| Rule | Severity | Source |
| --- | --- | --- |
| D3 Smart SOAR - High or critical severity incident detected | High | 📦 D3SmartSOAR |
| Darktrace AI Analyst | High | 📦 Darktrace |
| Darktrace Model Breach | Medium | 📦 Darktrace |
| Darktrace System Status | Informational | 📦 Darktrace |
| Dataminr - urgent alerts detected | Medium | 📦 Dataminr Pulse |
| Dataverse - Anomalous application user activity | Medium | 📦 Microsoft Business Applications |
| Dataverse - Audit log data deletion | Low | 📦 Microsoft Business Applications |
| Dataverse - Audit logging disabled | Low | 📦 Microsoft Business Applications |
| Dataverse - Bulk record ownership re-assignment or sharing | Medium | 📦 Microsoft Business Applications |
| Dataverse - Executable uploaded to SharePoint document management site | Low | 📦 Microsoft Business Applications |
| Dataverse - Export activity from terminated or notified employee | Medium | 📦 Microsoft Business Applications |
| Dataverse - Guest user exfiltration following Power Platform defense impairment | High | 📦 Microsoft Business Applications |
| Dataverse - Hierarchy security manipulation | Medium | 📦 Microsoft Business Applications |
| Dataverse - Honeypot instance activity | Medium | 📦 Microsoft Business Applications |
| Dataverse - Login by a sensitive privileged user | High | 📦 Microsoft Business Applications |
| Dataverse - Login from IP in the block list | High | 📦 Microsoft Business Applications |
| Dataverse - Login from IP not in the allow list | High | 📦 Microsoft Business Applications |
| Dataverse - Malware found in SharePoint document management site | Medium | 📦 Microsoft Business Applications |
| Dataverse - Mass deletion of records | Medium | 📦 Microsoft Business Applications |
| Dataverse - Mass download from SharePoint document management | Low | 📦 Microsoft Business Applications |
| Dataverse - Mass export of records to Excel | Low | 📦 Microsoft Business Applications |
| Dataverse - Mass record updates | Medium | 📦 Microsoft Business Applications |
| Dataverse - New Dataverse application user activity type | Medium | 📦 Microsoft Business Applications |
| Dataverse - New non-interactive identity granted access | Informational | 📦 Microsoft Business Applications |
| Dataverse - New sign-in from an unauthorized domain | Medium | 📦 Microsoft Business Applications |
| Dataverse - New user agent type that was not used before | Low | 📦 Microsoft Business Applications |
| Dataverse - New user agent type that was not used with Office 365 | Low | 📦 Microsoft Business Applications |
| Dataverse - Organization settings modified | Informational | 📦 Microsoft Business Applications |
| Dataverse - Removal of blocked file extensions | Medium | 📦 Microsoft Business Applications |
| Dataverse - SharePoint document management site added or updated | Informational | 📦 Microsoft Business Applications |
| Dataverse - Suspicious security role modifications | Medium | 📦 Microsoft Business Applications |
| Dataverse - Suspicious use of TDS endpoint | Low | 📦 Microsoft Business Applications |
| Dataverse - Suspicious use of Web API | Medium | 📦 Microsoft Business Applications |
| Dataverse - Terminated employee exfiltration over email | High | 📦 Microsoft Business Applications |
| Dataverse - Terminated employee exfiltration to USB drive | High | 📦 Microsoft Business Applications |
| Dataverse - TI map IP to DataverseActivity | Medium | 📦 Microsoft Business Applications |
| Dataverse - TI map URL to DataverseActivity | Medium | 📦 Microsoft Business Applications |
| Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection | Medium | 📦 Microsoft Business Applications |
| Dataverse - User bulk retrieval outside normal activity | Low | 📦 Microsoft Business Applications |
| Datawiza - massive errors detected | Medium | 📦 Datawiza |
| DCOM Lateral Movement | Medium | 📦 FalconFriday |
| DDoS attack detected | High | 📦 Azure Firewall |
| DDoS Attack IP Addresses - Percent Threshold | Medium | 📦 Azure DDoS Protection |
| DDoS Attack IP Addresses - PPS Threshold | Medium | 📦 Azure DDoS Protection |
| Defender Alert Evidence | High | 📦 Vectra XDR |
| Deimos Component Execution | High | 📦 Microsoft Defender XDR |
| Deleted a Custom Field Mapping profile | Medium | 📦 SOC Prime CCF |
| Deleted a Tenant | Medium | 📦 SOC Prime CCF |
| Deletion of data on multiple drives using cipher exe | Medium | 📦 Microsoft Defender XDR |
| Denial of Service (Microsoft Defender for IoT) | High | 📦 IoTOTThreatMonitoringwithDefenderforIoT |
| Detaching Backups Started | Informational | 📦 Veeam |
| Detect .NET runtime being loaded in JScript for code execution | Medium | 📦 FalconFriday |
| Detect AWS IAM Users | High | 📦 Authomize |
| Detect CoreBackUp Deletion Activity from related Security Alerts | Medium | 📦 Microsoft Defender for Cloud |
| Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) | Medium | 📦 DNS Essentials |
| Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) | Medium | 📦 DNS Essentials |
| Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) | Medium | 📦 DNS Essentials |
| Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) | Medium | 📦 DNS Essentials |
| Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect known risky user agents (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) | High | 📦 Web Session Essentials |
| Detect Malicious Usage of Recovery Tools to Delete Backup Files | High | 📦 Malware Protection Essentials |
| Detect PIM Alert Disabling activity | Medium | 📄 Standalone Content |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | Medium | 📦 Network Session Essentials |
| Detect port misuse by static threshold (ASIM Network Session schema) | Medium | 📦 Network Session Essentials |
| Detect potential file enumeration activity (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect Potential Kerberoast Activities | Medium | 📦 Microsoft Defender XDR |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect presence of private IP addresses in URLs (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect presence of uncommon user agents in web requests (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect Print Processors Registry Driver Key Creation/Modification | Medium | 📦 Malware Protection Essentials |
| Detect Registry Run Key Creation/Modification | Medium | 📦 Malware Protection Essentials |
| Detect requests for an uncommon resources on the web (ASIM Web Session) | Low | 📦 Web Session Essentials |
| Detect Suspicious Commands Initiated by Webserver Processes | High | 📦 Microsoft Defender XDR |
| Detect threat information in web requests (ASIM Web Session) | High | 📦 Web Session Essentials |
| Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect URLs containing known malicious keywords or commands (ASIM Web Session) | High | 📦 Web Session Essentials |
| Detect web requests to potentially harmful files (ASIM Web Session) | Medium | 📦 Web Session Essentials |
| Detect Windows Allow Firewall Rule Addition/Modification | Medium | 📦 Malware Protection Essentials |
| Detect Windows Update Disabled from Registry | Medium | 📦 Malware Protection Essentials |
| Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt | Medium | 📄 Standalone Content |
| Detecting Macro Invoking ShellBrowserWindow COM Objects | Medium | 📦 Endpoint Threat Protection Essentials |
| Detecting UAC bypass - ChangePK and SLUI registry tampering | Medium | 📦 FalconFriday |
| Detecting UAC bypass - elevated COM interface | Medium | 📦 FalconFriday |
| Detecting UAC bypass - modify Windows Store settings | Medium | 📦 FalconFriday |
| Dev-0228 File Path Hashes November 2021 | High | 📄 Standalone Content |
| Dev-0228 File Path Hashes November 2021 (ASIM Version) | High | 📄 Standalone Content |
| Dev-0270 Malicious Powershell usage | High | 📦 Dev 0270 Detection and Hunting |
| DEV-0270 New User Creation | High | 📦 Dev 0270 Detection and Hunting |
| Dev-0270 Registry IOC - September 2022 | High | 📦 Dev 0270 Detection and Hunting |
| Dev-0270 WMIC Discovery | High | 📦 Dev 0270 Detection and Hunting |
| Dev-0530 File Extension Rename | High | 📄 Standalone Content |
| Device Alert Surge | High | 📦 Morphisec |
| Device Registration from Malicious IP | High | 📦 Okta Single Sign-On |
| Digital Guardian - Bulk exfiltration to external domain | Medium | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Exfiltration to external domain | Medium | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Exfiltration to online fileshare | High | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Exfiltration to private email | High | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Exfiltration using DNS protocol | High | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Incident with not blocked action | High | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Multiple incidents from user | High | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Possible SMTP protocol abuse | High | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Sensitive data transfer over insecure channel | Medium | 📦 Digital Guardian Data Loss Prevention |
| Digital Guardian - Unexpected protocol | High | 📦 Digital Guardian Data Loss Prevention |
| Digital Shadows Incident Creation for exclude-app | Medium | 📦 Digital Shadows |
| Digital Shadows Incident Creation for include-app | Medium | 📦 Digital Shadows |
| Disable or Modify Windows Defender | Medium | 📦 FalconFriday |
| Disabling Security Services via Registry | Medium | 📦 Microsoft Defender XDR |
| Discord CDN Risky File Download ⚠️ | Medium | 📦 Zscaler Internet Access |
| Discord CDN Risky File Download (ASIM Web Session Schema) | Medium | 📄 Standalone Content |
| Disks Alerts From Prancer ⚠️ | High | 📦 Prancer PenSuiteAI Integration |
| Distributed Password cracking attempts in Microsoft Entra ID | Medium | 📦 Microsoft Entra ID |
| DNS events related to mining pools | Low | 📦 Windows Server DNS |
| DNS events related to mining pools (ASIM DNS Schema) | Low | 📄 Standalone Content |
| DNS events related to ToR proxies | Low | 📦 Windows Server DNS |
| DNS events related to ToR proxies (ASIM DNS Schema) | Low | 📄 Standalone Content |
| Doppelpaymer Stop Services | High | 📦 Microsoft Defender XDR |
| DopplePaymer Procdump | High | 📦 Microsoft Defender XDR |
| Dragos Notifications | Medium | 📦 Dragos |
| Drop attempts stateful anomaly on database | Medium | 📦 Azure SQL Database solution for sentinel |
| DSRM Account Abuse | High | 📄 Standalone Content |
| Dumping LSASS Process Into a File | High | 📦 Endpoint Threat Protection Essentials |
| Dynatrace - Problem detection | Informational | 📦 Dynatrace |
| Dynatrace Application Security - Attack detection | High | 📦 Dynatrace |
| Dynatrace Application Security - Code-Level runtime vulnerability detection | Medium | 📦 Dynatrace |
| Dynatrace Application Security - Non-critical runtime vulnerability detection | Informational | 📦 Dynatrace |
| Dynatrace Application Security - Third-Party runtime vulnerability detection | Medium | 📦 Dynatrace |