Privilege Escalation
| Rule Name | id | Required data connectors | Id |
|---|---|---|---|
| 1Password - Potential insider privilege escalation via group | 398a1cf1-f56f-4700-912c-9bf4c8409ebc | 1Password | 398a1cf1-f56f-4700-912c-9bf4c8409ebc |
| 1Password - Potential insider privilege escalation via vault | a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed | 1Password | a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed |
| Changes to Amazon VPC settings | 65360bb0-8986-4ade-a89d-af3cf44d28aa | AWS AWSS3 | 65360bb0-8986-4ade-a89d-af3cf44d28aa |
| Login to AWS Management Console without MFA | d25b1998-a592-4bc5-8a3a-92b39eedb1bc | AWS AWSS3 | d25b1998-a592-4bc5-8a3a-92b39eedb1bc |
| CloudFormation policy created then used for privilege escalation | efdc3cff-f006-426f-97fd-4657862f7b9a | AWS | efdc3cff-f006-426f-97fd-4657862f7b9a |
| Creation of CRUD DynamoDB policy and then privilege escalation. | 6f675c17-7a61-440c-abd1-c73ef4d748ec | AWS | 6f675c17-7a61-440c-abd1-c73ef4d748ec |
| Creation of new CRUD IAM policy and then privilege escalation. | 8a607285-d95c-473d-8aab-59920de63af6 | AWS | 8a607285-d95c-473d-8aab-59920de63af6 |
| Creation of CRUD KMS policy and then privilege escalation | 8e15998e-1e32-4b6d-abd1-e8482e8f3def | AWS | 8e15998e-1e32-4b6d-abd1-e8482e8f3def |
| Created CRUD S3 policy and then privilege escalation | 467cbe7e-e6d4-4f4e-8e44-84dd01932c32 | AWS | 467cbe7e-e6d4-4f4e-8e44-84dd01932c32 |
| Creation of CRUD Lambda policy and then privilege escalation | 22115d3c-e87c-485a-9130-33797d619124 | AWS | 22115d3c-e87c-485a-9130-33797d619124 |
| Creation of DataPipeline policy and then privilege escalation. | 6009c632-94e9-4ffb-a11a-b4b99f457f88 | AWS | 6009c632-94e9-4ffb-a11a-b4b99f457f88 |
| Creation of EC2 policy and then privilege escalation | a694e977-740c-4578-9f8f-5e39029f1d23 | AWS | a694e977-740c-4578-9f8f-5e39029f1d23 |
| Creation of Glue policy and then privilege escalation | 56626956-304f-4408-8ea6-7ba5746ce09e | AWS | 56626956-304f-4408-8ea6-7ba5746ce09e |
| Creation of Lambda policy and then privilege escalation | 796a45ee-220b-42be-8415-c8c933cf3b6d | AWS | 796a45ee-220b-42be-8415-c8c933cf3b6d |
| Creation of SSM policy and then privilege escalation | aaa2c05e-fdd4-4fa0-9072-6cffe3641b34 | AWS | aaa2c05e-fdd4-4fa0-9072-6cffe3641b34 |
| Full Admin policy created and then attached to Roles, Users or Groups | 826bb2f8-7894-4785-9a6b-a8a855d8366f | AWS AWSS3 | 826bb2f8-7894-4785-9a6b-a8a855d8366f |
| Privilege escalation with AdministratorAccess managed policy | 139e7116-3884-4246-9978-c8f740770bdf | AWS | 139e7116-3884-4246-9978-c8f740770bdf |
| Privilege escalation with admin managed policy | 49ce5322-60d7-4b02-ad79-99f650aa5790 | AWS | 49ce5322-60d7-4b02-ad79-99f650aa5790 |
| Privilege escalation with FullAccess managed policy | afb4191b-a142-4065-a0da-f721ee3d006c | AWS | afb4191b-a142-4065-a0da-f721ee3d006c |
| Privilege escalation via CloudFormation policy | 719d5204-10ab-4b1f-aee1-da7326750260 | AWS | 719d5204-10ab-4b1f-aee1-da7326750260 |
| Privilege escalation via CRUD DynamoDB policy | b9be2aa6-911d-4131-8658-d2a537ed49f4 | AWS | b9be2aa6-911d-4131-8658-d2a537ed49f4 |
| Privilege escalation via CRUD IAM policy | e20d35a3-4fec-4c8b-81b1-fc33b41990b0 | AWS | e20d35a3-4fec-4c8b-81b1-fc33b41990b0 |
| Privilege escalation via CRUD KMS policy | d7c39e15-997f-49e5-a782-73bf07db8aa5 | AWS | d7c39e15-997f-49e5-a782-73bf07db8aa5 |
| Privilege escalation via CRUD Lambda policy | d0953d50-3dc1-4fa3-80fa-4d3e973a0959 | AWS | d0953d50-3dc1-4fa3-80fa-4d3e973a0959 |
| Privilege escalation via CRUD S3 policy | fc3061bb-319c-4fe9-abe2-f59899a6d907 | AWS | fc3061bb-319c-4fe9-abe2-f59899a6d907 |
| Privilege escalation via DataPipeline policy | 48896551-1c28-4a09-8388-e51e5a927d23 | AWS | 48896551-1c28-4a09-8388-e51e5a927d23 |
| Privilege escalation via EC2 policy | a2b2a984-c820-4d93-830e-139bffd81fa3 | AWS | a2b2a984-c820-4d93-830e-139bffd81fa3 |
| Privilege escalation via Glue policy | 370f0e5e-da1d-4a14-8ced-d1d7ab66a8d7 | AWS | 370f0e5e-da1d-4a14-8ced-d1d7ab66a8d7 |
| Privilege escalation via Lambda policy | 8e01c41d-bd4c-4bbe-aed5-18592735052d | AWS | 8e01c41d-bd4c-4bbe-aed5-18592735052d |
| Privilege escalation via SSM policy | c668c09f-5a49-43f9-b249-6b89a31ec8fb | AWS | c668c09f-5a49-43f9-b249-6b89a31ec8fb |
| NRT Login to AWS Management Console without MFA | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b | AWS AWSS3 | 0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b |
| Jira - Global permission added | 5b0cec45-4a91-4f08-bb1b-392427e8f440 | JiraAuditAPI | 5b0cec45-4a91-4f08-bb1b-392427e8f440 |
| Jira - New site admin user | b894593a-2b4c-4573-bc47-78715224a6f5 | JiraAuditAPI | b894593a-2b4c-4573-bc47-78715224a6f5 |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | ef88eb96-861c-43a0-ab16-f3835a97c928 |
| Admin SaaS account detected | 87419138-d75f-450d-aca4-1dc802e32540 | Authomize | 87419138-d75f-450d-aca4-1dc802e32540 |
| Lateral Movement Risk - Role Chain Length | 25bef734-4399-4c55-9579-4ebabd9cccf6 | Authomize | 25bef734-4399-4c55-9579-4ebabd9cccf6 |
| Detect AWS IAM Users | 077eb06a-c011-47f7-8d92-dfc2b1e1d71b | Authomize | 077eb06a-c011-47f7-8d92-dfc2b1e1d71b |
| Empty group with entitlements | c4d442a8-8227-4735-ac13-d84704e1b371 | Authomize | c4d442a8-8227-4735-ac13-d84704e1b371 |
| IaaS policy not attached to any identity | 57bae0c4-50b7-4552-9de9-19dfecddbace | Authomize | 57bae0c4-50b7-4552-9de9-19dfecddbace |
| New direct access policy was granted against organizational policy | d7ee7bb5-d712-4d44-b201-b13379924934 | Authomize | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Refactor AWS policy based on activities in the last 60 days | 642de064-c67b-4eb7-98bd-3f8cd51f282c | Authomize | 642de064-c67b-4eb7-98bd-3f8cd51f282c |
| Stale IAAS policy attachment to role | ccdf3f87-7890-4549-9d0f-8f43c1d2751d | Authomize | ccdf3f87-7890-4549-9d0f-8f43c1d2751d |
| Unused IaaS Policy | e0ae5f9e-865b-41f5-98bb-c04113888e85 | Authomize | e0ae5f9e-865b-41f5-98bb-c04113888e85 |
| AWS Security Hub - Detect IAM Policies allowing full administrative privileges | de1f71d2-d127-439d-a8a2-e64d3187298a | AWSSecurityHub | de1f71d2-d127-439d-a8a2-e64d3187298a |
| AWS Security Hub - Detect root user lacking MFA | 6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44 | AWSSecurityHub | 6b3b9b1d-0d5d-4d4a-9f0f-8d1e2c7a5f44 |
| AWS Security Hub - Detect IAM root user Access Key existence | 171cbece-be87-4467-8754-63d82b3d3dfb | AWSSecurityHub | 171cbece-be87-4467-8754-63d82b3d3dfb |
| Suspicious granting of permissions to an account | b2c15736-b9eb-4dae-8b02-3016b6a45a32 | AzureActivity BehaviorAnalytics | b2c15736-b9eb-4dae-8b02-3016b6a45a32 |
| Front Door Premium WAF - SQLi Detection | 16da3a2a-af29-48a0-8606-d467c180fe18 | WAF | 16da3a2a-af29-48a0-8606-d467c180fe18 |
| AFD WAF - Code Injection | ded8168e-c806-4772-af30-10576e0a7529 | WAF | ded8168e-c806-4772-af30-10576e0a7529 |
| AFD WAF - Path Traversal Attack | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 | WAF | a4d99328-e4e6-493d-b0d5-57e6f9ddae77 |
| App GW WAF - Code Injection | 912a18fc-6165-446b-8740-81ae6c3f75ee | WAF | 912a18fc-6165-446b-8740-81ae6c3f75ee |
| App GW WAF - Path Traversal Attack | b6c3a8a6-d22c-4882-9c57-abc01690938b | WAF | b6c3a8a6-d22c-4882-9c57-abc01690938b |
| App Gateway WAF - SQLi Detection | bdb2cd63-99f2-472e-b1b9-acba473b6744 | WAF | bdb2cd63-99f2-472e-b1b9-acba473b6744 |
| Bitglass - New admin user | 8c8602e6-315d-400f-9d1e-23bbdee1dbfe | Bitglass | 8c8602e6-315d-400f-9d1e-23bbdee1dbfe |
| Box - User logged in as admin | b2197d7f-4731-483c-89de-d48606b872da | BoxDataConnector | b2197d7f-4731-483c-89de-d48606b872da |
| Box - User role changed to owner | 174c31c9-22ec-42e5-8226-814391c08200 | BoxDataConnector | 174c31c9-22ec-42e5-8226-814391c08200 |
| Privileged Account Permissions Changed | 0433c8a3-9aa6-4577-beef-2ea23be41137 | AzureActiveDirectory BehaviorAnalytics | 0433c8a3-9aa6-4577-beef-2ea23be41137 |
| User Added to Admin Role | 2a09f8cb-deb7-4c40-b08b-9137667f1c0b | AzureActiveDirectory | 2a09f8cb-deb7-4c40-b08b-9137667f1c0b |
| CiscoISE - ISE administrator password has been reset | e63b4d90-d0a8-4609-b187-babfcc7f86d7 | SyslogAma | e63b4d90-d0a8-4609-b187-babfcc7f86d7 |
| CiscoISE - Command executed with the highest privileges from new IP | 1fa0da3e-ec99-484f-aadb-93f59764e158 | SyslogAma | 1fa0da3e-ec99-484f-aadb-93f59764e158 |
| CiscoISE - Command executed with the highest privileges by new user | e71890a2-5f61-4790-b1ed-cf1d92d3e398 | SyslogAma | e71890a2-5f61-4790-b1ed-cf1d92d3e398 |
| CiscoISE - Device PostureStatus changed to non-compliant | 548a2eda-d3eb-46cc-8d4b-1601551629e4 | SyslogAma | 548a2eda-d3eb-46cc-8d4b-1601551629e4 |
| Cisco Duo - Admin user created | 0724cb01-4866-483d-a149-eb400fe1daa8 | CiscoDuoSecurity | 0724cb01-4866-483d-a149-eb400fe1daa8 |
| CTERA Mass Permissions Changes Detection Analytic | 90502ac9-19a2-41f0-ba81-e352de90b61b | CTERA | 90502ac9-19a2-41f0-ba81-e352de90b61b |
| CyberArk - Sensitive Safe/Permission/Entitlement Changes (with customData) | |||
| CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule | fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e | CyfirmaAttackSurfaceAlertsConnector | fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e |
| CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule | a2f2c91b-5796-45e4-82c7-61763e6c2c9c | CyfirmaAttackSurfaceAlertsConnector | a2f2c91b-5796-45e4-82c7-61763e6c2c9c |
| CYFIRMA - High severity File Hash Indicators with Block Action and Malware | 990fc0dc-e7a5-4f6d-bc24-8569652cd773 | CyfirmaCyberIntelligenceDC | 990fc0dc-e7a5-4f6d-bc24-8569652cd773 |
| CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware | 24dcff02-123c-4e10-a531-2a22a609120a | CyfirmaCyberIntelligenceDC | 24dcff02-123c-4e10-a531-2a22a609120a |
| CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert | 123fad02-6d9e-439e-8241-7a2fffa7e0a5 | CyfirmaVulnerabilitiesIntelDC | 123fad02-6d9e-439e-8241-7a2fffa7e0a5 |
| CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert | 6306f2d9-34a3-409a-850d-175b7bdd1ab1 | CyfirmaVulnerabilitiesIntelDC | 6306f2d9-34a3-409a-850d-175b7bdd1ab1 |
| CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert | 6cc62c46-dd44-46d7-8681-8422f780eabd | CyfirmaVulnerabilitiesIntelDC | 6cc62c46-dd44-46d7-8681-8422f780eabd |
| CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule | 4c1b282b-62f1-4783-bf40-94c44f0ae630 | CyfirmaVulnerabilitiesIntelDC | 4c1b282b-62f1-4783-bf40-94c44f0ae630 |
| Dynatrace - Problem detection | 415978ff-074e-4203-824a-b06153d77bf7 | DynatraceProblems | 415978ff-074e-4203-824a-b06153d77bf7 |
| Dynatrace Application Security - Attack detection | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 | DynatraceAttacks | 1b0b2065-8bac-5a00-83c4-1b58f69ac212 |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | 305093b4-0fa2-57bc-bced-caea782a6e9c | DynatraceRuntimeVulnerabilities | 305093b4-0fa2-57bc-bced-caea782a6e9c |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | ff0af873-a2f2-4233-8412-0ef4e00b0156 | DynatraceRuntimeVulnerabilities | ff0af873-a2f2-4233-8412-0ef4e00b0156 |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | af99b078-124b-543a-9a50-66ef87c09f6a | DynatraceRuntimeVulnerabilities | af99b078-124b-543a-9a50-66ef87c09f6a |
| Egress Defend - Dangerous Attachment Detected | a0e55dd4-8454-4396-91e6-f28fec3d2cab | EgressDefend | a0e55dd4-8454-4396-91e6-f28fec3d2cab |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 |
| Component Object Model Hijacking - Vault7 trick | 1aaff41f-4e18-45b1-bb34-de6eb4943cf2 | MicrosoftThreatProtection | 1aaff41f-4e18-45b1-bb34-de6eb4943cf2 |
| Access Token Manipulation - Create Process with Token | 8df80270-b4fa-4a7a-931e-8d17c0b321ae | MicrosoftThreatProtection | 8df80270-b4fa-4a7a-931e-8d17c0b321ae |
| Hijack Execution Flow - DLL Side-Loading | 3084b487-fad6-4000-9544-6085b9657290 | MicrosoftThreatProtection | 3084b487-fad6-4000-9544-6085b9657290 |
| Oracle suspicious command execution | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 | MicrosoftThreatProtection | e6c5ff42-0f42-4cec-994a-dabb92fe36e1 |
| GitHub Security Vulnerability in Repository | 5436f471-b03d-41cb-b333-65891f887c43 | 5436f471-b03d-41cb-b333-65891f887c43 | |
| Google DNS - CVE-2021-40444 exploitation | 6758c671-e9ee-495d-b6b0-92ffd08a8c3b | GCPDNSDataConnector | 6758c671-e9ee-495d-b6b0-92ffd08a8c3b |
| Google DNS - CVE-2021-34527 (PrintNightmare) external exploit | e632e73a-06c4-47f6-8bed-b2498aa6e30f | GCPDNSDataConnector | e632e73a-06c4-47f6-8bed-b2498aa6e30f |
| Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern | 1267d53d-f5fd-418b-b8da-34453a5994c2 | GCPDNSDataConnector | 1267d53d-f5fd-418b-b8da-34453a5994c2 |
| GCP IAM - High privileged role added to service account | 86112c4b-2535-4178-aa0e-ed9e32e3f054 | GCPIAMDataConnector | 86112c4b-2535-4178-aa0e-ed9e32e3f054 |
| Illusive Incidents Analytic Rule | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 | Illusive illusiveAttackManagementSystemAma CefAma | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 |
| Detect Print Processors Registry Driver Key Creation/Modification | 7edde3d4-9859-4a00-b93c-b19ddda55320 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma | 7edde3d4-9859-4a00-b93c-b19ddda55320 |
| Detect Registry Run Key Creation/Modification | dd041e4e-1ee2-41ec-ba4e-82a71d628260 | CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne TrendMicroApexOneAma | dd041e4e-1ee2-41ec-ba4e-82a71d628260 |
| McAfee ePO - Multiple threats on same host | f53e5168-afdb-4fad-b29a-bb9cb71ec460 | SyslogAma | f53e5168-afdb-4fad-b29a-bb9cb71ec460 |
| McAfee ePO - Threat was not blocked | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 | SyslogAma | 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7 |
| Dataverse - Bulk record ownership re-assignment or sharing | 6e480329-84bc-409a-b97b-22e8102af3ca | Dataverse | 6e480329-84bc-409a-b97b-22e8102af3ca |
| Dataverse - Hierarchy security manipulation | 2df0adf5-92a8-4ee0-a123-3eb5be1eed02 | Dataverse | 2df0adf5-92a8-4ee0-a123-3eb5be1eed02 |
| Dataverse - Login by a sensitive privileged user | f327816b-9328-4b17-9290-a02adc2f4928 | Dataverse | f327816b-9328-4b17-9290-a02adc2f4928 |
| Dataverse - New Dataverse application user activity type | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70 | Dataverse | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70 |
| Dataverse - New non-interactive identity granted access | 682e230c-e5da-4085-8666-701d1f1be7de | Dataverse AzureActiveDirectory | 682e230c-e5da-4085-8666-701d1f1be7de |
| Dataverse - Suspicious security role modifications | e44a58b2-b63a-4eb9-92da-85660d73495c | Dataverse | e44a58b2-b63a-4eb9-92da-85660d73495c |
| F&O - Bank account change following network alias reassignment | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64 | Dynamics365Finance | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64 |
| F&O - Non-interactive account mapped to self or sensitive privileged user | 5b7cc7f9-fe54-4138-9fb0-d650807345d3 | Dynamics365Finance | 5b7cc7f9-fe54-4138-9fb0-d650807345d3 |
| Power Platform - Account added to privileged Microsoft Entra roles | 71d829d6-eb50-4a17-8a64-655fae8d71e1 | AzureActiveDirectory | 71d829d6-eb50-4a17-8a64-655fae8d71e1 |
| Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af |
| Admin promotion after Role Management Application Permission Grant | f80d951a-eddc-4171-b9d0-d616bb83efdc | AzureActiveDirectory | f80d951a-eddc-4171-b9d0-d616bb83efdc |
| Azure RBAC (Elevate Access) | 132fdff4-c044-4855-a390-c1b71e0f833b | AzureActiveDirectory | 132fdff4-c044-4855-a390-c1b71e0f833b |
| Bulk Changes to Privileged Account Permissions | 218f60de-c269-457a-b882-9966632b9dc6 | AzureActiveDirectory | 218f60de-c269-457a-b882-9966632b9dc6 |
| Conditional Access - Dynamic Group Exclusion Changes | c385944b-17b9-4b2b-921e-0e8d0341a675 | AzureActiveDirectory | c385944b-17b9-4b2b-921e-0e8d0341a675 |
| Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory | 707494a5-8e44-486b-90f8-155d1797a8eb |
| NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 |
| NRT Privileged Role Assigned Outside PIM | 14f6da04-2f96-44ee-9210-9ccc1be6401e | AzureActiveDirectory | 14f6da04-2f96-44ee-9210-9ccc1be6401e |
| NRT User added to Microsoft Entra ID Privileged Groups | 70fc7201-f28e-4ba7-b9ea-c04b96701f13 | AzureActiveDirectory | 70fc7201-f28e-4ba7-b9ea-c04b96701f13 |
| Privileged Role Assigned Outside PIM | 269435e3-1db8-4423-9dfc-9bf59997da1c | AzureActiveDirectory | 269435e3-1db8-4423-9dfc-9bf59997da1c |
| Rare application consent | 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | AzureActiveDirectory | 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory | 6852d9da-8015-4b95-8ecf-d9572ee0395d |
| User added to Microsoft Entra ID Privileged Groups | 4d94d4a9-dc96-410a-8dea-4d4d4584188b | AzureActiveDirectory | 4d94d4a9-dc96-410a-8dea-4d4d4584188b |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition AWSS3 | 5c847e47-0a07-4c01-ab99-5817ad6cb11e |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition AzureActiveDirectoryIdentityProtection MicrosoftThreatProtection MicrosoftDefenderAdvancedThreatProtection MicrosoftCloudAppSecurity | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 |
| User impersonation by Identity Protection alerts | 11c3d541-5fa5-49df-8218-d1c98584473b | AWS AzureActiveDirectoryIdentityProtection | 11c3d541-5fa5-49df-8218-d1c98584473b |
| High-Risk Cross-Cloud User Impersonation | f4a28082-2808-4783-9736-33c1ae117475 | AWS AzureActiveDirectory | f4a28082-2808-4783-9736-33c1ae117475 |
| User Session Impersonation(Okta) | 35846296-4052-4de2-8098-beb6bb5f2203 | OktaSSO OktaSSOv2 | 35846296-4052-4de2-8098-beb6bb5f2203 |
| Ping Federate - Abnormal password resets for user | 6145efdc-4724-42a6-9756-5bd1ba33982e | CefAma | 6145efdc-4724-42a6-9756-5bd1ba33982e |
| Radiflow - Exploit Detected | 6c028ebd-03ca-41cb-bce7-5727ddb43731 | RadiflowIsid | 6c028ebd-03ca-41cb-bce7-5727ddb43731 |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| RecordedFuture Threat Hunting Url All Actors | 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b | ThreatIntelligenceUploadIndicatorsAPI | 3f6f0d1a-f2f9-4e01-881a-c55a4a71905b |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector | 6d263abb-6445-45cc-93e9-c593d3d77b89 |
| Critical Risks | 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60 | RidgeBotDataConnector CefAma | 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60 |
| Vulerabilities | d096643d-6789-4c74-8893-dd3fc8a94069 | RidgeBotDataConnector CefAma | d096643d-6789-4c74-8893-dd3fc8a94069 |
| Samsung Knox - Application Privilege Escalation or Change Events | 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb | SamsungDCDefinition | 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb |
| BTP - Trust and authorization Identity Provider monitor | 62357c23-ecdc-4edc-9349-8338063af1ef | SAPBTPAuditEvents | 62357c23-ecdc-4edc-9349-8338063af1ef |
| BTP - User added to sensitive privileged role collection | 5acbe4cb-a379-4acc-9ad3-28dc48ad33d3 | SAPBTPAuditEvents | 5acbe4cb-a379-4acc-9ad3-28dc48ad33d3 |
| SAP LogServ - HANA DB - Assign Admin Authorizations | 4981469b-8618-43a7-b44c-5744594fa494 | SAPLogServ | 4981469b-8618-43a7-b44c-5744594fa494 |
| SAP LogServ - HANA DB - User Admin actions | a9e4b02a-5a8c-4c59-9836-a204d1028632 | SAPLogServ | a9e4b02a-5a8c-4c59-9836-a204d1028632 |
| Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups | 0a627f29-f0dd-4924-be92-c3d6dac84367 | AzureActiveDirectory | 0a627f29-f0dd-4924-be92-c3d6dac84367 |
| Semperis DSP RBAC Changes | e5edf3f3-de53-45e6-b0d7-1ce1c048df4a | SemperisDSP | e5edf3f3-de53-45e6-b0d7-1ce1c048df4a |
| Semperis DSP Recent sIDHistory changes on AD objects | 64796da3-6383-4de2-9c97-866c83c459ae | SemperisDSP | 64796da3-6383-4de2-9c97-866c83c459ae |
| Semperis DSP Well-known privileged SIDs in sIDHistory | ddd75d93-5b8b-4349-babe-c4e15343c5a3 | SemperisDSP | ddd75d93-5b8b-4349-babe-c4e15343c5a3 |
| Semperis DSP Zerologon vulnerability | 85c1f9e4-6f14-46bf-82d5-dbe495b92aab | SemperisDSP | 85c1f9e4-6f14-46bf-82d5-dbe495b92aab |
| Sentinel One - Admin login from new location | 382f37b3-b49a-492f-b436-a4717c8c5c3e | SentinelOne | 382f37b3-b49a-492f-b436-a4717c8c5c3e |
| Sentinel One - New admin created | e73d293d-966c-47ec-b8e0-95255755f12c | SentinelOne | e73d293d-966c-47ec-b8e0-95255755f12c |
| Silverfort - Certifried Incident | 9ae540c9-c926-4100-8f07-1eac22596292 | SilverfortAma | 9ae540c9-c926-4100-8f07-1eac22596292 |
| Silverfort - NoPacBreach Incident | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2 | SilverfortAma | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2 |
| SlackAudit - User role changed to admin or owner | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e | SlackAuditAPI | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e |
| SlackAudit - User login after deactivated. | e6e99dcb-4dff-48d2-8012-206ca166b36b | SlackAuditAPI | e6e99dcb-4dff-48d2-8012-206ca166b36b |
| Snowflake - User granted admin privileges | 5ed33eee-0ab6-4bf5-9e9b-6100db83d39a | Snowflake | 5ed33eee-0ab6-4bf5-9e9b-6100db83d39a |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector | bcc3362d-b6f9-4de0-b41c-707fafd5a416 |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector | 37a8d052-a3db-4dc6-9dca-9390cac6f486 |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector | f5d467de-b5a2-4b4f-96db-55e27c733594 |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector | b60129ab-ce22-4b76-858d-3204932a13cc |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector | 10e6c454-5cad-4f86-81ce-800235cb050a |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 |
| Theom - Overprovisioned Roles Shadow DB | fb7769d0-e622-4479-95b4-f6266a5b41e2 | Theom | fb7769d0-e622-4479-95b4-f6266a5b41e2 |
| Theom - Shadow DB with atypical accesses | 02bff937-ca52-4f52-a9cd-b826f8602694 | Theom | 02bff937-ca52-4f52-a9cd-b826f8602694 |
| ApexOne - Device access permissions was changed | b463b952-67b8-11ec-90d6-0242ac120003 | CefAma | b463b952-67b8-11ec-90d6-0242ac120003 |
| ApexOne - Possible exploit or execute operation | e289d762-6cc2-11ec-90d6-0242ac120003 | CefAma | e289d762-6cc2-11ec-90d6-0242ac120003 |
| vCenter - Root impersonation | f1fcb22c-b459-42f2-a7ee-7276b5f1309c | CustomLogsAma | f1fcb22c-b459-42f2-a7ee-7276b5f1309c |
| VMware vCenter - Root login | 03e8a895-b5ba-49a0-aed3-f9a997d92fbe | CustomLogsAma | 03e8a895-b5ba-49a0-aed3-f9a997d92fbe |
| VMware ESXi - Root impersonation | 23a3cf72-9497-408e-8144-87958a60d31a | SyslogAma | 23a3cf72-9497-408e-8144-87958a60d31a |
| VMware ESXi - Root login | deb448a8-6a9d-4f8c-8a95-679a0a2cd62c | SyslogAma | deb448a8-6a9d-4f8c-8a95-679a0a2cd62c |
| VMware ESXi - Shared or stolen root account | 9c496d6c-42a3-4896-9b6c-00254386928f | SyslogAma | 9c496d6c-42a3-4896-9b6c-00254386928f |
| Potential Fodhelper UAC Bypass | 56f3f35c-3aca-4437-a1fb-b7a84dc4af00 | SecurityEvents WindowsSecurityEvents | 56f3f35c-3aca-4437-a1fb-b7a84dc4af00 |
| Application ID URI Changed | 9fb2ee72-959f-4c2b-bc38-483affc539e4 | AzureActiveDirectory | 9fb2ee72-959f-4c2b-bc38-483affc539e4 |
| Application Redirect URL Update | a1080fc1-13d1-479b-8340-255f0290d96c | AzureActiveDirectory | a1080fc1-13d1-479b-8340-255f0290d96c |
| Changes to Application Logout URL | 492fbe35-cbac-4a8c-9059-826782e6915a | AzureActiveDirectory | 492fbe35-cbac-4a8c-9059-826782e6915a |
| Changes to Application Ownership | cc5780ce-3245-4bba-8bc1-e9048c2257ce | AzureActiveDirectory | cc5780ce-3245-4bba-8bc1-e9048c2257ce |
| Changes to PIM Settings | 0ed0fe7c-af29-4990-af7f-bb5ccb231198 | AzureActiveDirectory | 0ed0fe7c-af29-4990-af7f-bb5ccb231198 |
| End-user consent stopped due to risk-based consent | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a | AzureActiveDirectory | 009b9bae-23dd-43c4-bcb9-11c4ba7c784a |
| Service Principal Assigned App Role With Sensitive Access | dd78a122-d377-415a-afe9-f22e08d2112c | AzureActiveDirectory | dd78a122-d377-415a-afe9-f22e08d2112c |
| Service Principal Assigned Privileged Role | 84cccc86-5c11-4b3a-aca6-7c8f738ed0f7 | AzureActiveDirectory | 84cccc86-5c11-4b3a-aca6-7c8f738ed0f7 |
| Suspicious linking of existing user to external User | 22a320c2-e1e5-4c74-a35b-39fc9cdcf859 | AzureActiveDirectory | 22a320c2-e1e5-4c74-a35b-39fc9cdcf859 |
| URL Added to Application from Unknown Domain | 017e095a-94d8-430c-a047-e51a11fb737b | AzureActiveDirectory | 017e095a-94d8-430c-a047-e51a11fb737b |
| Application Gateway WAF - SQLi Detection | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f | WAF | 68c0b6bb-6bd9-4ef4-9011-08998c8ef90f |
| Email access via active sync | 2f561e20-d97b-4b13-b02d-18b34af6e87c | SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents | 2f561e20-d97b-4b13-b02d-18b34af6e87c |
| Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt | 1399664f-9434-497c-9cde-42e4d74ae20e | AzureSecurityCenter Office365 AzureActivity AzureActiveDirectory | 1399664f-9434-497c-9cde-42e4d74ae20e |
| Potential Fodhelper UAC Bypass (ASIM Version) | ac9e233e-44d4-45eb-b522-6e47445f6582 | ac9e233e-44d4-45eb-b522-6e47445f6582 | |
| M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity | 779731f7-8ba0-4198-8524-5701b7defddc | OfficeATP PaloAltoNetworks Fortinet CheckPoint Zscaler | 779731f7-8ba0-4198-8524-5701b7defddc |
| Suspicious Login from deleted guest account | defe4855-0d33-4362-9557-009237623976 | AzureActiveDirectory | defe4855-0d33-4362-9557-009237623976 |
| Suspicious modification of Global Administrator user properties | 48602a24-67cf-4362-b258-3f4249e55def | AzureActiveDirectory BehaviorAnalytics | 48602a24-67cf-4362-b258-3f4249e55def |
| Detect PIM Alert Disabling activity | 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50 | AzureActiveDirectory | 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50 |
| COM Event System Loading New DLL | 02f6c2e5-219d-4426-a0bf-ad67abc63d53 | SecurityEvents | 02f6c2e5-219d-4426-a0bf-ad67abc63d53 |
| Group created then added to built in domain local or global group | a7564d76-ec6b-4519-a66b-fcc80c42332b | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | a7564d76-ec6b-4519-a66b-fcc80c42332b |
| Possible Resource-Based Constrained Delegation Abuse | 2937bc6b-7cda-4fba-b452-ea43ba8e835f | SecurityEvents | 2937bc6b-7cda-4fba-b452-ea43ba8e835f |
| Solorigate Named Pipe | 11b4c19d-2a79-4da3-af38-b067e1273dee | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | 11b4c19d-2a79-4da3-af38-b067e1273dee |
| Account added and removed from privileged groups | 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60 |
| User account added to built in domain local or global group | a35f2c18-1b97-458f-ad26-e033af18eb99 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | a35f2c18-1b97-458f-ad26-e033af18eb99 |
| User account created and deleted within 10 mins | 4b93c5af-d20b-4236-b696-a28b8c51407f | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | 4b93c5af-d20b-4236-b696-a28b8c51407f |
| User account enabled and disabled within 10 mins | 3d023f64-8225-41a2-9570-2bd7c2c4535e | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | 3d023f64-8225-41a2-9570-2bd7c2c4535e |
| New user created and added to the built-in administrators group | aa1eff90-29d4-49dc-a3ea-b65199f516db | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents | aa1eff90-29d4-49dc-a3ea-b65199f516db |
| Service Principal Name (SPN) Assigned to User Account | 875d0eb1-883a-4191-bd0e-dbfdeb95a464 | SecurityEvents | 875d0eb1-883a-4191-bd0e-dbfdeb95a464 |
| User joining Zoom meeting from suspicious timezone | 58fc0170-0877-4ea8-a9ff-d805e361cfae | 58fc0170-0877-4ea8-a9ff-d805e361cfae |