Microsoft Sentinel Analytic Rules

Lateral Movement

Overview

Rule Name | id | Required data connectors
--- | --- | ---
Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS, AWSS3
Apache - Apache 2.4.49 flaw CVE-2021-41773 | 767f9dc4-3b01-11ec-8d3d-0242ac130003 | ApacheHTTPServer
Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents
Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall
Phishing | c3771865-b647-46a7-9be5-a96c418cebc0 | CBSPollingIDAzureFunctions
Cynerio - Exploitation Attempt of IoT device | 3d853a88-92d2-4aec-a680-2bf7bb560c56 | CynerioSecurityEvents
Cynerio - Medical device scanning | 211e9f49-3fca-4598-bc6e-e2c28d86e72c | CynerioSecurityEvents
Cynerio - Suspicious Connection to External Address | c0756978-baa6-4239-9174-bac1b1ca1a6a | CynerioSecurityEvents
Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities
Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities
Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities
Lateral Movement via DCOM | 50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f | SecurityEvents, WindowsSecurityEvents
Detecting Macro Invoking ShellBrowserWindow COM Objects | e7470b35-0128-4508-bfc9-e01cfb3c2eb7 | SecurityEvents, WindowsSecurityEvents
DCOM Lateral Movement | d58035ff-0bac-4c61-a7f4-f58939ff9764 | MicrosoftThreatProtection
Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection
Remote Desktop Protocol - SharpRDP | cc46e76c-0d04-40b0-9c8b-929aa40513e7 | MicrosoftThreatProtection
SMB/Windows Admin Shares | 9da25366-2c77-41a5-a159-0da5e2f5fb90 | MicrosoftThreatProtection
GCP IAM - New Authentication Token for Service Account | 80e4db30-5636-4fbd-8816-24c3ded8d243 | GCPIAMDataConnector
GCP IAM - New Service Account Key | fc135860-8773-4ead-b5be-9789af1ff8ff | GCPIAMDataConnector
GWorkspace - API Access Granted | c45a9804-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI
Internet Access (Microsoft Defender for IoT) | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd | IoT
New executable via Office FileUploaded Operation | d722831e-88f5-4e25-b106-4ef6e29f8c13 | Office365
Remote File Creation with PsExec | 35ab0d58-baab-4154-87ed-fa2f69797e9e | MicrosoftThreatProtection
Service Accounts Performing Remote PS | d29cc957-0ddb-4d00-8d6f-ad1bb345ff9a | MicrosoftThreatProtection
Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI
Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI
Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition, AWSS3
Anomaly in SMB Traffic (ASIM Network Session schema) | 8717e498-7b5d-4e23-9e7c-fa4913dbfd79 | (none listed)
Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki
Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki
Radiflow - Exploit Detected | 6c028ebd-03ca-41cb-bce7-5727ddb43731 | RadiflowIsid
Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid
Radiflow - Policy Violation Detected | a3f4cc3e-2403-4570-8d21-1dedd5632958 | RadiflowIsid
Radiflow - Unauthorized Command in Operational Device | 4d90d485-6d47-417e-80ea-9cf956c1a671 | RadiflowIsid
Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector
SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF, SonicWallFirewall, CefAma
ApexOne - Inbound remote access connection | 6303235a-ee70-42a4-b969-43e7b969b916 | TrendMicroApexOne, TrendMicroApexOneAma
vArmour AppController - SMB Realm Traversal | a36de6c3-3198-4d37-92ae-e19e36712c2e | vArmourAC, vArmourACAma, CefAma
Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma, CefAma
Vectra Account's Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma, CefAma
Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma, CefAma
Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma, CefAma
Vectra Host's Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma, CefAma
Vectra AI Detect - New Campaign Detected | a34d0338-eda0-42b5-8b93-32aae0d7a501 | AIVectraDetect, AIVectraDetectAma, CefAma
Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma, CefAma
Critical Threat Detected | 2ca4e7fc-c61a-49e5-9736-5da8035c47e0 | VMwareCarbonBlack
VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API) | 44f78dbf-9f29-4ec0-aaca-ab5bf0b559af | VMwareSDWAN
VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog) | a8e2bfd2-5d9c-4acc-aa55-30029e50d574 | VMwareSDWAN
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task | 12dcea64-bec2-41c9-9df2-9f28461b1295 | SecurityEvents, WindowsSecurityEvents
New EXE deployed via Default Domain or Default Domain Controller Policies | 05b4bccd-dd12-423d-8de4-5a6fb526bb4f | SecurityEvents, WindowsSecurityEvents
Decoy User Account Authentication Attempt | a4dbc292-87eb-11ec-a8a3-0242ac120002 | SecurityEvents, WindowsSecurityEvents
Zero Networks Segment - Rare JIT Rule Creation | 58688058-68b2-4b39-8009-ac6dc4d81ea1 | ZeroNetworksSegmentAuditFunction, ZeroNetworksSegmentAuditNativePoller
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) | 0dd2a343-4bf9-4c93-a547-adf3658ddaec | SecurityEvents
Azure VM Run Command operations executing a unique PowerShell script | 5239248b-abfb-4c6a-8177-b104ade5db56 | AzureActivity, MicrosoftThreatProtection
Gain Code Execution on ADFS Server via Remote WMI Execution | 0bd65651-1404-438b-8f63-eecddcec87b4 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents
Identify Mango Sandstorm powershell commands | ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1 | SecurityEvents, MicrosoftThreatProtection
Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity, BehaviorAnalytics
Multiple RDP connections from Single System | 78422ef2-62bf-48ca-9bab-72c69818a425 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents
RDP Nesting | 69a45b05-71f5-45ca-8944-2e038747fb39 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents
Rare RDP Connections | 45b903c5-6f56-4969-af10-ae62ac709718 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents