 0b85a077-8ba5-4cb5-90f7-1e882afe10c2 | |
| (Preview) GitHub - Repository was destroyed | 0b85a077-8ba5-4cb5-90f7-1e882afe10c3 | |
| (Preview) GitHub - User visibility Was changed | 0b85a077-8ba5-4cb5-90f7-1e882afe20c9 | |
| (Preview) GitHub - User was added to the organization | 0b85a077-8ba5-4cb5-90f7-1e882afe10c4 | |
| (Preview) GitHub - User was blocked | 0b85a077-8ba5-4cb5-90f7-1e882afe10c8 | |
| (Preview) GitHub - User was invited to the repository | 0b85a077-8ba5-4cb5-90f7-1e882afe40c9 | |
| GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | |
| GitLab - TI - Connection from Malicious IP | 7241740a-5280-4b74-820a-862312d721a8 | ThreatIntelligence ThreatIntelligenceTaxii SyslogAma |
| GSA - Detect Connections Outside Operational Hours | 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa | AzureActiveDirectory |
| GSA Enriched Office 365 - Accessed files shared by temporary external user | 4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac | AzureActiveDirectory Office365 |
| GSA - Detect Abnormal Deny Rate for Source to Destination IP | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b | AzureActiveDirectory |
| Google DNS - Exchange online autodiscover abuse | 424c2aca-5367-4247-917a-5d0f7035e40e | GCPDNSDataConnector |
| Google DNS - Malicous Python packages | 75491db8-eaf7-40bb-a46a-279872cc82f5 | GCPDNSDataConnector |
| GWorkspace - Alert events | e369d246-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - Possible maldoc file name in Google drive | d80d02a8-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Imperva - Abnormal protocol usage | 363307f6-09ba-4926-ad52-03aadfd24b5e | ImpervaWAFCloudAPI |
| Imperva - Request from unexpected IP address to admin panel | 427c025d-c068-4844-8205-66879e89bcfa | ImpervaWAFCloudAPI |
| Imperva - Critical severity event not blocked | 4d365217-f96a-437c-9c57-53594fa261c3 | ImpervaWAFCloudAPI |
| Imperva - Possible command injection | 6214f187-5840-4cf7-a174-0cf9a72bfd29 | ImpervaWAFCloudAPI |
| Imperva - Request from unexpected countries | 58300723-22e0-4096-b33a-aa9b992c3564 | ImpervaWAFCloudAPI |
| Imperva - Forbidden HTTP request method in request | 7ebc9e24-319c-4786-9151-c898240463bc | ImpervaWAFCloudAPI |
| Imperva - Malicious Client | 2ff35ed4-b26a-4cad-93a6-f67adb00e919 | ImpervaWAFCloudAPI |
| Imperva - Malicious user agent | 905794a9-bc46-42b9-974d-5a2dd58110c5 | ImpervaWAFCloudAPI |
| Imperva - Multiple user agents from same source | 4e8032eb-f04d-4a30-85d3-b74bf2c8f204 | ImpervaWAFCloudAPI |
| Imperva - Request to unexpected destination port | 0ba78922-033c-468c-82de-2974d7b1797d | ImpervaWAFCloudAPI |
| Potential DHCP Starvation Attack | 57e56fc9-417a-4f41-a579-5475aea7b8ce | SyslogAma |
| High Urgency IONIX Action Items | 8e0403b1-07f8-4865-b2e9-74d1e83200a4 | CyberpionSecurityLogs |
| Unauthorized remote access to the network (Microsoft Defender for IoT) | 1ff4fa3d-150b-4c87-b733-26c289af0d49 | IoT |
| Jamf Protect - Network Threats | 44da53c3-f3b0-4b70-afff-f79275cb9442 | JamfProtect |
| Failed sign-ins into LastPass due to MFA | 760b8467-e6cc-4006-9149-5696845c1a54 | LastPass AzureActiveDirectory |
| [Deprecated] - DEV-0322 Serv-U related IOCs - July 2021 | 4759ddb4-2daf-43cb-b34e-d85b85b4e4a5 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall |
| [Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match | d804b39c-03a4-417c-a949-bdbf21fa3305 | AWSS3 WindowsForwardedEvents AzureMonitor(IIS) AzureMonitor(WireData) CheckPoint CiscoASA CEF F5 Fortinet PaloAltoNetworks SecurityEvents WindowsFirewall DNS Zscaler InfobloxNIOS MicrosoftSysmonForLinux GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| [Deprecated] - Known Mint Sandstorm group domains/IP - October 2020 | 7249500f-3038-4b83-8549-9cd8dfa2d498 | DNS AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks Zscaler Fortinet OfficeATP AzureFirewall |
| [Deprecated] - Known Manganese IP and UserAgent activity | a04cf847-a832-4c60-b687-b0b6147da219 | Office365 |
| [Deprecated] - Silk Typhoon UM Service writing suspicious file | 7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e | SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | SyslogAma |
| McAfee ePO - Spam Email detected | ffc9052b-3658-4ad4-9003-0151515fde15 | SyslogAma |
| McAfee ePO - Threat was not blocked | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 | SyslogAma |
| Accessed files shared by temporary external user | bff058b2-500e-4ae5-bb49-a5b1423cbd5b | Office365 |
| Dataverse - Login by a sensitive privileged user | f327816b-9328-4b17-9290-a02adc2f4928 | Dataverse |
| Dataverse - Login from IP in the block list | 666fef96-1bb8-4abf-ad72-e5cb49561381 | Dataverse |
| Dataverse - Login from IP not in the allow list | 81c693fe-f6c4-4352-bc10-3526f6e22637 | Dataverse |
| Dataverse - New sign-in from an unauthorized domain | 4c1c9aee-8e44-4bb9-bd53-f3e7d6761282 | Dataverse |
| Dataverse - New user agent type that was not used before | 34a5d79b-8f9a-420c-aa64-7f4d262ac29a | Dataverse |
| Dataverse - New user agent type that was not used with Office 365 | 094b3c0a-1f63-42f7-9535-c8c7b7198328 | Dataverse |
| Dataverse - Suspicious use of TDS endpoint | d875af10-6bb9-4d6a-a6e4-78439a98bf4b | Dataverse AzureActiveDirectoryIdentityProtection |
| Dataverse - TI map IP to DataverseActivity | 56d5aa0c-d871-4167-ba13-61c2f0fd17bf | Dataverse ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| Dataverse - TI map URL to DataverseActivity | d88a0e22-3b6a-40c2-af28-c064b44d03b7 | Dataverse ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| F&O - Unusual sign-in activity using single factor authentication | 919e939f-95e2-4978-846e-13a721c89ea1 | AzureActiveDirectory |
| Power Apps - App activity from unauthorized geo | 7ec1e61d-f3b7-4f40-bb1a-357a63913c23 | PowerPlatformAdmin AzureActiveDirectory |
| Power Apps - Bulk sharing of Power Apps to newly created guest users | 943acfa0-9285-4eb0-a9c0-42e36177ef19 | PowerPlatformAdmin AzureActiveDirectory |
| Power Apps - Multiple users access a malicious link after launching new app | 4bd7e93a-0646-4e02-8dcb-aa16d16618f4 | PowerPlatformAdmin MicrosoftThreatProtection ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence AzureActiveDirectoryIdentityProtection |
| Power Platform - Possibly compromised user accesses Power Platform services | 54d48840-1c64-4399-afee-ad39a069118d | AzureActiveDirectory |
| AV detections related to SpringShell Vulnerability | 3bd33158-3f0b-47e3-a50f-7c20a1b88038 | MicrosoftThreatProtection |
| Possible Phishing with CSL and Network Sessions | 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12 | MicrosoftThreatProtection Zscaler Fortinet CheckPoint PaloAltoNetworks AWSS3 WindowsForwardedEvents SecurityEvents WindowsSecurityEvents MicrosoftSysmonForLinux AzureNSG AzureMonitor(VMInsights) AIVectraStream |
| SUNBURST and SUPERNOVA backdoor hashes | a3c144f9-8051-47d4-ac29-ffb0c312c910 | MicrosoftThreatProtection |
| SUNBURST network beacons | ce1e7025-866c-41f3-9b08-ec170e05e73e | MicrosoftThreatProtection |
| Account Created and Deleted in Short Timeframe | bb616d82-108f-47d3-9dec-9652ea0d3bf6 | AzureActiveDirectory |
| Account created or deleted by non-approved user | 6d63efa6-7c25-4bd4-a486-aa6bf50fde8a | AzureActiveDirectory |
| Anomalous sign-in location by user account and authenticating application | 7cb8f77d-c52f-4e46-b82f-3cf2e106224a | AzureActiveDirectory |
| Microsoft Entra ID PowerShell accessing non-Entra ID resources | 50574fac-f8d1-4395-81c7-78a463ff0c52 | AzureActiveDirectory |
| Azure Portal sign in from another Azure Tenant | 87210ca1-49a4-4a7d-bb4a-4988752f978c | AzureActiveDirectory |
| Attempt to bypass conditional access rule in Microsoft Entra ID | 3af9285d-bb98-4a35-ad29-5ea39ba0c628 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Added | 757e6a79-6d23-4ae6-9845-4dac170656b5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Deleted | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | c895c5b9-0fc6-40ce-9830-e8818862f2d5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Direct Settings Changed | 276d5190-38de-4eb2-9933-b3b72f4a5737 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | 229f71ba-d83b-42a5-b83b-11a641049ed1 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Direct Settings Changed | 0101e08d-99cd-4a97-a9e0-27649c4369ad | AzureActiveDirectory |
| Attempts to sign in to disabled accounts | 75ea5c39-93e5-489b-b1e1-68fa6c9d2d04 | AzureActiveDirectory |
| Guest accounts added in Entra ID Groups other than the ones specified | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 | AzureActiveDirectory |
| MFA Rejected by User | d99cf5c3-d660-436c-895b-8a8f8448da23 | AzureActiveDirectory BehaviorAnalytics |
| Privileged Accounts - Sign in Failure Spikes | 34c5aff9-a8c2-4601-9654-c7e46342d03b | AzureActiveDirectory BehaviorAnalytics |
| Sign-ins from IPs that attempt sign-ins to disabled accounts | 500c103a-0319-4d56-8e99-3cec8d860757 | AzureActiveDirectory BehaviorAnalytics |
| Successful logon from IP and failure from a different IP | 02ef8d7e-fc3a-4d86-a457-650fa571d8d2 | AzureActiveDirectory BehaviorAnalytics |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
| Suspicious Sign In Followed by MFA Modification | aec77100-25c5-4254-a20a-8027ed92c46c | AzureActiveDirectory BehaviorAnalytics |
| External guest invitation followed by Microsoft Entra ID PowerShell signin | acc4c247-aaf7-494b-b5da-17f18863878a | AzureActiveDirectory |
| User Accounts - Sign in Failure due to CA Spikes | 3a9d5ede-2b9d-43a2-acc4-d272321ff77c | AzureActiveDirectory BehaviorAnalytics |
| Correlate Unfamiliar sign-in properties & atypical travel alerts | a3df4a32-4805-4c6d-8699-f3c888af2f67 | AzureActiveDirectoryIdentityProtection BehaviorAnalytics |
| Mimecast Audit - Logon Authentication Failed | f00197ab-491f-41e7-9e22-a7003a4c1e54 | MimecastAuditAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2 | MimecastSEGAPI |
| Mimecast Secure Email Gateway - URL Protect | 80f244cd-b0d6-404e-9aed-37f7a66eda9f | MimecastSEGAPI |
| Mimecast Targeted Threat Protection - Attachment Protect | 617a55be-a8d8-49c1-8687-d19a0231056f | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - URL Protect | 952faed4-c6a6-4873-aeb9-b348e9ce5aba | MimecastTTPAPI |
| Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - URL Protect | ea19dae6-bbb3-4444-a1b8-8e9ae6064aab | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Attachment Protect | aa75944c-a663-4901-969e-7b55bfa49a73 | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - URL Protect | 9d5545bd-1450-4086-935c-62f15fc4a4c9 | MimecastTTPAPI |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1 | AzureActiveDirectory AWSS3 |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | 188db479-d50a-4a9c-a041-644bae347d1f | AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection |
| Suspicious AWS console logins by credential access alerts | b51fe620-62ad-4ed2-9d40-5c97c0a8231f | OfficeATP AWS MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection BehaviorAnalytics MicrosoftThreatProtection |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by static threshold (ASIM Network Session schema) | 156997bd-da0f-4729-b47a-0a3e02dd50c8 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| New UserAgent observed in last 24 hours | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 | AWS Office365 AzureMonitor(IIS) |
| NGINX - Command in URI | d84739ce-2f46-4391-b25e-a2edbea19d7e | CustomLogsAma |
| NGINX - Multiple user agents for single source | 83a0b48f-1cb7-4b4f-a018-23c3203a239b | CustomLogsAma |
| NGINX - Known malicious user agent | a10c6551-bbf2-492c-aa8a-fe6efd8c9cc1 | CustomLogsAma |
| NGINX - Multiple client errors from single IP address | 42771afe-edb3-4330-bc4a-abf6a5714454 | CustomLogsAma |
| NGINX - Multiple server errors from single IP address | b3ae0033-552e-4c3c-b493-3edffb4473bb | CustomLogsAma |
| NGINX - Private IP address in URL | 1aa6bfed-f11b-402f-9007-0dccc1152ede | CustomLogsAma |
| NGINX - Put file and get file from same IP address | e04fa38e-9fb7-438d-887a-381d5dd235e6 | CustomLogsAma |
| NGINX - Request to sensitive files | 2141ef6c-d158-4d44-b739-b145a4c21947 | CustomLogsAma |
| NGINX - Sql injection patterns | 3bac451d-f919-4c92-9be7-694990e0ca4b | CustomLogsAma |
| User Login from Different Countries within 3 hours | 2954d424-f786-4677-9ffc-c24c44c6e7d5 | OktaSSO OktaSSOv2 |
| New Device/Location sign-in along with critical operation | 41e843a8-92e7-444d-8d72-638f1145d1e1 | OktaSSO OktaSSOv2 |
| Okta Fast Pass phishing Detection | 78d2b06c-8dc0-40e1-91c8-66d916c186f3 | OktaSSO OktaSSOv2 |
| OCI - Inbound SSH connection | eb6e07a1-2895-4c55-9c27-ac84294f0e46 | OracleCloudInfrastructureLogsConnector |
| OCI - Unexpected user agent | a0b9a7ca-3e6d-4996-ae35-759df1d67a54 | OracleCloudInfrastructureLogsConnector |
| OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | SyslogAma |
| OracleDBAudit - Connection to database from unknown IP | 80b1dd6d-1aea-471e-be7a-a4a0afdeec80 | SyslogAma |
| OracleDBAudit - User connected to database from new IP | 39a0995e-f4a9-4869-a0ae-36d6d9049bfd | SyslogAma |
| OracleDBAudit - New user account | cca7b348-e904-4a7a-8f26-d22d4d477119 | SyslogAma |
| OracleDBAudit - User activity after long inactivity time | 5e93a535-036b-4570-9e58-d8992f30e1ae | SyslogAma |
| OracleDBAudit - SQL injection patterns | ab352f0d-7c55-4ab2-a22e-b1c2d995e193 | SyslogAma |
| Oracle - Command in URI | 6ae36a5e-573f-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Multiple user agents for single source | 44c7d12a-573f-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Oracle WebLogic Exploit CVE-2021-2109 | 67950168-5740-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Malicious user agent | 51d050ee-5740-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Multiple client errors from single IP | 41775080-5740-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Multiple server errors from single IP | 268f4fde-5740-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Private IP in URL | 153ce6d8-5740-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Put file and get file from same IP address | 033e98d2-5740-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Put suspicious file | edc2f2b4-573f-11ec-bf63-0242ac130002 | CustomLogsAma |
| Oracle - Request to sensitive files | 9cc9ed36-573f-11ec-bf63-0242ac130002 | CustomLogsAma |
| PaloAlto - MAC address conflict | 976d2eee-51cb-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - Dropping or denying session with traffic | ba663b74-51f4-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - File type changed | 9150ad68-51c8-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - Inbound connection to high risk ports | b2dd2dac-51c9-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - Possible attack without response | b6d54840-51d3-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - Possible flooding | feb185cc-51f4-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - User privileges was changed | 38f9e010-51ca-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - Put and post method request in high risk file type | f12e9d10-51ca-11ec-bf63-0242ac130002 | CefAma |
| PaloAlto - Forbidden countries | 9fcc7734-4d1b-11ec-81d3-0242ac130003 | CefAma |
| Palo Alto Prisma Cloud - Access keys are not rotated for 90 days | 777d4993-31bb-4d45-b949-84f58e09fa2f | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow all outbound traffic | 4264e133-eec2-438f-af85-05e869308f94 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports | df89f4bf-720e-41c5-a209-15e41e400d35 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic | 6098b34a-1e6b-440a-9e3b-fb4d5944ade1 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Anomalous access key usage | bd602b90-f7f9-4ae9-bf8c-3672a24deb39 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High risk score alert | 617b02d8-0f47-4f3c-afed-1926a45e7b28 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High severity alert opened for several days | c5bf680f-fa37-47c3-9f38-e839a9b99c05 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions | ac76d9c0-17a3-4aaa-a341-48f4c0b1c882 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Inactive user | 7f78fa52-9833-41de-b5c5-76e61b8af9c1 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Maximum risk score alert | 119a574d-f37a-403a-a67a-4d6f5083d9cf | PaloAltoPrismaCloud |
| Ping Federate - Authentication from new IP. | 30583ed4-d13c-43b8-baf2-d75fbe727210 | CefAma |
| Ping Federate - Forbidden country | 14042f74-e50b-4c21-8a01-0faf4915ada4 | CefAma |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | CefAma |
| Ping Federate - New user SSO success login | 05282c91-7aaf-4d76-9a19-6dc582e6a411 | CefAma |
| Ping Federate - OAuth old version | 85f70197-4865-4635-a4b2-a9c57e8fea1b | CefAma |
| Ping Federate - Password reset request from unexpected source IP address.. | 2d201d21-77b4-4d97-95f3-26b5c6bde09f | CefAma |
| Ping Federate - SAML old version | fddd3840-acd2-41ed-94d9-1474b0a7c8a6 | CefAma |
| Ping Federate - Unexpected authentication URL. | 9578ef7f-cbb4-4e9a-bd26-37c15c53b413 | CefAma |
| Ping Federate - Unexpected country for user | 64e65105-c4fc-4c28-a4e9-bb1a3ce7652d | CefAma |
| Ping Federate - Unusual mail domain. | dc79de7d-2590-4852-95fb-f8e02b34f4da | CefAma |
| ProofpointPOD - Binary file in attachment | eb68b129-5f17-4f56-bf6d-dde48d5e615a | ProofpointPOD |
| ProofpointPOD - Possible data exfiltration to private email | aedc5b33-2d7c-42cb-a692-f25ef637cbb1 | ProofpointPOD |
| ProofpointPOD - Email sender in TI list | 35a0792a-1269-431e-ac93-7ae2980d4dde | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
| ProofpointPOD - Email sender IP in TI list | 78979d32-e63f-4740-b206-cfb300c735e0 | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
| ProofpointPOD - High risk message not discarded | c7cd6073-6d2c-4284-a5c8-da27605bdfde | ProofpointPOD |
| ProofpointPOD - Suspicious attachment | f6a51e2c-2d6a-4f92-a090-cfb002ca611f | ProofpointPOD |
| Malware attachment delivered | 0558155e-4556-447e-9a22-828f2a7de06b | ProofpointTAP |
| Malware Link Clicked | 8675dd7a-795e-4d56-a79c-fc848c5ee61c | ProofpointTAP |
| High Number of Urgent Vulnerabilities Detected | 3edb7215-250b-40c0-8b46-79093949242d | QualysVulnerabilityManagement |
| New High Severity Vulnerability Detected Across Multiple Hosts | 6116dc19-475a-4148-84b2-efe89c073e27 | QualysVulnerabilityManagement |
| Radiflow - Exploit Detected | 6c028ebd-03ca-41cb-bce7-5727ddb43731 | RadiflowIsid |
| Radiflow - New Activity Detected | 8177ecff-30a1-4d4f-9a82-7fbb69019504 | RadiflowIsid |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| Radiflow - Unauthorized Internet Access | cc33e1a9-e167-460b-93e6-f14af652dbd3 | RadiflowIsid |
| RecordedFuture Threat Hunting Domain All Actors | acbf7ef6-f964-44c3-9031-7834ec68175f | ThreatIntelligenceUploadIndicatorsAPI |
| RecordedFuture Threat Hunting Hash All Actors | 6db6a8e6-2959-440b-ba57-a505875fcb37 | ThreatIntelligenceUploadIndicatorsAPI |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Critical Risks | 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60 | RidgeBotDataConnector CefAma |
| Vulerabilities | d096643d-6789-4c74-8893-dd3fc8a94069 | RidgeBotDataConnector CefAma |
| SailPointIdentityNowAlertForTriggers | 08330c3d-487e-4f5e-a539-1e7d06dea786 | SailPointIdentityNow |
| SailPointIdentityNowEventType | 48bb92e2-bad4-4fd4-9684-26cb188299b7 | SailPointIdentityNow |
| SailPointIdentityNowEventTypeTechnicalName | 2151e8ea-4838-4c74-be12-4d6a950dde7a | SailPointIdentityNow |
| SailPointIdentityNowFailedEvents | c3835197-fd07-447e-a0ac-7540d51a1f64 | SailPointIdentityNow |
| SailPointIdentityNowFailedEventsBasedOnTime | 175b79ef-0fc3-4b27-b92a-89b2db6c85c2 | SailPointIdentityNow |
| SailPointIdentityNowUserWithFailedEvent | 2a215222-bfc5-4858-a530-6d4088ebfa15 | SailPointIdentityNow |
| User Sign in from different countries | 3094e036-e5ae-4d6e-8626-b0f86ebc71f2 | SalesforceServiceCloud |
| Knox Keyguard Disabled Feature Set | fb4853c9-28c1-4dab-830c-e086cb975170 | SamsungDCDefinition |
| Knox Suspicious URL Accessed Events | 18d4d4f3-6605-4fd2-968c-82c171409c1c | SamsungDCDefinition |
| SecurityBridge: A critical event occured | 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7 | CustomLogsAma |
| Possible AiTM Phishing Attempt Against Microsoft Entra ID | 16daa67c-b137-48dc-8eb7-76598a44791a | AzureActiveDirectory Zscaler |
| Semperis DSP Failed Logons | 0e105444-fe13-4ce6-9239-21880076a3f9 | SemperisDSP |
| Semperis DSP Operations Critical Notifications | 8f471e21-3bb2-466f-9bc2-0a0326a60788 | SemperisDSP |
| Non-admin guest | 9B6558C4-BA23-40AC-B95F-42F8A29A3B35 | SenservaPro |
| Service principal not using client credentials | D308318A-B298-4E57-82BD-74AE33C4A539 | SenservaPro |
| Stale last password change | 645A8724-5C7E-4A1F-81CB-C33AFF1439EB | SenservaPro |
| UserAccountDisabled | 24E0132F-61D1-41BD-9393-06136D1039C7 | SenservaPro |
| Sentinel One - Admin login from new location | 382f37b3-b49a-492f-b436-a4717c8c5c3e | SentinelOne |
| Sentinel One - Alert from custom rule | 5f37de91-ff2b-45fb-9eda-49e9f76a3942 | SentinelOne |
| Sentinel One - Multiple alerts on host | 47e427e6-61bc-4e24-8d16-a12871b9f939 | SentinelOne |
| Sentinel One - Same custom rule triggered on different hosts | 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a | SentinelOne |
| Silverfort - Log4Shell Incident | d6abed70-4043-46da-9304-a98f3446fa5f | SilverfortAma |
| SlackAudit - Empty User Agent | 04528635-a5f1-438b-ab74-21ca7bc3aa32 | SlackAuditAPI |
| SlackAudit - Suspicious file downloaded. | 132b98a5-07e9-401a-9b6f-453e52a53979 | SlackAuditAPI |
| SlackAudit - User email linked to account changed. | 9d85feb3-7f54-4181-b143-68abb1a86823 | SlackAuditAPI |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI |
| Snowflake - Multiple login failures by user | e05cc333-d499-430f-907c-7f28a9e4d1b5 | Snowflake |
| Snowflake - Multiple login failures from single IP | b7d22407-1391-4256-b09a-414a9719443c | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| User Accessed Suspicious URL Categories | fb0f4a93-d8ad-4b54-9931-85bdb7550f90 | SyslogAma |
| TI map Domain entity to EmailEvents | 96307710-8bb9-4b45-8363-a90c72ebf86f | Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to EmailUrlInfo | 87cc75df-d7b2-44f1-b064-ee924edfc879 | Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Email entity to AzureActivity | cca3b4d9-ac39-4109-8b93-65bb284003e6 | AzureActivity ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| Preview - TI map Email entity to Cloud App Events | 47b9bb10-d216-4359-8cef-08ca2c67e5be | MicrosoftThreatProtection MicrosoftDefenderThreatIntelligence |
| TI map Email entity to EmailEvents | 11f7c6e3-f066-4b3c-9a81-b487ec0a6873 | Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Email entity to OfficeActivity | 4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2 | Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Email entity to PaloAlto CommonSecurityLog | ffcd575b-3d54-482a-a6d8-d0de13b6ac63 | PaloAltoNetworks ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SecurityAlert | a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc | AzureSecurityCenter ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SecurityEvent | 2fc5d810-c9cc-491a-b564-841427ae0e50 | ThreatIntelligence ThreatIntelligenceTaxii SecurityEvents WindowsSecurityEvents WindowsForwardedEvents MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SigninLogs | 30fa312c-31eb-43d8-b0cc-bcbdfb360822 | ThreatIntelligence ThreatIntelligenceTaxii AzureActiveDirectory MicrosoftDefenderThreatIntelligence |
| Tomcat - Commands in URI | 91f59cea-486f-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Known malicious user agent | 5e77a818-5825-4ff6-a901-80891c4774d1 | CustomLogsAma |
| Tomcat - Multiple client errors from single IP address | 4fa66058-4870-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Multiple empty requests from same IP | 7c9a1026-4872-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Multiple server errors from single IP address | de9df79c-4872-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Put file and get file from same IP address | 103d5ada-4874-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Request from localhost IP address | a45dd6ea-4874-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Request to sensitive files | 0c851bd4-4875-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Server errors after multiple requests from same IP | 875da588-4875-11ec-81d3-0242ac130003 | CustomLogsAma |
| Tomcat - Sql injection patterns | ce84741e-4875-11ec-81d3-0242ac130003 | CustomLogsAma |
| ApexOne - Attack Discovery Detection | 7a3193b8-67b7-11ec-90d6-0242ac120003 | CefAma |
| ApexOne - Commands in Url | 4a9a5900-67b7-11ec-90d6-0242ac120003 | CefAma |
| ApexOne - Multiple deny or terminate actions on single IP | cd94e078-67b7-11ec-90d6-0242ac120003 | CefAma |
| ApexOne - Spyware with failed response | c92d9fe4-67b6-11ec-90d6-0242ac120003 | CefAma |
| Trend Micro CAS - Possible phishing mail | 9e7b3811-d743-479c-a296-635410562429 | TrendMicroCAS |
| Trend Micro CAS - Suspicious filename | 52c4640a-1e2b-4155-b69e-e1869c9a57c9 | TrendMicroCAS |
| Trend Micro CAS - Unexpected file via mail | 201fd2d1-9131-4b29-bace-ce5d19f3e4ee | TrendMicroCAS |
| Trend Micro CAS - Unexpected file on file share | de54f817-f338-46bf-989b-4e016ea6b71b | TrendMicroCAS |
| Trend Micro CAS - Infected user | 3649dfb8-a5ca-47dd-8965-cd2f633ca533 | TrendMicroCAS |
| Trend Micro CAS - Multiple infected users | 65c2a6fe-ff7b-46b0-9278-61265f77f3bc | TrendMicroCAS |
| Ubiquiti - RDP from external source | 95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08 | CustomLogsAma |
| Ubiquiti - SSH from external source | 0998a19d-8451-4cdd-8493-fc342816a197 | CustomLogsAma |
| Ubiquiti - Unknown MAC Joined AP | 9757cee3-1a6c-4d8e-a968-3b7e48ded690 | CustomLogsAma |
| VMware vCenter - Root login | 03e8a895-b5ba-49a0-aed3-f9a997d92fbe | CustomLogsAma |
| VMware ESXi - Dormant VM started | 4cdcd5d8-89df-4076-a917-bc50abb9f2ab | SyslogAma |
| VMware ESXi - Multiple new VMs started | bdea247f-7d17-498c-ac0e-c7e764cbdbbe | SyslogAma |
| VMware ESXi - New VM started | 0f4a80de-344f-47c0-bc19-cb120c59b6f0 | SyslogAma |
| VMware ESXi - Root login | deb448a8-6a9d-4f8c-8a95-679a0a2cd62c | SyslogAma |
| VMware ESXi - Shared or stolen root account | 9c496d6c-42a3-4896-9b6c-00254386928f | SyslogAma |
| Votiro - File Blocked in Email | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 | Votiro CefAma |
| Detect URLs containing known malicious keywords or commands (ASIM Web Session) | 32c08696-2e37-4730-86f8-97d9c8b184c9 | |
| Detect known risky user agents (ASIM Web Session) | 6a4dbcf8-f5e2-4b33-b34f-2db6487613f0 | |
| Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) | 7bb55d05-ef39-4a40-8079-0bc3c05e7881 | |
| Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) | faa40333-1e8b-40cc-a003-51ae41fa886f | |
| Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | a59ba76c-0205-4966-948e-3d5640140688 | |
| Identify instances where a single source is observed using multiple user agents (ASIM Web Session) | 813ccf3b-0321-4622-b0bc-63518fd14454 | |
| Detect presence of uncommon user agents in web requests (ASIM Web Session) | 2d50d937-d7f2-4c05-b151-9af7f9ec747e | |
| Detect web requests to potentially harmful files (ASIM Web Session) | c6608467-3678-45fe-b038-b590ce6d00fb | |
| Detect threat information in web requests (ASIM Web Session) | 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7 | |
| Identify SysAid Server web shell creation | 50eb4cbd-188f-44f4-b964-bab84dcdec10 | SecurityEvents WindowsSecurityEvents MicrosoftThreatProtection |
| Exchange OAB Virtual Directory Attribute Containing Potential Webshell | faf1a6ff-53b5-4f92-8c55-4b20e9957594 | SecurityEvents WindowsSecurityEvents |
| ZeroFox Alerts - High Severity Alerts | deb45e6d-892f-40bf-9118-e2a6f26b788d | ZeroFox_Alert_Polling |
| ZeroFox Alerts - Informational Severity Alerts | 6f7a7413-b72f-4361-84ee-897baeb9c6d4 | ZeroFox_Alert_Polling |
| ZeroFox Alerts - Low Severity Alerts | e0c7a91a-7aa1-498a-9c20-cd6c721f9345 | ZeroFox_Alert_Polling |
| ZeroFox Alerts - Medium Severity Alerts | a6496de5-911b-4199-b7db-d34ac9d70df3 | ZeroFox_Alert_Polling |
| Zscaler - Shared ZPA session | 40a98355-0e52-479f-8c91-4ab659cba878 | CustomLogsAma |
| Zscaler - Unexpected event count of rejects by policy | 593e3e2a-43ce-11ec-81d3-0242ac130003 | CustomLogsAma |
| Zscaler - Forbidden countries | b3d112b4-3e1e-11ec-9bbc-0242ac130002 | CustomLogsAma |
| Zscaler - Unexpected update operation | 672e2846-4226-11ec-81d3-0242ac130003 | CustomLogsAma |
| Zscaler - ZPA connections from new country | c4902121-7a7e-44d1-810b-88d26db622ff | CustomLogsAma |
| Zscaler - ZPA connections from new IP | 24f0779d-3927-403a-aac1-cc8791653606 | CustomLogsAma |
| Zscaler - ZPA connections outside operational hours | 2859ad22-46c8-4cc7-ad7b-80ce0cba0af3 | CustomLogsAma |
| Zscaler - Unexpected ZPA session duration | e07846e0-43ad-11ec-81d3-0242ac130003 | CustomLogsAma |
| Anomaly Sign In Event from an IP | 9c1e9381-79dd-4ddf-9570-b73a1dc59fe0 | AzureActiveDirectory |
| User login from different countries within 3 hours (Uses Authentication Normalization) | 09ec8fa2-b25f-4696-bfae-05a7b85d7b9e | |
| Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) | 95002681-4ecb-4da3-9ece-26d7e5feaa33 | |
| SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) | bc5ffe2a-84d6-48fe-bc7b-1055100469bc | |
| A client made a web request to a potentially harmful file (ASIM Web Session schema) | 09c49590-4e9d-4da9-a34d-17222d0c9e7e | SquidProxy Zscaler |
| Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF |
| Application Gateway WAF - XSS Detection | d2bc08fa-030a-4eea-931a-762d27c6a042 | WAF |
| Suspicious Sign In by Entra ID Connect Sync Account | 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6 | BehaviorAnalytics |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request to blocklisted file type | de58ee9e-b229-4252-8537-41a4c2f4045e | CiscoUmbrellaDataConnector |
| OMI Vulnerability Exploitation | 3cc5ccd8-b416-4141-bb2d-4eba370e37a5 | |
| Exchange Server Suspicious File Downloads. | 8955c0fb-3408-47b0-a3b9-a1faec41e427 | |
| Silk Typhoon Suspicious File Downloads. | 03e04c97-8cae-48b3-9d2f-4ab262e4ffff | |
| IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN | ba144bf8-75b8-406f-9420-ed74397f9479 | AzureActiveDirectory PaloAltoNetworks |
| Failed AzureAD logons but success logon to AWS Console | 643c2025-9604-47c5-833f-7b4b9378a1f5 | AzureActiveDirectory AWS |
| Failed AzureAD logons but success logon to host | 8ee967a2-a645-4832-85f4-72b635bcb3a6 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents |
| Anomalous login followed by Teams action | 2b701288-b428-4fb8-805e-e4372c574786 | Office365 AzureActiveDirectory |
| Failed AWS Console logons but success logon to AzureAD | 910124df-913c-47e3-a7cd-29e1643fa55e | AzureActiveDirectory AWS |
| High risk Office operation conducted by IP Address that recently attempted to log into a disabled account | 9adbd1c3-a4be-44ef-ac2f-503fd25692ee | AzureActiveDirectory Office365 |
| Failed host logons but success logon to AzureAD | 1ce5e766-26ab-4616-b7c8-3b33ae321e80 | AzureActiveDirectory SecurityEvents Syslog WindowsSecurityEvents WindowsForwardedEvents |
| Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt | 1399664f-9434-497c-9cde-42e4d74ae20e | AzureSecurityCenter Office365 AzureActivity AzureActiveDirectory |
| Malformed user agent | a357535e-f722-4afe-b375-cff362b2b376 | WAF Office365 AzureActiveDirectory AWS AzureMonitor(IIS) |
| Multiple Password Reset by user | 0b9ae89d-8cad-461c-808f-0494f70ad5c4 | AzureActiveDirectory SecurityEvents Syslog Office365 WindowsSecurityEvents WindowsForwardedEvents |
| Phishing link click observed in Network Traffic | 2fed0668-6d43-4c78-87e6-510f96f12145 | OfficeATP PaloAltoNetworks Fortinet CheckPoint Zscaler |
| Cisco - firewall block but success logon to Microsoft Entra ID | 157c0cfc-d76d-463b-8755-c781608cdc1a | CiscoASA AzureActiveDirectory |
| Star Blizzard C2 Domains August 2022 | 2149d9bb-8298-444c-8f99-f7bf0274dd05 | AzureMonitor(VMInsights) CiscoASA PaloAltoNetworks MicrosoftThreatProtection AzureFirewall |
| Suspicious VM Instance Creation Activity Detected | 1cc0ba27-c5ca-411a-a779-fbc89e26be83 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity BehaviorAnalytics |
| PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack | d0c82b7f-40b2-4180-a4d6-7aa0541b7599 | PulseConnectSecure |
| Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory | a333d8bf-22a3-4c55-a1e9-5f0a135c0253 | MicrosoftThreatProtection |
| Solorigate Defender Detections | e70fa6e0-796a-4e85-9420-98b17b0bb749 | MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection |
| Workspace deletion activity from an infected device | a5b3429d-f1da-42b9-883c-327ecb7b91ff | AzureActiveDirectoryIdentityProtection AzureActivity BehaviorAnalytics |
| Silk Typhoon New UM Service Child Process | 95a15f39-d9cc-4667-8cdd-58f3113691c9 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Silk Typhoon Suspicious UM Service Error | 0625fcce-6d52-491e-8c68-1d9b801d25b9 | |
| Vulnerable Machines related to OMIGOD CVE-2021-38647 | 4d94d4a9-dc96-450a-9dea-4d4d4594199b | |
| Anomalous Single Factor Signin | f7c3f5c8-71ea-49ff-b8b3-148f0e346291 | AzureActiveDirectory |
| Authentication Attempt from New Country | ef895ada-e8e8-4cf0-9313-b1ab67fab69f | AzureActiveDirectory |
| Authentications of Privileged Accounts Outside of Expected Controls | af435ca1-fb70-4de1-92c1-7435c48482a9 | AzureActiveDirectory BehaviorAnalytics |
| New country signIn with correct password | 7808c05a-3afd-4d13-998a-a59e2297693f | AzureActiveDirectory |
| Service Principal Authentication Attempt from New Country | 1baaaf00-655f-4de9-8ff8-312e902cda71 | AzureActiveDirectory |
| Anomalous User Agent connection attempt | f845881e-2500-44dc-8ed7-b372af3e1e25 | AzureMonitor(IIS) |
| High count of connections by client IP on many ports | 44a555d8-ecee-4a25-95ce-055879b4b14b | AzureMonitor(IIS) |
| Exchange SSRF Autodiscover ProxyShell - Detection | 968358d6-6af8-49bb-aaa4-187b3067fb95 | AzureMonitor(IIS) |
| Silk Typhoon Suspicious Exchange Request | 23005e87-2d3a-482b-b03d-edbebd1ae151 | AzureMonitor(IIS) |
| User joining Zoom meeting from suspicious timezone | 58fc0170-0877-4ea8-a9ff-d805e361cfae |