Persistence
| Rule Name | id | Required data connectors |
|---|---|---|
| Changes to internet facing AWS RDS Database instances | 8c2ef238-67a0-497d-b1dd-5c8a0f533e25 | AWS AWSS3 |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS AWSS3 |
| Changes to AWS Security Group ingress and egress settings | 4f19d4e3-ec5f-4abc-9e61-819eb131758c | AWS AWSS3 |
| Changes to AWS Elastic Load Balancer security groups | c7bfadd4-34a6-4fa5-82f8-3691a32261e8 | AWS AWSS3 |
| SAML update identity provider | bce1dcba-4948-414d-8838-6385afb9d496 | AWS |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS AWSS3 |
| Jira - New site admin user | b894593a-2b4c-4573-bc47-78715224a6f5 | JiraAuditAPI |
| Jira - New user created | 8c90f30f-c612-407c-91a0-c6a6b41ac199 | JiraAuditAPI |
| Jira - User’s password changed multiple times | 943176e8-b979-45c0-8ad3-58ba6cfd41f0 | JiraAuditAPI |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Admin promotion after Role Management Application Permission Grant | f80d951a-eddc-4171-b9d0-d616bb83efdc | AzureActiveDirectory |
| Authentication Methods Changed for Privileged Account | 694c91ee-d606-4ba9-928e-405a2dd0ff0f | AzureActiveDirectory |
| Azure AD Role Management Permission Grant | 1ff56009-db01-4615-8211-d4fda21da02d | AzureActiveDirectory |
| Attempt to bypass conditional access rule in Azure AD | 3af9285d-bb98-4a35-ad29-5ea39ba0c628 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Added | 757e6a79-6d23-4ae6-9845-4dac170656b5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Deleted | eb8a9c1c-f532-4630-817c-1ecd8a60ed80 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | c895c5b9-0fc6-40ce-9830-e8818862f2d5 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Inbound Direct Settings Changed | 276d5190-38de-4eb2-9933-b3b72f4a5737 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | 229f71ba-d83b-42a5-b83b-11a641049ed1 | AzureActiveDirectory |
| Cross-tenant Access Settings Organization Outbound Direct Settings Changed | 0101e08d-99cd-4a97-a9e0-27649c4369ad | AzureActiveDirectory |
| Guest accounts added in AAD Groups other than the ones specified | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 | AzureActiveDirectory |
| Mail.Read Permissions Granted to Application | 2560515c-07d1-434e-87fb-ebe3af267760 | AzureActiveDirectory |
| NRT Authentication Methods Changed for VIP Users | 29e99017-e28d-47be-8b9a-c8c711f8a903 | AzureActiveDirectory |
| NRT PIM Elevation Request Rejected | 5db427b2-f406-4274-b413-e9fcb29412f8 | AzureActiveDirectory |
| NRT User added to Azure Active Directory Privileged Groups | 70fc7201-f28e-4ba7-b9ea-c04b96701f13 | AzureActiveDirectory |
| PIM Elevation Request Rejected | 7d7e20f8-3384-4b71-811c-f5e950e8306c | AzureActiveDirectory |
| Rare application consent | 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | AzureActiveDirectory |
| Sign-ins from IPs that attempt sign-ins to disabled accounts | 500c103a-0319-4d56-8e99-3cec8d860757 | AzureActiveDirectory BehaviorAnalytics |
| External guest invitation followed by Azure AD PowerShell signin | acc4c247-aaf7-494b-b5da-17f18863878a | AzureActiveDirectory |
| User added to Azure Active Directory Privileged Groups | 4d94d4a9-dc96-410a-8dea-4d4d4584188b | AzureActiveDirectory |
| User Assigned Privileged Role | 050b9b3d-53d0-4364-a3da-1b678b8211ec | AzureActiveDirectory |
| Suspicious granting of permissions to an account | b2c15736-b9eb-4dae-8b02-3016b6a45a32 | AzureActivity BehaviorAnalytics |
| Rare subscription-level operations in Azure | 23de46ea-c425-4a77-b456-511ae4855d69 | AzureActivity |
| Azure DevOps New Extension Added | bf07ca9c-e408-443a-8939-6860a45a929e | |
| Azure DevOps Administrator Group Monitoring | 89e6adbd-612c-4fbe-bc3d-32f81baf3b6c | |
| Azure DevOps Pull Request Policy Bypassing - Historic allow list | 4d8de9e6-263e-4845-8618-cd23a4f58b70 | |
| Azure DevOps Service Connection Addition/Abuse - Historic allow list | 5efb0cfd-063d-417a-803b-562eae5b0301 | |
| Azure DevOps Service Connection Abuse | d564ff12-8f53-41b8-8649-44f76b37b99f | |
| Box - New external user | fd36ac88-cd92-4137-aa23-37a3648621fa | BoxDataConnector |
| Account Elevated to New Role | c1c66f0b-5531-4a3e-a619-9d2f770ef730 | AzureActiveDirectory |
| Authentication Method Changed for Privileged Account | feb0a2fb-ae75-4343-8cbc-ed545f1da289 | AzureActiveDirectory BehaviorAnalytics |
| Malicious BEC Inbox Rule | 8ac77493-3cae-4840-8634-15fb23f8fb68 | Office365 |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | CiscoISE |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | CiscoISE |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | CiscoISE |
| Cisco Duo - Admin password reset | 413e49a5-b107-4698-8428-46b89308bd22 | CiscoDuoSecurity |
| Cisco Duo - Admin user created | 0724cb01-4866-483d-a149-eb400fe1daa8 | CiscoDuoSecurity |
| Multi-Factor Authentication Disabled for a User | 65c78944-930b-4cae-bd79-c3664ae30ba7 | AzureActiveDirectory AWS |
| New External User Granted Admin Role | d7424fd9-abb3-4ded-a723-eebe023aaa0b | AzureActiveDirectory |
| Cloudflare - Unexpected POST requests | 7313352a-09f6-4a84-88bd-6f17f1cbeb8f | CloudflareDataConnector |
| Corelight - Possible Webshell | f3245aa1-1ca1-471c-a0b7-97ea6b791d5d | Corelight |
| Corelight - Possible Webshell (Rare PUT or POST) | db662e49-6e34-4d10-9d3c-5d04b5479658 | Corelight |
| Dataminr - urgent alerts detected | 64a46029-3236-4d03-b5df-207366a623f1 | DataminrPulseAlerts |
| DEV-0270 New User Creation | 7965f0be-c039-4d18-8ee8-9a6add8aecf3 | SecurityEvents MicrosoftThreatProtection |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend |
| Registry Persistence via AppCert DLL Modification | c61ad0ac-ad68-4ebb-b41a-74296d3e0044 | SecurityEvents |
| Registry Persistence via AppInit DLLs Modification | 9367dff0-941d-44e2-8875-cb48570c7add | SecurityEvents |
| Component Object Model Hijacking - Vault7 trick | 1aaff41f-4e18-45b1-bb34-de6eb4943cf2 | MicrosoftThreatProtection |
| Hijack Execution Flow - DLL Side-Loading | 3084b487-fad6-4000-9544-6085b9657290 | MicrosoftThreatProtection |
| GitLab - External User Added to GitLab | c1544d8f-cbbd-4e35-8d32-5b9312279833 | Syslog |
| GitLab - User Impersonation | 0f4f16a2-b464-4c10-9a42-993da3e15a40 | Syslog |
| GitLab - Repository visibility to Public | 8b291c3d-90ba-4ebf-af2c-0283192d430e | Syslog |
| GCP IAM - New Service Account | a768aa52-453e-4e3e-80c2-62928d2e2f56 | GCPIAMDataConnector |
| GWorkspace - Admin permissions granted | 03f25156-6172-11ec-90d6-0242ac120003 | GoogleWorkspaceReportsAPI |
| GWorkspace - User access has been changed | 92fae638-5da8-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - Multiple user agents for single source | 6ff0e16e-5999-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Firmware Updates (Microsoft Defender for IoT) | 7cad4b66-5e83-4756-8de4-f21315ab1e77 | IoT |
| Unauthorized PLC changes (Microsoft Defender for IoT) | c2fb27c7-5f67-49c4-aaf3-d82934234a69 | IoT |
| [Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022 | 825991eb-ea39-4590-9de2-ee97ef42eb93 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents AzureFirewall |
| [Deprecated] - Caramel Tsunami Actor IOC - July 2021 | 94749332-1ad9-49dd-a5ab-5ff2170788fc | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall WindowsSecurityEvents WindowsForwardedEvents |
| [Deprecated] - SUNSPOT log file creation | c0e84221-f240-4dd7-ab1e-37e034ea2a4e | MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| [Deprecated] - Tarrask malware IOC - April 2022 | caf78b95-d886-4ac3-957a-a7a3691ff4ed | CiscoASA PaloAltoNetworks MicrosoftThreatProtection SecurityEvents |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | McAfeeePO |
| External user added and removed in short timeframe | bff093b2-500e-4ae5-bb49-a5b1423cbd5b | Office365 |
| Malicious Inbox Rule | 7b907bf7-77d4-41d0-a208-5643ff75bf9a | Office365 |
| Office policy tampering | fbd72eb8-087e-466b-bd54-1ca6ea08c6d3 | Office365 |
| Rare and potentially high-risk Office operations | 957cb240-f45d-4491-9ba5-93430a3c08be | Office365 |
| AV detections related to Tarrask malware | 1785d372-b9fe-4283-96a6-3a1d83cabfd1 | MicrosoftThreatProtection |
| Potential Build Process Compromise - MDE | 1bf6e165-5e32-420e-ab4f-0da8558a8be2 | MicrosoftThreatProtection |
| SUNBURST and SUPERNOVA backdoor hashes | a3c144f9-8051-47d4-ac29-ffb0c312c910 | MicrosoftThreatProtection |
| SUNBURST network beacons | ce1e7025-866c-41f3-9b08-ec170e05e73e | MicrosoftThreatProtection |
| TEARDROP memory-only dropper | 738702fd-0a66-42c7-8586-e30f0583f8fe | MicrosoftThreatProtection |
| SUNSPOT malware hashes | 53e936c6-6c30-4d12-8343-b8a0456e8429 | MicrosoftThreatProtection |
| VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
| Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
| Aqua Blizzard AV hits - Feb 2022 | 18dbdc22-b69f-4109-9e39-723d9465f45f | MicrosoftDefenderAdvancedThreatProtection |
| SUNBURST suspicious SolarWinds child processes | 4a3073ac-7383-48a9-90a8-eb6716183a54 | MicrosoftThreatProtection |
| Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
| Device Registration from Malicious IP | e36c6bd6-f86a-4282-93a5-b4a1b48dd849 | OktaSSO |
| High-Risk Admin Activity | 9f82a735-ae43-4c03-afb4-d5d153e1ace1 | OktaSSO |
| New Device/Location sign-in along with critical operation | 41e843a8-92e7-444d-8d72-638f1145d1e1 | OktaSSO |
| OracleDBAudit - New user account | cca7b348-e904-4a7a-8f26-d22d4d477119 | OracleDatabaseAudit |
| OracleDBAudit - User activity after long inactivity time | 5e93a535-036b-4570-9e58-d8992f30e1ae | OracleDatabaseAudit |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | PingFederate PingFederateAma |
| Ping Federate - New user SSO success login | 05282c91-7aaf-4d76-9a19-6dc582e6a411 | PingFederate PingFederateAma |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - NRT User added to Azure Active Directory Privileged Groups | 0a627f29-f0dd-4924-be92-c3d6dac84367 | AzureActiveDirectory |
| Threat Essentials - User Assigned Privileged Role | b09795c9-8dce-47ab-8f75-5a4afb78ef0c | AzureActiveDirectory |
| SlackAudit - Unknown User Agent | 3b11f06e-4afd-4ae6-8477-c61136619ac8 | SlackAuditAPI |
| SlackAudit - User role changed to admin or owner | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e | SlackAuditAPI |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI |
| ApexOne - Possible exploit or execute operation | e289d762-6cc2-11ec-90d6-0242ac120003 | TrendMicroApexOne TrendMicroApexOneAma |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | 6a71687f-00cf-44d3-93fc-8cbacc7b5615 | |
| Detect web requests to potentially harmful files (ASIM Web Session) | c6608467-3678-45fe-b038-b590ce6d00fb | |
| Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts | fbfbf530-506b-49a4-81ad-4030885a195c | MicrosoftDefenderAdvancedThreatProtection AzureMonitor(IIS) |
| SUPERNOVA webshell | 2acc91c3-17c2-4388-938e-4eac2d5894e8 | AzureMonitor(IIS) |
| Caramel Tsunami Actor IOC - July 2021 | 066395ac-ef91-4993-8bf6-25c61ab0ca5a | WindowsForwardedEvents |
| AD user enabled and password not set within 48 hours | 62085097-d113-459f-9ea7-30216f2ee6af | SecurityEvents WindowsSecurityEvents |
| Zinc Actor IOCs files - October 2022 | 9a7f6651-801b-491c-a548-8b454b356eaa | MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | 95543d6d-f00d-4193-a63f-4edeefb7ec36 | DNS AzureMonitor(VMInsights) F5 CiscoASA PaloAltoNetworks Fortinet CheckPoint CEF MicrosoftThreatProtection SecurityEvents Office365 AzureFirewall WindowsFirewall WindowsSecurityEvents WindowsForwardedEvents |
| Zscaler - Connections by dormant user | 66bc77ee-3e45-11ec-9bbc-0242ac130002 | ZscalerPrivateAccess |
| Zscaler - ZPA connections by new user | 236a7ec1-0120-40f2-a157-c1a72dde8bcb | ZscalerPrivateAccess |
| Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) | 95002681-4ecb-4da3-9ece-26d7e5feaa33 | |
| SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) | bc5ffe2a-84d6-48fe-bc7b-1055100469bc | |
| Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events) | bdf04f58-242b-4729-b376-577c4bdf5d3a | |
| SUNBURST suspicious SolarWinds child processes (Normalized Process Events) | 631d02df-ab51-46c1-8d72-32d0cfec0720 | |
| Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) | a1bddaf8-982b-4089-ba9e-6590dfcf80ea | SquidProxy Zscaler |
| Addition of a Temporary Access Pass to a Privileged Account | d7feb859-f03e-4e8d-8b21-617be0213b13 | AzureActiveDirectory BehaviorAnalytics |
| Application ID URI Changed | 9fb2ee72-959f-4c2b-bc38-483affc539e4 | AzureActiveDirectory |
| Application Redirect URL Update | a1080fc1-13d1-479b-8340-255f0290d96c | AzureActiveDirectory |
| Changes to Application Logout URL | 492fbe35-cbac-4a8c-9059-826782e6915a | AzureActiveDirectory |
| Changes to Application Ownership | cc5780ce-3245-4bba-8bc1-e9048c2257ce | AzureActiveDirectory |
| End-user consent stopped due to risk-based consent | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a | AzureActiveDirectory |
| Guest Users Invited to Tenant by New Inviters | 572e75ef-5147-49d9-9d65-13f2ed1e3a86 | AzureActiveDirectory |
| URL Added to Application from Unknown Domain | 017e095a-94d8-430c-a047-e51a11fb737b | AzureActiveDirectory |
| User Account Created Using Incorrect Naming Format | ee55dc85-d2da-48c1-a6c0-3eaee62a8d56 | AzureActiveDirectory |
| User account created without expected attributes defined | dc99e38c-f4e9-4837-94d7-353ac0b01a77 | AzureActiveDirectory |
| User State changed from Guest to Member | a09a0b8e-30fe-4ebf-94a0-cffe50f579cd | AzureActiveDirectory |
| Wazuh - Large Number of Web errors from an IP | 2790795b-7dba-483e-853f-44aa0bc9c985 | |
| SUNBURST suspicious SolarWinds child processes | 4a3073ac-7383-48a9-90a8-eb6716183a54 | MicrosoftThreatProtection |
| Account created from non-approved sources | 99d589fa-7337-40d7-91a0-c96d0c4fa437 | AzureActiveDirectory |
| Anomalous login followed by Teams action | 2b701288-b428-4fb8-805e-e4372c574786 | Office365 AzureActiveDirectory |
| COM Registry Key Modified to Point to File in Color Profile Folder | ed8c9153-6f7a-4602-97b4-48c336b299e1 | MicrosoftThreatProtection SecurityEvents |
| Unusual identity creation using exchange powershell | 0a3f4f4f-46ad-4562-acd6-f17730a5aef4 | SecurityEvents MicrosoftThreatProtection |
| NRT Malicious Inbox Rule | b79f6190-d104-4691-b7db-823e05980895 | Office365 |
| Detect PIM Alert Disabling activity | 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50 | AzureActiveDirectory |
| Modification of Accessibility Features | d714ef62-1a56-4779-804f-91c4158e528d | SecurityEvents |
| AdminSDHolder Modifications | 52aec824-96c1-4a03-8e44-bb70532e6cea | SecurityEvents |
| DSRM Account Abuse | 979c42dd-533e-4ede-b18b-31a84ba8b3d6 | SecurityEvents |
| Group created then added to built in domain local or global group | a7564d76-ec6b-4519-a66b-fcc80c42332b | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Midnight Blizzard - suspicious rundll32.exe execution of vbscript | d82e1987-4356-4a7b-bc5e-064f29b143c0 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| AD account with Don’t Expire Password | 6c360107-f3ee-4b91-9f43-f4cfd90441cf | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Potential Build Process Compromise | 5ef06767-b37c-4818-b035-47de950d0046 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| Account added and removed from privileged groups | 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account added to built in domain local or global group | a35f2c18-1b97-458f-ad26-e033af18eb99 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account created and deleted within 10 mins | 4b93c5af-d20b-4236-b696-a28b8c51407f | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| User account enabled and disabled within 10 mins | 3d023f64-8225-41a2-9570-2bd7c2c4535e | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| New user created and added to the built-in administrators group | aa1eff90-29d4-49dc-a3ea-b65199f516db | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| External User Access Enabled | 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3 | |
| Suspicious link sharing pattern | 1218175f-c534-421c-8070-5dcaabf28067 |