Lateral Movement
| Rule Name | id | Required data connectors |
|---|---|---|
| Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS AWSS3 |
| Apache - Apache 2.4.49 flaw CVE-2021-41773 | 767f9dc4-3b01-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| TLS Certificate Using Weak Cipher - Informational | 1bdf3cba-6b85-4b88-ab1e-681bac20d41f | HVPollingIDAzureFunctions |
| TLS Certificate Using Weak Cipher - Medium | 7bbe51fe-9c5f-4f54-a079-b84cc27737a1 | HVPollingIDAzureFunctions |
| TLSv1.1 in Use - info | 049edfdd-0331-4493-bcd7-b375bba7b551 | HVPollingIDAzureFunctions |
| TLSv1.1 in Use - Medium | 92400070-199b-46d3-bd86-2fb8421b5338 | HVPollingIDAzureFunctions |
| TLSv1 in Use - Low | 9435d04a-e8a6-49e5-90c4-e7f3456f9ed5 | HVPollingIDAzureFunctions |
| TLSv1 in Use - Medium | 93f2ab34-15a3-4199-ad5a-6ebf8d2ad449 | HVPollingIDAzureFunctions |
| Cynerio - Exploitation Attempt of IoT device | 3d853a88-92d2-4aec-a680-2bf7bb560c56 | CynerioSecurityEvents |
| Cynerio - Medical device scanning | 211e9f49-3fca-4598-bc6e-e2c28d86e72c | CynerioSecurityEvents |
| Cynerio - Suspicious Connection to External Address | c0756978-baa6-4239-9174-bac1b1ca1a6a | CynerioSecurityEvents |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Lateral Movement via DCOM | 50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f | SecurityEvents WindowsSecurityEvents |
| Detecting Macro Invoking ShellBrowserWindow COM Objects | e7470b35-0128-4508-bfc9-e01cfb3c2eb7 | SecurityEvents WindowsSecurityEvents |
| DCOM Lateral Movement | d58035ff-0bac-4c61-a7f4-f58939ff9764 | MicrosoftThreatProtection |
| Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection |
| Remote Desktop Protocol - SharpRDP | cc46e76c-0d04-40b0-9c8b-929aa40513e7 | MicrosoftThreatProtection |
| SMB/Windows Admin Shares | 9da25366-2c77-41a5-a159-0da5e2f5fb90 | MicrosoftThreatProtection |
| GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | |
| GSA Enriched Office 365 - New Executable via Office FileUploaded Operation | 178c62b4-d5e5-40f5-8eab-7fccd0051e7a | AzureActiveDirectory Office365 |
| GCP IAM - New Authentication Token for Service Account | 80e4db30-5636-4fbd-8816-24c3ded8d243 | GCPIAMDataConnector |
| GCP IAM - New Service Account Key | fc135860-8773-4ead-b5be-9789af1ff8ff | GCPIAMDataConnector |
| GWorkspace - API Access Granted | c45a9804-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Illusive Incidents Analytic Rule | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 | Illusive illusiveAttackManagementSystemAma CefAma |
| Internet Access (Microsoft Defender for IoT) | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd | IoT |
| New executable via Office FileUploaded Operation | d722831e-88f5-4e25-b106-4ef6e29f8c13 | Office365 |
| Dataverse - New non-interactive identity granted access | 682e230c-e5da-4085-8666-701d1f1be7de | Dataverse AzureActiveDirectory |
| Dataverse - TI map IP to DataverseActivity | 56d5aa0c-d871-4167-ba13-61c2f0fd17bf | Dataverse ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence |
| F&O - Bank account change following network alias reassignment | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64 | Dynamics365Finance |
| Power Apps - Bulk sharing of Power Apps to newly created guest users | 943acfa0-9285-4eb0-a9c0-42e36177ef19 | PowerPlatformAdmin AzureActiveDirectory |
| Power Platform - Possibly compromised user accesses Power Platform services | 54d48840-1c64-4399-afee-ad39a069118d | AzureActiveDirectory |
| Remote File Creation with PsExec | 35ab0d58-baab-4154-87ed-fa2f69797e9e | MicrosoftThreatProtection |
| Service Accounts Performing Remote PS | d29cc957-0ddb-4d00-8d6f-ad1bb345ff9a | MicrosoftThreatProtection |
| Mimecast Secure Email Gateway - Impersonation Protect | 2ef77cef-439f-4d94-848f-3eca67510d2f | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Internal Email Protect | d3bd7640-3600-49f9-8d10-6fe312e68b4f | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Impersonation Protect | 7034abc9-6b66-4533-9bf3-056672fd9d9e | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 |
| Anomaly in SMB Traffic(ASIM Network Session schema) | 8717e498-7b5d-4e23-9e7c-fa4913dbfd79 | |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| Radiflow - Exploit Detected | 6c028ebd-03ca-41cb-bce7-5727ddb43731 | RadiflowIsid |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| Radiflow - Policy Violation Detected | a3f4cc3e-2403-4570-8d21-1dedd5632958 | RadiflowIsid |
| Radiflow - Unauthorized Command in Operational Device | 4d90d485-6d47-417e-80ea-9cf956c1a671 | RadiflowIsid |
| Detection of Malicious URLs in Syslog Events | 9acb3664-72c4-4676-80fa-9f81912e347e | Syslog SyslogAma |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| BTP - User added to sensitive privileged role collection | 5acbe4cb-a379-4acc-9ad3-28dc48ad33d3 | SAPBTPAuditEvents |
| Sentinel One - Same custom rule triggered on different hosts | 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a | SentinelOne |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Excessive Blocked Traffic Events Generated by User | fa0ab69c-7124-4f62-acdd-61017cf6ce89 | SyslogAma |
| ApexOne - Inbound remote access connection | 6303235a-ee70-42a4-b969-43e7b969b916 | CefAma |
| vArmour AppController - SMB Realm Traversal | a36de6c3-3198-4d37-92ae-e19e36712c2e | vArmourAC vArmourACAma CefAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | CefAma |
| Vectra AI Detect - New Campaign Detected | a34d0338-eda0-42b5-8b93-32aae0d7a501 | CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | CefAma |
| Critical Threat Detected | 2ca4e7fc-c61a-49e5-9736-5da8035c47e0 | VMwareCarbonBlack |
| VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API) | 44f78dbf-9f29-4ec0-aaca-ab5bf0b559af | VMwareSDWAN |
| VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog) | a8e2bfd2-5d9c-4acc-aa55-30029e50d574 | VMwareSDWAN |
| Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task | 12dcea64-bec2-41c9-9df2-9f28461b1295 | SecurityEvents WindowsSecurityEvents |
| New EXE deployed via Default Domain or Default Domain Controller Policies | 05b4bccd-dd12-423d-8de4-5a6fb526bb4f | SecurityEvents WindowsSecurityEvents |
| Decoy User Account Authentication Attempt | a4dbc292-87eb-11ec-a8a3-0242ac120002 | SecurityEvents WindowsSecurityEvents |
| Zero Networks Segment - Rare JIT Rule Creation | 58688058-68b2-4b39-8009-ac6dc4d81ea1 | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller |
| New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) | 0dd2a343-4bf9-4c93-a547-adf3658ddaec | SecurityEvents |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
| Azure VM Run Command operations executing a unique PowerShell script | 5239248b-abfb-4c6a-8177-b104ade5db56 | AzureActivity MicrosoftThreatProtection |
| Gain Code Execution on ADFS Server via Remote WMI Execution | 0bd65651-1404-438b-8f63-eecddcec87b4 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Identify Mango Sandstorm powershell commands | ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1 | SecurityEvents MicrosoftThreatProtection |
| Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity BehaviorAnalytics |
| Multiple RDP connections from Single System | 78422ef2-62bf-48ca-9bab-72c69818a425 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| RDP Nesting | 69a45b05-71f5-45ca-8944-2e038747fb39 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Rare RDP Connections | 45b903c5-6f56-4969-af10-ae62ac709718 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |