This query identifies rare activity by a high-value account on a system or service. If any account with rare activity is found, the query retrieves that account's related activity from the same day and summarizes it.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 431cccd3-2dff-46ee-b34b-61933e45f556 |
| Tactics | PrivilegeEscalation, Discovery |
| Techniques | T1078, T1087 |
| Required Connectors | AzureActiveDirectory, Office365, AWS, SecurityEvents, AzureMonitor(IIS) |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AWSCloudTrail | | ✓ | ✓ | ? |
| Event | | ✓ | ✓ | ? |
| OfficeActivity | | ✓ | ✗ | ? |
| SecurityAlert | | ✓ | ✗ | ? |
| SecurityEvent | EventID in "4624,4625,4720,4726,4728,4732,4756,7045" | ✓ | ✓ | ? |
| SigninLogs | | ✓ | ✗ | ? |
| W3CIISLog | | ✓ | ✗ | ? |
The following connectors provide data for this content item:
Solutions: Amazon Web Services, IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID, Microsoft Entra ID Protection, Microsoft Exchange Security - Exchange On-Premises, MicrosoftDefenderForEndpoint, MicrosoftPurviewInsiderRiskManagement, Windows Security Events