Microsoft Sentinel Analytic Rules

Persistence

Overview

| Rule Name | id | Required data connectors |
| --- | --- | --- |
| 1Password - Changes to SSO configuration | 9406f5ab-1197-4db9-8042-9f3345be061c | 1Password |
| 1Password - Manual account creation | 9a264487-bcb8-4c7f-a461-b289a46377b8 | 1Password |
| 1Password - New service account integration created | 26daed54-cea5-469c-9b6e-0d85a40dc463 | 1Password |
| 1Password - Non-privileged vault user permission change | 327e0579-7c03-4ec7-acf5-a29dcc4a12b6 | 1Password |
| 1Password - Privileged vault permission change | 76e386eb-f51a-4600-97d1-f0db3b7e41f1 | 1Password |
| 1Password - User account MFA settings changed | 3c8140eb-e946-4bf2-8c61-03e4df56d400 | 1Password |
| 1Password - User added to privileged group | 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3 | 1Password |
| 1Password - Vault export post account creation | 969e2e5c-9cc6-423c-a3de-514f7ad75fe7 | 1Password |
| Changes to internet facing AWS RDS Database instances | 8c2ef238-67a0-497d-b1dd-5c8a0f533e25 | AWS, AWSS3 |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS, AWSS3 |
| Changes to AWS Security Group ingress and egress settings | 4f19d4e3-ec5f-4abc-9e61-819eb131758c | AWS, AWSS3 |
| Changes to AWS Elastic Load Balancer security groups | c7bfadd4-34a6-4fa5-82f8-3691a32261e8 | AWS, AWSS3 |
| SAML update identity provider | bce1dcba-4948-414d-8838-6385afb9d496 | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS, AWSS3 |
| Jira - New site admin user | b894593a-2b4c-4573-bc47-78715224a6f5 | JiraAuditAPI |
| Jira - New user created | 8c90f30f-c612-407c-91a0-c6a6b41ac199 | JiraAuditAPI |
| Jira - User’s password changed multiple times | 943176e8-b979-45c0-8ad3-58ba6cfd41f0 | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Lateral Movement Risk - Role Chain Length | 25bef734-4399-4c55-9579-4ebabd9cccf6 | Authomize |
| Empty group with entitlements | c4d442a8-8227-4735-ac13-d84704e1b371 | Authomize |
| IaaS policy not attached to any identity | 57bae0c4-50b7-4552-9de9-19dfecddbace | Authomize |
| Stale IAAS policy attachment to role | ccdf3f87-7890-4549-9d0f-8f43c1d2751d | Authomize |
| Suspicious granting of permissions to an account | b2c15736-b9eb-4dae-8b02-3016b6a45a32 | AzureActivity, BehaviorAnalytics |
| Rare subscription-level operations in Azure | 23de46ea-c425-4a77-b456-511ae4855d69 | AzureActivity |
| Azure DevOps New Extension Added | bf07ca9c-e408-443a-8939-6860a45a929e | |
| Azure DevOps Administrator Group Monitoring | 89e6adbd-612c-4fbe-bc3d-32f81baf3b6c | |
| Azure DevOps Pull Request Policy Bypassing - Historic allow list | 4d8de9e6-263e-4845-8618-cd23a4f58b70 | |
| Azure DevOps Service Connection Addition/Abuse - Historic allow list | 5efb0cfd-063d-417a-803b-562eae5b0301 | |
| Azure DevOps Service Connection Abuse | d564ff12-8f53-41b8-8649-44f76b37b99f | |
| Box - New external user | fd36ac88-cd92-4137-aa23-37a3648621fa | BoxDataConnector |
| Account Elevated to New Role | c1c66f0b-5531-4a3e-a619-9d2f770ef730 | AzureActiveDirectory |
| Authentication Method Changed for Privileged Account | feb0a2fb-ae75-4343-8cbc-ed545f1da289 | AzureActiveDirectory, BehaviorAnalytics |
| Malicious BEC Inbox Rule | 8ac77493-3cae-4840-8634-15fb23f8fb68 | Office365 |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | SyslogAma |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | SyslogAma |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | SyslogAma |
| CiscoISE - Device PostureStatus changed to non-compliant | 548a2eda-d3eb-46cc-8d4b-1601551629e4 | SyslogAma |
| Cisco Duo - Admin password reset | 413e49a5-b107-4698-8428-46b89308bd22 | CiscoDuoSecurity |
| Cisco Duo - Admin user created | 0724cb01-4866-483d-a149-eb400fe1daa8 | CiscoDuoSecurity |
| Multi-Factor Authentication Disabled for a User | 65c78944-930b-4cae-bd79-c3664ae30ba7 | AzureActiveDirectory, AWS |
| New External User Granted Admin Role | d7424fd9-abb3-4ded-a723-eebe023aaa0b | AzureActiveDirectory |
| Cloudflare - Unexpected POST requests | 7313352a-09f6-4a84-88bd-6f17f1cbeb8f | CloudflareDataConnector |
| Corelight - Possible Webshell | f3245aa1-1ca1-471c-a0b7-97ea6b791d5d | Corelight |
| Corelight - Possible Webshell (Rare PUT or POST) | db662e49-6e34-4d10-9d3c-5d04b5479658 | Corelight |
| TLS Certificate Hostname Mismatch | 69761091-1a9a-49a9-8966-be68cd550766 | HVPollingIDAzureFunctions |
| TLS Certificate Using Weak Cipher - Informational | 1bdf3cba-6b85-4b88-ab1e-681bac20d41f | HVPollingIDAzureFunctions |
| TLS Certificate Using Weak Cipher - Medium | 7bbe51fe-9c5f-4f54-a079-b84cc27737a1 | HVPollingIDAzureFunctions |
| TLSv1.1 in Use - info | 049edfdd-0331-4493-bcd7-b375bba7b551 | HVPollingIDAzureFunctions |
| TLSv1.1 in Use - Medium | 92400070-199b-46d3-bd86-2fb8421b5338 | HVPollingIDAzureFunctions |
| TLSv1 in Use - Low | 9435d04a-e8a6-49e5-90c4-e7f3456f9ed5 | HVPollingIDAzureFunctions |
| TLSv1 in Use - Medium | 93f2ab34-15a3-4199-ad5a-6ebf8d2ad449 | HVPollingIDAzureFunctions |
| Dataminr - urgent alerts detected | 64a46029-3236-4d03-b5df-207366a623f1 | DataminrPulseAlerts |
| DEV-0270 New User Creation | 7965f0be-c039-4d18-8ee8-9a6add8aecf3 | SecurityEvents, WindowsSecurityEvents, MicrosoftThreatProtection |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
| Registry Persistence via AppCert DLL Modification | c61ad0ac-ad68-4ebb-b41a-74296d3e0044 | SecurityEvents, WindowsSecurityEvents |
| Registry Persistence via AppInit DLLs Modification | 9367dff0-941d-44e2-8875-cb48570c7add | SecurityEvents, WindowsSecurityEvents |
| Component Object Model Hijacking - Vault7 trick | 1aaff41f-4e18-45b1-bb34-de6eb4943cf2 | MicrosoftThreatProtection |
| Hijack Execution Flow - DLL Side-Loading | 3084b487-fad6-4000-9544-6085b9657290 | MicrosoftThreatProtection |
| GitLab - External User Added to GitLab | c1544d8f-cbbd-4e35-8d32-5b9312279833 | Syslog |
| GitLab - User Impersonation | 0f4f16a2-b464-4c10-9a42-993da3e15a40 | Syslog |
| GitLab - Repository visibility to Public | 8b291c3d-90ba-4ebf-af2c-0283192d430e | Syslog |
| GSA Enriched Office 365 - External User Added and Removed in Short Timeframe | 1a8f1297-23a4-4f09-a20b-90af8fc3641a | AzureActiveDirectory, Office365 |
| GSA Enriched Office 365 - Malicious Inbox Rule | a9c76c8d-f60d-49ec-9b1f-bdfee6db3807 | AzureActiveDirectory, Office365 |
| GSA Enriched Office 365 - Office Policy Tampering | 0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb | AzureActiveDirectory, Office365 |
| GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations | 433c254d-4b84-46f7-99ec-9dfefb5f6a7b | AzureActiveDirectory, Office365 |
| External User Added and Removed in a Short Timeframe | 119d9e1c-afcc-4d23-b239-cdb4e7bf851c | AzureActiveDirectory |
| GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity | 49a4f65a-fe18-408e-afec-042fde93d3ce | AzureActiveDirectory |
| GCP IAM - New Service Account | a768aa52-453e-4e3e-80c2-62928d2e2f56 | GCPIAMDataConnector |
| GWorkspace - Admin permissions granted | 03f25156-6172-11ec-90d6-0242ac120003 | GoogleWorkspaceReportsAPI |
| GWorkspace - User access has been changed | 92fae638-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - Multiple user agents for single source | 6ff0e16e-5999-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - Unexpected OS update | c02b0c8e-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Illusive Incidents Analytic Rule | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 | Illusive, illusiveAttackManagementSystemAma, CefAma |
| Firmware Updates (Microsoft Defender for IoT) | 7cad4b66-5e83-4756-8de4-f21315ab1e77 | IoT |
| Unauthorized PLC changes (Microsoft Defender for IoT) | c2fb27c7-5f67-49c4-aaf3-d82934234a69 | IoT |
| [Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022 | 825991eb-ea39-4590-9de2-ee97ef42eb93 | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, AzureFirewall |
| [Deprecated] - Caramel Tsunami Actor IOC - July 2021 | 94749332-1ad9-49dd-a5ab-5ff2170788fc | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, SecurityEvents, Office365, AzureFirewall, WindowsFirewall, WindowsSecurityEvents, WindowsForwardedEvents |
| [Deprecated] - SUNSPOT log file creation | c0e84221-f240-4dd7-ab1e-37e034ea2a4e | MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| [Deprecated] - Tarrask malware IOC - April 2022 | caf78b95-d886-4ac3-957a-a7a3691ff4ed | CiscoASA, PaloAltoNetworks, MicrosoftThreatProtection, SecurityEvents |
| Detect Print Processors Registry Driver Key Creation/Modification | 7edde3d4-9859-4a00-b93c-b19ddda55320 | CrowdStrikeFalconEndpointProtection, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint, TrendMicroApexOne, TrendMicroApexOneAma |
| Detect Registry Run Key Creation/Modification | dd041e4e-1ee2-41ec-ba4e-82a71d628260 | CrowdStrikeFalconEndpointProtection, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint, TrendMicroApexOne, TrendMicroApexOneAma |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | McAfeeePO, SyslogAma |
| External user added and removed in short timeframe | bff093b2-500e-4ae5-bb49-a5b1423cbd5b | Office365 |
| Malicious Inbox Rule | 7b907bf7-77d4-41d0-a208-5643ff75bf9a | Office365 |
| Office Policy Tampering | fbd72eb8-087e-466b-bd54-1ca6ea08c6d3 | Office365 |
| Rare and potentially high-risk Office operations | 957cb240-f45d-4491-9ba5-93430a3c08be | Office365 |
| Dataverse - Anomalous application user activity | 0820da12-e895-417f-9175-7c256fcfb33e | Dataverse |
| Dataverse - Executable uploaded to SharePoint document management site | ba5e608f-7879-4927-8b0d-a9948b4fe6f3 | Office365 |
| Dataverse - New non-interactive identity granted access | 682e230c-e5da-4085-8666-701d1f1be7de | Dataverse, AzureActiveDirectory |
| Dataverse - Organization settings modified | a6f6b734-3db8-4259-a988-69e0b8eac0c2 | Dataverse |
| Dataverse - TI map URL to DataverseActivity | d88a0e22-3b6a-40c2-af28-c064b44d03b7 | Dataverse, ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence |
| F&O - Non-interactive account mapped to self or sensitive privileged user | 5b7cc7f9-fe54-4138-9fb0-d650807345d3 | Dynamics365Finance |
| Imminent Ransomware | bb46dd86-e642-48a4-975c-44f5ac2b5033 | |
| Bitsadmin Activity | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195 | MicrosoftThreatProtection |
| Account Creation | 450f4e56-5bba-4070-b9d9-9204ba9d777d | MicrosoftThreatProtection |
| Local Admin Group Changes | 63aa43c2-e88e-4102-aea5-0432851c541a | MicrosoftThreatProtection |
| Rare Process as a Service | 91a451e3-178f-41b2-9e5d-da97d75b9971 | MicrosoftThreatProtection |
| Potential Ransomware activity related to Cobalt Strike | 4bd9ce9d-8586-4beb-8fdb-bd018cacbe7d | MicrosoftThreatProtection |
| AV detections related to Tarrask malware | 1785d372-b9fe-4283-96a6-3a1d83cabfd1 | MicrosoftThreatProtection |
| Potential Build Process Compromise - MDE | 1bf6e165-5e32-420e-ab4f-0da8558a8be2 | MicrosoftThreatProtection |
| SUNBURST and SUPERNOVA backdoor hashes | a3c144f9-8051-47d4-ac29-ffb0c312c910 | MicrosoftThreatProtection |
| SUNBURST network beacons | ce1e7025-866c-41f3-9b08-ec170e05e73e | MicrosoftThreatProtection |
| TEARDROP memory-only dropper | 738702fd-0a66-42c7-8586-e30f0583f8fe | MicrosoftThreatProtection |
| SUNSPOT malware hashes | 53e936c6-6c30-4d12-8343-b8a0456e8429 | MicrosoftThreatProtection |
| Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory |
| Admin promotion after Role Management Application Permission Grant | f80d951a-eddc-4171-b9d0-d616bb83efdc | AzureActiveDirectory |
| Authentication Methods Changed for Privileged Account | 694c91ee-d606-4ba9-928e-405a2dd0ff0f | AzureActiveDirectory, BehaviorAnalytics |
| Microsoft Entra ID Role Management Permission Grant | 1ff56009-db01-4615-8211-d4fda21da02d | AzureActiveDirectory |
| Attempt to bypass conditional access rule in Microsoft Entra ID | 3af9285d-bb98-4a35-ad29-5ea39ba0c628 | AzureActiveDirectory |
| Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Added | 757e6a79-6d23-4ae6-9845-4dac170656b5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Deleted | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | c895c5b9-0fc6-40ce-9830-e8818862f2d5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Direct Settings Changed | 276d5190-38de-4eb2-9933-b3b72f4a5737 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | 229f71ba-d83b-42a5-b83b-11a641049ed1 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Direct Settings Changed | 0101e08d-99cd-4a97-a9e0-27649c4369ad | AzureActiveDirectory |
| Guest accounts added in Entra ID Groups other than the ones specified | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 | AzureActiveDirectory |
| Mail.Read Permissions Granted to Application | 2560515c-07d1-434e-87fb-ebe3af267760 | AzureActiveDirectory |
| NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory |
| NRT Authentication Methods Changed for VIP Users | 29e99017-e28d-47be-8b9a-c8c711f8a903 | AzureActiveDirectory |
| NRT PIM Elevation Request Rejected | 5db427b2-f406-4274-b413-e9fcb29412f8 | AzureActiveDirectory |
| NRT User added to Microsoft Entra ID Privileged Groups | 70fc7201-f28e-4ba7-b9ea-c04b96701f13 | AzureActiveDirectory |
| PIM Elevation Request Rejected | 7d7e20f8-3384-4b71-811c-f5e950e8306c | AzureActiveDirectory |
| Possible SignIn from Azure Backdoor | fa00014c-c5f4-4715-8f5b-ba567e19e41e | AzureActiveDirectory |
| Rare application consent | 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | AzureActiveDirectory |
| Sign-ins from IPs that attempt sign-ins to disabled accounts | 500c103a-0319-4d56-8e99-3cec8d860757 | AzureActiveDirectory, BehaviorAnalytics |
| External guest invitation followed by Microsoft Entra ID PowerShell signin | acc4c247-aaf7-494b-b5da-17f18863878a | AzureActiveDirectory |
| User added to Microsoft Entra ID Privileged Groups | 4d94d4a9-dc96-410a-8dea-4d4d4584188b | AzureActiveDirectory |
| User Assigned New Privileged Role | 746ddb63-f51b-4563-b449-a8b13cf302ec | AzureActiveDirectory |
| New User Assigned to Privileged Role | 050b9b3d-53d0-4364-a3da-1b678b8211ec | AzureActiveDirectory |
| VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
| Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
| Aqua Blizzard AV hits - Feb 2022 | 18dbdc22-b69f-4109-9e39-723d9465f45f | MicrosoftDefenderAdvancedThreatProtection |
| Mimecast Secure Email Gateway - Internal Email Protect | d3bd7640-3600-49f9-8d10-6fe312e68b4f | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition, AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity |
| Device Registration from Malicious IP | e36c6bd6-f86a-4282-93a5-b4a1b48dd849 | OktaSSO, OktaSSOv2 |
| High-Risk Admin Activity | 9f82a735-ae43-4c03-afb4-d5d153e1ace1 | OktaSSO, OktaSSOv2 |
| New Device/Location sign-in along with critical operation | 41e843a8-92e7-444d-8d72-638f1145d1e1 | OktaSSO, OktaSSOv2 |
| OracleDBAudit - New user account | cca7b348-e904-4a7a-8f26-d22d4d477119 | OracleDatabaseAudit, SyslogAma |
| OracleDBAudit - User activity after long inactivity time | 5e93a535-036b-4570-9e58-d8992f30e1ae | OracleDatabaseAudit, SyslogAma |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | CefAma |
| Ping Federate - New user SSO success login | 05282c91-7aaf-4d76-9a19-6dc582e6a411 | CefAma |
| Radiflow - Policy Violation Detected | a3f4cc3e-2403-4570-8d21-1dedd5632958 | RadiflowIsid |
| RecordedFuture Threat Hunting Hash All Actors | 6db6a8e6-2959-440b-ba57-a505875fcb37 | ThreatIntelligenceUploadIndicatorsAPI |
| RecordedFuture Threat Hunting Url All Actors | 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b | ThreatIntelligenceUploadIndicatorsAPI |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups | 0a627f29-f0dd-4924-be92-c3d6dac84367 | AzureActiveDirectory |
| Threat Essentials - User Assigned Privileged Role | b09795c9-8dce-47ab-8f75-5a4afb78ef0c | AzureActiveDirectory |
| Semperis DSP RBAC Changes | e5edf3f3-de53-45e6-b0d7-1ce1c048df4a | SemperisDSP |
| Semperis DSP Recent sIDHistory changes on AD objects | 64796da3-6383-4de2-9c97-866c83c459ae | SemperisDSP |
| SlackAudit - User role changed to admin or owner | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e | SlackAuditAPI |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF, SonicWallFirewall, CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| ApexOne - Possible exploit or execute operation | e289d762-6cc2-11ec-90d6-0242ac120003 | CefAma |
| Vectra Create Incident Based on Tag for Accounts | 87325835-dd8c-41e7-b686-fd5adbbd0aee | VectraXDR |
| Vectra Create Incident Based on Tag for Hosts | 8b7a1a64-8ef2-4000-b8c9-9bca3b93aace | VectraXDR |
| Vectra Create Detection Alert for Accounts | e796701f-6b39-4c54-bf8a-1d543a990784 | VectraXDR |
| Vectra Create Detection Alert for Hosts | fb861539-da19-4266-831f-99459b8e7605 | VectraXDR |
| Vectra Create Incident Based on Priority for Accounts | af6f2812-0187-4cc9-822a-952f8b5b6b7e | VectraXDR |
| Vectra Create Incident Based on Priority for Hosts | 9b51b0fb-0419-4450-9ea0-0a48751c4902 | VectraXDR |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | 6a71687f-00cf-44d3-93fc-8cbacc7b5615 | |
| Detect web requests to potentially harmful files (ASIM Web Session) | c6608467-3678-45fe-b038-b590ce6d00fb | |
| Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts | fbfbf530-506b-49a4-81ad-4030885a195c | MicrosoftDefenderAdvancedThreatProtection, AzureMonitor(IIS) |
| SUPERNOVA webshell | 2acc91c3-17c2-4388-938e-4eac2d5894e8 | AzureMonitor(IIS) |
| Caramel Tsunami Actor IOC - July 2021 | 066395ac-ef91-4993-8bf6-25c61ab0ca5a | WindowsForwardedEvents |
| AD user enabled and password not set within 48 hours | 62085097-d113-459f-9ea7-30216f2ee6af | SecurityEvents, WindowsSecurityEvents |
| Zinc Actor IOCs files - October 2022 | 9a7f6651-801b-491c-a548-8b454b356eaa | MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | 95543d6d-f00d-4193-a63f-4edeefb7ec36 | DNS, AzureMonitor(VMInsights), F5, CiscoASA, CiscoAsaAma, PaloAltoNetworks, Fortinet, CheckPoint, CEF, CefAma, MicrosoftThreatProtection, SecurityEvents, Office365, AzureFirewall, WindowsFirewall, WindowsFirewallAma, WindowsSecurityEvents, WindowsForwardedEvents |
| Zscaler - Connections by dormant user | 66bc77ee-3e45-11ec-9bbc-0242ac130002 | ZscalerPrivateAccess, CustomLogsAma |
| Zscaler - ZPA connections by new user | 236a7ec1-0120-40f2-a157-c1a72dde8bcb | ZscalerPrivateAccess, CustomLogsAma |
| Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) | 95002681-4ecb-4da3-9ece-26d7e5feaa33 | |
| SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) | bc5ffe2a-84d6-48fe-bc7b-1055100469bc | |
| Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events) | bdf04f58-242b-4729-b376-577c4bdf5d3a | |
| SUNBURST suspicious SolarWinds child processes (Normalized Process Events) | 631d02df-ab51-46c1-8d72-32d0cfec0720 | |
| Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) | a1bddaf8-982b-4089-ba9e-6590dfcf80ea | SquidProxy, Zscaler |
| Addition of a Temporary Access Pass to a Privileged Account | d7feb859-f03e-4e8d-8b21-617be0213b13 | AzureActiveDirectory, BehaviorAnalytics |
| Application ID URI Changed | 9fb2ee72-959f-4c2b-bc38-483affc539e4 | AzureActiveDirectory |
| Application Redirect URL Update | a1080fc1-13d1-479b-8340-255f0290d96c | AzureActiveDirectory |
| Changes to Application Logout URL | 492fbe35-cbac-4a8c-9059-826782e6915a | AzureActiveDirectory |
| Changes to Application Ownership | cc5780ce-3245-4bba-8bc1-e9048c2257ce | AzureActiveDirectory |
| End-user consent stopped due to risk-based consent | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a | AzureActiveDirectory |
| Guest Users Invited to Tenant by New Inviters | 572e75ef-5147-49d9-9d65-13f2ed1e3a86 | AzureActiveDirectory |
| URL Added to Application from Unknown Domain | 017e095a-94d8-430c-a047-e51a11fb737b | AzureActiveDirectory |
| User Account Created Using Incorrect Naming Format | ee55dc85-d2da-48c1-a6c0-3eaee62a8d56 | AzureActiveDirectory |
| User account created without expected attributes defined | dc99e38c-f4e9-4837-94d7-353ac0b01a77 | AzureActiveDirectory |
| User State changed from Guest to Member | a09a0b8e-30fe-4ebf-94a0-cffe50f579cd | AzureActiveDirectory |
| SUNBURST suspicious SolarWinds child processes | 4a3073ac-7383-48a9-90a8-eb6716183a54 | MicrosoftThreatProtection |
| Account created from non-approved sources | 99d589fa-7337-40d7-91a0-c96d0c4fa437 | AzureActiveDirectory |
| Anomalous login followed by Teams action | 2b701288-b428-4fb8-805e-e4372c574786 | Office365, AzureActiveDirectory |
| COM Registry Key Modified to Point to File in Color Profile Folder | ed8c9153-6f7a-4602-97b4-48c336b299e1 | MicrosoftThreatProtection, SecurityEvents |
| High risk Office operation conducted by IP Address that recently attempted to log into a disabled account | 9adbd1c3-a4be-44ef-ac2f-503fd25692ee | AzureActiveDirectory, Office365 |
| Unusual identity creation using exchange powershell | 0a3f4f4f-46ad-4562-acd6-f17730a5aef4 | SecurityEvents, MicrosoftThreatProtection |
| NRT Malicious Inbox Rule | b79f6190-d104-4691-b7db-823e05980895 | Office365 |
| Detect PIM Alert Disabling activity | 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50 | AzureActiveDirectory |
| Modification of Accessibility Features | d714ef62-1a56-4779-804f-91c4158e528d | SecurityEvents |
| AdminSDHolder Modifications | 52aec824-96c1-4a03-8e44-bb70532e6cea | SecurityEvents |
| DSRM Account Abuse | 979c42dd-533e-4ede-b18b-31a84ba8b3d6 | SecurityEvents |
| Group created then added to built in domain local or global group | a7564d76-ec6b-4519-a66b-fcc80c42332b | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Midnight Blizzard - suspicious rundll32.exe execution of vbscript | d82e1987-4356-4a7b-bc5e-064f29b143c0 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| AD account with Don’t Expire Password | 6c360107-f3ee-4b91-9f43-f4cfd90441cf | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Potential Build Process Compromise | 5ef06767-b37c-4818-b035-47de950d0046 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Account added and removed from privileged groups | 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| User account added to built in domain local or global group | a35f2c18-1b97-458f-ad26-e033af18eb99 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| User account created and deleted within 10 mins | 4b93c5af-d20b-4236-b696-a28b8c51407f | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| User account enabled and disabled within 10 mins | 3d023f64-8225-41a2-9570-2bd7c2c4535e | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| New user created and added to the built-in administrators group | aa1eff90-29d4-49dc-a3ea-b65199f516db | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| External User Access Enabled | 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3 | |