Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Reconnaissance

Overview

Rule NameidRequired data connectors
API - Anomaly Detection2c59e609-e0a0-4e8e-adc5-ab4224be8a3642CrunchAPIProtection
API - API Scrapingd944d564-b6fa-470d-b5ab-41b341878c5e42CrunchAPIProtection
API - Invalid host access28500be7-cfcf-40e1-bad4-bc524e9283e242CrunchAPIProtection
API - Kiterunner detection421b38ec-4295-4aed-8299-c92e268ad66342CrunchAPIProtection
Suspicious AWS CLI Command Execution8c2dc344-9352-4ca1-8863-b1b7a5e09e59AWS
App Gateway WAF - Scanner Detection9b8dd8fd-f192-42eb-84f6-541920400a7aWAF
BitSight - diligence risk category detected161ed3ac-b242-4b13-8c6b-58716e5e9972BitSight
BitSight - drop in company ratingsd8844f11-3a36-4b97-9062-1e6d57c00e37BitSight
BitSight - drop in the headline ratingb11fdc35-6368-4cc0-8128-52cd2e2cdda0BitSight
Compromised Cards3db2904c-a93e-4ea5-a1bb-11b3ea5ec0bbCBSPollingIDAzureFunctions
Domain Infringement0faddbac-0004-40fa-9046-a1ead13e005aCBSPollingIDAzureFunctions
Header: Web Server Exposedd6793fa2-c1db-4323-9bdb-a1e8d1990f5cHVPollingIDAzureFunctions
Phishingc3771865-b647-46a7-9be5-a96c418cebc0CBSPollingIDAzureFunctions
SPF Not Configuredf78c03ec-4397-42f6-9c51-a54421817fd8HVPollingIDAzureFunctions
SPF Policy Set to Soft Fail32f4eb88-0d23-4185-8579-f1645412e9deHVPollingIDAzureFunctions
Subdomain Infringement20ffc702-b7b2-4041-8f08-10ede8906cbfCBSPollingIDAzureFunctions
Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution)0fe6bde4-b215-480c-99b4-84a96edcdbd7
Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)77b7c820-5f60-4779-8bdb-f06e21add5f1
Flare Cloud bucket result9cb7c337-f172-4af6-b0e8-b6b7552d762dFlare
Flare Darkweb result9cb7c337-f173-4af6-b0e8-b6b7552d762dFlare
Flare Google Dork result found9cb7c337-f174-4af6-b0e8-b6b7552d762dFlare
Flare Host result9cb7c337-f175-4af6-b0e8-b6b7552d762dFlare
Flare Paste result9cb7c337-f177-4af6-b0e8-b6b7552d762dFlare
Flare Source Code found9cb7c337-f178-4af6-b0e8-b6b7552d762dFlare
Dataverse - Suspicious use of Web API8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86Dataverse
AzureActiveDirectory
Network Port Sweep from External Network (ASIM Network Session schema)cd8faa84-4464-4b4e-96dc-b22f50c27541AWSS3
MicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
WindowsForwardedEvents
Zscaler
MicrosoftSysmonForLinux
PaloAltoNetworks
AzureMonitor(VMInsights)
AzureFirewall
AzureNSG
CiscoASA
CiscoAsaAma
Corelight
AIVectraStream
CheckPoint
Fortinet
CiscoMeraki
OCI - Multiple rejects on rare ports482c24b9-a700-4b2a-85d3-1c42110ba78cOracleCloudInfrastructureLogsConnector
OCI - SSH scannere087d4fb-af0b-4e08-a067-b9ba9e5f8840OracleCloudInfrastructureLogsConnector
PaloAlto - Possible port scan3575a9c0-51c9-11ec-bf63-0242ac130002CefAma
Disks Alerts From Prancer8c484ef9-d758-4827-9920-f4f77158f03ePrancerLogData
Flow Logs Alerts for Prancer59336232-1bbc-4f66-90dd-5ac3708e4405PrancerLogData
NetworkSecurityGroups Alert From Prancera8babf91-b844-477c-8abf-d31e3df74933PrancerLogData
PAC high severity7caa1c03-d20b-42f2-ac95-5232f6e570daPrancerLogData
Registries Alerts for Prancer08706063-c15e-4d96-beae-9e8d92ccefbbPrancerLogData
Sites Alerts for Prancerbbeb2f26-cb99-4e4b-900f-24ce9809142dPrancerLogData
Storage Accounts Alerts From Prancer4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10bPrancerLogData
Subnets Alerts for Prancer10be8f37-d83c-4b7e-81c2-1271c51ac09fPrancerLogData
Vaults Alerts for Prancer0b76eef3-5dc0-41b1-9f67-fffa7783f5f6PrancerLogData
VirtualNetworkPeerings Alerts From Prancer6bd031cf-78d0-4edd-8191-60f84b6eef7aPrancerLogData
Virtual Machines Alerts for Prancerc13b025c-ea31-4e4b-8e08-955b8fa91fa0PrancerLogData
Theom Critical Risksbb9051ef-0e72-4758-a143-80c25ee452f0Theom
Theom High Risks74b80987-0a62-448c-8779-47b02e17d3cfTheom
Theom Insightsd200da84-0191-44ce-ad9e-b85e64c84c89Theom
Theom Low Riskscf7fb616-ac80-40ce-ad18-aa18912811f8Theom
Theom Medium Risks4cb34832-f73a-49f2-8d38-c2d135c5440bTheom
Suspicious link sharing pattern1218175f-c534-421c-8070-5dcaabf28067