Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

Lateral Movement

Overview

| Rule Name | id | Required data connectors |
|---|---|---|
| Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS, AWSS3 |
| Apache - Apache 2.4.49 flaw CVE-2021-41773 | 767f9dc4-3b01-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Several deny actions registered | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e | AzureFirewall |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Lateral Movement via DCOM | 50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f | SecurityEvents |
| Detecting Macro Invoking ShellBrowserWindow COM Objects | e7470b35-0128-4508-bfc9-e01cfb3c2eb7 | SecurityEvents |
| DCOM Lateral Movement | d58035ff-0bac-4c61-a7f4-f58939ff9764 | MicrosoftThreatProtection |
| Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection |
| Remote Desktop Protocol - SharpRDP | cc46e76c-0d04-40b0-9c8b-929aa40513e7 | MicrosoftThreatProtection |
| SMB/Windows Admin Shares | 9da25366-2c77-41a5-a159-0da5e2f5fb90 | MicrosoftThreatProtection |
| GCP IAM - New Authentication Token for Service Account | 80e4db30-5636-4fbd-8816-24c3ded8d243 | GCPIAMDataConnector |
| GCP IAM - New Service Account Key | fc135860-8773-4ead-b5be-9789af1ff8ff | GCPIAMDataConnector |
| GWorkspace - API Access Granted | c45a9804-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Internet Access (Microsoft Defender for IoT) | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd | IoT |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | cbf07406-fa2a-48b0-82b8-efad58db14ec | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| ApexOne - Inbound remote access connection | 6303235a-ee70-42a4-b969-43e7b969b916 | TrendMicroApexOne |
| vArmour AppController - SMB Realm Traversal | a36de6c3-3198-4d37-92ae-e19e36712c2e | vArmourAC |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect |
| Vectra AI Detect - New Campaign Detected | a34d0338-eda0-42b5-8b93-32aae0d7a501 | AIVectraDetect |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
| Critical Threat Detected | 2ca4e7fc-c61a-49e5-9736-5da8035c47e0 | VMwareCarbonBlack |
| Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task | 12dcea64-bec2-41c9-9df2-9f28461b1295 | SecurityEvents, WindowsSecurityEvents |
| New EXE deployed via Default Domain or Default Domain Controller Policies | 05b4bccd-dd12-423d-8de4-5a6fb526bb4f | SecurityEvents, WindowsSecurityEvents |
| Decoy User Account Authentication Attempt | a4dbc292-87eb-11ec-a8a3-0242ac120002 | SecurityEvents, WindowsSecurityEvents |
| Zero Networks Segment - Rare JIT Rule Creation | 58688058-68b2-4b39-8009-ac6dc4d81ea1 | ZeroNetworksSegmentAuditFunction, ZeroNetworksSegmentAuditNativePoller |
| New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) | 0dd2a343-4bf9-4c93-a547-adf3658ddaec | SecurityEvents |
| Azure VM Run Command operations executing a unique PowerShell script | 5239248b-abfb-4c6a-8177-b104ade5db56 | AzureActivity, MicrosoftThreatProtection |
| Gain Code Execution on ADFS Server via Remote WMI Execution | 0bd65651-1404-438b-8f63-eecddcec87b4 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Identify Mango Sandstorm powershell commands | ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1 | SecurityEvents, MicrosoftThreatProtection |
| Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity |
| Multiple RDP connections from Single System | 78422ef2-62bf-48ca-9bab-72c69818a425 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| RDP Nesting | 69a45b05-71f5-45ca-8944-2e038747fb39 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Rare RDP Connections | 45b903c5-6f56-4969-af10-ae62ac709718 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |