Microsoft Sentinel Analytic Rules

Initial Access

Overview

| Rule Name | id | Required data connectors |
| --- | --- | --- |
| 1Password - Successful anomalous sign-in | ceb20a5c-adce-4eba-9728-541361d47d87 | 1Password |
| API - Rate limiting | c6258d51-7b82-4942-8293-94c1dcf91595 | 42CrunchAPIProtection |
| API - JWT validation | bbd163f4-1f56-434f-9c23-b06713c119c2 | 42CrunchAPIProtection |
| API - Suspicious Login | 7bdc10d6-aa24-4ca9-9a93-802cd8761354 | 42CrunchAPIProtection |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS, AWSS3 |
| Policy version set to default | 874a1762-3fd7-4489-b411-6d4a9e9e8a59 | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS, AWSS3 |
| Azure WAF matching for Log4j vuln(CVE-2021-44228) | 2de8abd6-a613-450e-95ed-08e503369fb3 | WAF |
| Vulnerable Machines related to log4j CVE-2021-44228 | 3d71fc38-f249-454e-8479-0a358382ef9a | |
| User agent search for log4j exploitation attempt | 29283b22-a1c0-4d16-b0a9-3460b655a46a | SquidProxy, Zscaler, WAF, Office365, AzureActiveDirectory, AWS, AzureMonitor(IIS) |
| Apache - Command in URI | 54da6a42-3b00-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Apache 2.4.49 flaw CVE-2021-41773 | 767f9dc4-3b01-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Known malicious user agent | e9edfe1c-3afd-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Multiple client errors from single IP | 15f5a956-3af9-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Multiple server errors from single IP | 1bf246a2-3af9-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Private IP in URL | db5f16f0-3afe-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Put suspicious file | c5d69e46-3b00-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Request from private IP | a0077556-3aff-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Requests to rare files | 14d7e15e-3afb-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Apache - Request to sensitive files | d1c52578-3afc-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| ARGOS Cloud Security - Exploitable Cloud Resources | a9bf1b8c-c761-4840-b9a8-7535ca68ca28 | ARGOSCloudSecurity |
| Jira - New site admin user | 6bf42891-b54d-4b4e-8533-babc5b3ea4c5 | JiraAuditAPI |
| Access to AWS without MFA | 48a9478b-440a-4330-b42c-94bd84dc904c | Authomize |
| Admin password not updated in 30 days | 63d87fcb-d197-48d2-a642-de4813f0219a | Authomize |
| Admin SaaS account detected | 87419138-d75f-450d-aca4-1dc802e32540 | Authomize |
| AWS role with admin privileges | 734c00a0-a95b-44dd-9b69-d926ed44256d | Authomize |
| AWS role with shadow admin privileges | 2526079b-3355-4756-a2d1-21e9cd957261 | Authomize |
| IaaS admin detected | dc728ba1-5204-4fde-ab48-eda19c8fad3a | Authomize |
| IaaS shadow admin detected | 31f43e9d-1839-4baf-a668-54c28b98af3e | Authomize |
| New direct access policy was granted against organizational policy | d7ee7bb5-d712-4d44-b201-b13379924934 | Authomize |
| New service account gained access to IaaS resource | 6c17f270-cd56-48cc-9196-1728ffea6538 | Authomize |
| Password Exfiltration over SCIM application | 2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa | Authomize |
| Stale AWS policy attachment to identity | 766a3b1b-0d5b-4a8d-b0d6-7dd379e73567 | Authomize |
| Unused IaaS Policy | e0ae5f9e-865b-41f5-98bb-c04113888e85 | Authomize |
| User assigned to a default admin role | c04ed74c-3b23-48cd-9c11-fd10cffddc64 | Authomize |
| User without MFA | 71a7b0de-f13d-44b9-9caa-668f1bad0ce6 | Authomize |
| Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
| Credential errors stateful anomaly on database | daa32afa-b5b6-427d-93e9-e32f3f359dd7 | AzureSql |
| Firewall errors stateful anomaly on database | 20f87813-3de0-4a9f-a8c0-6aaa3187be08 | AzureSql |
| Syntax errors stateful anomaly on database | c815008d-f4d1-4645-b13b-8b4bc188d5de | AzureSql |
| Drop attempts stateful anomaly on database | 237c3855-138c-4588-a68f-b870abd3bfc9 | AzureSql |
| Execution attempts stateful anomaly on database | 3367fd5e-44b3-4746-a9a5-dc15c8202490 | AzureSql |
| Firewall rule manipulation attempts stateful anomaly on database | 05030ca6-ef66-42ca-b672-2e84d4aaf5d7 | AzureSql |
| OLE object manipulation attempts stateful anomaly on database | dabd7284-004b-4237-b5ee-a22acab19eb2 | AzureSql |
| Outgoing connection attempts stateful anomaly on database | c105513d-e398-4a02-bd91-54b9b2d6fa7d | AzureSql |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF |
| Front Door Premium WAF - XSS Detection | b7643904-5081-4920-917e-a559ddc3448f | WAF |
| AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF |
| App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF |
| App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
| App Gateway WAF - SQLi Detection | bdb2cd63-99f2-472e-b1b9-acba473b6744 | WAF |
| App Gateway WAF - XSS Detection | 1c7ff502-2ad4-4970-9d29-9210c6753138 | WAF |
| A potentially malicious web request was executed against a web server | 46ac55ae-47b8-414a-8f94-89ccd1962178 | WAF |
| External Upstream Source Added to Azure DevOps Feed | adc32a33-1cd6-46f5-8801-e3ed8337885f | |
| New PA, PCA, or PCAS added to Azure DevOps | 35ce9aff-1708-45b8-a295-5e9a307f5f17 | |
| Bitglass - Impossible travel distance | cdb6e4a4-b9bd-4c30-94b9-ecce5a72d528 | Bitglass |
| Bitglass - Login from new device | bfca0251-1581-4185-906b-4805099e3216 | Bitglass |
| Bitglass - New risky user | a123668c-d907-41b9-bf3f-8cb4cd7b163a | Bitglass |
| Bitglass - User login from new geo location | 34401e66-9fe9-476b-a443-3a3f89e4f3b0 | Bitglass |
| Bitglass - User Agent string has changed for user | 4dd61530-859f-49e7-bd27-a173cb1a4589 | Bitglass |
| Box - Executable file in folder | b91ec98d-5747-45c8-b2f6-a07bf47068f0 | BoxDataConnector |
| Box - Forbidden file type downloaded | 8889e69c-2161-412a-94a6-76c1b2d9daa7 | BoxDataConnector |
| Box - Inactive user login | edbf38d7-e170-4af2-ad50-1a05b374611b | BoxDataConnector |
| Box - New external user | fd36ac88-cd92-4137-aa23-37a3648621fa | BoxDataConnector |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | CiscoISE |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE |
| Cisco SE High Events Last Hour | 4683ebce-07ad-4089-89e3-39d8fe83c011 | CiscoSecureEndpoint |
| Cisco SE - Malware outbreak | 225053c7-085b-4fca-a18f-c367f9228bf3 | CiscoSecureEndpoint |
| Cisco SE - Multiple malware on host | b13489d7-feb1-4ad3-9a4c-09f6d64448fd | CiscoSecureEndpoint |
| Cisco SE - Unexpected binary file | eabb9c20-7b0b-4a77-81e8-b06944f351c6 | CiscoSecureEndpoint |
| Cisco Duo - Multiple admin 2FA failures | e46c5588-e643-4a60-a008-5ba9a4c84328 | CiscoDuoSecurity |
| Cisco Duo - Multiple user login failures | 034f62b6-df51-49f3-831f-1e4cfd3c40d2 | CiscoDuoSecurity |
| Cisco Duo - New access device | f05271b6-26a5-49cf-ad73-4a202fba6eb6 | CiscoDuoSecurity |
| Cisco Duo - Authentication device new location | 01df3abe-3dc7-40e2-8aa7-f00b402df6f0 | CiscoDuoSecurity |
| Cisco Duo - Unexpected authentication factor | 16c91a2c-17ad-4985-a9ad-4a4f1cb11830 | CiscoDuoSecurity |
| Cisco SEG - Malicious attachment not blocked | 236e872c-31d1-4b45-ac2a-fda3af465c97 | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Multiple suspiciuos attachments received | dfdb9a73-4335-4bb4-b29b-eb713bce61a6 | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Possible outbreak | 53242559-95ea-4d4c-b003-107e8f06304b | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Potential phishing link | 2e5158e1-9fc2-40ff-a909-c701a13a0405 | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Suspicious link | 506291dd-8050-4c98-a92f-58e376080a0a | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Suspicious sender domain | ef0a253c-95b5-48e1-8ebc-dbeb073b9338 | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Unexpected link | 9cb4a02d-3708-42ba-b33b-0fdd360ce4b6 | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Unexpected attachment | f8ba18c4-81e3-4db0-8f85-4989f2ed2ade | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco SEG - Unscannable attacment | c66b8ced-8c76-415b-a0f3-08c7030a857d | CiscoSEG, CiscoSEGAma, CefAma |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request to blocklisted file type | de58ee9e-b229-4252-8537-41a4c2f4045e | CiscoUmbrellaDataConnector |
| Cisco WSA - Access to unwanted site | 38029e86-030c-46c4-8a91-a2be7c74d74c | CiscoWSA |
| Cisco WSA - Multiple errors to resource from risky category | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 | CiscoWSA |
| Cisco WSA - Multiple infected files | 93186e3d-5dc2-4a00-a993-fa1448db8734 | CiscoWSA |
| Cisco WSA - Multiple attempts to download unwanted file | 46b6c6fc-2c1a-4270-be10-9d444d83f027 | CiscoWSA |
| Cisco WSA - Internet access from public IP | 4250b050-e1c6-4926-af04-9484bbd7e94f | CiscoWSA |
| Cisco WSA - Unexpected file type | 8e9d1f70-d529-4598-9d3e-5dd5164d1d02 | CiscoWSA |
| Cisco WSA - Unscannable file or scan error | 9b61a945-ebcb-4245-b6e4-51f3addb5248 | CiscoWSA |
| Claroty - Login to uncommon location | e7dbcbc3-b18f-4635-b27c-718195c369f1 | Claroty, ClarotyAma, CefAma |
| Claroty - Multiple failed logins by user | 4b5bb3fc-c690-4f54-9a74-016213d699b4 | Claroty, ClarotyAma, CefAma |
| Claroty - Multiple failed logins to same destinations | 1c2310ef-19bf-4caf-b2b0-a4c983932fa5 | Claroty, ClarotyAma, CefAma |
| Claroty - New Asset | 6c29b611-ce69-4016-bf99-eca639fee1f5 | Claroty, ClarotyAma, CefAma |
| Cloudflare - Bad client IP | a7ce6135-9d55-4f14-b058-adc2e920a4fa | CloudflareDataConnector |
| Cloudflare - Empty user agent | 729c6d21-fad9-4a6a-9c7f-482393c95957 | CloudflareDataConnector |
| Cloudflare - Multiple error requests from single source | ef877d68-755f-4cf1-ac1d-f336e395667c | CloudflareDataConnector |
| Cloudflare - Multiple user agents for single source | fc50076a-0275-43d5-b9dd-38346c061f67 | CloudflareDataConnector |
| Cloudflare - Client request from country in blocklist | 40554544-6e4a-4413-8d14-bf2de939c5d9 | CloudflareDataConnector |
| Cloudflare - Unexpected client request | f32142b1-4bcb-45c0-92e4-2ddc18768522 | CloudflareDataConnector |
| Cloudflare - Unexpected URI | dcb797cd-a4cd-4306-897b-7991f71d7e27 | CloudflareDataConnector |
| Cloudflare - WAF Allowed threat | f53fe2a9-96b5-454c-827e-cf1764a67fb0 | CloudflareDataConnector |
| Cloudflare - XSS probing pattern in request | 4d9d00b9-31a6-49e4-88c1-9e68277053ac | CloudflareDataConnector |
| Contrast Blocks | 4396f8c3-d114-4154-9f4c-048ba522ed04 | ContrastProtect, ContrastProtectAma |
| Contrast Exploits | e1abb6ed-be18-40fd-be58-3d3d84041daf | ContrastProtect, ContrastProtectAma |
| Contrast Probes | 297596de-d9ae-4fb8-b6ff-00fc01c9462d | ContrastProtect, ContrastProtectAma |
| Contrast Suspicious | f713404e-805c-4e0c-91fa-2c149f76a07d | ContrastProtect, ContrastProtectAma |
| Corelight - Network Service Scanning Multiple IP Addresses | 599570d4-06f8-4939-8e29-95cd003f1abd | Corelight |
| Corelight - SMTP Email containing NON Ascii Characters within the Subject | 50c61708-9824-46f3-87cf-22490796fae2 | Corelight |
| Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request | 6b579e98-abc9-4e7a-9efc-2f3408ba16c9 | Corelight |
| Phishing | c3771865-b647-46a7-9be5-a96c418cebc0 | CBSPollingIDAzureFunctions |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| EatonForeseer - Unauthorized Logins | 5a7fccb8-3ed0-44f2-8477-540af3ef4d92 | WindowsSecurityEvents |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
| Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
| Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT |
| Office ASR rule triggered from browser spawned office process. | 30580043-2451-4d35-b49f-065728529f4a | MicrosoftThreatProtection |
| Suspicious parentprocess relationship - Office child processes. | 5ee34fa1-64ed-48c7-afa2-794b244f6c60 | MicrosoftThreatProtection |
| Fortiweb - WAF Allowed threat | 86e9409f-b9ea-4e9a-8b72-5132ba43bcae | FortiWeb, FortinetFortiWebAma |
| (Preview) GitHub - A payment method was removed | 6bb50582-caac-4a9b-9afb-3fee766ebbf7 | |
| GitHub Activites from a New Country | f041e01d-840d-43da-95c8-4188f6cef546 | |
| (Preview) GitHub - Oauth application - a client secret was removed | 0b85a077-8ba5-4cb5-90f7-1e882afe10c5 | |
| (Preview) GitHub - pull request was created | 0b85a077-8ba5-4cb5-90f7-1e882afe10c7 | |
| (Preview) GitHub - pull request was merged | 0b85a077-8ba5-4cb5-90f7-1e882afe10c6 | |
| (Preview) GitHub - Repository was created | 0b85a077-8ba5-4cb5-90f7-1e882afe10c2 | |
| (Preview) GitHub - Repository was destroyed | 0b85a077-8ba5-4cb5-90f7-1e882afe10c3 | |
| (Preview) GitHub - User visibility Was changed | 0b85a077-8ba5-4cb5-90f7-1e882afe20c9 | |
| (Preview) GitHub - User was added to the organization | 0b85a077-8ba5-4cb5-90f7-1e882afe10c4 | |
| (Preview) GitHub - User was blocked | 0b85a077-8ba5-4cb5-90f7-1e882afe10c8 | |
| (Preview) GitHub - User was invited to the repository | 0b85a077-8ba5-4cb5-90f7-1e882afe40c9 | |
| GitLab - TI - Connection from Malicious IP | 7241740a-5280-4b74-820a-862312d721a8 | ThreatIntelligence, ThreatIntelligenceTaxii, Syslog |
| Google DNS - Exchange online autodiscover abuse | 424c2aca-5367-4247-917a-5d0f7035e40e | GCPDNSDataConnector |
| Google DNS - Malicous Python packages | 75491db8-eaf7-40bb-a46a-279872cc82f5 | GCPDNSDataConnector |
| GWorkspace - Alert events | e369d246-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - Possible maldoc file name in Google drive | d80d02a8-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Imperva - Abnormal protocol usage | 363307f6-09ba-4926-ad52-03aadfd24b5e | ImpervaWAFCloudAPI |
| Imperva - Request from unexpected IP address to admin panel | 427c025d-c068-4844-8205-66879e89bcfa | ImpervaWAFCloudAPI |
| Imperva - Critical severity event not blocked | 4d365217-f96a-437c-9c57-53594fa261c3 | ImpervaWAFCloudAPI |
| Imperva - Possible command injection | 6214f187-5840-4cf7-a174-0cf9a72bfd29 | ImpervaWAFCloudAPI |
| Imperva - Request from unexpected countries | 58300723-22e0-4096-b33a-aa9b992c3564 | ImpervaWAFCloudAPI |
| Imperva - Forbidden HTTP request method in request | 7ebc9e24-319c-4786-9151-c898240463bc | ImpervaWAFCloudAPI |
| Imperva - Malicious Client | 2ff35ed4-b26a-4cad-93a6-f67adb00e919 | ImpervaWAFCloudAPI |
| Imperva - Malicious user agent | 905794a9-bc46-42b9-974d-5a2dd58110c5 | ImpervaWAFCloudAPI |
| Imperva - Multiple user agents from same source | 4e8032eb-f04d-4a30-85d3-b74bf2c8f204 | ImpervaWAFCloudAPI |
| Imperva - Request to unexpected destination port | 0ba78922-033c-468c-82de-2974d7b1797d | ImpervaWAFCloudAPI |
| Potential DHCP Starvation Attack | 57e56fc9-417a-4f41-a579-5475aea7b8ce | InfobloxNIOS |
| High Urgency IONIX Action Items | 8e0403b1-07f8-4865-b2e9-74d1e83200a4 | CyberpionSecurityLogs |
| Unauthorized remote access to the network (Microsoft Defender for IoT) | 1ff4fa3d-150b-4c87-b733-26c289af0d49 | IoT |
| Jamf Protect - Network Threats | 44da53c3-f3b0-4b70-afff-f79275cb9442 | JamfProtect |
| Failed sign-ins into LastPass due to MFA | 760b8467-e6cc-4006-9149-5696845c1a54 | LastPass, AzureActiveDirectory |
| [Deprecated] - DEV-0322 Serv-U related IOCs - July 2021 | 4759ddb4-2daf-43cb-b34e-d85b85b4e4a5 | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, Office365, AzureFirewall, WindowsFirewall |
| [Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match | d804b39c-03a4-417c-a949-bdbf21fa3305 | AWSS3, WindowsForwardedEvents, AzureMonitor(IIS), AzureMonitor(WireData), CheckPoint, CiscoASA, CEF, F5, Fortinet, PaloAltoNetworks, SecurityEvents, WindowsFirewall, DNS, Zscaler, InfobloxNIOS, MicrosoftSysmonForLinux, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Mint Sandstorm group domains/IP - October 2020 | 7249500f-3038-4b83-8549-9cd8dfa2d498 | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, Zscaler, Fortinet, OfficeATP, AzureFirewall |
| [Deprecated] - Known Manganese IP and UserAgent activity | a04cf847-a832-4c60-b687-b0b6147da219 | Office365 |
| [Deprecated] - Silk Typhoon UM Service writing suspicious file | 7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e | SecurityEvents, MicrosoftThreatProtection, WindowsSecurityEvents, WindowsForwardedEvents |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | McAfeeePO |
| McAfee ePO - Spam Email detected | ffc9052b-3658-4ad4-9003-0151515fde15 | McAfeeePO |
| McAfee ePO - Threat was not blocked | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 | McAfeeePO |
| Accessed files shared by temporary external user | bff058b2-500e-4ae5-bb49-a5b1423cbd5b | Office365 |
| AV detections related to SpringShell Vulnerability | 3bd33158-3f0b-47e3-a50f-7c20a1b88038 | MicrosoftThreatProtection |
| Possible Phishing with CSL and Network Sessions | 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12 | MicrosoftThreatProtection, Zscaler, Fortinet, CheckPoint, PaloAltoNetworks, AWSS3, WindowsForwardedEvents, SecurityEvents, WindowsSecurityEvents, MicrosoftSysmonForLinux, AzureNSG, AzureMonitor(VMInsights), AIVectraStream |
| SUNBURST and SUPERNOVA backdoor hashes | a3c144f9-8051-47d4-ac29-ffb0c312c910 | MicrosoftThreatProtection |
| SUNBURST network beacons | ce1e7025-866c-41f3-9b08-ec170e05e73e | MicrosoftThreatProtection |
| Account Created and Deleted in Short Timeframe | bb616d82-108f-47d3-9dec-9652ea0d3bf6 | AzureActiveDirectory |
| Account created or deleted by non-approved user | 6d63efa6-7c25-4bd4-a486-aa6bf50fde8a | AzureActiveDirectory |
| Anomalous sign-in location by user account and authenticating application | 7cb8f77d-c52f-4e46-b82f-3cf2e106224a | AzureActiveDirectory |
| Microsoft Entra ID PowerShell accessing non-Entra ID resources | 50574fac-f8d1-4395-81c7-78a463ff0c52 | AzureActiveDirectory |
| Azure Portal sign in from another Azure Tenant | 87210ca1-49a4-4a7d-bb4a-4988752f978c | AzureActiveDirectory |
| Attempt to bypass conditional access rule in Microsoft Entra ID | 3af9285d-bb98-4a35-ad29-5ea39ba0c628 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Added | 757e6a79-6d23-4ae6-9845-4dac170656b5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Deleted | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | c895c5b9-0fc6-40ce-9830-e8818862f2d5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Direct Settings Changed | 276d5190-38de-4eb2-9933-b3b72f4a5737 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | 229f71ba-d83b-42a5-b83b-11a641049ed1 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Direct Settings Changed | 0101e08d-99cd-4a97-a9e0-27649c4369ad | AzureActiveDirectory |
| Attempts to sign in to disabled accounts | 75ea5c39-93e5-489b-b1e1-68fa6c9d2d04 | AzureActiveDirectory |
| Guest accounts added in Entra ID Groups other than the ones specified | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 | AzureActiveDirectory |
| MFA Rejected by User | d99cf5c3-d660-436c-895b-8a8f8448da23 | AzureActiveDirectory, BehaviorAnalytics |
| Privileged Accounts - Sign in Failure Spikes | 34c5aff9-a8c2-4601-9654-c7e46342d03b | AzureActiveDirectory, BehaviorAnalytics |
| Sign-ins from IPs that attempt sign-ins to disabled accounts | 500c103a-0319-4d56-8e99-3cec8d860757 | AzureActiveDirectory, BehaviorAnalytics |
| Successful logon from IP and failure from a different IP | 02ef8d7e-fc3a-4d86-a457-650fa571d8d2 | AzureActiveDirectory, BehaviorAnalytics |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
| Suspicious Sign In Followed by MFA Modification | aec77100-25c5-4254-a20a-8027ed92c46c | AzureActiveDirectory, BehaviorAnalytics |
| External guest invitation followed by Microsoft Entra ID PowerShell signin | acc4c247-aaf7-494b-b5da-17f18863878a | AzureActiveDirectory |
| User Accounts - Sign in Failure due to CA Spikes | 3a9d5ede-2b9d-43a2-acc4-d272321ff77c | AzureActiveDirectory, BehaviorAnalytics |
| Correlate Unfamiliar sign-in properties & atypical travel alerts | a3df4a32-4805-4c6d-8699-f3c888af2f67 | AzureActiveDirectoryIdentityProtection, BehaviorAnalytics |
| Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - URL Protect | ea19dae6-bbb3-4444-a1b8-8e9ae6064aab | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Attachment Protect | aa75944c-a663-4901-969e-7b55bfa49a73 | MimecastTTPAPI |
| Mimecast Targeted Threat Protection - URL Protect | 9d5545bd-1450-4086-935c-62f15fc4a4c9 | MimecastTTPAPI |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition, AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1 | AzureActiveDirectory, AWSS3 |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | 188db479-d50a-4a9c-a041-644bae347d1f | AWS, MicrosoftDefenderAdvancedThreatProtection, AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, MicrosoftThreatProtection |
| Suspicious AWS console logins by credential access alerts | b51fe620-62ad-4ed2-9d40-5c97c0a8231f | OfficeATP, AWS, MicrosoftDefenderAdvancedThreatProtection, AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, MicrosoftThreatProtection |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Detect port misuse by static threshold (ASIM Network Session schema) | 156997bd-da0f-4729-b47a-0a3e02dd50c8 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| New UserAgent observed in last 24 hours | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 | AWS, Office365, AzureMonitor(IIS) |
| NGINX - Command in URI | d84739ce-2f46-4391-b25e-a2edbea19d7e | NGINXHTTPServer |
| NGINX - Multiple user agents for single source | 83a0b48f-1cb7-4b4f-a018-23c3203a239b | NGINXHTTPServer |
| NGINX - Known malicious user agent | a10c6551-bbf2-492c-aa8a-fe6efd8c9cc1 | NGINXHTTPServer |
| NGINX - Multiple client errors from single IP address | 42771afe-edb3-4330-bc4a-abf6a5714454 | NGINXHTTPServer |
| NGINX - Multiple server errors from single IP address | b3ae0033-552e-4c3c-b493-3edffb4473bb | NGINXHTTPServer |
| NGINX - Private IP address in URL | 1aa6bfed-f11b-402f-9007-0dccc1152ede | NGINXHTTPServer |
| NGINX - Put file and get file from same IP address | e04fa38e-9fb7-438d-887a-381d5dd235e6 | NGINXHTTPServer |
| NGINX - Request to sensitive files | 2141ef6c-d158-4d44-b739-b145a4c21947 | NGINXHTTPServer |
| NGINX - Sql injection patterns | 3bac451d-f919-4c92-9be7-694990e0ca4b | NGINXHTTPServer |
| User Login from Different Countries within 3 hours | 2954d424-f786-4677-9ffc-c24c44c6e7d5 | OktaSSO, OktaSSOv2 |
| New Device/Location sign-in along with critical operation | 41e843a8-92e7-444d-8d72-638f1145d1e1 | OktaSSO, OktaSSOv2 |
| Okta Fast Pass phishing Detection | 78d2b06c-8dc0-40e1-91c8-66d916c186f3 | OktaSSO, OktaSSOv2 |
| OCI - Inbound SSH connection | eb6e07a1-2895-4c55-9c27-ac84294f0e46 | OracleCloudInfrastructureLogsConnector |
| OCI - Unexpected user agent | a0b9a7ca-3e6d-4996-ae35-759df1d67a54 | OracleCloudInfrastructureLogsConnector |
| OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | OracleDatabaseAudit |
| OracleDBAudit - Connection to database from unknown IP | 80b1dd6d-1aea-471e-be7a-a4a0afdeec80 | OracleDatabaseAudit |
| OracleDBAudit - User connected to database from new IP | 39a0995e-f4a9-4869-a0ae-36d6d9049bfd | OracleDatabaseAudit |
| OracleDBAudit - New user account | cca7b348-e904-4a7a-8f26-d22d4d477119 | OracleDatabaseAudit |
| OracleDBAudit - User activity after long inactivity time | 5e93a535-036b-4570-9e58-d8992f30e1ae | OracleDatabaseAudit |
| OracleDBAudit - SQL injection patterns | ab352f0d-7c55-4ab2-a22e-b1c2d995e193 | OracleDatabaseAudit |
| Oracle - Command in URI | 6ae36a5e-573f-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Multiple user agents for single source | 44c7d12a-573f-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Oracle WebLogic Exploit CVE-2021-2109 | 67950168-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Malicious user agent | 51d050ee-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Multiple client errors from single IP | 41775080-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Multiple server errors from single IP | 268f4fde-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Private IP in URL | 153ce6d8-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Put file and get file from same IP address | 033e98d2-5740-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Put suspicious file | edc2f2b4-573f-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| Oracle - Request to sensitive files | 9cc9ed36-573f-11ec-bf63-0242ac130002 | OracleWebLogicServer |
| PaloAlto - MAC address conflict | 976d2eee-51cb-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - Dropping or denying session with traffic | ba663b74-51f4-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - File type changed | 9150ad68-51c8-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - Inbound connection to high risk ports | b2dd2dac-51c9-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - Possible attack without response | b6d54840-51d3-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - Possible flooding | feb185cc-51f4-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - User privileges was changed | 38f9e010-51ca-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - Put and post method request in high risk file type | f12e9d10-51ca-11ec-bf63-0242ac130002 | PaloAltoCDL, PaloAltoCDLAma |
| PaloAlto - Forbidden countries | 9fcc7734-4d1b-11ec-81d3-0242ac130003 | PaloAltoCDL, PaloAltoCDLAma |
| Palo Alto Prisma Cloud - Access keys are not rotated for 90 days | 777d4993-31bb-4d45-b949-84f58e09fa2f | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow all outbound traffic | 4264e133-eec2-438f-af85-05e869308f94 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports | df89f4bf-720e-41c5-a209-15e41e400d35 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic | 6098b34a-1e6b-440a-9e3b-fb4d5944ade1 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Anomalous access key usage | bd602b90-f7f9-4ae9-bf8c-3672a24deb39 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High risk score alert | 617b02d8-0f47-4f3c-afed-1926a45e7b28 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High severity alert opened for several days | c5bf680f-fa37-47c3-9f38-e839a9b99c05 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions | ac76d9c0-17a3-4aaa-a341-48f4c0b1c882 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Inactive user | 7f78fa52-9833-41de-b5c5-76e61b8af9c1 | PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Maximum risk score alert | 119a574d-f37a-403a-a67a-4d6f5083d9cf | PaloAltoPrismaCloud |
| Ping Federate - Authentication from new IP. | 30583ed4-d13c-43b8-baf2-d75fbe727210 | PingFederate, PingFederateAma |
| Ping Federate - Forbidden country | 14042f74-e50b-4c21-8a01-0faf4915ada4 | PingFederate, PingFederateAma |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | PingFederate, PingFederateAma |
| Ping Federate - New user SSO success login | 05282c91-7aaf-4d76-9a19-6dc582e6a411 | PingFederate, PingFederateAma |
| Ping Federate - OAuth old version | 85f70197-4865-4635-a4b2-a9c57e8fea1b | PingFederate, PingFederateAma |
| Ping Federate - Password reset request from unexpected source IP address.. | 2d201d21-77b4-4d97-95f3-26b5c6bde09f | PingFederate, PingFederateAma |
| Ping Federate - SAML old version | fddd3840-acd2-41ed-94d9-1474b0a7c8a6 | PingFederate, PingFederateAma |
| Ping Federate - Unexpected authentication URL. | 9578ef7f-cbb4-4e9a-bd26-37c15c53b413 | PingFederate, PingFederateAma |
| Ping Federate - Unexpected country for user | 64e65105-c4fc-4c28-a4e9-bb1a3ce7652d | PingFederate, PingFederateAma |
| Ping Federate - Unusual mail domain. | dc79de7d-2590-4852-95fb-f8e02b34f4da | PingFederate, PingFederateAma |
| ProofpointPOD - Binary file in attachment | eb68b129-5f17-4f56-bf6d-dde48d5e615a | ProofpointPOD |
| ProofpointPOD - Possible data exfiltration to private email | aedc5b33-2d7c-42cb-a692-f25ef637cbb1 | ProofpointPOD |
| ProofpointPOD - Email sender in TI list | 35a0792a-1269-431e-ac93-7ae2980d4dde | ThreatIntelligence, ThreatIntelligenceTaxii, ProofpointPOD |
| ProofpointPOD - Email sender IP in TI list | 78979d32-e63f-4740-b206-cfb300c735e0 | ThreatIntelligence, ThreatIntelligenceTaxii, ProofpointPOD |
| ProofpointPOD - High risk message not discarded | c7cd6073-6d2c-4284-a5c8-da27605bdfde | ProofpointPOD |
| ProofpointPOD - Suspicious attachment | f6a51e2c-2d6a-4f92-a090-cfb002ca611f | ProofpointPOD |
| Malware attachment delivered | 0558155e-4556-447e-9a22-828f2a7de06b | ProofpointTAP |
| Malware Link Clicked | 8675dd7a-795e-4d56-a79c-fc848c5ee61c | ProofpointTAP |
| High Number of Urgent Vulnerabilities Detected | 3edb7215-250b-40c0-8b46-79093949242d | QualysVulnerabilityManagement |
| New High Severity Vulnerability Detected Across Multiple Hosts | 6116dc19-475a-4148-84b2-efe89c073e27 | QualysVulnerabilityManagement |
| Radiflow - Exploit Detected | 6c028ebd-03ca-41cb-bce7-5727ddb43731 | RadiflowIsid |
| Radiflow - New Activity Detected | 8177ecff-30a1-4d4f-9a82-7fbb69019504 | RadiflowIsid |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| Radiflow - Unauthorized Internet Access | cc33e1a9-e167-460b-93e6-f14af652dbd3 | RadiflowIsid |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Critical Risks | 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60 | RidgeBotDataConnector, CefAma |
| Vulerabilities | d096643d-6789-4c74-8893-dd3fc8a94069 | RidgeBotDataConnector, CefAma |
| SailPointIdentityNowAlertForTriggers | 08330c3d-487e-4f5e-a539-1e7d06dea786 | SailPointIdentityNow |
| SailPointIdentityNowEventType | 48bb92e2-bad4-4fd4-9684-26cb188299b7 | SailPointIdentityNow |
| SailPointIdentityNowEventTypeTechnicalName | 2151e8ea-4838-4c74-be12-4d6a950dde7a | SailPointIdentityNow |
| SailPointIdentityNowFailedEvents | c3835197-fd07-447e-a0ac-7540d51a1f64 | SailPointIdentityNow |
| SailPointIdentityNowFailedEventsBasedOnTime | 175b79ef-0fc3-4b27-b92a-89b2db6c85c2 | SailPointIdentityNow |
| SailPointIdentityNowUserWithFailedEvent | 2a215222-bfc5-4858-a530-6d4088ebfa15 | SailPointIdentityNow |
| User Sign in from different countries | 3094e036-e5ae-4d6e-8626-b0f86ebc71f2 | SalesforceServiceCloud |
| SecurityBridge: A critical event occured | 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7 | SecurityBridge |
| Possible AiTM Phishing Attempt Against Microsoft Entra ID | 16daa67c-b137-48dc-8eb7-76598a44791a | AzureActiveDirectory, Zscaler |
| Non-admin guest | 9B6558C4-BA23-40AC-B95F-42F8A29A3B35 | SenservaPro |
| Service principal not using client credentials | D308318A-B298-4E57-82BD-74AE33C4A539 | SenservaPro |
| Stale last password change | 645A8724-5C7E-4A1F-81CB-C33AFF1439EB | SenservaPro |
| UserAccountDisabled | 24E0132F-61D1-41BD-9393-06136D1039C7 | SenservaPro |
| Sentinel One - Admin login from new location | 382f37b3-b49a-492f-b436-a4717c8c5c3e | SentinelOne |
| Sentinel One - Alert from custom rule | 5f37de91-ff2b-45fb-9eda-49e9f76a3942 | SentinelOne |
| Sentinel One - Multiple alerts on host | 47e427e6-61bc-4e24-8d16-a12871b9f939 | SentinelOne |
| Sentinel One - Same custom rule triggered on different hosts | 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a | SentinelOne |
| SlackAudit - Empty User Agent | 04528635-a5f1-438b-ab74-21ca7bc3aa32 | SlackAuditAPI |
| SlackAudit - Suspicious file downloaded. | 132b98a5-07e9-401a-9b6f-453e52a53979 | SlackAuditAPI |
| SlackAudit - User email linked to account changed. | 9d85feb3-7f54-4181-b143-68abb1a86823 | SlackAuditAPI |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI |
| Snowflake - Multiple login failures by user | e05cc333-d499-430f-907c-7f28a9e4d1b5 | Snowflake |
| Snowflake - Multiple login failures from single IP | b7d22407-1391-4256-b09a-414a9719443c | Snowflake |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF, SonicWallFirewall, CefAma |
| TI map Domain entity to EmailEvents | 96307710-8bb9-4b45-8363-a90c72ebf86f | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Domain entity to EmailUrlInfo | 87cc75df-d7b2-44f1-b064-ee924edfc879 | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to AzureActivity | cca3b4d9-ac39-4109-8b93-65bb284003e6 | AzureActivity, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| Preview - TI map Email entity to Cloud App Events | 47b9bb10-d216-4359-8cef-08ca2c67e5be | MicrosoftThreatProtection, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to EmailEvents | 11f7c6e3-f066-4b3c-9a81-b487ec0a6873 | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to OfficeActivity | 4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2 | Office365, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to PaloAlto CommonSecurityLog | ffcd575b-3d54-482a-a6d8-d0de13b6ac63 | PaloAltoNetworks, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SecurityAlert | a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc | AzureSecurityCenter, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SecurityEvent | 2fc5d810-c9cc-491a-b564-841427ae0e50 | ThreatIntelligence, ThreatIntelligenceTaxii, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, MicrosoftDefenderThreatIntelligence |
| TI map Email entity to SigninLogs | 30fa312c-31eb-43d8-b0cc-bcbdfb360822 | ThreatIntelligence, ThreatIntelligenceTaxii, AzureActiveDirectory, MicrosoftDefenderThreatIntelligence |
| Tomcat - Commands in URI | 91f59cea-486f-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Known malicious user agent | 5e77a818-5825-4ff6-a901-80891c4774d1 | ApacheTomcat |
| Tomcat - Multiple client errors from single IP address | 4fa66058-4870-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Multiple empty requests from same IP | 7c9a1026-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Multiple server errors from single IP address | de9df79c-4872-11ec-81d3-0242ac130003 | ApacheTomcat |
| Tomcat - Put file and get file from same IP address | 103d5ada-4874-11ec-81d3-0242ac130003 | ApacheTomcat |
Tomcat - Request from localhost IP addressa45dd6ea-4874-11ec-81d3-0242ac130003ApacheTomcat
Tomcat - Request to sensitive files0c851bd4-4875-11ec-81d3-0242ac130003ApacheTomcat
Tomcat - Server errors after multiple requests from same IP875da588-4875-11ec-81d3-0242ac130003ApacheTomcat
Tomcat - Sql injection patternsce84741e-4875-11ec-81d3-0242ac130003ApacheTomcat
ApexOne - Attack Discovery Detection7a3193b8-67b7-11ec-90d6-0242ac120003TrendMicroApexOne
TrendMicroApexOneAma
ApexOne - Commands in Url4a9a5900-67b7-11ec-90d6-0242ac120003TrendMicroApexOne
TrendMicroApexOneAma
ApexOne - Multiple deny or terminate actions on single IPcd94e078-67b7-11ec-90d6-0242ac120003TrendMicroApexOne
TrendMicroApexOneAma
ApexOne - Spyware with failed responsec92d9fe4-67b6-11ec-90d6-0242ac120003TrendMicroApexOne
TrendMicroApexOneAma
Trend Micro CAS - Possible phishing mail9e7b3811-d743-479c-a296-635410562429TrendMicroCAS
Trend Micro CAS - Suspicious filename52c4640a-1e2b-4155-b69e-e1869c9a57c9TrendMicroCAS
Trend Micro CAS - Unexpected file via mail201fd2d1-9131-4b29-bace-ce5d19f3e4eeTrendMicroCAS
Trend Micro CAS - Unexpected file on file sharede54f817-f338-46bf-989b-4e016ea6b71bTrendMicroCAS
Trend Micro CAS - Infected user3649dfb8-a5ca-47dd-8965-cd2f633ca533TrendMicroCAS
Trend Micro CAS - Multiple infected users65c2a6fe-ff7b-46b0-9278-61265f77f3bcTrendMicroCAS
Ubiquiti - RDP from external source95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08UbiquitiUnifi
Ubiquiti - SSH from external source0998a19d-8451-4cdd-8493-fc342816a197UbiquitiUnifi
Ubiquiti - Unknown MAC Joined AP9757cee3-1a6c-4d8e-a968-3b7e48ded690UbiquitiUnifi
Ubiquiti - Unusual traffic31e868c0-91d3-40eb-accc-3fa73aa96f8eUbiquitiUnifi
VMware vCenter - Root login03e8a895-b5ba-49a0-aed3-f9a997d92fbevCenter
VMware ESXi - Dormant VM started4cdcd5d8-89df-4076-a917-bc50abb9f2abVMwareESXi
VMware ESXi - Multiple new VMs startedbdea247f-7d17-498c-ac0e-c7e764cbdbbeVMwareESXi
VMware ESXi - New VM started0f4a80de-344f-47c0-bc19-cb120c59b6f0VMwareESXi
VMware ESXi - Root logindeb448a8-6a9d-4f8c-8a95-679a0a2cd62cVMwareESXi
VMware ESXi - Shared or stolen root account9c496d6c-42a3-4896-9b6c-00254386928fVMwareESXi
Votiro - File Blocked in Email0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9Votiro
CefAma
Detect URLs containing known malicious keywords or commands (ASIM Web Session)32c08696-2e37-4730-86f8-97d9c8b184c9
Detect known risky user agents (ASIM Web Session)6a4dbcf8-f5e2-4b33-b34f-2db6487613f0
Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)7bb55d05-ef39-4a40-8079-0bc3c05e7881
Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session)faa40333-1e8b-40cc-a003-51ae41fa886f
Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session)a59ba76c-0205-4966-948e-3d5640140688
Identify instances where a single source is observed using multiple user agents (ASIM Web Session)813ccf3b-0321-4622-b0bc-63518fd14454
Detect presence of uncommon user agents in web requests (ASIM Web Session)2d50d937-d7f2-4c05-b151-9af7f9ec747e
Detect web requests to potentially harmful files (ASIM Web Session)c6608467-3678-45fe-b038-b590ce6d00fb
Detect threat information in web requests (ASIM Web Session)7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
Identify SysAid Server web shell creation50eb4cbd-188f-44f4-b964-bab84dcdec10SecurityEvents
WindowsSecurityEvents
MicrosoftThreatProtection
Exchange OAB Virtual Directory Attribute Containing Potential Webshellfaf1a6ff-53b5-4f92-8c55-4b20e9957594SecurityEvents
WindowsSecurityEvents
ZeroFox Alerts - High Severity Alertsdeb45e6d-892f-40bf-9118-e2a6f26b788dZeroFox_Alert_Polling
ZeroFox Alerts - Informational Severity Alerts6f7a7413-b72f-4361-84ee-897baeb9c6d4ZeroFox_Alert_Polling
ZeroFox Alerts - Low Severity Alertse0c7a91a-7aa1-498a-9c20-cd6c721f9345ZeroFox_Alert_Polling
ZeroFox Alerts - Medium Severity Alertsa6496de5-911b-4199-b7db-d34ac9d70df3ZeroFox_Alert_Polling
Zscaler - Shared ZPA session40a98355-0e52-479f-8c91-4ab659cba878ZscalerPrivateAccess
Zscaler - Unexpected event count of rejects by policy593e3e2a-43ce-11ec-81d3-0242ac130003ZscalerPrivateAccess
Zscaler - Forbidden countriesb3d112b4-3e1e-11ec-9bbc-0242ac130002ZscalerPrivateAccess
Zscaler - Unexpected update operation672e2846-4226-11ec-81d3-0242ac130003ZscalerPrivateAccess
Zscaler - ZPA connections from new countryc4902121-7a7e-44d1-810b-88d26db622ffZscalerPrivateAccess
Zscaler - ZPA connections from new IP24f0779d-3927-403a-aac1-cc8791653606ZscalerPrivateAccess
Zscaler - ZPA connections outside operational hours2859ad22-46c8-4cc7-ad7b-80ce0cba0af3ZscalerPrivateAccess
Zscaler - Unexpected ZPA session duratione07846e0-43ad-11ec-81d3-0242ac130003ZscalerPrivateAccess
Anomaly Sign In Event from an IP9c1e9381-79dd-4ddf-9570-b73a1dc59fe0AzureActiveDirectory
User login from different countries within 3 hours (Uses Authentication Normalization)09ec8fa2-b25f-4696-bfae-05a7b85d7b9e
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)95002681-4ecb-4da3-9ece-26d7e5feaa33
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)bc5ffe2a-84d6-48fe-bc7b-1055100469bc
A client made a web request to a potentially harmful file (ASIM Web Session schema)09c49590-4e9d-4da9-a34d-17222d0c9e7eSquidProxy
Zscaler
Application Gateway WAF - SQLi Detection68c0b6bb-6bd9-4ef4-9011-08998c8ef90fWAF
Application Gateway WAF - XSS Detectiond2bc08fa-030a-4eea-931a-762d27c6a042WAF
Suspicious Sign In by Entra ID Connect Sync Account2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6BehaviorAnalytics
Cisco Umbrella - Request Allowed to harmful/malicious URI categoryd6bf1931-b1eb-448d-90b2-de118559c7ceCiscoUmbrellaDataConnector
Cisco Umbrella - Request to blocklisted file typede58ee9e-b229-4252-8537-41a4c2f4045eCiscoUmbrellaDataConnector
OMI Vulnerability Exploitation3cc5ccd8-b416-4141-bb2d-4eba370e37a5
Exchange Server Suspicious File Downloads.8955c0fb-3408-47b0-a3b9-a1faec41e427
Silk Typhoon Suspicious File Downloads.03e04c97-8cae-48b3-9d2f-4ab262e4ffff
IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPNba144bf8-75b8-406f-9420-ed74397f9479AzureActiveDirectory
PaloAltoNetworks
Failed AzureAD logons but success logon to AWS Console643c2025-9604-47c5-833f-7b4b9378a1f5AzureActiveDirectory
AWS
Failed AzureAD logons but success logon to host8ee967a2-a645-4832-85f4-72b635bcb3a6AzureActiveDirectory
SecurityEvents
Syslog
WindowsSecurityEvents
WindowsForwardedEvents
Anomalous login followed by Teams action2b701288-b428-4fb8-805e-e4372c574786Office365
AzureActiveDirectory
Failed AWS Console logons but success logon to AzureAD910124df-913c-47e3-a7cd-29e1643fa55eAzureActiveDirectory
AWS
High risk Office operation conducted by IP Address that recently attempted to log into a disabled account9adbd1c3-a4be-44ef-ac2f-503fd25692eeAzureActiveDirectory
Office365
Failed host logons but success logon to AzureAD1ce5e766-26ab-4616-b7c8-3b33ae321e80AzureActiveDirectory
SecurityEvents
Syslog
WindowsSecurityEvents
WindowsForwardedEvents
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt1399664f-9434-497c-9cde-42e4d74ae20eAzureSecurityCenter
Office365
AzureActivity
AzureActiveDirectory
Malformed user agenta357535e-f722-4afe-b375-cff362b2b376WAF
Office365
AzureActiveDirectory
AWS
AzureMonitor(IIS)
Multiple Password Reset by user0b9ae89d-8cad-461c-808f-0494f70ad5c4AzureActiveDirectory
SecurityEvents
Syslog
Office365
WindowsSecurityEvents
WindowsForwardedEvents
Phishing link click observed in Network Traffic2fed0668-6d43-4c78-87e6-510f96f12145OfficeATP
PaloAltoNetworks
Fortinet
CheckPoint
Zscaler
Cisco - firewall block but success logon to Microsoft Entra ID157c0cfc-d76d-463b-8755-c781608cdc1aCiscoASA
AzureActiveDirectory
Star Blizzard C2 Domains August 20222149d9bb-8298-444c-8f99-f7bf0274dd05AzureMonitor(VMInsights)
CiscoASA
PaloAltoNetworks
MicrosoftThreatProtection
AzureFirewall
Suspicious VM Instance Creation Activity Detected1cc0ba27-c5ca-411a-a779-fbc89e26be83GCPAuditLogsDefinition
AzureActiveDirectoryIdentityProtection
MicrosoftThreatProtection
MicrosoftDefenderAdvancedThreatProtection
MicrosoftCloudAppSecurity
BehaviorAnalytics
PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attackd0c82b7f-40b2-4180-a4d6-7aa0541b7599PulseConnectSecure
Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factorya333d8bf-22a3-4c55-a1e9-5f0a135c0253MicrosoftThreatProtection
Solorigate Defender Detectionse70fa6e0-796a-4e85-9420-98b17b0bb749MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
Workspace deletion activity from an infected devicea5b3429d-f1da-42b9-883c-327ecb7b91ffAzureActiveDirectoryIdentityProtection
AzureActivity
BehaviorAnalytics
Silk Typhoon New UM Service Child Process95a15f39-d9cc-4667-8cdd-58f3113691c9SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Silk Typhoon Suspicious UM Service Error0625fcce-6d52-491e-8c68-1d9b801d25b9
Vulnerable Machines related to OMIGOD CVE-2021-386474d94d4a9-dc96-450a-9dea-4d4d4594199b
Anomalous Single Factor Signinf7c3f5c8-71ea-49ff-b8b3-148f0e346291AzureActiveDirectory
Authentication Attempt from New Countryef895ada-e8e8-4cf0-9313-b1ab67fab69fAzureActiveDirectory
Authentications of Privileged Accounts Outside of Expected Controlsaf435ca1-fb70-4de1-92c1-7435c48482a9AzureActiveDirectory
BehaviorAnalytics
New country signIn with correct password7808c05a-3afd-4d13-998a-a59e2297693fAzureActiveDirectory
Service Principal Authentication Attempt from New Country1baaaf00-655f-4de9-8ff8-312e902cda71AzureActiveDirectory
Anomalous User Agent connection attemptf845881e-2500-44dc-8ed7-b372af3e1e25AzureMonitor(IIS)
High count of connections by client IP on many ports44a555d8-ecee-4a25-95ce-055879b4b14bAzureMonitor(IIS)
Exchange SSRF Autodiscover ProxyShell - Detection968358d6-6af8-49bb-aaa4-187b3067fb95AzureMonitor(IIS)
Silk Typhoon Suspicious Exchange Request23005e87-2d3a-482b-b03d-edbebd1ae151AzureMonitor(IIS)
User joining Zoom meeting from suspicious timezone58fc0170-0877-4ea8-a9ff-d805e361cfae