Microsoft Sentinel Analytic Rules

Reconnaissance

Overview

| Rule Name | id | Required data connectors |
|---|---|---|
| API - Anomaly Detection | 2c59e609-e0a0-4e8e-adc5-ab4224be8a36 | 42CrunchAPIProtection |
| API - API Scraping | d944d564-b6fa-470d-b5ab-41b341878c5e | 42CrunchAPIProtection |
| API - Invalid host access | 28500be7-cfcf-40e1-bad4-bc524e9283e2 | 42CrunchAPIProtection |
| API - Kiterunner detection | 421b38ec-4295-4aed-8299-c92e268ad663 | 42CrunchAPIProtection |
| Suspicious AWS CLI Command Execution | 8c2dc344-9352-4ca1-8863-b1b7a5e09e59 | AWS |
| App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
| BitSight - diligence risk category detected | 161ed3ac-b242-4b13-8c6b-58716e5e9972 | BitSight |
| BitSight - drop in company ratings | d8844f11-3a36-4b97-9062-1e6d57c00e37 | BitSight |
| BitSight - drop in the headline rating | b11fdc35-6368-4cc0-8128-52cd2e2cdda0 | BitSight |
| Contrast ADR - DLP SQL Injection Correlation | 1aac7737-d52f-483d-b225-6a27c1b29a9e | ContrastADR |
| CyberBlindSpot - Any Issue Detected | abe1a662-d00d-482e-aa68-9394622ae02e | CTM360CBSConnectorDefinition |
| HackerView - Any Issue Detected | abe1a663-d00d-482e-aa68-9394622ae03e | CTM360HackerViewConnectorDefinition |
| Cyble Advisory Alerts Advisory | 1932DCFD-A32E-49F9-A212-5BCD084FBD78 | CybleVisionAlerts |
| Cyble Vision Alerts Assets | 0012714c-c595-4dcd-8949-4a5c1d49aaa8 | CybleVisionAlerts |
| CybleVision Alerts Cyber Crime Forum Alerts | b78c4641-cc16-48e0-9d05-c9b36a55d214 | CybleVisionAlerts |
| Cyble Vision Alerts Darkweb Data Breaches | 588a2ee5-978a-43f7-9c10-6d76d82026ef | CybleVisionAlerts |
| CybleVision Alerts Darkweb Marketplace Alerts | e80eedb4-cbae-45cc-b1be-a2a8dc31af3b | CybleVisionAlerts |
| Cyble Vision Alerts Darkweb Ransomware Leak | 6deaf986-a25b-47b4-afbe-667901aa313b | CybleVisionAlerts |
| Cyble Vision Alerts Website Defacement Keyword | 754dbb50-8dc2-4b8b-86d8-a890a020ddc3 | CybleVisionAlerts |
| Cyble Vision Alerts Discord Keyword | 601a5859-0dc2-452d-8d1e-66dc651c16d5 | CybleVisionAlerts |
| Cyble Vision Alerts Flash Report | 2c86652a-bbbe-4a32-8b1c-4b53aad0750e | CybleVisionAlerts |
| Cyble Vision Alerts Hacktivism | 6649e5a0-0365-452f-84b3-448a0aec7a59 | CybleVisionAlerts |
| Cyble Vision Alerts IOC'S | c8cf42d5-8684-435f-9c4d-9dd0cc47eaec | CybleVisionAlerts |
| Cyble Vision Alerts IP Risk Score | 1e7c8d9f-1d42-42b3-b6ce-12a637e05f16 | CybleVisionAlerts |
| Cyble Vision Alerts Leaked Credentials | 224a63ae-e278-4a11-b7c2-02ec3e17b56c | CybleVisionAlerts |
| CybleVision Alerts Mobile Apps | 6d55fefc-b334-4b79-b11c-667746b5bdde | CybleVisionAlerts |
| Cyble Vision Alerts News Feed Alert | d205a93f-b2e3-4708-a359-5e0c88ee3e59 | CybleVisionAlerts |
| Cyble Vision Alerts OSINT Mention Detected | 9ff985d8-57a8-4302-a8e6-34fa96c3c505 | CybleVisionAlerts |
| Cyble Vision Alerts Pastebin | dd37e041-3973-482a-aa8c-f484b4178940 | CybleVisionAlerts |
| Cyble Vision Alerts Phishing Domain Detected | eb1d45fe-1b19-4b54-b146-971f282a6fd9 | CybleVisionAlerts |
| Cyble Vision Alerts Postman API Exposure Detection | 99ca8956-5aad-4542-9fbc-8254182b424d | CybleVisionAlerts |
| Cyble Vision Alerts Social Media Monitoring | 231c2c16-3742-4cfb-a8e1-c1a7d09f080a | CybleVisionAlerts |
| CybleVision Alerts Stealer Logs | e0bf55c2-35ef-47ab-8846-5087618ae805 | CybleVisionAlerts |
| Cyble Vision Alerts Discovered Subdomain | 7a0f79cc-8d28-44b5-ac1e-6176565bb7b8 | CybleVisionAlerts |
| Cyble Vision Alerts Suspicious Domain | c56fcb78-b708-4a92-bad4-d50b1e15c42c | CybleVisionAlerts |
| CybleVision Alerts Telegram Mentions | 4238f545-8b6f-4f7c-80b5-14cca2cebc99 | CybleVisionAlerts |
| Cyble Vision Alerts TOR Links | b9df1ec4-a572-4448-8da1-1bc4b7e1687f | CybleVisionAlerts |
| Cyble Vision Alerts Vulnerability | 0e0cdda9-4536-4cc9-91cf-736e8957ed26 | CybleVisionAlerts |
| Cyble Vision Alerts Cyble Web Applications | 359ddb25-eab1-4ef5-8303-ed3a9b680690 | CybleVisionAlerts |
| CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule | 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule | 5a617ff2-3e3d-44e7-b761-9f0d542ae191 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Configuration High Rule | 30206b45-75d2-4c6a-87c5-f0861c1f2870 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Configuration Medium Rule | e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule | 7ff6f6d7-9672-4567-99fc-cb8a58c3bce7 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule | 70f137e4-e4ef-4635-92de-10c4f5b0fcd0 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule | 159d26a1-591c-4f70-b1ca-2843c881aaec | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule | 59aa22f2-5b4f-4679-b289-003228255413 | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule | 22f49d67-7da7-4809-8d07-89e4478aa6b0 | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule | 710f4755-490d-4fa7-aef0-43b5a66edc7b | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - High severity Malicious Network Indicators with Block Action Rule | 58ae2c87-fc07-434b-aacf-f66d25b25e7e | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule | 4e7d1851-5aab-478d-b348-4b83dc2b03d9 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule | 8317de44-09e4-4a04-8fae-c38c1b72064b | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule | 52c2f8d4-1dc8-4141-9152-614c036390a0 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule | fa53ac37-a646-4106-91b6-ce478a1b5323 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule | aba36dc3-af43-4ab6-9349-3d1e37f1d4f3 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule | 6f107cf8-02f9-4440-b5d8-1235293e5ad7 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule | e41b7640-9ba6-42d6-a4c9-1ab6932a0b14 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule | 67e9c4aa-a2fa-4e4e-9272-1a8da41475c6 | CyfirmaDigitalRiskAlertsConnector |
| CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule | a2984be5-8d69-4139-b98f-e89c9c421c27 | CyfirmaDigitalRiskAlertsConnector |
| CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule | 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d | CyfirmaDigitalRiskAlertsConnector |
| CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule | b8149f2f-54da-4f7b-98e1-c01ca47e1e55 | CyfirmaDigitalRiskAlertsConnector |
| Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) | 0fe6bde4-b215-480c-99b4-84a96edcdbd7 | |
| Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) | 77b7c820-5f60-4779-8bdb-f06e21add5f1 | |
| Flare Cloud bucket result | 9cb7c337-f172-4af6-b0e8-b6b7552d762d | Flare |
| Flare Google Dork result found | 9cb7c337-f174-4af6-b0e8-b6b7552d762d | Flare |
| Flare Host result | 9cb7c337-f175-4af6-b0e8-b6b7552d762d | Flare |
| Flare Paste result | 9cb7c337-f177-4af6-b0e8-b6b7552d762d | Flare |
| Flare Source Code found | 9cb7c337-f178-4af6-b0e8-b6b7552d762d | Flare |
| Dataverse - Suspicious use of Web API | 8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86 | Dataverse, AzureActiveDirectory |
| Network Port Sweep from External Network (ASIM Network Session schema) | cd8faa84-4464-4b4e-96dc-b22f50c27541 | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| OCI - Multiple rejects on rare ports | 482c24b9-a700-4b2a-85d3-1c42110ba78c | OracleCloudInfrastructureLogsConnector |
| OCI - SSH scanner | e087d4fb-af0b-4e08-a067-b9ba9e5f8840 | OracleCloudInfrastructureLogsConnector |
| Palo Alto - possible nmap scan on with top 100 option | 4d61bb9a-7f6d-45b1-ac0e-517e2a92f6fd | CefAma |
| PaloAlto - Possible port scan | 3575a9c0-51c9-11ec-bf63-0242ac130002 | CefAma |
| Disks Alerts From Prancer | 8c484ef9-d758-4827-9920-f4f77158f03e | PrancerLogData |
| Flow Logs Alerts for Prancer | 59336232-1bbc-4f66-90dd-5ac3708e4405 | PrancerLogData |
| NetworkSecurityGroups Alert From Prancer | a8babf91-b844-477c-8abf-d31e3df74933 | PrancerLogData |
| PAC high severity | 7caa1c03-d20b-42f2-ac95-5232f6e570da | PrancerLogData |
| Registries Alerts for Prancer | 08706063-c15e-4d96-beae-9e8d92ccefbb | PrancerLogData |
| Sites Alerts for Prancer | bbeb2f26-cb99-4e4b-900f-24ce9809142d | PrancerLogData |
| Storage Accounts Alerts From Prancer | 4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b | PrancerLogData |
| Subnets Alerts for Prancer | 10be8f37-d83c-4b7e-81c2-1271c51ac09f | PrancerLogData |
| Vaults Alerts for Prancer | 0b76eef3-5dc0-41b1-9f67-fffa7783f5f6 | PrancerLogData |
| VirtualNetworkPeerings Alerts From Prancer | 6bd031cf-78d0-4edd-8191-60f84b6eef7a | PrancerLogData |
| Virtual Machines Alerts for Prancer | c13b025c-ea31-4e4b-8e08-955b8fa91fa0 | PrancerLogData |
| BTP - Failed access attempts across multiple BAS subaccounts | 74b243a6-3046-48aa-8b03-e43b3c529cc1 | SAPBTPAuditEvents |
| TacitRed - High Confidence Compromise | b2c3d4e5-f6a7-8901-bcde-f23456789012 | TacitRedThreatIntel |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| XbowMediumFindings | b3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12 | XbowSecurityConnector |
| XbowNewAssetDiscovered | e4c6a8b2-9d7f-4285-a1e3-6b9c2e4f1a85 | XbowSecurityConnector |
| Suspicious link sharing pattern | 1218175f-c534-421c-8070-5dcaabf28067 | |