| Name | Tactics | Source |
| --- | --- | --- |
| A365 AI Agents - Hard-coded credentials in Tools or Actions | CredentialAccess, InitialAccess | 🔗 GitHub Only |
| A365 AI Agents - HTTP Requests to Non-HTTPS Endpoints | CommandAndControl, CredentialAccess | 🔗 GitHub Only |
| A365 AI Agents - HTTP Requests to Non-standard Ports | CommandAndControl, Exfiltration | 🔗 GitHub Only |
| A365 AI Agents - MCP Tool Configured | Execution | 🔗 GitHub Only |
| A365 AI Agents - Missing Tools in Instructions | Impact, DefenseEvasion | 🔗 GitHub Only |
| A365 AI Agents - Orphaned Agents with Disabled Owners | Persistence, DefenseEvasion | 🔗 GitHub Only |
| A365 AI Agents - Publicly Shared | - | 🔗 GitHub Only |
| A365 AI Agents - Published Agents with Short Instructions | Impact, DefenseEvasion | 🔗 GitHub Only |
| A365 AI Agents - Published Agents without Instructions | Impact, DefenseEvasion | 🔗 GitHub Only |
| Abnormally Large JPEG Filed Downloaded from New Source | InitialAccess | 🔗 GitHub Only |
| Abnormally long DNS URI queries | CommandAndControl, Exfiltration | 📦 Windows Server DNS |
| Abuse.ch Recent Threat Feed | Execution, Persistence, Privilege escalation, Credential Access, Discovery, Impact, Exploit, Malware, component, Ransomware | 🔗 GitHub Only |
| Abuse.ch Recent Threat Feed (1) | Execution, Persistence, Privilege escalation, Credential Access, Discovery, Impact, Exploit, Malware, component, Ransomware | 🔗 GitHub Only |
| Abusing settingcontent-ms | - | 🔗 GitHub Only |
| Accessibility Features | - | 🔗 GitHub Only |
| Account Added to Privileged PIM Group | Persistence, PrivilegeEscalation | 🔗 GitHub Only |
| Account Brute Force | - | 📦 Microsoft Defender XDR |
| Account brute force | - | 🔗 GitHub Only |
| Account brute force (1) | - | 🔗 GitHub Only |
| Account Creation | - | 📦 Microsoft Defender XDR |
| Account MFA Modifications | DefenseEvasion, Persistence | 🔗 GitHub Only |
| Acronis - Agent failed updating more than twice in a day | - | 📦 Acronis Cyber Protect Cloud |
| Acronis - Agents offline for 2 days or more | DefenseEvasion | 📦 Acronis Cyber Protect Cloud |
| Acronis - ASZ defence: Unauthorized operation is detected and blocked | - | 📦 Acronis Cyber Protect Cloud |
| Acronis - Audit Log | - | 📦 Acronis Cyber Protect Cloud |
| Acronis - Cloud Connection Errors | - | 📦 Acronis Cyber Protect Cloud |
| Acronis - Endpoints Accessing Malicious URLs | Execution | 📦 Acronis Cyber Protect Cloud |
| Acronis - Endpoints Infected by Ransomware | Impact | 📦 Acronis Cyber Protect Cloud |
| Acronis - Endpoints with Backup issues | - | 📦 Acronis Cyber Protect Cloud |
| Acronis - Endpoints with EDR Incidents | - | 📦 Acronis Cyber Protect Cloud |
| Acronis - Endpoints with high failed login attempts | - | 📦 Acronis Cyber Protect Cloud |
| Acronis - Inboxes with Malicious Content | InitialAccess | 📦 Acronis Cyber Protect Cloud |
| Acronis - Login from Abnormal IP - Low Occurrence | InitialAccess | 📦 Acronis Cyber Protect Cloud |
| Acronis - Protection Service Errors | - | 📦 Acronis Cyber Protect Cloud |
| AcroRd-Exploits | - | 🔗 GitHub Only |
| Active Directory Account lockout and unlocks | Initial Access | 📄 Standalone Content |
| Active Directory Sensitive Group Modifications | Privilege escalation, Credential Access | 🔗 GitHub Only |
| AD Account Lockout | Impact | 📦 Windows Security Events |
| AD Account Lockout | Impact | 🔗 GitHub Only |
| AD FS Database Local SQL Statements | Collection | 🔗 GitHub Only |
| Add malicious user to Admins and RDP users group via PowerShell | Persistence | 🔗 GitHub Only |
| Add uncommon credential type to application [Nobelium] | Privilege escalation | 🔗 GitHub Only |
| AddedCredentialFromContryXAndSigninFromCountryY | Persistence | 🔗 GitHub Only |
| ADFSDomainTrustMods[Nobelium] | Defense evasion | 🔗 GitHub Only |
| Admin consent granted to application | CredentialAccess, Persistence | 📄 Standalone Content |
| Admin privilege granted (Okta) | Persistence | 📦 Okta Single Sign-On |
| Admin SaaS account detected | PrivilegeEscalation | 📦 Authomize |
| Admin Submission Trend (FN) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submission Trend (FN) | InitialAccess | 🔗 GitHub Only |
| Admin Submission Trend (FP) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submission Trend (FP) | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by Detection Type | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by Detection Type | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by DetectionMethod (Phish FP) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by DetectionMethod (Phish FP) | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by DetectionMethod (Spam FP) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by DetectionMethod (Spam FP) | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by Grading verdict (FN-FP) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by Grading verdict (FN-FP) | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by Submission State (FN) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by Submission State (FN) | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by Submission State (FP) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by Submission State (FP) | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by Submission Type (FN) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by Submission Type (FN) | InitialAccess | 🔗 GitHub Only |
| Admin Submissions by Submission Type (FP) | InitialAccess | 📦 Microsoft Defender XDR |
| Admin Submissions by Submission Type (FP) | InitialAccess | 🔗 GitHub Only |
| Administrators Authenticating to Another Microsoft Entra ID Tenant | InitialAccess | 🔗 GitHub Only |
| Affected rows stateful anomaly on database - hunting query | Impact | 📦 Azure SQL Database solution for sentinel |
| AI Agents - MCP Tool Configured | Execution | 🔗 GitHub Only |
| AI Agents - Orphaned Agents with Disabled Owners | Persistence, DefenseEvasion | 🔗 GitHub Only |
| AI Agents - Unpublished Unmodified (30d) | - | 🔗 GitHub Only |
| AIR investigation actions insight | InitialAccess | 📦 Microsoft Defender XDR |
| AIR investigation actions insight | InitialAccess | 🔗 GitHub Only |
| Alert Events from Internal IP Address | - | 🔗 GitHub Only |
| Alerts On Host | Persistence, Discovery, LateralMovement, Collection | 📄 Standalone Content |
| Alerts related to account | Persistence, Discovery, LateralMovement, Collection | 🔗 GitHub Only |
| Alerts related to File | Persistence, Discovery, LateralMovement, Collection | 📄 Standalone Content |
| Alerts related to IP | Persistence, Discovery, LateralMovement, Collection | 📄 Standalone Content |
| Alerts Related to Log4j Vulnerability | InitialAccess | 📦 Microsoft Defender XDR |
| Alerts related to Log4j vulnerability | Vulnerability | 🔗 GitHub Only |
| Alerts With This Process | Persistence, Discovery, LateralMovement, Collection | 🔗 GitHub Only |
| alt-data-streams | Defense evasion | 🔗 GitHub Only |
| Anomalies on users tagged as VIP | - | 📦 UEBA Essentials |
| Anomalous .NET runtime loading for fileless payload | DefenseEvasion, Execution | 📄 Standalone Content |
| Anomalous access to other users' mailboxes | Collection | 📦 Microsoft 365 |
| Anomalous action performed in tenant by privileged user | - | 📦 UEBA Essentials |
| Anomalous Activity Role Assignment | PrivilegeEscalation | 📦 UEBA Essentials |
| Anomalous AWS Console Login Without MFA from Uncommon Country | InitialAccess, CredentialAccess | 📦 UEBA Essentials |
| Anomalous Azure Operation Hunting Model | LateralMovement, CredentialAccess | 📦 Azure Activity |
| Anomalous Code Execution on a Virtual Machine | Execution | 📦 UEBA Essentials |
| Anomalous connection from highly privileged user | - | 📦 UEBA Essentials |
| Anomalous Database Export Activity | Collection | 📦 UEBA Essentials |
| Anomalous Database Vulnerability Baseline Removal | DefenseEvasion | 📦 UEBA Essentials |
| Anomalous Device Models | - | 🔗 GitHub Only |
| Anomalous Entra High-Privilege Role Modification | Persistence | 📦 UEBA Essentials |
| Anomalous Failed Logon | CredentialAccess | 📦 UEBA Essentials |
| Anomalous First-Time Device Logon | InitialAccess, LateralMovement | 📦 UEBA Essentials |
| Anomalous GCP IAM Activity | PrivilegeEscalation, Persistence, CredentialAccess | 📦 UEBA Essentials |
| Anomalous Geo Location Logon | InitialAccess | 📦 UEBA Essentials |
| Anomalous High-Privileged Role Assignment | Persistence | 📦 UEBA Essentials |
| Anomalous High-Score Activity Triage | - | 📦 UEBA Essentials |
| Anomalous Key Vault Modification by High-Privilege User | - | 📦 UEBA Essentials |
| Anomalous login activity originated from Botnet, Tor proxy or C2 | - | 📦 UEBA Essentials |
| Anomalous Microsoft Entra ID Account Creation | Persistence | 📦 UEBA Essentials |
| Anomalous Microsoft Entra ID apps based on authentication location | InitialAccess | 📄 Standalone Content |
| Anomalous non-interactive token issuance after interactive sign-in (AiTM pattern) | InitialAccess, CredentialAccess | 📄 Standalone Content |
| Anomalous Okta First-Time or Uncommon Actions | InitialAccess, CredentialAccess, Persistence | 📦 UEBA Essentials |
| Anomalous Password Reset | Impact | 📦 UEBA Essentials |
| Anomalous Payload Delivered from ISO files | Execution | 📦 Microsoft Defender XDR |
| Anomalous Query Execution Time | Impact | 📦 Azure SQL Database solution for sentinel |
| Anomalous Query Execution Time | InitialAccess | 📦 Azure SQL Database solution for sentinel |
| Anomalous RDP Activity | LateralMovement | 📦 UEBA Essentials |
| Anomalous Resource Access | LateralMovement | 📦 UEBA Essentials |
| Anomalous Resource Creation and related Network Activity | Impact | 📄 Standalone Content |
| Anomalous Sign-in by New or Dormant Account | Persistence | 📦 UEBA Essentials |
| Anomalous sign-in location by user account and authenticating application | InitialAccess | 📄 Standalone Content |
| Anomalous sign-in location by user account and authenticating application - with sign-in details | InitialAccess | 📄 Standalone Content |
| anomalous-payload-delivered-from-iso-file | Execution | 🔗 GitHub Only |
| Anomaly Detection Trend Analysis | - | 📦 UEBA Essentials |
| Anomaly of MailItemAccess by GraphAPI [Nobelium] | Exfiltration | 🔗 GitHub Only |
| Anomaly of MailItemAccess by Other Users Mailbox [Nobelium] | Collection | 🔗 GitHub Only |
| Anomaly Template Distribution by Tactics and Techniques | - | 📦 UEBA Essentials |
| Anomolous Sign Ins Based on Time | InitialAccess | 🔗 GitHub Only |
| Antivirus detections | - | 🔗 GitHub Only |
| Antivirus detections (1) | - | 🔗 GitHub Only |
| Apache - Rare files requested | InitialAccess | 📦 ApacheHTTPServer |
| Apache - Rare URLs requested | InitialAccess | 📦 ApacheHTTPServer |
| Apache - Rare user agents | InitialAccess | 📦 ApacheHTTPServer |
| Apache - Rare user agents with client errors | InitialAccess | 📦 ApacheHTTPServer |
| Apache - Requests to unexisting files | InitialAccess | 📦 ApacheHTTPServer |
| Apache - Top files requested with errors | InitialAccess | 📦 ApacheHTTPServer |
| Apache - Top Top files requested | InitialAccess | 📦 ApacheHTTPServer |
| Apache - Top URLs with client errors | Impact, InitialAccess | 📦 ApacheHTTPServer |
| Apache - Top URLs with server errors | Impact, InitialAccess | 📦 ApacheHTTPServer |
| Apache - Unexpected Post Requests | Persistence, CommandAndControl | 📦 ApacheHTTPServer |
| ApexOne - Behavior monitoring actions by files | Execution | 📦 Trend Micro Apex One |
| ApexOne - Behavior monitoring event types by users | Privilege Escalation, Persistence | 📦 Trend Micro Apex One |
| ApexOne - Behavior monitoring operations by users | Execution | 📦 Trend Micro Apex One |
| ApexOne - Behavior monitoring triggered policy by command line | Execution | 📦 Trend Micro Apex One |
| ApexOne - Channel type by users | CommandandControl | 📦 Trend Micro Apex One |
| ApexOne - Data loss prevention action by IP | Collection | 📦 Trend Micro Apex One |
| ApexOne - Rare application protocols by Ip address | InitialAccess | 📦 Trend Micro Apex One |
| ApexOne - Spyware detection | Execution | 📦 Trend Micro Apex One |
| ApexOne - Suspicious files events | Execution | 📦 Trend Micro Apex One |
| ApexOne - Top sources with alerts | Execution, InitialAccess, PrivilegeEscalation, DefenseEvasion, CommandAndControl, Exfiltration | 📦 Trend Micro Apex One |
| app-armor-stopped | - | 🔗 GitHub Only |
| Application Granted EWS Permissions | Collection, PrivilegeEscalation | 📦 Cloud Identity Threat Protection Essentials |
| Application not using client credentials | Impact | 📦 SenservaPro |
| Application registration or update with external redirect URI | CredentialAccess | 📄 Standalone Content |
| AppLocker Policy Design Assistant | - | 🔗 GitHub Only |
| Approved Access Packages Details | DefenseEvasion, Persistence | 🔗 GitHub Only |
| Appspot Phishing Abuse | InitialAccess | 📦 Microsoft Defender XDR |
| Appspot Phishing Abuse | InitialAccess | 📦 Microsoft Defender XDR |
| Appspot Phishing Abuse | InitialAccess | 🔗 GitHub Only |
| APT Baby Shark | - | 🔗 GitHub Only |
| apt sofacy | - | 🔗 GitHub Only |
| apt sofacy zebrocy | - | 🔗 GitHub Only |
| apt ta17 293a ps | - | 🔗 GitHub Only |
| apt tropictrooper | - | 🔗 GitHub Only |
| apt unidentified nov 18 | - | 🔗 GitHub Only |
| apt unidentified nov 18 (1) | - | 🔗 GitHub Only |
| APT29 thinktanks | - | 🔗 GitHub Only |
| ARS Ransomware Event triggered | Ransomware | 🔗 GitHub Only |
| ASR rules categorized detection graph | - | 🔗 GitHub Only |
| ateral Movement Risk - Role Chain Length | PrivilegeEscalation | 📦 Authomize |
| ATP policy status check | DefenseEvasion | 📦 Microsoft Defender XDR |
| ATP policy status check | DefenseEvasion | 🔗 GitHub Only |
| Attacked more than x times average | InitialAccess | 📦 Microsoft Defender XDR |
| Attacked more than x times average | InitialAccess | 🔗 GitHub Only |
| Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value | DefenseEvasion | 📦 Cyborg Security HUNTER |
| Audit Email Preview-Download action | PrivilegeEscalation | 📦 Microsoft Defender XDR |
| Audit Email Preview-Download action | PrivilegeEscalation | 🔗 GitHub Only |
| Authentication failures by time and authentication type | InitialAccess | 📦 Microsoft Defender XDR |
| Authentication failures by time and authentication type | InitialAccess | 🔗 GitHub Only |
| Automated email notifications and suspicious sign-in activity | InitialAccess | 📦 Microsoft Defender XDR |
| Automated email notifications and suspicious sign-in activity | InitialAccess | 🔗 GitHub Only |
| AV Detections with Source | - | 🔗 GitHub Only |
| AV Detections with USB Disk Drive | - | 🔗 GitHub Only |
| AWS Security Hub - CloudTrail trails without log file validation | DefenseEvasion | 📦 AWS Security Hub |
| AWS Security Hub - EC2 instances with public IPv4 address | InitialAccess, Exfiltration | 📦 AWS Security Hub |
| AWS Security Hub - IAM users with console password and no MFA | PrivilegeEscalation, CredentialAccess, DefenseEvasion | 📦 AWS Security Hub |
| AWSCloudTrail - Activity in unused or unsupported cloud regions | DefenseEvasion | 📦 Amazon Web Services |
| AWSCloudTrail - AWS STS token suspicious activity from EC2 | CredentialAccess, LateralMovement | 📦 Amazon Web Services |
| AWSCloudTrail - EC2 Instance Launched Without Key Pair | Execution | 📦 Amazon Web Services |
| AWSCloudTrail - ECR Container Image Low Severity Findings | Execution | 📦 Amazon Web Services |
| AWSCloudTrail - ECR Container Image Medium Severity Findings | Execution | 📦 Amazon Web Services |
| AWSCloudTrail - Failed Brute Force on S3 Bucket | Discovery | 📦 Amazon Web Services |
| AWSCloudTrail - High Volume of Enumeration Events | Discovery | 📦 Amazon Web Services |
| AWSCloudTrail - IAM AccessDenied discovery events | Discovery | 📦 Amazon Web Services |
| AWSCloudTrail - IAM Assume Role Brute Force | CredentialAccess, PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM CreateLoginProfile Activity | Persistence, PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM login profile updated | Persistence | 📦 Amazon Web Services |
| AWSCloudTrail - IAM New Access Key Created for User | Persistence, PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM Policy Change Activity | PrivilegeEscalation, DefenseEvasion | 📦 Amazon Web Services |
| AWSCloudTrail - IAM Policy with Excessive Wildcard Permissions | PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM Privilege Escalation by Instance Profile Attachment | PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM Privileged Role Attached to Instance | PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM Risky Role Name Created | Persistence, PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM suspicious STS AssumeRole from unseen identity | InitialAccess, DefenseEvasion, PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - IAM user and group object changes | PrivilegeEscalation, DefenseEvasion | 📦 Amazon Web Services |
| AWSCloudTrail - Lambda function code updated | Execution, Persistence | 📦 Amazon Web Services |
| AWSCloudTrail - Lambda function throttled | Impact | 📦 Amazon Web Services |
| AWSCloudTrail - Lambda layer imported from external account | Persistence, DefenseEvasion | 📦 Amazon Web Services |
| AWSCloudTrail - Multiple Failed Login Attempts Without MFA | CredentialAccess | 📦 Amazon Web Services |
| AWSCloudTrail - Network ACL entry deleted | DefenseEvasion | 📦 Amazon Web Services |
| AWSCloudTrail - RDS Master Password Changed | Persistence, PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - Root User New Access Key Created | Persistence, PrivilegeEscalation | 📦 Amazon Web Services |
| AWSCloudTrail - Route table attribute modifications | DefenseEvasion | 📦 Amazon Web Services |
| AWSCloudTrail - S3 Bucket Deleted | Impact | 📦 Amazon Web Services |
| AWSCloudTrail - S3 Bucket Encryption Configuration Modified | Impact | 📦 Amazon Web Services |
| AWSCloudTrail - S3 Bucket Versioning Suspended | Impact | 📦 Amazon Web Services |
| AWSCloudTrail - STS token suspicious activity from ECS | CredentialAccess, LateralMovement | 📦 Amazon Web Services |
| AWSCloudTrail - STS token suspicious activity from Glue | CredentialAccess, LateralMovement | 📦 Amazon Web Services |
| AWSCloudTrail - STS Token Suspicious Activity from Kubernetes Worker Node | CredentialAccess, LateralMovement | 📦 Amazon Web Services |
| AWSCloudTrail - STS Token Suspicious Activity from Lambda | CredentialAccess, LateralMovement | 📦 Amazon Web Services |
| AWSCloudTrail - Subnet attribute modifications | DefenseEvasion | 📦 Amazon Web Services |
| AWSCloudTrail - VPC attribute modifications | DefenseEvasion | 📦 Amazon Web Services |
| Azure CloudShell Usage | Execution | 📄 Standalone Content |
| Azure DevOps - Build Check Deleted | DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps - Build Deleted After Pipeline Modification | Persistence | 📦 AzureDevOpsAuditing |
| Azure DevOps - Internal Upstream Package Feed Added | InitialAccess | 📦 AzureDevOpsAuditing |
| Azure DevOps - New Agent Pool Created | DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps - New Package Feed Created | InitialAccess | 📦 AzureDevOpsAuditing |
| Azure DevOps - New PAT Operation | DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps - New Release Approver | DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps - New Release Pipeline Created | Persistence, Execution, PrivilegeEscalation | 📦 AzureDevOpsAuditing |
| Azure DevOps - Variable Created and Deleted | DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps Display Name Changes | Persistence, DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps Pull Request Policy Bypassing | Execution | 📦 AzureDevOpsAuditing |
| Azure DevOps- Addtional Org Admin added | Persistence, DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps- Guest users access enabled | Persistence, DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps- Microsoft Entra ID Protection Conditional Access Disabled | Persistence, DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps- Project visibility changed to public | Collection | 📦 AzureDevOpsAuditing |
| Azure DevOps- Public project created | Persistence, DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure DevOps- Public project enabled by admin | Persistence, DefenseEvasion | 📦 AzureDevOpsAuditing |
| Azure Key Vault Access Policy Manipulation | CredentialAccess | 📦 Cloud Service Threat Protection Essentials |
| Azure Machine Learning Write Operations | InitialAccess, Execution, Impact | 📦 Azure Activity |
| Azure Network Security Group NSG Administrative Operations | Impact | 📦 Azure Activity |
| Azure RBAC AKS created role details | Persistence | 📦 Azure kubernetes Service |
| Azure Resources Assigned Public IP Addresses | Impact | 📦 Cloud Service Threat Protection Essentials |
| Azure secure score admin MFA V2 | Impact | 📦 SenservaPro |
| Azure secure score block legacy authentication | CredentialAccess | 📦 SenservaPro |
| Azure secure score integrated apps | Exfiltration | 📦 SenservaPro |
| Azure secure score MFA registration V2 | CredentialAccess | 📦 SenservaPro |
| Azure secure score one admin | Impact | 📦 SenservaPro |
| Azure secure score PW age policy new | CredentialAccess | 📦 SenservaPro |
| Azure secure score role overlap | Impact | 📦 SenservaPro |
| Azure Secure Score Self Service Password Reset | Impact | 📦 SenservaPro |
| Azure secure score sign in risk policy | Impact | 📦 SenservaPro |
| Azure secure score user risk policy | Impact | 📦 SenservaPro |
| Azure Storage File Create and Delete | Exfiltration | 🔗 GitHub Only |
| Azure Storage File Create, Access, Delete | Exfiltration | 🔗 GitHub Only |
| Azure Storage file upload from VPS Providers | LateralMovement | 🔗 GitHub Only |
| Azure storage key enumeration | Discovery | 📦 Azure Activity |
| Azure Storage Mass File Deletion | Impact | 🔗 GitHub Only |
| Azure Virtual Network Subnets Administrative Operations | Impact | 📦 Azure Activity |
| Azure VM Run Command executed from Azure IP address | LateralMovement, CredentialAccess | 📦 Azure Activity |
| Azure VM Run Command linked with MDE | LateralMovement, CredentialAccess | 🔗 GitHub Only |
| Azure WAF Log4j CVE-2021-44228 hunting | InitialAccess | 📦 Apache Log4j Vulnerability Detection |
| AzureActivity Administration From VPS Providers | InitialAccess | 📦 Azure Activity |