Lateral Movement
| Rule Name | id | Required data connectors |
|---|---|---|
| Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS AWSS3 |
| Apache - Apache 2.4.49 flaw CVE-2021-41773 | 767f9dc4-3b01-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| Phishing | c3771865-b647-46a7-9be5-a96c418cebc0 | CBSPollingIDAzureFunctions |
| Cynerio - Exploitation Attempt of IoT device | 3d853a88-92d2-4aec-a680-2bf7bb560c56 | CynerioSecurityEvents |
| Cynerio - Medical device scanning | 211e9f49-3fca-4598-bc6e-e2c28d86e72c | CynerioSecurityEvents |
| Cynerio - Suspicious Connection to External Address | c0756978-baa6-4239-9174-bac1b1ca1a6a | CynerioSecurityEvents |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Lateral Movement via DCOM | 50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f | SecurityEvents |
| Detecting Macro Invoking ShellBrowserWindow COM Objects | e7470b35-0128-4508-bfc9-e01cfb3c2eb7 | SecurityEvents |
| DCOM Lateral Movement | d58035ff-0bac-4c61-a7f4-f58939ff9764 | MicrosoftThreatProtection |
| Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection |
| Remote Desktop Protocol - SharpRDP | cc46e76c-0d04-40b0-9c8b-929aa40513e7 | MicrosoftThreatProtection |
| SMB/Windows Admin Shares | 9da25366-2c77-41a5-a159-0da5e2f5fb90 | MicrosoftThreatProtection |
| GCP IAM - New Authentication Token for Service Account | 80e4db30-5636-4fbd-8816-24c3ded8d243 | GCPIAMDataConnector |
| GCP IAM - New Service Account Key | fc135860-8773-4ead-b5be-9789af1ff8ff | GCPIAMDataConnector |
| GWorkspace - API Access Granted | c45a9804-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Internet Access (Microsoft Defender for IoT) | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd | IoT |
| New executable via Office FileUploaded Operation | d722831e-88f5-4e25-b106-4ef6e29f8c13 | Office365 |
| Remote File Creation with PsExec | 35ab0d58-baab-4154-87ed-fa2f69797e9e | MicrosoftThreatProtection |
| Service Accounts Performing Remote PS | d29cc957-0ddb-4d00-8d6f-ad1bb345ff9a | MicrosoftThreatProtection |
| Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
| Anomaly in SMB Traffic(ASIM Network Session schema) | 8717e498-7b5d-4e23-9e7c-fa4913dbfd79 | |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall |
| ApexOne - Inbound remote access connection | 6303235a-ee70-42a4-b969-43e7b969b916 | TrendMicroApexOne TrendMicroApexOneAma |
| vArmour AppController - SMB Realm Traversal | a36de6c3-3198-4d37-92ae-e19e36712c2e | vArmourAC vArmourACAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect AIVectraDetectAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect AIVectraDetectAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect AIVectraDetectAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect AIVectraDetectAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect AIVectraDetectAma |
| Vectra AI Detect - New Campaign Detected | a34d0338-eda0-42b5-8b93-32aae0d7a501 | AIVectraDetect AIVectraDetectAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect AIVectraDetectAma |
| Critical Threat Detected | 2ca4e7fc-c61a-49e5-9736-5da8035c47e0 | VMwareCarbonBlack |
| VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API) | 44f78dbf-9f29-4ec0-aaca-ab5bf0b559af | VMwareSDWAN |
| VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog) | a8e2bfd2-5d9c-4acc-aa55-30029e50d574 | VMwareSDWAN |
| Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task | 12dcea64-bec2-41c9-9df2-9f28461b1295 | SecurityEvents WindowsSecurityEvents |
| New EXE deployed via Default Domain or Default Domain Controller Policies | 05b4bccd-dd12-423d-8de4-5a6fb526bb4f | SecurityEvents WindowsSecurityEvents |
| Decoy User Account Authentication Attempt | a4dbc292-87eb-11ec-a8a3-0242ac120002 | SecurityEvents WindowsSecurityEvents |
| Zero Networks Segment - Rare JIT Rule Creation | 58688058-68b2-4b39-8009-ac6dc4d81ea1 | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller |
| New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) | 0dd2a343-4bf9-4c93-a547-adf3658ddaec | SecurityEvents |
| Azure VM Run Command operations executing a unique PowerShell script | 5239248b-abfb-4c6a-8177-b104ade5db56 | AzureActivity MicrosoftThreatProtection |
| Gain Code Execution on ADFS Server via Remote WMI Execution | 0bd65651-1404-438b-8f63-eecddcec87b4 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Identify Mango Sandstorm powershell commands | ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1 | SecurityEvents MicrosoftThreatProtection |
| Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity BehaviorAnalytics |
| Multiple RDP connections from Single System | 78422ef2-62bf-48ca-9bab-72c69818a425 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| RDP Nesting | 69a45b05-71f5-45ca-8944-2e038747fb39 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Rare RDP Connections | 45b903c5-6f56-4969-af10-ae62ac709718 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |