Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Tactics
  4. /
  5. Persistence

Persistence

Overview

Rule NameidRequired data connectors
Changes to internet facing AWS RDS Database instances8c2ef238-67a0-497d-b1dd-5c8a0f533e25AWS
AWSS3
Login to AWS Management Console without MFAd25b1998-a592-4bc5-8a3a-92b39eedb1bcAWS
AWSS3
Changes to AWS Security Group ingress and egress settings4f19d4e3-ec5f-4abc-9e61-819eb131758cAWS
AWSS3
Changes to AWS Elastic Load Balancer security groupsc7bfadd4-34a6-4fa5-82f8-3691a32261e8AWS
AWSS3
SAML update identity providerbce1dcba-4948-414d-8838-6385afb9d496AWS
NRT Login to AWS Management Console without MFA0ee2aafb-4500-4e36-bcb1-e90eec2f0b9bAWS
AWSS3
Jira - New site admin userb894593a-2b4c-4573-bc47-78715224a6f5JiraAuditAPI
Jira - New user created8c90f30f-c612-407c-91a0-c6a6b41ac199JiraAuditAPI
Jira - User’s password changed multiple times943176e8-b979-45c0-8ad3-58ba6cfd41f0JiraAuditAPI
Powershell Empire cmdlets seen in command lineef88eb96-861c-43a0-ab16-f3835a97c928SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Admin promotion after Role Management Application Permission Grantf80d951a-eddc-4171-b9d0-d616bb83efdcAzureActiveDirectory
Authentication Methods Changed for Privileged Account694c91ee-d606-4ba9-928e-405a2dd0ff0fAzureActiveDirectory
Azure AD Role Management Permission Grant1ff56009-db01-4615-8211-d4fda21da02dAzureActiveDirectory
Attempt to bypass conditional access rule in Azure AD3af9285d-bb98-4a35-ad29-5ea39ba0c628AzureActiveDirectory
Mail.Read Permissions Granted to Application2560515c-07d1-434e-87fb-ebe3af267760AzureActiveDirectory
NRT PIM Elevation Request Rejected5db427b2-f406-4274-b413-e9fcb29412f8AzureActiveDirectory
NRT User added to Azure Active Directory Privileged Groups70fc7201-f28e-4ba7-b9ea-c04b96701f13AzureActiveDirectory
PIM Elevation Request Rejected7d7e20f8-3384-4b71-811c-f5e950e8306cAzureActiveDirectory
Rare application consent83ba3057-9ea3-4759-bf6a-933f2e5bc7eeAzureActiveDirectory
Sign-ins from IPs that attempt sign-ins to disabled accounts500c103a-0319-4d56-8e99-3cec8d860757AzureActiveDirectory
External guest invitation followed by Azure AD PowerShell signinacc4c247-aaf7-494b-b5da-17f18863878aAzureActiveDirectory
User added to Azure Active Directory Privileged Groups4d94d4a9-dc96-410a-8dea-4d4d4584188bAzureActiveDirectory
User Assigned Privileged Role050b9b3d-53d0-4364-a3da-1b678b8211ecAzureActiveDirectory
Suspicious granting of permissions to an accountb2c15736-b9eb-4dae-8b02-3016b6a45a32AzureActivity
BehaviorAnalytics
Rare subscription-level operations in Azure23de46ea-c425-4a77-b456-511ae4855d69AzureActivity
Azure DevOps New Extension Addedbf07ca9c-e408-443a-8939-6860a45a929e
Azure DevOps Administrator Group Monitoring89e6adbd-612c-4fbe-bc3d-32f81baf3b6c
Azure DevOps Pull Request Policy Bypassing - Historic allow list4d8de9e6-263e-4845-8618-cd23a4f58b70
Azure DevOps Service Connection Addition/Abuse - Historic allow list5efb0cfd-063d-417a-803b-562eae5b0301
Azure DevOps Service Connection Abused564ff12-8f53-41b8-8649-44f76b37b99f
Box - New external userfd36ac88-cd92-4137-aa23-37a3648621faBoxDataConnector
CiscoISE - ISE administrator password has been resete63b4d90-d0a8-4609-b187-babfcc7f86d7CiscoISE
CiscoISE - Command executed with the highest privileges from new IP1fa0da3e-ec99-484f-aadb-93f59764e158CiscoISE
CiscoISE - Command executed with the highest privileges by new usere71890a2-5f61-4790-b1ed-cf1d92d3e398CiscoISE
Cisco Duo - Admin password reset413e49a5-b107-4698-8428-46b89308bd22CiscoDuoSecurity
Cisco Duo - Admin user created0724cb01-4866-483d-a149-eb400fe1daa8CiscoDuoSecurity
MFA disabled for a user65c78944-930b-4cae-bd79-c3664ae30ba7AzureActiveDirectory
AWS
New External User Granted Admind7424fd9-abb3-4ded-a723-eebe023aaa0bAzureActiveDirectory
Cloudflare - Unexpected POST requests7313352a-09f6-4a84-88bd-6f17f1cbeb8fCloudflareDataConnector
Corelight - Possible Webshellf3245aa1-1ca1-471c-a0b7-97ea6b791d5dCorelight
Corelight - Possible Webshell (Rare PUT or POST)db662e49-6e34-4d10-9d3c-5d04b5479658Corelight
Dynatrace Application Security - Code-Level runtime vulnerability detection305093b4-0fa2-57bc-bced-caea782a6e9cDynatraceRuntimeVulnerabilities
Dynatrace Application Security - Non-critical runtime vulnerability detectionff0af873-a2f2-4233-8412-0ef4e00b0156DynatraceRuntimeVulnerabilities
Dynatrace Application Security - Third-Party runtime vulnerability detectionaf99b078-124b-543a-9a50-66ef87c09f6aDynatraceRuntimeVulnerabilities
Registry Persistence via AppCert DLL Modificationc61ad0ac-ad68-4ebb-b41a-74296d3e0044SecurityEvents
Registry Persistence via AppInit DLLs Modification9367dff0-941d-44e2-8875-cb48570c7addSecurityEvents
Remote Scheduled Task Creation or Update using ATSVC Named Pipe7aad876a-a6fe-4c11-879e-8b29d35ff739SecurityEvents
Component Object Model Hijacking - Vault7 trick1aaff41f-4e18-45b1-bb34-de6eb4943cf2MicrosoftThreatProtection
Hijack Execution Flow - DLL Side-Loading3084b487-fad6-4000-9544-6085b9657290MicrosoftThreatProtection
GitLab - External User Added to GitLabc1544d8f-cbbd-4e35-8d32-5b9312279833Syslog
GitLab - User Impersonation0f4f16a2-b464-4c10-9a42-993da3e15a40Syslog
GitLab - Repository visibility to Public8b291c3d-90ba-4ebf-af2c-0283192d430eSyslog
GCP IAM - New Service Accounta768aa52-453e-4e3e-80c2-62928d2e2f56GCPIAMDataConnector
GWorkspace - Admin permissions granted03f25156-6172-11ec-90d6-0242ac120003GoogleWorkspaceReportsAPI
GWorkspace - User access has been changed92fae638-5da8-11ec-bf63-0242ac130002GoogleWorkspaceReportsAPI
GWorkspace - Multiple user agents for single source6ff0e16e-5999-11ec-bf63-0242ac130002GoogleWorkspaceReportsAPI
Firmware Updates (Microsoft Defender for IoT)7cad4b66-5e83-4756-8de4-f21315ab1e77IoT
Unauthorized PLC changes (Microsoft Defender for IoT)c2fb27c7-5f67-49c4-aaf3-d82934234a69IoT
ACTINIUM Actor IOCs - Feb 2022825991eb-ea39-4590-9de2-ee97ef42eb93DNS
AzureMonitor(VMInsights)
F5
CiscoASA
PaloAltoNetworks
Fortinet
CheckPoint
CEF
MicrosoftThreatProtection
SecurityEvents
AzureFirewall
SOURGUM Actor IOC - July 202194749332-1ad9-49dd-a5ab-5ff2170788fcDNS
AzureMonitor(VMInsights)
F5
CiscoASA
PaloAltoNetworks
Fortinet
CheckPoint
CEF
MicrosoftThreatProtection
SecurityEvents
Office365
AzureFirewall
WindowsFirewall
WindowsSecurityEvents
WindowsForwardedEvents
SUNSPOT log file creationc0e84221-f240-4dd7-ab1e-37e034ea2a4eMicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Tarrask malware IOC - April 2022caf78b95-d886-4ac3-957a-a7a3691ff4edCiscoASA
PaloAltoNetworks
MicrosoftThreatProtection
SecurityEvents
McAfee ePO - Multiple threats on same hostf53e5168-afdb-4fad-b29a-bb9cb71ec460McAfeeePO
External user added and removed in short timeframebff093b2-500e-4ae5-bb49-a5b1423cbd5bOffice365
Malicious Inbox Rule7b907bf7-77d4-41d0-a208-5643ff75bf9aOffice365
Office policy tamperingfbd72eb8-087e-466b-bd54-1ca6ea08c6d3Office365
Rare and potentially high-risk Office operations957cb240-f45d-4491-9ba5-93430a3c08beOffice365
AV detections related to Tarrask malware1785d372-b9fe-4283-96a6-3a1d83cabfd1MicrosoftThreatProtection
Potential Build Process Compromise - MDE1bf6e165-5e32-420e-ab4f-0da8558a8be2MicrosoftThreatProtection
SUNBURST and SUPERNOVA backdoor hashesa3c144f9-8051-47d4-ac29-ffb0c312c910MicrosoftThreatProtection
SUNBURST network beaconsce1e7025-866c-41f3-9b08-ec170e05e73eMicrosoftThreatProtection
TEARDROP memory-only dropper738702fd-0a66-42c7-8586-e30f0583f8feMicrosoftThreatProtection
SUNSPOT malware hashes53e936c6-6c30-4d12-8343-b8a0456e8429MicrosoftThreatProtection
VIP Mailbox manipulation5170c3c4-b8c9-485c-910d-a21d965ee181ESI-ExchangeAdminAuditLogEvents
Server Oriented Cmdlet And User Oriented Cmdlet used7bce901b-9bc8-4948-8dfc-8f68878092d5ESI-ExchangeAdminAuditLogEvents
ACTINIUM AV hits - Feb 202218dbdc22-b69f-4109-9e39-723d9465f45fMicrosoftDefenderAdvancedThreatProtection
SUNBURST suspicious SolarWinds child processes4a3073ac-7383-48a9-90a8-eb6716183a54MicrosoftThreatProtection
OracleDBAudit - New user accountcca7b348-e904-4a7a-8f26-d22d4d477119OracleDatabaseAudit
OracleDBAudit - User activity after long inactivity time5e93a535-036b-4570-9e58-d8992f30e1aeOracleDatabaseAudit
Ping Federate - Abnormal password resets for user6145efdc-4724-42a6-9756-5bd1ba33982ePingFederate
Ping Federate - New user SSO success login05282c91-7aaf-4d76-9a19-6dc582e6a411PingFederate
Red Canary Threat Detection6d263abb-6445-45cc-93e9-c593d3d77b89RedCanaryDataConnector
Threat Essentials - NRT User added to Azure Active Directory Privileged Groups0a627f29-f0dd-4924-be92-c3d6dac84367AzureActiveDirectory
Threat Essentials - User Assigned Privileged Roleb09795c9-8dce-47ab-8f75-5a4afb78ef0cAzureActiveDirectory
SlackAudit - Unknown User Agent3b11f06e-4afd-4ae6-8477-c61136619ac8SlackAuditAPI
SlackAudit - User role changed to admin or ownerbe6c5fc9-2ac3-43e6-8fb0-cb139e04e43eSlackAuditAPI
SlackAudit - User login after deactivated.e6e99dcb-4dff-48d2-8012-206ca166b36bSlackAuditAPI
ApexOne - Possible exploit or execute operatione289d762-6cc2-11ec-90d6-0242ac120003TrendMicroApexOne
SOURGUM Actor IOC - July 2021066395ac-ef91-4993-8bf6-25c61ab0ca5aWindowsForwardedEvents
AD user enabled and password not set within 48 hours62085097-d113-459f-9ea7-30216f2ee6afSecurityEvents
WindowsSecurityEvents
Zinc Actor IOCs files - October 20229a7f6651-801b-491c-a548-8b454b356eaaMicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
Zinc Actor IOCs domains hashes IPs and useragent - October 202295543d6d-f00d-4193-a63f-4edeefb7ec36DNS
AzureMonitor(VMInsights)
F5
CiscoASA
PaloAltoNetworks
Fortinet
CheckPoint
CEF
MicrosoftThreatProtection
SecurityEvents
Office365
AzureFirewall
WindowsFirewall
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler - Connections by dormant user66bc77ee-3e45-11ec-9bbc-0242ac130002ZscalerPrivateAccess
Zscaler - ZPA connections by new user236a7ec1-0120-40f2-a157-c1a72dde8bcbZscalerPrivateAccess
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)95002681-4ecb-4da3-9ece-26d7e5feaa33
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)bc5ffe2a-84d6-48fe-bc7b-1055100469bc
NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)bdf04f58-242b-4729-b376-577c4bdf5d3a
SUNBURST suspicious SolarWinds child processes (Normalized Process Events)631d02df-ab51-46c1-8d72-32d0cfec0720
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)a1bddaf8-982b-4089-ba9e-6590dfcf80eaSquidProxy
Zscaler
Account Elevated to New Rolec1c66f0b-5531-4a3e-a619-9d2f770ef730AzureActiveDirectory
Addition of a Temporary Access Pass to a Privileged Accountd7feb859-f03e-4e8d-8b21-617be0213b13AzureActiveDirectory
BehaviorAnalytics
Application ID URI Changed9fb2ee72-959f-4c2b-bc38-483affc539e4AzureActiveDirectory
Application Redirect URL Updatea1080fc1-13d1-479b-8340-255f0290d96cAzureActiveDirectory
Authentication Method Changed for Privileged Accountfeb0a2fb-ae75-4343-8cbc-ed545f1da289AzureActiveDirectory
BehaviorAnalytics
Changes to Application Logout URL492fbe35-cbac-4a8c-9059-826782e6915aAzureActiveDirectory
Changes to Application Ownershipcc5780ce-3245-4bba-8bc1-e9048c2257ceAzureActiveDirectory
Cross-tenant Access Settings Organization Added757e6a79-6d23-4ae6-9845-4dac170656b5AzureActiveDirectory
Cross-tenant Access Settings Organization Deletedeb8a9c1c-f532-4630-817c-1ecd8a60ed80AzureActiveDirectory
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changedc895c5b9-0fc6-40ce-9830-e8818862f2d5AzureActiveDirectory
Cross-tenant Access Settings Organization Inbound Direct Settings Changed276d5190-38de-4eb2-9933-b3b72f4a5737AzureActiveDirectory
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed229f71ba-d83b-42a5-b83b-11a641049ed1AzureActiveDirectory
Cross-tenant Access Settings Organization Outbound Direct Settings Changed0101e08d-99cd-4a97-a9e0-27649c4369adAzureActiveDirectory
End-user consent stopped due to risk-based consent009b9bae-23dd-43c4-bcb9-11c4ba7c784aAzureActiveDirectory
Guest accounts added in AAD Groups other than the ones specified6ab1f7b2-61b8-442f-bc81-96afe7ad8c53AzureActiveDirectory
Guest Users Invited to Tenant by New Inviters572e75ef-5147-49d9-9d65-13f2ed1e3a86AzureActiveDirectory
NRT Authentication Methods Changed for VIP Users29e99017-e28d-47be-8b9a-c8c711f8a903AzureActiveDirectory
URL Added to Application from Unknown Domain017e095a-94d8-430c-a047-e51a11fb737bAzureActiveDirectory
User Account Created Using Incorrect Naming Formatee55dc85-d2da-48c1-a6c0-3eaee62a8d56AzureActiveDirectory
User account created without expected attributes defineddc99e38c-f4e9-4837-94d7-353ac0b01a77AzureActiveDirectory
User State changed from Guest to Membera09a0b8e-30fe-4ebf-94a0-cffe50f579cdAzureActiveDirectory
Wazuh - Large Number of Web errors from an IP2790795b-7dba-483e-853f-44aa0bc9c985
SUNBURST suspicious SolarWinds child processes4a3073ac-7383-48a9-90a8-eb6716183a54MicrosoftThreatProtection
Account created from non-approved sources99d589fa-7337-40d7-91a0-c96d0c4fa437AzureActiveDirectory
Anomalous login followed by Teams action2b701288-b428-4fb8-805e-e4372c574786Office365
AzureActiveDirectory
COM Registry Key Modified to Point to File in Color Profile Foldered8c9153-6f7a-4602-97b4-48c336b299e1MicrosoftThreatProtection
SecurityEvents
DEV-0270 New User Creation7965f0be-c039-4d18-8ee8-9a6add8aecf3SecurityEvents
MicrosoftThreatProtection
Unusual identity creation using exchange powershell0a3f4f4f-46ad-4562-acd6-f17730a5aef4SecurityEvents
MicrosoftThreatProtection
NRT Malicious Inbox Ruleb79f6190-d104-4691-b7db-823e05980895Office365
Detect PIM Alert Disabling activity1f3b4dfd-21ff-4ed3-8e27-afc219e05c50AzureActiveDirectory
Modification of Accessibility Featuresd714ef62-1a56-4779-804f-91c4158e528dSecurityEvents
AdminSDHolder Modifications52aec824-96c1-4a03-8e44-bb70532e6ceaSecurityEvents
DSRM Account Abuse979c42dd-533e-4ede-b18b-31a84ba8b3d6SecurityEvents
Group created then added to built in domain local or global groupa7564d76-ec6b-4519-a66b-fcc80c42332bSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
NOBELIUM - suspicious rundll32.exe execution of vbscriptd82e1987-4356-4a7b-bc5e-064f29b143c0SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
AD account with Don’t Expire Password6c360107-f3ee-4b91-9f43-f4cfd90441cfSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Potential Build Process Compromise5ef06767-b37c-4818-b035-47de950d0046SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Account added and removed from privileged groups7efc75ce-e2a4-400f-a8b1-283d3b0f2c60SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
User account added to built in domain local or global groupa35f2c18-1b97-458f-ad26-e033af18eb99SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
User account created and deleted within 10 mins4b93c5af-d20b-4236-b696-a28b8c51407fSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
User account enabled and disabled within 10 mins3d023f64-8225-41a2-9570-2bd7c2c4535eSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
New user created and added to the built-in administrators groupaa1eff90-29d4-49dc-a3ea-b65199f516dbSecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alertsfbfbf530-506b-49a4-81ad-4030885a195cMicrosoftDefenderAdvancedThreatProtection
AzureMonitor(IIS)
SUPERNOVA webshell2acc91c3-17c2-4388-938e-4eac2d5894e8AzureMonitor(IIS)
External User Access Enabled8e267e91-6bda-4b3c-bf68-9f5cbdd103a3
Suspicious link sharing pattern1218175f-c534-421c-8070-5dcaabf28067