Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Lateral Movement

Overview

Rule NameidRequired data connectors
Changes to Amazon VPC settings65360bb0-8986-4ade-a89d-af3cf44d28aaAWS
AWSS3
Apache - Apache 2.4.49 flaw CVE-2021-41773767f9dc4-3b01-11ec-8d3d-0242ac130003ApacheHTTPServer
CustomLogsAma
Powershell Empire Cmdlets Executed in Command Lineef88eb96-861c-43a0-ab16-f3835a97c928SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Several deny actions registeredf8dad4e9-3f19-4d70-ab7f-8f19ccd43a3eAzureFirewall
Cisco Umbrella - Hack Tool User-Agent Detected8d537f3c-094f-430c-a588-8a87da36ee3aCiscoUmbrellaDataConnector
TLS Certificate Using Weak Cipher - Informational1bdf3cba-6b85-4b88-ab1e-681bac20d41fHVPollingIDAzureFunctions
TLS Certificate Using Weak Cipher - Medium7bbe51fe-9c5f-4f54-a079-b84cc27737a1HVPollingIDAzureFunctions
TLSv1.1 in Use - info049edfdd-0331-4493-bcd7-b375bba7b551HVPollingIDAzureFunctions
TLSv1.1 in Use - Medium92400070-199b-46d3-bd86-2fb8421b5338HVPollingIDAzureFunctions
TLSv1 in Use - Low9435d04a-e8a6-49e5-90c4-e7f3456f9ed5HVPollingIDAzureFunctions
TLSv1 in Use - Medium93f2ab34-15a3-4199-ad5a-6ebf8d2ad449HVPollingIDAzureFunctions
Cynerio - Exploitation Attempt of IoT device3d853a88-92d2-4aec-a680-2bf7bb560c56CynerioSecurityEvents
Cynerio - Medical device scanning211e9f49-3fca-4598-bc6e-e2c28d86e72cCynerioSecurityEvents
Cynerio - Suspicious Connection to External Addressc0756978-baa6-4239-9174-bac1b1ca1a6aCynerioSecurityEvents
Dynatrace - Problem detection415978ff-074e-4203-824a-b06153d77bf7DynatraceProblems
Dynatrace Application Security - Code-Level runtime vulnerability detection305093b4-0fa2-57bc-bced-caea782a6e9cDynatraceRuntimeVulnerabilities
Dynatrace Application Security - Non-critical runtime vulnerability detectionff0af873-a2f2-4233-8412-0ef4e00b0156DynatraceRuntimeVulnerabilities
Dynatrace Application Security - Third-Party runtime vulnerability detectionaf99b078-124b-543a-9a50-66ef87c09f6aDynatraceRuntimeVulnerabilities
Lateral Movement via DCOM50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14fSecurityEvents
WindowsSecurityEvents
Detecting Macro Invoking ShellBrowserWindow COM Objectse7470b35-0128-4508-bfc9-e01cfb3c2eb7SecurityEvents
WindowsSecurityEvents
DCOM Lateral Movementd58035ff-0bac-4c61-a7f4-f58939ff9764MicrosoftThreatProtection
Oracle suspicious command executione6c5ff42-0f42-4cec-994a-dabb92fe36e1MicrosoftThreatProtection
Remote Desktop Protocol - SharpRDPcc46e76c-0d04-40b0-9c8b-929aa40513e7MicrosoftThreatProtection
SMB/Windows Admin Shares9da25366-2c77-41a5-a159-0da5e2f5fb90MicrosoftThreatProtection
GitHub Security Vulnerability in Repository5436f471-b03d-41cb-b333-65891f887c43
Office 365 - New Executable via Office FileUploaded Operation178c62b4-d5e5-40f5-8eab-7fccd0051e7aAzureActiveDirectory
GCP IAM - New Authentication Token for Service Account80e4db30-5636-4fbd-8816-24c3ded8d243GCPIAMDataConnector
GCP IAM - New Service Account Keyfc135860-8773-4ead-b5be-9789af1ff8ffGCPIAMDataConnector
GWorkspace - API Access Grantedc45a9804-5da8-11ec-bf63-0242ac130002GoogleWorkspaceReportsAPI
Illusive Incidents Analytic Rule1a7dbcf6-21a2-4255-84b2-c8dbbdca4630Illusive
illusiveAttackManagementSystemAma
CefAma
Internet Access (Microsoft Defender for IoT)9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbdIoT
New executable via Office FileUploaded Operationd722831e-88f5-4e25-b106-4ef6e29f8c13Office365
Remote File Creation with PsExec35ab0d58-baab-4154-87ed-fa2f69797e9eMicrosoftThreatProtection
Service Accounts Performing Remote PSd29cc957-0ddb-4d00-8d6f-ad1bb345ff9aMicrosoftThreatProtection
Mimecast Secure Email Gateway - Impersonation Protect7034abc9-6b66-4533-9bf3-056672fd9d9eMimecastSIEMAPI
Mimecast Secure Email Gateway - Internal Email Protect5b66d176-e344-4abf-b915-e5f09a6430efMimecastSIEMAPI
Cross-Cloud Suspicious Compute resource creation in GCP5c847e47-0a07-4c01-ab99-5817ad6cb11eGCPAuditLogsDefinition
AWSS3
Anomaly in SMB Traffic(ASIM Network Session schema)8717e498-7b5d-4e23-9e7c-fa4913dbfd79
Anomaly found in Network Session Traffic (ASIM Network Session schema)cd6def0d-3ef0-4d55-a7e3-faa96c46ba12AWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
Detect port misuse by anomaly based detection (ASIM Network Session schema)cbf07406-fa2a-48b0-82b8-efad58db14ecAWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
Radiflow - Exploit Detected6c028ebd-03ca-41cb-bce7-5727ddb43731RadiflowIsid
Radiflow - Platform Alertff0c781a-b30f-4acf-9cf1-75d7383d66d1RadiflowIsid
Radiflow - Policy Violation Detecteda3f4cc3e-2403-4570-8d21-1dedd5632958RadiflowIsid
Radiflow - Unauthorized Command in Operational Device4d90d485-6d47-417e-80ea-9cf956c1a671RadiflowIsid
Detection of Malicious URLs in Syslog Events9acb3664-72c4-4676-80fa-9f81912e347eSyslog
SyslogAma
Red Canary Threat Detection6d263abb-6445-45cc-93e9-c593d3d77b89RedCanaryDataConnector
Sentinel One - Same custom rule triggered on different hosts5586d378-1bce-4d9b-9ac8-e7271c9d5a9aSentinelOne
SonicWall - Allowed SSH, Telnet, and RDP Connections27f1a570-5f20-496b-88f6-a9aa2c5c9534CEF
SonicWallFirewall
CefAma
New Sonrai Ticketbcc3362d-b6f9-4de0-b41c-707fafd5a416SonraiDataConnector
Sonrai Ticket Assigned37a8d052-a3db-4dc6-9dca-9390cac6f486SonraiDataConnector
Sonrai Ticket Closedf5d467de-b5a2-4b4f-96db-55e27c733594SonraiDataConnector
Sonrai Ticket Escalation Executed0d29c93e-b83f-4dfb-bbbb-76824b77eecaSonraiDataConnector
Sonrai Ticket Escalation Executed822fff15-ea68-4d0f-94ee-b4482ddb6f3aSonraiDataConnector
Sonrai Ticket Reopenedb60129ab-ce22-4b76-858d-3204932a13ccSonraiDataConnector
Sonrai Ticket Risk Accepted080191e8-271d-4ae6-85ce-c7bcd4b06b40SonraiDataConnector
Sonrai Ticket Snoozed10e6c454-5cad-4f86-81ce-800235cb050aSonraiDataConnector
Sonrai Ticket Updatedaf9b8eb1-a8ef-40aa-92a4-1fc73a1479c7SonraiDataConnector
Excessive Blocked Traffic Events Generated by Userfa0ab69c-7124-4f62-acdd-61017cf6ce89SymantecEndpointProtection
SyslogAma
ApexOne - Inbound remote access connection6303235a-ee70-42a4-b969-43e7b969b916TrendMicroApexOne
TrendMicroApexOneAma
CefAma
vArmour AppController - SMB Realm Traversala36de6c3-3198-4d37-92ae-e19e36712c2evArmourAC
vArmourACAma
CefAma
Vectra AI Detect - Suspected Compromised Account321f9dbd-64b7-4541-81dc-08cf7732ccb0AIVectraDetect
AIVectraDetectAma
CefAma
Vectra Account’s Behaviorsce54b5d3-4c31-4eaf-a73e-31412270b6abAIVectraDetect
AIVectraDetectAma
CefAma
Vectra AI Detect - Detections with High Severity39e48890-2c02-487e-aa9e-3ba494061798AIVectraDetect
AIVectraDetectAma
CefAma
Vectra AI Detect - Suspected Compromised Host60eb6cf0-3fa1-44c1-b1fe-220fbee23d63AIVectraDetect
AIVectraDetectAma
CefAma
Vectra Host’s Behaviors33e3b6da-2660-4cd7-9032-11be76db88d2AIVectraDetect
AIVectraDetectAma
CefAma
Vectra AI Detect - New Campaign Detecteda34d0338-eda0-42b5-8b93-32aae0d7a501AIVectraDetect
AIVectraDetectAma
CefAma
Vectra AI Detect - Suspicious Behaviors by Category6cb75f65-231f-46c4-a0b3-50ff21ee6ed3AIVectraDetect
AIVectraDetectAma
CefAma
Critical Threat Detected2ca4e7fc-c61a-49e5-9736-5da8035c47e0VMwareCarbonBlack
VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)44f78dbf-9f29-4ec0-aaca-ab5bf0b559afVMwareSDWAN
VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog)a8e2bfd2-5d9c-4acc-aa55-30029e50d574VMwareSDWAN
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task12dcea64-bec2-41c9-9df2-9f28461b1295SecurityEvents
WindowsSecurityEvents
New EXE deployed via Default Domain or Default Domain Controller Policies05b4bccd-dd12-423d-8de4-5a6fb526bb4fSecurityEvents
WindowsSecurityEvents
Decoy User Account Authentication Attempta4dbc292-87eb-11ec-a8a3-0242ac120002SecurityEvents
WindowsSecurityEvents
Zero Networks Segment - Rare JIT Rule Creation58688058-68b2-4b39-8009-ac6dc4d81ea1ZeroNetworksSegmentAuditFunction
ZeroNetworksSegmentAuditNativePoller
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)0dd2a343-4bf9-4c93-a547-adf3658ddaecSecurityEvents
A host is potentially running a hacking tool (ASIM Web Session schema)3f0c20d5-6228-48ef-92f3-9ff7822c1954SquidProxy
Zscaler
Azure VM Run Command operations executing a unique PowerShell script5239248b-abfb-4c6a-8177-b104ade5db56AzureActivity
MicrosoftThreatProtection
Gain Code Execution on ADFS Server via Remote WMI Execution0bd65651-1404-438b-8f63-eecddcec87b4SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Identify Mango Sandstorm powershell commandsce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1SecurityEvents
MicrosoftThreatProtection
Azure VM Run Command operation executed during suspicious login window11bda520-a965-4654-9a45-d09f372f71aaAzureActivity
BehaviorAnalytics
Multiple RDP connections from Single System78422ef2-62bf-48ca-9bab-72c69818a425SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
RDP Nesting69a45b05-71f5-45ca-8944-2e038747fb39SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Rare RDP Connections45b903c5-6f56-4969-af10-ae62ac709718SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents