Reconnaissance
| Rule Name | id | Required data connectors |
|---|---|---|
| API - Anomaly Detection | 2c59e609-e0a0-4e8e-adc5-ab4224be8a36 | 42CrunchAPIProtection |
| API - API Scraping | d944d564-b6fa-470d-b5ab-41b341878c5e | 42CrunchAPIProtection |
| API - Invalid host access | 28500be7-cfcf-40e1-bad4-bc524e9283e2 | 42CrunchAPIProtection |
| API - Kiterunner detection | 421b38ec-4295-4aed-8299-c92e268ad663 | 42CrunchAPIProtection |
| Suspicious AWS CLI Command Execution | 8c2dc344-9352-4ca1-8863-b1b7a5e09e59 | AWS |
| App Gateway WAF - Scanner Detection | 9b8dd8fd-f192-42eb-84f6-541920400a7a | WAF |
| BitSight - diligence risk category detected | 161ed3ac-b242-4b13-8c6b-58716e5e9972 | BitSight |
| BitSight - drop in company ratings | d8844f11-3a36-4b97-9062-1e6d57c00e37 | BitSight |
| BitSight - drop in the headline rating | b11fdc35-6368-4cc0-8128-52cd2e2cdda0 | BitSight |
| Auto Generated Page (High) | ffa30df1-7604-47c3-90f8-df81cd36abda | CBSPollingIDAzureFunctions |
| Auto Generated Page (Informational) | c33d1539-832a-4310-bfc3-b0014e7c82bf | CBSPollingIDAzureFunctions |
| Auto Generated Page (Medium) | b5c9c09d-0bbc-4af1-b842-62f9c0f72f32 | CBSPollingIDAzureFunctions |
| Baiting News Site (High) | 73d7402f-fab0-4d54-a1f5-ecb87a31559c | CBSPollingIDAzureFunctions |
| Baiting News Site (Informational) | e621eb5b-2612-4c0e-84f2-036a6694d619 | CBSPollingIDAzureFunctions |
| Baiting News Site (Low) | 3f89fb35-5f8e-49d2-9aac-b6e21ecab1b9 | CBSPollingIDAzureFunctions |
| Baiting News Site (Medium) | 77c966c0-0ed4-49c2-bb52-6f0a644bcc56 | CBSPollingIDAzureFunctions |
| Dark Web (High) | e5ee49ee-9a10-4e6b-a8df-d8c35209ac33 | CBSPollingIDAzureFunctions |
| Dark Web (Informational) | ab55aff7-7f23-43e8-a93c-6c417647f032 | CBSPollingIDAzureFunctions |
| Dark Web (Low) | 5c05df18-604a-428c-b677-39305bde35a3 | CBSPollingIDAzureFunctions |
| Dark Web (Medium) | 7b6a3f8d-c460-44d3-adb4-16abba92aef1 | CBSPollingIDAzureFunctions |
| Domain Infringement (High) | 65c57477-dcc6-447f-b76d-429d2ad11cbd | CBSPollingIDAzureFunctions |
| Domain Infringement (Informational) | 891724c5-8f42-41d0-aa3e-a58947cf4d3a | CBSPollingIDAzureFunctions |
| Domain Infringement (Low) | 755d21cf-527f-46d3-b9c0-9005419a7eb4 | CBSPollingIDAzureFunctions |
| Domain Infringement (Medium) | 873f6a0f-68b7-4181-87c9-402b575458d9 | CBSPollingIDAzureFunctions |
| Domain Infringement | 0faddbac-0004-40fa-9046-a1ead13e005a | CBSPollingIDAzureFunctions |
| Hacker Chatter (High) | c7d8a054-015a-467f-af1e-886d99617888 | CBSPollingIDAzureFunctions |
| Hacker Chatter (Informational) | 603d0bc0-dfcc-480f-a7d7-66d80b7a54c1 | CBSPollingIDAzureFunctions |
| Hacker Chatter (Low) | 6cc71818-6cba-44cf-bf5c-4dbce1f5d21a | CBSPollingIDAzureFunctions |
| Hacker Chatter (Medium) | 2463fcd3-9661-47f5-b7e4-d8e0c84783aa | CBSPollingIDAzureFunctions |
| Header: Web Server Exposed | d6793fa2-c1db-4323-9bdb-a1e8d1990f5c | HVPollingIDAzureFunctions |
| Subdomain Infringement (High) | 35813b4c-b91d-4817-8838-bfbec77e27f1 | CBSPollingIDAzureFunctions |
| Subdomain Infringement (Informational) | d873e524-0149-4835-ba9d-c550506d2a8d | CBSPollingIDAzureFunctions |
| Subdomain Infringement (Low) | 005dd8a4-4fc0-4f8a-90f9-1423fcf5594c | CBSPollingIDAzureFunctions |
| Subdomain Infringement (Medium) | fd64c2d1-8d2b-4b70-8f95-e7b34da56830 | CBSPollingIDAzureFunctions |
| Subdomain Infringement | 20ffc702-b7b2-4041-8f08-10ede8906cbf | CBSPollingIDAzureFunctions |
| CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule | 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule | 5a617ff2-3e3d-44e7-b761-9f0d542ae191 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Configuration High Rule | 30206b45-75d2-4c6a-87c5-f0861c1f2870 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Configuration Medium Rule | e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule | 7ff6f6d7-9672-4567-99fc-cb8a58c3bce7 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule | 70f137e4-e4ef-4635-92de-10c4f5b0fcd0 | CyfirmaAttackSurfaceAlertsConnector |
| CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule | 159d26a1-591c-4f70-b1ca-2843c881aaec | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule | 59aa22f2-5b4f-4679-b289-003228255413 | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule | 22f49d67-7da7-4809-8d07-89e4478aa6b0 | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule | 710f4755-490d-4fa7-aef0-43b5a66edc7b | CyfirmaBrandIntelligenceAlertsDC |
| CYFIRMA - High severity Malicious Network Indicators with Block Action Rule | 58ae2c87-fc07-434b-aacf-f66d25b25e7e | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule | 4e7d1851-5aab-478d-b348-4b83dc2b03d9 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule | 8317de44-09e4-4a04-8fae-c38c1b72064b | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule | 52c2f8d4-1dc8-4141-9152-614c036390a0 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule | fa53ac37-a646-4106-91b6-ce478a1b5323 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule | aba36dc3-af43-4ab6-9349-3d1e37f1d4f3 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule | 6f107cf8-02f9-4440-b5d8-1235293e5ad7 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule | e41b7640-9ba6-42d6-a4c9-1ab6932a0b14 | CyfirmaCyberIntelligenceDC |
| CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule | 67e9c4aa-a2fa-4e4e-9272-1a8da41475c6 | CyfirmaDigitalRiskAlertsConnector |
| CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule | a2984be5-8d69-4139-b98f-e89c9c421c27 | CyfirmaDigitalRiskAlertsConnector |
| CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule | 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d | CyfirmaDigitalRiskAlertsConnector |
| CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule | b8149f2f-54da-4f7b-98e1-c01ca47e1e55 | CyfirmaDigitalRiskAlertsConnector |
| Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) | 0fe6bde4-b215-480c-99b4-84a96edcdbd7 | |
| Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) | 77b7c820-5f60-4779-8bdb-f06e21add5f1 | |
| Flare Cloud bucket result | 9cb7c337-f172-4af6-b0e8-b6b7552d762d | Flare |
| Flare Darkweb result | 9cb7c337-f173-4af6-b0e8-b6b7552d762d | Flare |
| Flare Google Dork result found | 9cb7c337-f174-4af6-b0e8-b6b7552d762d | Flare |
| Flare Host result | 9cb7c337-f175-4af6-b0e8-b6b7552d762d | Flare |
| Flare Paste result | 9cb7c337-f177-4af6-b0e8-b6b7552d762d | Flare |
| Flare Source Code found | 9cb7c337-f178-4af6-b0e8-b6b7552d762d | Flare |
| Dataverse - Suspicious use of Web API | 8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86 | Dataverse AzureActiveDirectory |
| Network Port Sweep from External Network (ASIM Network Session schema) | cd8faa84-4464-4b4e-96dc-b22f50c27541 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| OCI - Multiple rejects on rare ports | 482c24b9-a700-4b2a-85d3-1c42110ba78c | OracleCloudInfrastructureLogsConnector |
| OCI - SSH scanner | e087d4fb-af0b-4e08-a067-b9ba9e5f8840 | OracleCloudInfrastructureLogsConnector |
| PaloAlto - Possible port scan | 3575a9c0-51c9-11ec-bf63-0242ac130002 | CefAma |
| Disks Alerts From Prancer | 8c484ef9-d758-4827-9920-f4f77158f03e | PrancerLogData |
| Flow Logs Alerts for Prancer | 59336232-1bbc-4f66-90dd-5ac3708e4405 | PrancerLogData |
| NetworkSecurityGroups Alert From Prancer | a8babf91-b844-477c-8abf-d31e3df74933 | PrancerLogData |
| PAC high severity | 7caa1c03-d20b-42f2-ac95-5232f6e570da | PrancerLogData |
| Registries Alerts for Prancer | 08706063-c15e-4d96-beae-9e8d92ccefbb | PrancerLogData |
| Sites Alerts for Prancer | bbeb2f26-cb99-4e4b-900f-24ce9809142d | PrancerLogData |
| Storage Accounts Alerts From Prancer | 4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b | PrancerLogData |
| Subnets Alerts for Prancer | 10be8f37-d83c-4b7e-81c2-1271c51ac09f | PrancerLogData |
| Vaults Alerts for Prancer | 0b76eef3-5dc0-41b1-9f67-fffa7783f5f6 | PrancerLogData |
| VirtualNetworkPeerings Alerts From Prancer | 6bd031cf-78d0-4edd-8191-60f84b6eef7a | PrancerLogData |
| Virtual Machines Alerts for Prancer | c13b025c-ea31-4e4b-8e08-955b8fa91fa0 | PrancerLogData |
| BTP - Failed access attempts across multiple BAS subaccounts | 74b243a6-3046-48aa-8b03-e43b3c529cc1 | SAPBTPAuditEvents |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Suspicious link sharing pattern | 1218175f-c534-421c-8070-5dcaabf28067 |