472 Active Solutions
416 Active Connectors
1938 Tables
6518 Content Items
564 Parsers
209 ASIM Parsers
Solution | Status | Publisher | Support | First Published | Popularity | Connectors | Tables | Content
1PasswordActive1PasswordPartner2023-12-01🟢 High3119
42Crunch API ProtectionActive42Crunch API ProtectionPartner2022-09-211112
A365 ObservabilityActiveMicrosoft CorporationMicrosoft2026-02-25⚪ Very Low100
AbnormalSecurityActiveAbnormal SecurityPartner2021-10-20🟡 Low2110
AbuseIPDBActiveMicrosoft CorporationMicrosoft2022-05-23🟡 Low003
Acronis Cyber Protect CloudActiveAcronis International GmbHPartner2025-10-28⚪ Very Low0017
AgariUnpublishedAgariPartner2022-05-02130
AgileSec Analytics ConnectorActiveInfoSecGlobalPartner⚪ Very Low111
AI Analyst DarktraceActiveDarktracePartner2022-05-02211
AIShield AI Security MonitoringActiveAIShieldPartner2022-01-11⚪ Very Low1142
Akamai Security EventsActiveMicrosoft CorporationMicrosoft2022-03-23🟢 High211
ALC-WebCTRLActiveMicrosoft CorporationMicrosoft2021-11-18⚪ Very Low110
Alibaba CloudActiveMicrosoft CorporationMicrosoft2022-06-27⚪ Very Low111
Alibaba Cloud ActionTrailActiveMicrosoft CorporationMicrosoft2025-07-03⚪ Very Low110
Alibaba Cloud NetworkingActiveMicrosoft CorporationMicrosoft2026-02-12⚪ Very Low100
Alsid For ADUnpublishedAlsidPartner2022-05-061314 (+1 🔍)
Amazon Web ServicesActiveMicrosoft CorporationMicrosoft2022-05-26🟢 High35100
Amazon Web Services NetworkFirewallActiveMicrosoft CorporationMicrosoft2025-03-20🟡 Low130
Amazon Web Services Route 53ActiveMicrosoft CorporationMicrosoft2025-03-21🟡 Low110
AnvilogicActiveAnvilogicPartner2025-06-20⚪ Very Low111
Apache Log4j Vulnerability DetectionActiveMicrosoft CorporationMicrosoft2021-12-15🔵 Medium0017
ApacheHTTPServerActiveMicrosoft CorporationMicrosoft2021-10-27🔵 Medium1122
📦archTISUnpublished000
ARGOSCloudSecurityActiveARGOS Cloud SecurityPartner2022-08-16⚪ Very Low112
AristaAwakeSecurityActiveArista - Awake SecurityPartner2021-10-18⚪ Very Low114
ArmisActiveArmis CorporationPartner2022-08-02🟡 Low434
ArmorbloxActiveArmorbloxPartner2021-10-18113
Aruba ClearPassActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High211
AtlassianConfluenceAuditActiveMicrosoft CorporationMicrosoft2022-01-24🔵 Medium331
AtlassianJiraAuditActiveMicrosoft CorporationMicrosoft2022-01-10🔵 Medium2229
Attacker Tools Threat Protection EssentialsActiveMicrosoft CorporationMicrosoft2022-11-16🟡 Low006
Australian Cyber Security CentreActiveMicrosoft CorporationMicrosoft2022-11-23⚪ Very Low001
Auth0ActiveMicrosoft CorporationMicrosoft2022-08-18🟢 High222
AuthomizeUnpublishedAuthomizePartner2023-06-151128
AWS CloudFrontActiveMicrosoft CorporationMicrosoft2025-03-20🟢 High110
AWS EKSActiveMicrosoft CorporationMicrosoft2024-03-04⚪ Very Low110
AWS ELBActiveMicrosoft CorporationMicrosoft2026-03-20⚪ Very Low163
AWS Security HubActiveMicrosoft CorporationMicrosoft2025-03-12🟢 High1111
AWS Systems ManagerActiveMicrosoft CorporationMicrosoft🔵 Medium007
AWS VPC Flow LogsUnpublishedMicrosoft CorporationMicrosoft2025-07-30110
AWS_AccessLogsActiveMicrosoft CorporationMicrosoft2025-02-06🟡 Low110
AWS_IAMActiveMicrosoft CorporationMicrosoft2022-09-28🟢 High004
AWSAthenaActiveMicrosoft CorporationMicrosoft2022-11-18🔵 Medium001
Azure ActivityActiveMicrosoft CorporationMicrosoft2022-04-18🟢 High1131
Azure Batch AccountActiveMicrosoft CorporationMicrosoft2022-06-30🟢 High110
Azure Cloud NGFW By Palo Alto NetworksActivePalo Alto NetworksPartner2023-11-03🟢 High117
Azure Cognitive SearchActiveMicrosoft CorporationMicrosoft2022-06-28🟢 High110
📦Azure Data Lake Storage Gen1ActiveMicrosoft CorporationMicrosoft2022-06-24🟢 High110
Azure DDoS ProtectionActiveMicrosoft CorporationMicrosoft2022-05-13🟢 High113
Azure Event HubsActiveMicrosoft CorporationMicrosoft2022-06-01🟢 High110
Azure FirewallActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High11023
Azure Key VaultActiveMicrosoft CorporationMicrosoft2022-05-02🟢 High115
Azure kubernetes ServiceActiveMicrosoft CorporationMicrosoft2022-06-01🔵 Medium133
Azure Logic AppsActiveMicrosoft CorporationMicrosoft2022-06-24🟢 High110
Azure Network Security GroupsActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High110
Azure Resource GraphActiveMicrosoft CorporationMicrosoft2025-06-20🟢 High100
Azure Service BusActiveMicrosoft CorporationMicrosoft2022-06-29🟢 High110
Azure SQL Database solution for sentinelActiveMicrosoft CorporationMicrosoft2022-08-19🟢 High1119
Azure StorageActiveMicrosoft CorporationMicrosoft2022-05-12🟢 High150
Azure Stream AnalyticsActiveMicrosoft CorporationMicrosoft2022-06-24⚪ Very Low110
Azure Web Application Firewall (WAF)ActiveMicrosoft CorporationMicrosoft2022-05-18🟢 High1114
AzureDevOpsAuditingActiveMicrosoft CorporationMicrosoft2022-09-20🟢 High1137
AzureSecurityBenchmarkActiveMicrosoft CorporationMicrosoft2022-06-17🟢 High005
Barracuda CloudGen FirewallActiveCommunityCommunity2021-05-02🟢 High111 (+1 🔍)
Barracuda WAFActiveBarracudaPartner2022-05-13130
BETTER Mobile Threat Defense (MTD)ActiveBetter Mobile Security Inc.Partner2022-05-02⚪ Very Low141
Beyond Security beSECUREUnpublishedBeyond SecurityPartner2022-05-02130
BeyondTrustPMCloudActiveBeyondTrustPartner2025-10-31⚪ Very Low121
BigIDActiveBigIDPartner2025-10-07⚪ Very Low120
BitglassActiveMicrosoft CorporationMicrosoft2021-10-23🟡 Low1122
BitSightActiveBitSight SupportPartner2023-02-2011118
BitwardenActiveBitwarden IncPartner2024-05-12🔵 Medium134
Blackberry CylancePROTECTActiveMicrosoft CorporationMicrosoft2022-05-20🟡 Low111 (+1 🔍)
BlacklensActiveblacklens.io SupportPartner2025-12-31⚪ Very Low111
BlinkOpsActiveBlink SupportPartner2025-05-05🟡 Low002
BloodHound EnterpriseActiveSpecterOpsPartner2023-05-0411108
BoxActiveMicrosoft CorporationMicrosoft2022-05-20🔵 Medium2222
Broadcom SymantecDLPActiveMicrosoft CorporationMicrosoft2022-05-02⚪ Very Low211
Business Email Compromise - Financial FraudActiveMicrosoft CorporationMicrosoft2023-08-04⚪ Very Low0020
CensysUnpublishedCensys SupportPartner2026-03-050012
Check PointActiveCheck PointPartner2021-08-13🟡 Low002
Check Point CloudGuard CNAPPActiveCheck PointPartner2024-11-12🟡 Low110
Check Point Cyberint AlertsActiveCheck PointPartner2025-03-18⚪ Very Low1111
Check Point Cyberint IOCActiveCyberintPartner2025-04-29🟡 Low110
CheckPhish by BolsterActiveMicrosoft CorporationMicrosoft2022-10-12⚪ Very Low001
Cisco ACIActiveMicrosoft CorporationMicrosoft2021-07-03🟡 Low111
Cisco ETDActiveCisco SystemsPartner2024-03-04⚪ Very Low111
Cisco Firepower EStreamerActiveCiscoPartner2022-05-25🔵 Medium213
Cisco ISEActiveMicrosoft CorporationMicrosoft2021-07-03🟢 High1125
Cisco Meraki Events via REST APIActiveMicrosoft CorporationMicrosoft2023-07-12🔵 Medium130
Cisco SD-WANActiveCisco SystemsPartner2023-06-01🔵 Medium128 (+4 🔍)
Cisco Secure Cloud AnalyticsActiveMicrosoft CorporationMicrosoft2021-10-20⚪ Very Low111
Cisco Secure EndpointActiveMicrosoft CorporationMicrosoft2021-10-28🟡 Low2323
Cisco UCSActiveMicrosoft CorporationMicrosoft2022-05-02⚪ Very Low111
CiscoASAActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High226
CiscoDuoSecurityActiveCisco SystemsPartner2022-01-07⚪ Very Low1122
CiscoMerakiActiveMicrosoft CorporationMicrosoft2021-09-08🟢 High337
CiscoSEGActiveMicrosoft CorporationMicrosoft2021-06-23🟡 Low2123
CiscoUmbrellaActiveMicrosoft CorporationMicrosoft2022-04-01🟢 High21226
CiscoWSAActiveMicrosoft CorporationMicrosoft2021-06-29⚪ Very Low1123
Citrix ADCActiveMicrosoft CorporationMicrosoft2022-06-02🟢 High111 (+1 🔍)
Citrix Analytics CCFUnpublishedCitrix Systems, Inc.Partner2026-01-21161
Citrix Analytics for SecurityActiveCitrix SystemsPartner2022-05-06141
Citrix Web App FirewallActiveCitrix SystemsPartner2022-05-06🟡 Low211
ClarotyActiveMicrosoft CorporationMicrosoft2021-10-23🔵 Medium2122
Claroty xDomeActivexDome Customer SupportPartner2024-02-01🔵 Medium110
Cloud Identity Threat Protection EssentialsActiveMicrosoft CorporationMicrosoft2022-11-16🔵 Medium0010
Cloud Service Threat Protection EssentialsActiveMicrosoft CorporationMicrosoft2022-11-16⚪ Very Low002
CloudflareActiveCloudflarePartner2021-10-20🟢 High2222
Cloudflare CCFActiveCloudflarePartner2025-09-30⚪ Very Low1122
CofenseIntelligenceUnpublishedCofense SupportPartner2023-05-26121
CofenseTriageUnpublishedCofense SupportPartner2023-03-24131
CognniActiveCognniPartner2022-05-06⚪ Very Low1116
CognyteLuminarActiveCognyte LuminarPartner2023-09-15⚪ Very Low110
CohesitySecurityActiveCohesityPartner2022-10-10🟡 Low115
Common Event FormatActiveMicrosoft CorporationMicrosoft2022-05-30🟢 High211
Commvault Security IQActiveCommvaultPartner2023-08-17⚪ Very Low114
ContinuousDiagnostics&MitigationActiveMicrosoft CorporationMicrosoft2022-08-24⚪ Very Low003
Contrast ProtectActiveContrast ProtectPartner2021-10-20215
ContrastADRActiveContrast SecurityPartner2025-01-18⚪ Very Low2417
CorelightActiveCorelightPartner2022-06-01⚪ Very Low1108153
Cortex XDRActiveMicrosoft CorporationMicrosoft2023-07-12🔵 Medium254
CriblActiveCriblPartner2024-08-01🔵 Medium144
CrowdStrike Falcon Endpoint ProtectionActiveMicrosoft CorporationMicrosoft2022-06-01🟢 High6309 (+1 🔍)
CTERAActiveCTERAPartner2024-07-28⚪ Very Low1110
📦CTM360ActiveCyber Threat Management 360Partner2023-10-23⚪ Very Low490 (+9 🔍)
CustomLogsAmaActiveMicrosoft CorporationMicrosoft2024-07-21🟢 High1160
CyberArk Privilege Access Manager (PAM) EventsActiveCyberarkPartner2022-05-02🔵 Medium211
CyberArkAuditActiveCyberArk SupportPartner2024-03-01🟢 High213
CyberArkEPMActiveCyberArk SupportPartner2022-04-101122
CybersecurityMaturityModelCertification(CMMC)2.0ActiveMicrosoft CorporationMicrosoft2022-01-06🟢 High006
Cybersixgill-Actionable-AlertsActiveCybersixgillPartner2023-02-27⚪ Very Low115
Cyble VisionActiveCyble SupportPartner2025-05-05🟡 Low1192 (+1 🔍)
Cyborg Security HUNTERActiveCyborg SecurityPartner2023-07-03⚪ Very Low1110
CyeraDSPMActiveCyera IncPartner2026-02-27⚪ Very Low150
Cyfirma Attack SurfaceActiveCYFIRMAPartner2025-03-27⚪ Very Low1612
Cyfirma Brand IntelligenceActiveCYFIRMAPartner2025-03-27⚪ Very Low1510
Cyfirma Compromised AccountsActiveCYFIRMAPartner2025-05-15🟡 Low113
Cyfirma Cyber IntelligenceActiveCYFIRMAPartner2025-05-15🟡 Low1436
Cyfirma Digital RiskActiveCYFIRMAPartner2025-03-27⚪ Very Low1714
Cyfirma Vulnerabilities IntelActiveCYFIRMAPartner2025-05-15⚪ Very Low114
CyjaxUnpublishedCyjaxPartner2026-03-24118
CynerioActiveCynerioPartner2023-03-29⚪ Very Low116 (+2 🔍)
Cyren-SentinelOne-ThreatIntelligenceActiveData443 Risk Mitigation, Inc.Partner2026-02-17⚪ Very Low001
CyrenThreatIntelligenceActiveData443 Risk Mitigation, Inc.Partner2025-11-16⚪ Very Low114
CywareActiveCywarePartner2024-03-18⚪ Very Low004
D3SmartSOARActiveD3 SecurityPartner2026-02-18⚪ Very Low111
DarktraceActiveDarktracePartner2022-05-02🟢 High114
DatabahnActiveDatabahnPartner2026-02-06⚪ Very Low130
Datalake2SentinelActiveOrange CyberdefensePartner2024-01-15🔵 Medium110
Dataminr PulseActiveDataminr SupportPartner2023-04-12🔵 Medium1110
DatawizaActiveDatawiza Technology Inc.Partner2025-11-10⚪ Very Low111
Delinea Secret ServerActiveDelineaPartner2022-05-06🔵 Medium211
Dev 0270 Detection and HuntingActiveMicrosoft CorporationMicrosoft2022-11-29🟡 Low004
DEV-0537DetectionandHuntingActiveMicrosoft CorporationMicrosoft2022-04-07001
Digital Guardian Data Loss PreventionActiveMicrosoft CorporationMicrosoft2021-07-23🔵 Medium1122
Digital ShadowsActiveDigital ShadowsPartner🔵 Medium114
DNS EssentialsActiveMicrosoft CorporationMicrosoft2023-01-14🔵 Medium0021
DomainToolsActiveDomainToolsPartner2022-10-20🔵 Medium009
DoppelActiveDoppelPartner2024-11-20🟡 Low111
DORA ComplianceActiveMicrosoft CorporationMicrosoft2025-10-08⚪ Very Low001
DPDP ComplianceActiveMicrosoft CorporationMicrosoft2026-01-26⚪ Very Low001
DragosActiveDragos IncPartner2025-01-23🟡 Low115
DruvaDataSecurityCloudActiveDruva IncPartner2024-12-24🟢 High135
Dynamics 365ActiveMicrosoft CorporationMicrosoft2023-01-17🟢 High110
DynatraceActiveDynatracePartner2022-10-18🔵 Medium8816
EatonForeseerActiveMicrosoft CorporationMicrosoft2022-06-28🟡 Low002
EclecticIQActiveMicrosoft CorporationMicrosoft2022-09-30⚪ Very Low002
Egress DefendUnpublishedegress1589289169584Partner2023-07-27124 (+1 🔍)
Egress IrisActiveEgress Software Technologies LtdPartner2024-03-11131
Elastic SearchUnpublishedMicrosoft CorporationMicrosoft2022-09-30001
ElasticAgentActiveMicrosoft CorporationMicrosoft2021-11-12⚪ Very Low110 (+1 🔍)
EndaceActiveEndacePartner2025-03-24⚪ Very Low001
Endpoint Threat Protection EssentialsActiveMicrosoft CorporationMicrosoft2022-11-16🔵 Medium0029
Entrust identity as ServiceActiveMicrosoft CorporationMicrosoft2023-05-22🟡 Low005
Ermes Browser SecurityActiveErmes Cyber Security S.p.A.Partner2023-09-29⚪ Very Low110
ESET InspectActiveESET EnterprisePartner2022-06-01110
ESET Protect PlatformUnpublishedESET Enterprise IntegrationsPartner2024-10-29121
Eset Security Management CenterUnpublishedEsetPartner2022-05-11113
ESETPROTECTActiveESET NetherlandsPartner2021-10-20114
Exabeam Advanced AnalyticsActiveMicrosoft CorporationMicrosoft2022-05-20🔵 Medium111
ExtraHopActiveExtraHop SupportPartner2025-02-11🔵 Medium113
ExtraHop Reveal(x)ActiveExtraHopPartner2022-05-19⚪ Very Low211
F5 Big-IPActiveF5 NetworksPartner2022-05-25🔵 Medium132
F5 NetworksActiveF5Partner2022-05-12🔵 Medium210
FalconFridayActiveFalconForcePartner2021-10-18⚪ Very Low0030
📦Farsight DNSDBActive000 (+4 🔍)
FeedlyActiveFeedly IncPartner2023-08-01⚪ Very Low110
FireEye Network SecurityActiveMicrosoft CorporationMicrosoft2022-06-01🟡 Low211
FlareActiveFlarePartner2021-10-20🔵 Medium1110
Forcepoint CASBActiveCommunityCommunity2022-05-19⚪ Very Low211
Forcepoint CSGActiveCommunityCommunity2022-05-10🟡 Low211
Forcepoint DLPActiveCommunityCommunity2022-05-09🔵 Medium111
Forcepoint NGFWActiveCommunityCommunity2022-05-25⚪ Very Low212
Forescout (Legacy)ActiveMicrosoft CorporationMicrosoft2022-06-01⚪ Very Low111
Forescout eyeInspect for OT SecurityUnpublishedForescout TechnologiesPartner2025-07-10121
ForescoutHostPropertyMonitorActiveForescout TechnologiesPartner2022-06-28⚪ Very Low133
ForgeRock Common Audit for CEFUnpublishedForgerockPartner2022-05-04111
Fortinet FortiGate Next-Generation Firewall connector for Microsoft SentinelActiveMicrosoft CorporationMicrosoft2021-08-13🟢 High214
Fortinet FortiNDR CloudActiveFortinetPartner2024-01-15🔵 Medium132
Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft SentinelActiveMicrosoft CorporationMicrosoft2022-05-23🔵 Medium217
Garrison ULTRAActiveGarrisonPartner2024-10-04⚪ Very Low110
GDPR Compliance & Data SecurityActiveMicrosoft CorporationMicrosoft2025-10-08⚪ Very Low001
Gigamon ConnectorActiveGigamonPartner🟡 Low111
GitHubActiveMicrosoft CorporationMicrosoft2021-10-18🟢 High4429
GitLabActiveMicrosoft CorporationMicrosoft2022-04-27🔵 Medium1112
Global Secure AccessActiveMicrosoft CorporationMicrosoft2024-04-08🟢 High0010
Google ApigeeActiveMicrosoft CorporationMicrosoft2021-10-28🔵 Medium223
Google Cloud Platform Audit LogsActiveMicrosoft CorporationMicrosoft2023-03-29🔵 Medium2112
Google Cloud Platform BigQueryActiveMicrosoft CorporationMicrosoft2023-03-02🔵 Medium003
Google Cloud Platform Cloud MonitoringActiveMicrosoft CorporationMicrosoft2022-07-01🟡 Low221
Google Cloud Platform Cloud RunActiveMicrosoft CorporationMicrosoft2021-07-30🟡 Low110
Google Cloud Platform Compute EngineActiveMicrosoft CorporationMicrosoft2022-07-07⚪ Very Low110
Google Cloud Platform Firewall LogsActiveMicrosoft CorporationMicrosoft2024-11-03⚪ Very Low110
Google Cloud Platform Load Balancer LogsActiveMicrosoft CorporationMicrosoft2025-02-12🔵 Medium110
Google Cloud Platform Security Command CenterActiveMicrosoft CorporationMicrosoft2023-09-11🟡 Low1110
Google Cloud Platform VPC Flow LogsActiveMicrosoft CorporationMicrosoft2025-02-12🟢 High110
Google Kubernetes EngineActiveMicrosoft CorporationMicrosoft2025-04-04⚪ Very Low160
Google Threat IntelligenceActiveGooglePartner2024-10-26🔵 Medium0016
GoogleCloudPlatformCDNActiveMicrosoft CorporationMicrosoft2025-03-07🟢 High110
GoogleCloudPlatformDNSActiveMicrosoft CorporationMicrosoft2022-07-07⚪ Very Low2223
GoogleCloudPlatformIAMActiveMicrosoft CorporationMicrosoft2021-07-30🟢 High2225
GoogleCloudPlatformIDSActiveMicrosoft CorporationMicrosoft2022-07-07🟡 Low110
GoogleCloudPlatformNATActiveMicrosoft CorporationMicrosoft2025-05-29⚪ Very Low120
GoogleCloudPlatformResourceManagerActiveMicrosoft CorporationMicrosoft2025-03-07🟡 Low110
GoogleCloudPlatformSQLActiveMicrosoft CorporationMicrosoft2021-07-30⚪ Very Low110
📦GoogleDirectoryUnpublished000 (+3 🔍)
GoogleWorkspaceReportsActiveMicrosoft CorporationMicrosoft2022-01-24🔵 Medium22324 (+2 🔍)
GravityZoneUnpublishedBitdefender SRLPartner2026-04-21110
GreyNoiseThreatIntelligenceActiveGreyNoisePartner2023-09-05⚪ Very Low116
📦Group-IBUnpublished000 (+23 🔍)
HalcyonActiveHalcyonPartner2025-12-22⚪ Very Low110
HIPAA ComplianceActiveMicrosoft CorporationMicrosoft2025-10-08⚪ Very Low001
HolmSecurityActiveHolm SecurityPartner2022-07-18🔵 Medium120
📦HoneyTokensUnpublished000
HYASActiveHYASPartner2021-10-20⚪ Very Low0025
HYAS ProtectActiveHYASPartner2023-09-26111
ibossActiveibossPartner2022-02-15🟡 Low213
Illumio CoreActiveMicrosoftMicrosoft2022-05-26211
Illumio InsightActiveIllumioPartner2025-08-10⚪ Very Low220
IllumioSaaSActiveIllumioPartner2024-05-13🔵 Medium2315
📦Illusive Active DefenseUnpublished000 (+2 🔍)
Illusive PlatformActiveIllusive NetworksPartner2022-05-25⚪ Very Low213
Imperva WAF GatewayUnpublishedImpervaPartner2022-05-02110
ImpervaCloudWAFActiveMicrosoft CorporationMicrosoft2021-09-28🔵 Medium2322
InfobloxActiveInfobloxPartner2024-07-15🟡 Low52027
Infoblox Cloud Data ConnectorActiveInfobloxPartner2021-10-202121
Infoblox NIOSActiveMicrosoft CorporationMicrosoft2022-04-01🟢 High1125
Infoblox SOC InsightsUnpublishedInfobloxPartner2024-03-063212
📦InsightVMUnpublished000
Integration for Atlassian BeaconActiveDEFEND Ltd.Partner2023-09-22⚪ Very Low112
Intel471ActiveIntel 471Partner2023-06-21002
IONIXActiveIONIXPartner2022-05-02🔵 Medium212
IoTOTThreatMonitoringwithDefenderforIoTActiveMicrosoft CorporationMicrosoft2021-10-26🔵 Medium1123 (+1 🔍)
IPinfoActiveIPinfoPartner2024-05-02⚪ Very Low20200
IPQualityScoreActiveIPQS Plugins TeamPartner2021-10-20🔵 Medium005
IronNet IronDefenseUnpublishedMicrosoft CorporationMicrosoft2021-10-18113 (+3 🔍)
ISC BindActiveMicrosoft CorporationMicrosoft2022-09-20⚪ Very Low111
IslandActiveIslandPartner2023-05-02🟡 Low352
Ivanti Unified Endpoint ManagementActiveMicrosoft CorporationMicrosoft2022-07-05🔵 Medium111
Jamf ProtectActiveJamf Software, LLCPartner2022-10-10🟢 High1312
JBossActiveMicrosoft CorporationMicrosoft2021-10-20🟡 Low111
JoeSandboxActiveStefan BühlmannPartner2025-09-12⚪ Very Low112
Joshua-CyberiskvisionActiveJoshua CyberiskvisionPartner2022-01-10⚪ Very Low009
Juniper SRXActiveMicrosoft CorporationMicrosoft2022-05-02🟢 High111
JuniperIDPActiveMicrosoft CorporationMicrosoft2021-03-31🔵 Medium111
Keeper SecurityActiveKeeper SecurityPartner2025-06-03🟢 High113
KnowBe4 DefendUnpublishedknowbe41678478380097Partner2025-02-05125
KQL TrainingActiveCommunityCommunity2022-11-30🔵 Medium002
Lastpass Enterprise Activity MonitoringActiveThe Collective ConsultingPartner2021-10-20🔵 Medium1110
Legacy IOC based Threat ProtectionActiveMicrosoft CorporationMicrosoft2022-12-19🔵 Medium0010
LookoutActiveLookoutPartner2021-10-18🔵 Medium2212
Lookout Cloud Security Platform for Microsoft SentinelActiveLookoutPartner2023-02-17113
Lumen Defender Threat FeedActiveLumen Technologies, Inc.Partner2025-09-122110
📦MailGuard 365ActiveMailGuard 365Partner2023-05-09⚪ Very Low110 (+4 🔍)
MailRiskActiveSecure PracticePartner2023-03-16⚪ Very Low110
Malware Protection EssentialsActiveMicrosoft CorporationMicrosoft2023-09-25🟡 Low0014
MarkLogicAuditActiveMicrosoft CorporationMicrosoft2022-08-01⚪ Very Low111
MaturityModelForEventLogManagementM2131ActiveMicrosoft CorporationMicrosoft2021-12-05🟡 Low0016
McAfee ePolicy OrchestratorActiveMicrosoft CorporationMicrosoft2021-03-251126
McAfee Network Security PlatformActiveMicrosoft CorporationMicrosoft2021-06-29111
meshStackActivemeshcloud GmbHPartner2025-12-15⚪ Very Low110
Microsoft 365ActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High1139 (+1 🔍)
Microsoft 365 AssetsActiveMicrosoft CorporationMicrosoft2025-06-20100
Microsoft Business ApplicationsActiveMicrosoft CorporationMicrosoft2023-04-19🟢 High4472
Microsoft CopilotActiveMicrosoftMicrosoft2025-10-01⚪ Very Low117
Microsoft Defender for CloudActiveMicrosoft CorporationMicrosoft2022-05-17🟢 High211
Microsoft Defender for Cloud AppsActiveMicrosoft CorporationMicrosoft2022-05-02🟢 High122
Microsoft Defender for IdentityActiveMicrosoft CorporationMicrosoft2022-04-20🟢 High110
Microsoft Defender for Office 365ActiveMicrosoft CorporationMicrosoft2022-05-17🟢 High116
Microsoft Defender Threat IntelligenceActiveMicrosoft CorporationMicrosoft2023-03-23🟢 High008
Microsoft Defender XDRActiveMicrosoft CorporationMicrosoft2022-05-02🟢 High122371 (+3 🔍)
Microsoft Entra IDActiveMicrosoft CorporationMicrosoft2022-05-16🟢 High11288
Microsoft Entra ID AssetsActiveMicrosoft CorporationMicrosoft2025-06-20⚪ Very Low100
Microsoft Entra ID ProtectionActiveMicrosoft CorporationMicrosoft2022-05-18🟢 High116
Microsoft Exchange Security - Exchange On-PremisesActiveCommunityCommunity2022-12-21🟢 High8613
Microsoft Exchange Security - Exchange OnlineActiveCommunityCommunity2022-12-21🟢 High1110
Microsoft PowerBIActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High111
Microsoft ProjectActiveMicrosoftMicrosoft2022-05-23🟢 High110
Microsoft PurviewActiveMicrosoft CorporationMicrosoft2021-11-23🟢 High113
Microsoft Purview Information ProtectionActiveMicrosoft CorporationMicrosoft2023-01-06🟢 High110
Microsoft Sysmon For LinuxActiveMicrosoft CorporationMicrosoft2021-10-27⚪ Very Low110
Microsoft Windows SQL Server Database AuditActiveCommunityCommunity2022-11-29🔵 Medium009
MicrosoftDefenderForEndpointActiveMicrosoft CorporationMicrosoft2022-01-31🟢 High1127
MicrosoftPurviewInsiderRiskManagementActiveMicrosoft CorporationMicrosoft2021-10-20🟢 High1112
MimecastActiveMimecastPartner2024-09-10🟢 High51130
MimecastAuditActiveMimecastPartner2022-02-24⚪ Very Low112
MimecastSEGActiveMimecastPartner2022-02-24🟡 Low1210
MimecastTIRegionalActiveMimecastPartner2023-08-23⚪ Very Low111
MimecastTTPActiveMimecastPartner2022-02-24⚪ Very Low134
MinemeldActiveMicrosoft CorporationMicrosoft2022-10-11⚪ Very Low002
MiroActiveMiroPartner⚪ Very Low220
MISP2SentinelActiveCommunityCommunity2023-07-29🟢 High110
MongoDBAtlasActiveMongoDBPartner2025-08-22⚪ Very Low110
MongoDBAuditActiveMicrosoft CorporationMicrosoft2022-06-01🟡 Low111
MorphisecActiveMorphisecPartner2022-05-05🔵 Medium114
MulesoftActiveMicrosoft CorporationMicrosoft2022-07-12🟢 High111
Multi Cloud Attack Coverage Essentials - Resource AbuseActiveMicrosoft CorporationMicrosoft2023-11-22⚪ Very Low009
NasuniActiveNasuniPartner2023-07-07⚪ Very Low113
NC Protect Data ConnectorActivearchTISPartner2021-10-20🔵 Medium111
NCSC-NL NDN Cyber Threat Intelligence SharingActiveMicrosoft CorporationMicrosoft2025-05-19⚪ Very Low001
NetApp Ransomware ResilienceUnpublishedNetAppPartner2026-02-16007
NetClean ProActiveActiveNetCleanPartner2022-06-30112
NetskopeActiveNetskopePartner2022-05-05🔵 Medium111 (+1 🔍)
Netskopev2ActiveNetskopePartner2024-03-18🔵 Medium32837
NetskopeWebTxActiveNetskopePartner2026-02-10⚪ Very Low1112
Network Session EssentialsActiveMicrosoft CorporationMicrosoft2022-11-11🟢 High0038
Network Threat Protection EssentialsActiveMicrosoft CorporationMicrosoft2022-11-16🔵 Medium005
Netwrix AuditorActiveMicrosoft CorporationMicrosoft2022-06-17🔵 Medium211
Neustar IP GeoPointActiveMicrosoft CorporationMicrosoft2022-09-30⚪ Very Low001
NGINX HTTP ServerActiveMicrosoft CorporationMicrosoft2021-12-16🟢 High1122
NISTSP80053ActiveMicrosoft CorporationMicrosoft2022-02-24🔵 Medium005
Noname API Security Solution for Microsoft SentinelActiveNoname SecurityPartner2022-12-01110
NordPassActiveNordPassPartner2025-04-22🔵 Medium1110
NozomiNetworksActiveMicrosoft CorporationMicrosoft2022-07-12🟡 Low211
NXLog BSM macOSActiveNXLogPartner2022-05-02110
NXLog FIMActiveNXLogPartner2022-08-15110
NXLog LinuxAuditActiveNXLogPartner2022-05-05110
NXLogAixAuditActiveNXLogPartner2022-05-05110 (+1 🔍)
NXLogDNSLogsActiveNXLogPartner2022-05-24111
Obsidian DatasharingActiveObsidian SecurityPartner2024-01-01⚪ Very Low120
Okta Single Sign-OnActiveMicrosoft CorporationMicrosoft2022-03-24🟢 High4324
Onapsis DefendActiveOnapsisPartner2025-07-17🔵 Medium120
Onapsis PlatformUnpublishedOnapsisPartner2022-05-11112
OneIdentityActiveOne IdentityPartner2022-05-02111 (+1 🔍)
OneLoginIAMActiveMicrosoft CorporationMicrosoft2022-08-18🟡 Low231
OneTrustActiveOneTrust, LLCPartner2025-10-24⚪ Very Low110
📦Open SystemsActiveOpen SystemsPartner2025-05-12⚪ Very Low140 (+5 🔍)
OpenAIUnpublishedMicrosoft CorporationMicrosoft2026-03-20120
OpenCTIActiveMicrosoft CorporationMicrosoft2022-09-22🔵 Medium004
OpenVPNActiveMicrosoft CorporationMicrosoft2022-08-18🟢 High111
Oracle Cloud InfrastructureActiveMicrosoft CorporationMicrosoft2022-06-01🟢 High3222
OracleDatabaseAuditActiveMicrosoft CorporationMicrosoft2021-11-05🔵 Medium1122
OracleWebLogicServerActiveMicrosoft CorporationMicrosoft2022-01-06🔵 Medium1122
Orca Security AlertsActiveOrca SecurityPartner2022-05-10🟡 Low111
OSSECActiveMicrosoft CorporationMicrosoft2022-05-19⚪ Very Low211
📦Palo Alto - XDR (Cortex)Unpublished110 (+2 🔍)
Palo Alto Cortex XDR CCPActiveMicrosoft CorporationMicrosoft2024-12-07🔵 Medium150
Palo Alto Cortex Xpanse CCFActiveMicrosoft CorporationMicrosoft2024-12-07⚪ Very Low110
Palo Alto Prisma Cloud CWPPActiveMicrosoft CorporationMicrosoft2022-06-24🔵 Medium210
PaloAlto-PAN-OSActiveMicrosoft CorporationMicrosoft2021-08-09🟢 High2116
PaloAltoCDLActiveMicrosoft CorporationMicrosoft2021-10-23🔵 Medium2122
PaloAltoPrismaCloudActiveMicrosoft CorporationMicrosoft2021-04-16🔵 Medium2424
Pathlock_TDnRActivePathlock Inc.Partner2022-02-17⚪ Very Low120
PCI DSS ComplianceActiveMicrosoft CorporationMicrosoft2022-06-29🔵 Medium001
📦PDNS Block Data ConnectorUnpublishedNominet PDNS SupportPartner2023-03-31110
Perimeter 81ActivePerimeter 81Partner2022-05-06⚪ Very Low111
PhosphorusActivePhosphorus Inc.Partner2024-08-13⚪ Very Low110
PingFederateActiveMicrosoft CorporationMicrosoft2022-06-01🔵 Medium2123
PingOneActiveMicrosoft CorporationMicrosoft2025-04-20🔵 Medium110
PostgreSQLActiveMicrosoft CorporationMicrosoft2022-06-27🟢 High111
📦Power PlatformUnpublished000
📦Prancer PenSuiteAI IntegrationActivePrancer PenSuiteAI IntegrationPartner2023-08-02⚪ Very Low110 (+14 🔍)
Proofpoint On demand(POD) Email SecurityActiveProofpoint, Inc.Partner2021-03-31⚪ Very Low2622
ProofPointTapActiveProofpoint, Inc.Partner2022-05-23⚪ Very Low286
Pulse Connect SecureActiveMicrosoft CorporationMicrosoft2022-05-02🟡 Low114
Pure StorageActivepurestoragemarketplaceadminPartner2024-02-05🔵 Medium009
Qualys VM KnowledgebaseActiveMicrosoft CorporationMicrosoft2022-05-17🟡 Low221
QualysVMActiveMicrosoft CorporationMicrosoft2020-12-14🟢 High238
QuokkaActiveQuokkaPartner2025-10-30⚪ Very Low112
RadiflowActiveRadiflowPartner2024-06-26⚪ Very Low119
Rapid7InsightVMActiveMicrosoft CorporationMicrosoft2021-07-07🔵 Medium245
Recorded FutureActiveRecorded Future Support TeamPartner2021-11-01🔵 Medium0033 (+4 🔍)
Recorded Future IdentityActiveRecorded Future Support TeamPartner2022-09-06🟡 Low009
📦Red CanaryActiveRed CanaryPartner2022-03-04110 (+1 🔍)
ReversingLabsActiveReversingLabsPartner2022-08-08⚪ Very Low006
RidgeSecurityActiveRidgeSecurityPartner2023-10-23⚪ Very Low112
RiskIQActiveMicrosoft CorporationMicrosoft2021-10-20🟡 Low0027
RSA SecurIDActiveMicrosoft CorporationMicrosoft2021-09-07🟡 Low111
RSAIDPlus_AdminLogs_ConnectorActiveRSA Support TeamPartner2025-10-14⚪ Very Low112
RubrikSecurityCloudActiveRubrikPartner2022-07-19🟢 High2519
SailPointIdentityNowActiveSailPointPartner2021-10-26🟢 High126
SalemCyberUnpublishedSalem CyberPartner2023-07-21002
Salesforce Service CloudActiveMicrosoft CorporationMicrosoft2022-05-16🟢 High225
Samsung Knox Asset IntelligenceActiveSamsung Electronics Co., Ltd.Partner2025-01-15🔵 Medium168
📦SAPUnpublished120 (+3 🔍)
SAP BTPActiveMicrosoft CorporationMicrosoft2023-04-04🔵 Medium1116
SAP ETD CloudActiveSAPPartner2025-02-17⚪ Very Low124
SAP LogServActiveSAPPartner2025-02-17🟢 High115
SAP S4 Cloud Public EditionActiveSAPPartner2025-09-12⚪ Very Low110
SecurityBridge AppActiveSecurityBridgePartner2022-02-17⚪ Very Low232
SecurityScorecard Cybersecurity RatingsActiveSecurityScorecardPartner2022-10-01331
SecurityThreatEssentialSolutionActiveMicrosoft CorporationMicrosoft2022-03-30🔵 Medium009
Semperis Directory Services ProtectorActiveSemperisPartner2021-10-181113 (+2 🔍)
SemperisLightningActiveSemperisPartner2026-03-01⚪ Very Low170
SenservaProActiveSenservaPartner2022-06-011133
SentinelOneActiveMicrosoft CorporationMicrosoft2024-11-26🟢 High2623
SentinelSOARessentialsActiveMicrosoft CorporationMicrosoft2022-06-27🟢 High0028 (+1 🔍)
SeraphicSecurityActiveSeraphic SecurityPartner2023-07-31⚪ Very Low110
ServicenowActiveMicrosoft CorporationMicrosoft2022-09-19🟢 High003
ServiceNow TISCActiveServiceNowPartner2025-01-15⚪ Very Low008
SevcoSecurityUnpublishedMicrosoft CorporationMicrosoft2023-05-01110
ShadowByte AriaActiveShadowbytePartner2021-12-24⚪ Very Low002
ShodanActiveMicrosoft CorporationMicrosoft2023-02-20🟡 Low003
SIGNL4ActiveDerdackPartner2021-12-10⚪ Very Low121
SilverfortActiveSilverfortPartner2024-09-01🔵 Medium115
SINEC Security GuardActiveSiemens AGPartner2024-07-15111
SlackAuditActiveMicrosoft CorporationMicrosoft2021-03-24⚪ Very Low3321
SlashNextActiveSlashNextPartner2022-08-12122
SlashNext SIEMActiveSlashNextPartner2023-05-26001
SnowflakeActiveMicrosoft CorporationMicrosoft2021-10-23🟢 High21122
SOC HandbookActiveCommunityCommunity2022-11-30🟢 High0013
SOC Prime CCFActiveSOC PrimePartner2025-09-25⚪ Very Low113
SOC-Process-FrameworkActiveMicrosoft CorporationMicrosoft2022-04-08🟡 Low0020
SOCRadarUnpublishedSOCRadarPartner2026-02-080011
SonicWall FirewallActiveSonicWallPartner2022-05-06🟢 High214
SonraiSecurityActiveSonraiPartner2021-10-18⚪ Very Low1110
Sophos Cloud OptixActiveSophosPartner2022-05-02110
Sophos Endpoint ProtectionActiveMicrosoft CorporationMicrosoft2021-07-07🟢 High231
Sophos XG FirewallActiveMicrosoft CorporationMicrosoft2021-10-20🟢 High114
SOX IT ComplianceActiveMicrosoft CorporationMicrosoft2025-12-11⚪ Very Low001
SpyCloud Enterprise ProtectionActiveSpycloudPartner2023-09-09⚪ Very Low0010
Squadra Technologies SecRmmActiveSquadra TechnologiesPartner2022-05-09112
SquidProxyActiveMicrosoft CorporationMicrosoft2022-05-16🔵 Medium111
Styx IntelligenceUnpublishedStyx IntelligencePartner2025-02-07110
Symantec Endpoint ProtectionActiveMicrosoft CorporationMicrosoft2022-07-01🔵 Medium114
Symantec Integrated Cyber DefenseActiveMicrosoft CorporationMicrosoft2022-06-02⚪ Very Low110
Symantec VIPActiveMicrosoft CorporationMicrosoft2022-05-16🟡 Low114
SymantecProxySGActiveMicrosoft CorporationMicrosoft2021-05-25🟢 High114
📦SynackActive000
SynqlyIntegrationConnectorActiveSynqlyPartner2026-01-30⚪ Very Low1100
SyslogActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High2118
TacitRed-Defender-ThreatIntelligenceActiveData443 Risk Mitigation, Inc.Partner2025-11-10⚪ Very Low001
TacitRed-IOC-CrowdStrikeActiveData443 Risk Mitigation, Inc.Partner2025-11-25⚪ Very Low001
TacitRed-SentinelOneActiveData443 Risk Mitigation, Inc.Partner2025-12-01⚪ Very Low001
TacitRedThreatIntelligenceActiveData443 Risk Mitigation, Inc.Partner2025-01-01⚪ Very Low113
TalonActiveTalon SecurityPartner2023-01-25⚪ Very Low111
TaniumActiveTanium Inc.Partner2022-05-16🔵 Medium11010
Team Cymru ScoutActiveTeam CymruPartner2024-07-16🟡 Low11428
TeamsActiveMicrosoft CorporationMicrosoft2022-02-01🔵 Medium003
Tenable AppActiveTenablePartner2024-06-06🟢 High2720
📦TenableADUnpublished120 (+15 🔍)
TenableIOActiveTenablePartner2022-06-01🟢 High123 (+2 🔍)
📦TestSolutionUnpublished000
TheHiveActiveMicrosoft CorporationMicrosoft2021-10-23⚪ Very Low213 (+1 🔍)
TheomActiveTheomPartner2022-11-04⚪ Very Low1121
Threat IntelligenceActiveMicrosoft CorporationMicrosoft2022-05-18🟢 High5258
Threat Intelligence (NEW)ActiveMicrosoft CorporationMicrosoft2025-04-02🟢 High6459
Threat Intelligence Solution for Azure GovernmentUnpublishedMicrosoft CorporationMicrosoft2023-03-06000
ThreatAnalysis&ResponseActiveMicrosoft CorporationMicrosoft2021-10-20🟡 Low002
ThreatConnectActiveThreatConnect, Inc.Partner2023-09-11⚪ Very Low006
ThreatXCloudActiveMicrosoft CorporationMicrosoft2022-09-23⚪ Very Low002
TomcatActiveMicrosoft CorporationMicrosoft2022-01-31🔵 Medium1123
TorqActiveTorq Support TeamPartner2024-12-24🔵 Medium001
TransmitSecurityActiveTransmit SecurityPartner2024-06-10⚪ Very Low110
TrellixActiveMicrosoft CorporationMicrosoft2026-02-26⚪ Very Low111
Trend Micro Apex OneActiveMicrosoft CorporationMicrosoft2021-07-06🟡 Low2122
Trend Micro Cloud App SecurityActiveMicrosoft CorporationMicrosoft2021-09-281121 (+1 🔍)
Trend Micro Deep SecurityActiveTrend MicroPartner2022-05-10🟡 Low113
Trend Micro TippingPointActiveTrend MicroPartner2022-05-02⚪ Very Low111
Trend Micro Vision OneActiveTrend MicroPartner2022-05-11🔵 Medium142
TropicoActiveTROPICO SecurityPartner2025-12-02⚪ Very Low330
Ubiquiti UniFiActiveMicrosoft CorporationMicrosoft2022-06-01🟢 High1122
UEBA EssentialsActiveMicrosoft CorporationMicrosoft2022-06-27🔵 Medium0031
UpwindUnpublishedUpwindPartner2026-03-10110
URLhausActiveMicrosoft CorporationMicrosoft2022-09-29🟡 Low003
Vaikora-SentinelUnpublishedData443 Risk Mitigation, Inc.Partner2026-04-03114
Valence SecurityActiveValence SecurityPartner2023-11-20⚪ Very Low112
ValimailEnforceUnpublishedValimailPartner2026-03-31118
vArmour Application ControllerActivevArmour NetworksPartner2022-06-01⚪ Very Low212
Varonis PurviewActiveVaronisPartner2025-10-27⚪ Very Low110
VaronisSaaSActiveVaronisPartner2023-11-10🟡 Low111
Vectra AI DetectActiveVectra AIPartner2022-05-24🟡 Low218
Vectra AI StreamActiveVectra AIPartner2021-10-18⚪ Very Low21820
Vectra XDRActiveVectra SupportPartner2023-07-04⚪ Very Low1633
VeeamActiveVeeam SoftwarePartner2025-08-26⚪ Very Low16164
Veritas NetBackupActiveVeritas Technologies LLCPartner2023-09-25🔵 Medium002
VersasecCMSActiveVersasec SupportPartner⚪ Very Low123
VirtualMetric DataStreamActiveVirtualMetricPartner2025-09-15⚪ Very Low310
VirusTotalActiveMicrosoft CorporationMicrosoft2022-07-31🟢 High009
Visa Threat Intelligence (VTI)UnpublishedVisa Inc.Partner2026-02-20113
VMRayActiveVMRayPartner2025-07-23⚪ Very Low112
VMware Carbon Black CloudActiveMicrosoftMicrosoft2022-06-01🟢 High2106
VMware SASEUnpublishedVMware by BroadcomPartner2023-12-311416
VMware vCenterActiveMicrosoft CorporationMicrosoft2022-06-29🟢 High114
VMWareESXiActiveMicrosoft CorporationMicrosoft2022-01-12🟢 High1126
VotiroUnpublishedVotiroPartner113
Watchguard FireboxActiveWatchGuardPartner2022-05-06🔵 Medium110 (+1 🔍)
Watchlists UtilitiesActiveMicrosoft CorporationMicrosoft2022-05-23🔵 Medium0012
Web Session EssentialsActiveMicrosoft CorporationMicrosoft2023-06-29⚪ Very Low0026
Web Shells Threat ProtectionActiveMicrosoft CorporationMicrosoft2022-05-22🟡 Low009
Windows FirewallActiveMicrosoft CorporationMicrosoft2022-05-02🔵 Medium221
Windows Forwarded EventsActiveMicrosoft CorporationMicrosoft2022-05-02🔵 Medium112 (+2 🔍)
Windows Security EventsActiveMicrosoft CorporationMicrosoft2022-05-23🟢 High2172
Windows Server DNSActiveMicrosoft CorporationMicrosoft2022-05-11🟢 High2315
WireX Network Forensics PlatformActiveWireX SystemsPartner2022-05-06⚪ Very Low210
WithSecureElementsViaConnectorUnpublishedWithSecurePartner2022-11-03110
WithSecureElementsViaFunctionActiveWithSecurePartner2024-02-22🟡 Low111
WizActiveWizPartner2023-06-20🟢 High161
WorkdayActiveMicrosoft CorporationMicrosoft2024-02-15🟢 High110
Workplace from FacebookActiveMicrosoft CorporationMicrosoft2022-05-18🟡 Low110 (+1 🔍)
XBOWActiveXBOWPartner2026-03-04⚪ Very Low134
ZeroFoxActiveZeroFoxPartner2023-07-28🔵 Medium2214
ZeroNetworksActiveZero NetworksPartner2022-06-06🟡 Low3512
ZeroTrust(TIC3.0)ActiveMicrosoft CorporationMicrosoft2021-10-20⚪ Very Low005
Zimperium Mobile Threat DefenseActiveZimperiumPartner2022-05-02⚪ Very Low121
Zinc Open SourceActiveMicrosoft CorporationMicrosoft2022-10-03⚪ Very Low003
ZoomReportsActiveMicrosoft CorporationMicrosoft2022-05-23🟡 Low222
Zscaler Internet AccessActiveZscalerPartner2022-10-1015127 (+2 🔍)
Zscaler Private Access (ZPA)ActiveMicrosoft CorporationMicrosoft2022-01-31🟢 High1122
Status legend: Active = published solution; Deprecated = deprecated solution; Unpublished = not on the content hub.
Connector | Status | Publisher | Collection Method | Ingestion API | Solution | Tables
Dragos Notifications via Cloud SitestoreActiveDragosCCFDragos1
Microsoft Active-Directory Domain Controllers Security Event LogsActiveMicrosoftAMAMicrosoft Exchange Security - Exchange On-Premises1
1Password 🔍Active1PasswordAzure Function1Password1
1Password (Serverless) 🔍ActiveUnknown (ARM variable)CCF1Password1
1Password (Serverless)Active1PasswordCCF1Password1
[Deprecated] AI Analyst Darktrace via AMADeprecatedDarktraceAMAAI Analyst Darktrace1
[Deprecated] AI Analyst Darktrace via Legacy AgentDeprecatedDarktraceMMAAI Analyst Darktrace1
[Deprecated] Akamai Security Events via AMA 🔍DeprecatedAkamaiAMAAkamai Security Events1
[Deprecated] Akamai Security Events via Legacy Agent 🔍DeprecatedAkamaiMMAAkamai Security Events1
[Deprecated] Apache HTTP Server 🔍DeprecatedApacheMMAApacheHTTPServer1
[Deprecated] Apache Tomcat 🔍DeprecatedApacheMMATomcat1
[Deprecated] Aruba ClearPass via AMA 🔍DeprecatedAruba NetworksAMAAruba ClearPass1
[Deprecated] Aruba ClearPass via Legacy Agent 🔍DeprecatedAruba NetworksMMAAruba ClearPass1
[Deprecated] Atlassian Confluence Audit 🔍DeprecatedAtlassianAzure FunctionHTTP Data Collector APIAtlassianConfluenceAudit1
[DEPRECATED] Atlassian Jira Audit (using Azure Function) 🔶DeprecatedAtlassianAzure FunctionHTTP Data Collector APIAtlassianJiraAudit2
[DEPRECATED] Auth0 Logs (using Azure Function) 🔶DeprecatedAuth0Azure FunctionHTTP Data Collector APIAuth01
[Deprecated] Awake Security via Legacy Agent 🔍DeprecatedArista NetworksMMAAristaAwakeSecurity1
[Deprecated] Barracuda CloudGen Firewall 🔍DeprecatedBarracudaMMABarracuda CloudGen Firewall1
[Deprecated] Barracuda Web Application Firewall via Legacy Agent 🔶DeprecatedBarracudaMMABarracuda WAF3
[Deprecated] Blackberry CylancePROTECT 🔍DeprecatedBlackberryMMABlackberry CylancePROTECT1
[DEPRECATED] Box Events (using Azure Function) 🔶DeprecatedBoxAzure FunctionHTTP Data Collector APIBox2
[Deprecated] Broadcom Symantec DLP via AMA 🔍DeprecatedBroadcomAMABroadcom SymantecDLP1
[Deprecated] Broadcom Symantec DLP via Legacy Agent 🔍DeprecatedBroadcomMMABroadcom SymantecDLP1
[Deprecated] Cisco Application Centric Infrastructure 🔍DeprecatedCiscoMMACisco ACI1
[Deprecated] Cisco Firepower eStreamer via AMADeprecatedCiscoAMACisco Firepower EStreamer1
[Deprecated] Cisco Firepower eStreamer via Legacy AgentDeprecatedCiscoMMACisco Firepower EStreamer1
[Deprecated] Cisco Identity Services Engine 🔍DeprecatedCiscoMMACisco ISE1
[Deprecated] Cisco Meraki 🔍DeprecatedCiscoMMACiscoMeraki3
[Deprecated] Cisco Secure Cloud Analytics 🔍DeprecatedCiscoMMACisco Secure Cloud Analytics1
[Deprecated] Cisco Secure Email Gateway via AMA 🔍DeprecatedCiscoAMACiscoSEG1
[Deprecated] Cisco Secure Email Gateway via Legacy Agent 🔍DeprecatedCiscoMMACiscoSEG1
[DEPRECATED] Cisco Secure Endpoint (AMP) 🔶 🔍DeprecatedCiscoAzure FunctionHTTP Data Collector APICisco Secure Endpoint1
[Deprecated] Cisco UCS 🔍DeprecatedCiscoMMACisco UCS1
[Deprecated] Cisco Web Security Appliance 🔍DeprecatedCiscoMMACiscoWSA1
[Deprecated] Citrix ADC (former NetScaler) 🔍DeprecatedCitrixMMACitrix ADC1
[Deprecated] Citrix WAF (Web App Firewall) via AMA 🔍DeprecatedCitrix Systems Inc.AMACitrix Web App Firewall1
[Deprecated] Citrix WAF (Web App Firewall) via Legacy Agent 🔍DeprecatedCitrix Systems Inc.MMACitrix Web App Firewall1
[Deprecated] Claroty via AMA 🔍DeprecatedClarotyAMAClaroty1
[Deprecated] Claroty via Legacy Agent 🔍DeprecatedClarotyMMAClaroty1
[DEPRECATED] Cloudflare 🔶DeprecatedCloudflareAzure FunctionHTTP Data Collector APICloudflare1
[Deprecated] Contrast Protect via AMADeprecatedContrast SecurityAMAContrast Protect1
[Deprecated] Contrast Protect via Legacy AgentDeprecatedContrast SecurityMMAContrast Protect1
[DEPRECATED] CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) (using Azure Function)DeprecatedCrowdstrikeAzure FunctionHTTP Data Collector APICrowdStrike Falcon Endpoint Protection15
[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA 🔍DeprecatedCrowdStrikeAMACrowdStrike Falcon Endpoint Protection1
[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent 🔍DeprecatedCrowdStrikeMMACrowdStrike Falcon Endpoint Protection1
[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent 🔍DeprecatedCyber-ArkMMACyberArk Privilege Access Manager (PAM) Events1
[Deprecated] CyberArk Privilege Access Manager (PAM) Events via AMA 🔍DeprecatedCyber-ArkAMACyberArk Privilege Access Manager (PAM) Events1
[Deprecated] Delinea Secret Server via AMADeprecatedDelinea, IncAMADelinea Secret Server1
[Deprecated] Delinea Secret Server via Legacy AgentDeprecatedDelinea, IncMMADelinea Secret Server1
[Deprecated] Digital Guardian Data Loss Prevention 🔍DeprecatedDigital GuardianMMADigital Guardian Data Loss Prevention1
[Deprecated] ESET PROTECTDeprecatedESETMMAESETPROTECT1
[Deprecated] Exabeam Advanced Analytics 🔍DeprecatedExabeamMMAExabeam Advanced Analytics1
[Deprecated] ExtraHop Reveal(x) via AMA 🔍DeprecatedExtraHop NetworksAMAExtraHop Reveal(x)1
[Deprecated] ExtraHop Reveal(x) via Legacy AgentDeprecatedExtraHop NetworksMMAExtraHop Reveal(x)1
[Deprecated] F5 Networks via AMADeprecatedF5 NetworksAMAF5 Networks1
[Deprecated] F5 Networks via Legacy AgentDeprecatedF5 NetworksMMAF5 Networks1
[Deprecated] FireEye Network Security (NX) via AMA 🔍DeprecatedFireEyeAMAFireEye Network Security1
[Deprecated] FireEye Network Security (NX) via Legacy Agent 🔍DeprecatedFireEyeMMAFireEye Network Security1
[Deprecated] Forcepoint CASB via AMA 🔍DeprecatedForcepoint CASBAMAForcepoint CASB1
[Deprecated] Forcepoint CASB via Legacy Agent 🔍DeprecatedForcepoint CASBMMAForcepoint CASB1
[Deprecated] Forcepoint CSG via AMA 🔍DeprecatedForcepointAMAForcepoint CSG1
[Deprecated] Forcepoint CSG via Legacy Agent 🔍DeprecatedForcepointMMAForcepoint CSG1
[Deprecated] Forcepoint NGFW via AMA 🔍DeprecatedForcepointAMAForcepoint NGFW1
[Deprecated] Forcepoint NGFW via Legacy Agent 🔍DeprecatedForcepointMMAForcepoint NGFW1
[Deprecated] ForgeRock Identity PlatformDeprecatedForgeRock IncMMAForgeRock Common Audit for CEF1
[Deprecated] Fortinet FortiWeb Web Application Firewall via Legacy Agent 🔍DeprecatedMicrosoftMMAFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel1
[Deprecated] Fortinet via AMA 🔍DeprecatedFortinetAMAFortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel1
[Deprecated] Fortinet via Legacy Agent 🔍DeprecatedFortinetMMAFortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel1
[Deprecated] GitHub Enterprise Audit LogDeprecatedGitHubCCF (Legacy)GitHub2
[Deprecated] GitLab 🔍DeprecatedMicrosoftMMAGitLab1
[DEPRECATED] Google ApigeeX 🔶 🔍DeprecatedGoogleAzure FunctionHTTP Data Collector APIGoogle Apigee1
[DEPRECATED] Google Cloud Platform Cloud Monitoring 🔶 🔍DeprecatedGoogleAzure FunctionHTTP Data Collector APIGoogle Cloud Platform Cloud Monitoring1
[DEPRECATED] Google Cloud Platform DNS 🔶 🔍DeprecatedGoogleAzure FunctionHTTP Data Collector APIGoogleCloudPlatformDNS1
[DEPRECATED] Google Cloud Platform IAM 🔶 🔍DeprecatedGoogleAzure FunctionHTTP Data Collector APIGoogleCloudPlatformIAM1
[DEPRECATED] Google Workspace (G Suite) 🔶 🔍DeprecatedGoogleAzure FunctionHTTP Data Collector APIGoogleWorkspaceReports22
[Deprecated] iboss via Legacy Agent 🔍DeprecatedibossMMAiboss1
[Deprecated] Illumio Core via AMA 🔍DeprecatedIllumioAMAIllumio Core1
[Deprecated] Illumio Core via Legacy Agent 🔍DeprecatedIllumioMMAIllumio Core1
[Deprecated] Illusive Platform via AMADeprecatedillusiveAMAIllusive Platform1
[Deprecated] Illusive Platform via Legacy Agent 🔍DeprecatedillusiveMMAIllusive Platform1
[Deprecated] Infoblox Cloud Data Connector via Legacy Agent 🔍DeprecatedInfobloxMMAInfoblox Cloud Data Connector1
[Deprecated] Infoblox NIOS 🔍DeprecatedInfobloxMMAInfoblox NIOS1
[Deprecated] Infoblox SOC Insight Data Connector via Legacy AgentDeprecatedInfobloxMMAInfoblox1
[DEPRECATED] IONIX Security Logs (Push) 🔶DeprecatedIONIXREST Pull APIHTTP Data Collector APIIONIX1
[Deprecated] ISC Bind 🔍DeprecatedISCMMAISC Bind1
[Deprecated] Ivanti Unified Endpoint Management 🔍DeprecatedIvantiMMAIvanti Unified Endpoint Management1
[Deprecated] JBoss Enterprise Application Platform 🔍DeprecatedRed HatMMAJBoss1
[Deprecated] Juniper IDP 🔍DeprecatedJuniperMMAJuniperIDP1
[Deprecated] Juniper SRX 🔍DeprecatedJuniperMMAJuniper SRX1
[DEPRECATED] Lookout 🔶DeprecatedLookoutAzure FunctionHTTP Data Collector APILookout1
[Deprecated] MarkLogic Audit 🔍DeprecatedMarkLogicMMAMarkLogicAudit1
[Deprecated] McAfee ePolicy Orchestrator (ePO) 🔍DeprecatedMcAfeeMMAMcAfee ePolicy Orchestrator1
[Deprecated] McAfee Network Security Platform 🔍DeprecatedMcAfeeMMAMcAfee Network Security Platform1
[Deprecated] Microsoft Exchange Logs and Events 🔶DeprecatedMicrosoftMMAMicrosoft Exchange Security - Exchange On-Premises5
[Deprecated] Microsoft Sysmon For LinuxDeprecatedMicrosoftMMAMicrosoft Sysmon For Linux1
[Deprecated] MongoDB Audit 🔍DeprecatedMongoDBMMAMongoDBAudit1
[Deprecated] Nasuni Edge Appliance 🔍DeprecatedNasuniMMANasuni1
[Deprecated] Netwrix Auditor via AMA 🔍DeprecatedNetwrixAMANetwrix Auditor1
[Deprecated] Netwrix Auditor via Legacy Agent 🔍DeprecatedNetwrixMMANetwrix Auditor1
[Deprecated] NGINX HTTP Server 🔍DeprecatedNginxMMANGINX HTTP Server1
[Deprecated] Nozomi Networks N2OS via AMA 🔍DeprecatedNozomi NetworksAMANozomiNetworks1
[Deprecated] Nozomi Networks N2OS via Legacy Agent 🔍DeprecatedNozomi NetworksMMANozomiNetworks1
[DEPRECATED] Okta Single Sign-On (using Azure Function) 🔶DeprecatedOktaAzure FunctionHTTP Data Collector APIOkta Single Sign-On1
[Deprecated] Onapsis PlatformDeprecatedOnapsisMMAOnapsis Platform1
[DEPRECATED] OneLogin IAM Platform 🔶 🔍DeprecatedOneLoginAzure FunctionHTTP Data Collector APIOneLoginIAM3
[Deprecated] OpenVPN Server 🔍DeprecatedOpenVPNMMAOpenVPN1
[DEPRECATED] Oracle Cloud Infrastructure 🔶 🔍DeprecatedOracleAzure FunctionHTTP Data Collector APIOracle Cloud Infrastructure1
[Deprecated] Oracle Database Audit 🔍DeprecatedOracleMMAOracleDatabaseAudit1
[Deprecated] Oracle WebLogic Server 🔍DeprecatedOracleMMAOracleWebLogicServer1
[Deprecated] OSSEC via AMA 🔍DeprecatedOSSECAMAOSSEC1
[Deprecated] OSSEC via Legacy Agent 🔍DeprecatedOSSECMMAOSSEC1
[Deprecated] Palo Alto Networks (Firewall) via AMA 🔍DeprecatedPalo Alto NetworksAMAPaloAlto-PAN-OS1
[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent 🔍DeprecatedPalo Alto NetworksMMAPaloAlto-PAN-OS1
[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA 🔍DeprecatedPalo Alto NetworksAMAPaloAltoCDL1
[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent 🔍DeprecatedPalo Alto NetworksMMAPaloAltoCDL1
[DEPRECATED] Palo Alto Prisma Cloud CSPM 🔶 🔍DeprecatedPalo AltoAzure FunctionHTTP Data Collector APIPaloAltoPrismaCloud2
[Deprecated] PingFederate via AMA 🔍DeprecatedPing IdentityAMAPingFederate1
[Deprecated] PingFederate via Legacy Agent 🔍DeprecatedPing IdentityMMAPingFederate1
[Deprecated] PostgreSQL Events 🔍DeprecatedPostgreSQLMMAPostgreSQL1
[Deprecated] Proofpoint On Demand Email Security 🔶 🔍DeprecatedProofpointAzure FunctionHTTP Data Collector APIProofpoint On demand(POD) Email Security6
[Deprecated] Proofpoint TAP 🔶 🔍DeprecatedProofpointAzure FunctionHTTP Data Collector APIProofPointTap4
[Deprecated] Pulse Connect Secure 🔍DeprecatedPulse SecureMMAPulse Connect Secure1
[DEPRECATED] Qualys Vulnerability Management 🔶 🔍DeprecatedQualysAzure FunctionHTTP Data Collector APIQualysVM2
[Deprecated] RIDGEBOT - data connector for Microsoft SentinelDeprecatedRidgeSecurityAMARidgeSecurity1
[Deprecated] RSA® SecurID (Authentication Manager) 🔍DeprecatedRSAMMARSA SecurID1
[DEPRECATED] Salesforce Service Cloud 🔶 🔍DeprecatedSalesforceAzure FunctionHTTP Data Collector APISalesforce Service Cloud2
[DEPRECATED] SentinelOne (using Azure Function) 🔶DeprecatedSentinelOneAzure FunctionHTTP Data Collector APISentinelOne6
[DEPRECATED] Slack Audit 🔶 🔍DeprecatedSlackAzure FunctionHTTP Data Collector APISlackAudit3
[DEPRECATED] Snowflake 🔶 🔍DeprecatedSnowflakeAzure FunctionHTTP Data Collector APISnowflake1
[Deprecated] SonicWall Firewall via AMA 🔍DeprecatedSonicWallAMASonicWall Firewall1
[Deprecated] SonicWall Firewall via Legacy Agent 🔍DeprecatedSonicWallMMASonicWall Firewall1
[DEPRECATED] Sophos Endpoint Protection (using Azure Function) 🔶DeprecatedSophosAzure FunctionHTTP Data Collector APISophos Endpoint Protection1
[Deprecated] Sophos XG Firewall 🔍DeprecatedSophosMMASophos XG Firewall1
[Deprecated] Squid Proxy 🔶 🔍DeprecatedSquidMMASquidProxy1
[Deprecated] Symantec Endpoint Protection 🔍DeprecatedBroadcomMMASymantec Endpoint Protection1
[Deprecated] Symantec ProxySG 🔍DeprecatedSymantecMMASymantecProxySG1
[Deprecated] Symantec VIP 🔍DeprecatedSymantecMMASymantec VIP1
[Deprecated] Trend Micro Apex One via AMA 🔍DeprecatedTrend MicroAMATrend Micro Apex One1
[Deprecated] Trend Micro Apex One via Legacy Agent 🔍DeprecatedTrend MicroMMATrend Micro Apex One1
[Deprecated] Trend Micro Deep Security via Legacy 🔍DeprecatedTrend MicroMMATrend Micro Deep Security1
[Deprecated] Trend Micro TippingPoint via Legacy 🔍DeprecatedTrend MicroMMATrend Micro TippingPoint1
[Deprecated] Ubiquiti UniFi 🔍DeprecatedUbiquitiMMAUbiquiti UniFi1
[Deprecated] vArmour Application Controller via AMADeprecatedvArmourAMAvArmour Application Controller1
[Deprecated] vArmour Application Controller via Legacy AgentDeprecatedvArmourMMAvArmour Application Controller1
[Deprecated] Vectra AI Detect via AMA 🔍DeprecatedVectra AIAMAVectra AI Detect1
[Deprecated] Vectra AI Detect via Legacy Agent 🔍DeprecatedVectra AIMMAVectra AI Detect1
[DEPRECATED] VMware Carbon Black Cloud (using Azure Function) 🔶DeprecatedVMwareAzure FunctionHTTP Data Collector APIVMware Carbon Black Cloud3
[Deprecated] VMware ESXi 🔍DeprecatedVMWareMMAVMWareESXi1
[Deprecated] VMware vCenter 🔍DeprecatedVMwareMMAVMware vCenter1
[Deprecated] Votiro Sanitization Engine LogsDeprecatedVotiroMMAVotiro1
[Deprecated] WatchGuard FireboxDeprecatedWatchGuard TechnologiesMMAWatchguard Firebox1
[Deprecated] WireX Network Forensics Platform via AMADeprecatedWireX_SystemsAMAWireX Network Forensics Platform1
[Deprecated] WireX Network Forensics Platform via Legacy Agent 🔍DeprecatedWireX_SystemsMMAWireX Network Forensics Platform1
[Deprecated] WithSecure Elements via ConnectorDeprecatedWithSecureMMAWithSecureElementsViaConnector1
[Deprecated] Zscaler Private Access 🔍DeprecatedZscalerMMAZscaler Private Access (ZPA)1
[Recommended] Infoblox Cloud Data Connector via AMAActiveInfobloxAMAInfoblox1
[Recommended] Infoblox SOC Insight Data Connector via AMAActiveInfobloxAMAInfoblox1
[Recommended] Vectra AI Stream via AMAActiveVectra AIAMAVectra AI Stream17
A365 ObservabilityActiveMicrosoftUnknownA365 Observability?
Abnormal Security (Push)ActiveAbnormal SecurityCCF PushLog Ingestion APIAbnormalSecurity9
AbnormalSecurity 🔶ActiveAbnormalSecurityAzure FunctionHTTP Data Collector APIAbnormalSecurity2
Agari Phishing Defense and Brand Protection 🔶UnpublishedAgariAzure FunctionHTTP Data Collector APIAgari3
AI Vectra Stream via Legacy Agent 🔶ActiveVectra AIMMAVectra AI Stream1
AIShieldActiveBoschREST Pull APIHTTP Data Collector APIAIShield AI Security Monitoring1
Alibaba Cloud ActionTrail (via Codeless Connector Framework)ActiveMicrosoftCCFAlibaba Cloud ActionTrail1
Alibaba Cloud Networking Data Connector (via Codeless Connector Framework)ActiveMicrosoftCCFAlibaba Cloud Networking?
AliCloudActiveAliCloudAzure FunctionHTTP Data Collector APIAlibaba Cloud1
Alsid for Active DirectoryUnpublishedAlsidMMAAlsid For AD3
Amazon Web ServicesActiveAmazonNativeAmazon Web Services1
Amazon Web Services CloudFront (via Codeless Connector Framework) (Preview)ActiveMicrosoftCCFAWS CloudFront1
Amazon Web Services Elastic Load Balancing (via Codeless Connector Framework)ActiveAmazon Web ServicesCCFAWS ELB6
Amazon Web Services NetworkFirewall (via Codeless Connector Framework)ActiveMicrosoftCCFAmazon Web Services NetworkFirewall3
Amazon Web Services S3ActiveAmazonNativeAmazon Web Services4
Amazon Web Services S3 DNS Route53 (via Codeless Connector Framework)ActiveMicrosoftCCFAmazon Web Services Route 531
Amazon Web Services S3 VPC Flow LogsUnpublishedMicrosoftCCFAWS VPC Flow Logs1
Amazon Web Services S3 WAFActiveMicrosoftCCFAmazon Web Services1
AnvilogicActiveAnvilogicCCFAnvilogic1
API Protection 🔶Active42CrunchREST Pull APIHTTP Data Collector API42Crunch API Protection1
ARGOS Cloud Security 🔶ActiveARGOS Cloud SecurityREST Pull APIHTTP Data Collector APIARGOSCloudSecurity1
Armis Activities 🔍ActiveArmisAzure FunctionUndeterminedArmis1
Armis Alerts 🔍ActiveArmisAzure FunctionUndeterminedArmis1
Armis Alerts ActivitiesActiveArmisAzure FunctionUndeterminedArmis2
Armis DevicesActiveArmisAzure FunctionUndeterminedArmis1
Armorblox 🔶ActiveArmorbloxAzure FunctionHTTP Data Collector APIArmorblox1
Atlassian Beacon Alerts 🔶ActiveDEFEND Ltd.REST Pull APIHTTP Data Collector APIIntegration for Atlassian Beacon1
Atlassian Confluence 🔍ActiveAtlassianCCFAtlassianConfluenceAudit1
Atlassian Confluence Audit (via Codeless Connector Framework)ActiveMicrosoftCCFAtlassianConfluenceAudit1
Atlassian Jira Audit (via Codeless Connector Framework)ActiveMicrosoftCCFAtlassianJiraAudit1
Auth0 Logs (via Codeless Connector Framework)ActiveMicrosoftCCFAuth01
Authomize Data Connector 🔶UnpublishedAuthomizeREST Pull APIHTTP Data Collector APIAuthomize1
Automated Logic WebCTRL ActiveAutomatedLogicAMAALC-WebCTRL1
AWS EKS Data Connector (via Codeless Connector Framework)ActiveAmazon Web ServicesCCFAWS EKS1
AWS S3 Server Access Logs (via Codeless Connector Framework)ActiveMicrosoftCCFAWS_AccessLogs1
AWS Security Hub Findings (via Codeless Connector Framework)ActiveMicrosoftCCFAWS Security Hub1
Azure ActivityActiveMicrosoftAzure DiagnosticsAzure Activity1
Azure Batch Account 🔶ActiveMicrosoftAzure DiagnosticsAzure Batch Account1
Azure CloudNGFW By Palo Alto Networks 🔶ActivePalo Alto NetworksREST Pull APIHTTP Data Collector APIAzure Cloud NGFW By Palo Alto Networks1
Azure Cognitive Search 🔶ActiveMicrosoftAzure DiagnosticsAzure Cognitive Search1
🔌Azure Data Lake Storage Gen1 🔶 🔍ActiveMicrosoftAzure DiagnosticsAzure Data Lake Storage Gen11
Azure DDoS Protection 🔶ActiveMicrosoftAzure DiagnosticsAzure DDoS Protection1
Azure DevOps Audit Logs (via Codeless Connector Platform)ActiveMicrosoftCCFAzureDevOpsAuditing1
Azure Event Hub 🔶ActiveMicrosoftAzure DiagnosticsAzure Event Hubs1
Azure Firewall 🔶ActiveMicrosoftAzure DiagnosticsAzure Firewall10
Azure Key Vault 🔶ActiveMicrosoftAzure DiagnosticsAzure Key Vault1
Azure Kubernetes Service (AKS) 🔶ActiveMicrosoftAzure DiagnosticsAzure kubernetes Service3
Azure Logic Apps 🔶ActiveMicrosoftAzure DiagnosticsAzure Logic Apps1
Azure Resource GraphActiveMicrosoftUnknownAzure Resource Graph?
Azure Service Bus 🔶ActiveMicrosoftAzure DiagnosticsAzure Service Bus1
Azure SQL Databases 🔶ActiveMicrosoftAzure DiagnosticsAzure SQL Database solution for sentinel1
Azure Storage AccountActiveMicrosoftAzure DiagnosticsAzure Storage5
Azure Stream Analytics 🔶ActiveMicrosoftAzure DiagnosticsAzure Stream Analytics1
Azure Web Application Firewall (WAF) 🔶ActiveMicrosoftAzure DiagnosticsAzure Web Application Firewall (WAF)1
BETTER Mobile Threat Defense (MTD) 🔶ActiveBETTER MobileREST Pull APIHTTP Data Collector APIBETTER Mobile Threat Defense (MTD)4
Beyond Security beSECURE 🔶 🔍UnpublishedBeyond SecurityREST Pull APIHTTP Data Collector APIBeyond Security beSECURE3
BeyondTrust PM CloudActiveBeyondTrustAzure FunctionHTTP Data Collector APIBeyondTrustPMCloud2
BigID DSPM connectorActiveBigIDCCFBigID2
Bitglass 🔶ActiveBitglassAzure FunctionHTTP Data Collector APIBitglass1
Bitsight data connectorActiveBitSight Technologies, Inc.Azure FunctionLog Ingestion APIBitSight11
Bitwarden Event LogsActiveBitwarden IncCCFBitwarden3
blacklens.ioActivesnapSEC GmbHREST Pull APIHTTP Data Collector APIBlacklens1
Bloodhound EnterpriseActiveSpecterOpsAzure FunctionHTTP Data Collector APIBloodHound Enterprise1
Box Events (via Codeless Connector Framework) 🔶ActiveMicrosoftCCFBox2
Check Point CloudGuard CNAPP Connector for Microsoft SentinelActiveCheckPointCCFCheck Point CloudGuard CNAPP1
Check Point Cyberint Alerts Connector (via Codeless Connector Platform)ActiveCheckpoint CyberintCCFCheck Point Cyberint Alerts1
Check Point Cyberint IOC ConnectorActiveCheckpoint CyberintCCFCheck Point Cyberint IOC1
Cisco ASA via Legacy Agent 🔍ActiveCiscoMMACiscoASA1
Cisco ASA/FTD via AMAActiveMicrosoftAMACiscoASA2
Cisco Cloud Security 🔶ActiveCiscoAzure FunctionHTTP Data Collector APICiscoUmbrella12
Cisco Cloud Security (using elastic premium plan) 🔶ActiveCiscoAzure FunctionHTTP Data Collector APICiscoUmbrella12
Cisco Duo Security 🔶ActiveCiscoAzure FunctionHTTP Data Collector APICiscoDuoSecurity1
Cisco ETD 🔶ActiveCiscoAzure FunctionHTTP Data Collector APICisco ETD1
Cisco Meraki (using REST API)ActiveMicrosoftCCFCisco Meraki Events via REST API3
Cisco Meraki (using REST API) 🔍ActiveMicrosoftCCF (Legacy)CiscoMeraki3
Cisco Meraki (using REST API) 🔍ActiveMicrosoftCCF (Legacy)CiscoMeraki3
Cisco Secure Endpoint (via Codeless Connector Framework)ActiveMicrosoftCCFCisco Secure Endpoint2
Cisco Software Defined WAN 🔶ActiveCiscoAMACisco SD-WAN2
Citrix Analytics (via Codeless Connector Framework)UnpublishedCitrixCCF PushLog Ingestion APICitrix Analytics CCF6
CITRIX SECURITY ANALYTICS 🔶ActiveCITRIXREST Pull APIHTTP Data Collector APICitrix Analytics for Security4
Claroty xDomeActiveClarotyMMAClaroty xDome1
Cloudflare (Using Blob Container) (via Codeless Connector Framework)ActiveMicrosoftCCFCloudflare1
Cofense Intelligence Threat Indicators Ingestion 🔶UnpublishedCofenseAzure FunctionHTTP Data Collector APICofenseIntelligence2
Cofense Triage Threat Indicators Ingestion 🔶UnpublishedCofenseAzure FunctionHTTP Data Collector APICofenseTriage3
Cognni 🔶ActiveCognniREST Pull APIHTTP Data Collector APICognni1
CohesityActiveCohesityAzure FunctionHTTP Data Collector APICohesitySecurity1
Common Event Format (CEF)ActiveAnyMMACommon Event Format1
Common Event Format (CEF) via AMA 🔍ActiveMicrosoftAMACommon Event Format1
CommvaultSecurityIQActiveCommvaultAzure FunctionLog Ingestion APICommvault Security IQ1
Contrast ADR Push ConnectorActiveContrast SecurityCCF PushLog Ingestion APIContrastADR2
ContrastADR 🔶 🔍ActiveContrast SecurityAzure FunctionHTTP Data Collector APIContrastADR2
Corelight Connector Exporter 🔶ActiveCorelightREST Pull APIHTTP Data Collector APICorelight108
Cortex XDR - IncidentsActiveDEFEND Ltd.CCFCortex XDR1
Cribl 🔶ActiveCriblREST Pull APIHTTP Data Collector APICribl4
CrowdStrike API Data Connector (via Codeless Connector Framework)ActiveMicrosoftCCFCrowdStrike Falcon Endpoint Protection5
CrowdStrike Falcon Adversary Intelligence ActiveCrowdStrikeAzure FunctionHTTP Data Collector APICrowdStrike Falcon Endpoint Protection1
CrowdStrike Falcon Data Replicator (AWS S3) (via Codeless Connector Framework)ActiveMicrosoftCCFCrowdStrike Falcon Endpoint Protection10
CTERA SyslogActiveCTERA Networks LtdAMACTERA1
🔌CTM360 CyberBlindSpot (Serverless) 🔍ActiveCTM360CCFCTM3606
🔌CTM360 HackerView (Serverless) 🔍ActiveCTM360CCFCTM3601
Custom logs via AMA 🔶ActiveMicrosoftAMACustomLogsAma16
🔌Cyber Blind Spot Integration 🔶 🔍ActiveCTM360Azure FunctionHTTP Data Collector APICTM3601
CyberArk AuditActiveMicrosoftCCFCyberArkAudit1
CyberArkAuditActiveCyberArkAzure FunctionLog Ingestion APICyberArkAudit1
CyberArkEPM 🔶ActiveCyberArkAzure FunctionHTTP Data Collector APICyberArkEPM1
Cybersixgill Actionable AlertsActiveCybersixgillAzure FunctionHTTP Data Collector APICybersixgill-Actionable-Alerts1
Cyble Vision AlertsActiveCybleCCFCyble Vision1
Cyborg Security HUNTER Hunt PackagesActiveCyborg SecurityAMACyborg Security HUNTER1
Cyera DSPM Microsoft Sentinel Data ConnectorActiveCyera IncCCFCyeraDSPM5
CYFIRMA Attack SurfaceActiveMicrosoftCCFCyfirma Attack Surface6
CYFIRMA Brand IntelligenceActiveMicrosoftCCFCyfirma Brand Intelligence5
CYFIRMA Compromised AccountsActiveMicrosoftCCFCyfirma Compromised Accounts1
CYFIRMA Cyber IntelligenceActiveMicrosoftCCFCyfirma Cyber Intelligence4
CYFIRMA Digital RiskActiveMicrosoftCCFCyfirma Digital Risk7
CYFIRMA Vulnerabilities IntelligenceActiveMicrosoftCCFCyfirma Vulnerabilities Intel1
Cyjax Threat Intelligence IOC ConnectorUnpublishedCyjaxAzure FunctionHTTP Data Collector APICyjax1
Cynerio Security Events 🔶ActiveCynerioREST Pull APIHTTP Data Collector APICynerio1
Cyren Threat Intelligence 🔶ActiveCyrenCCFCyrenThreatIntelligence1
D3 Smart SOAR IncidentsActiveD3 SecurityCCFD3SmartSOAR1
Darktrace Connector for Microsoft Sentinel REST API 🔶ActiveDarktraceREST Pull APIHTTP Data Collector APIDarktrace1
DataBahnActiveDataBahnCCF PushLog Ingestion APIDatabahn3
Datalake2SentinelActiveOrange CyberdefenseREST Pull APIDatalake2Sentinel1
Dataminr Pulse Alerts Data ConnectorActiveDataminrAzure FunctionLog Ingestion APIDataminr Pulse1
Datawiza DAP 🔶ActiveDatawizaREST Pull APIHTTP Data Collector APIDatawiza1
Derdack SIGNL4 🔶ActiveDerdackREST Pull APIHTTP Data Collector APISIGNL42
Digital Shadows Searchlight 🔶ActiveDigital ShadowsAzure FunctionHTTP Data Collector APIDigital Shadows1
DNSActiveMicrosoftMMAWindows Server DNS2
Doppel Data ConnectorActiveDoppelREST Pull APIHTTP Data Collector APIDoppel1
Druva Events ConnectorActiveMicrosoftCCFDruvaDataSecurityCloud3
Dynamics 365ActiveMicrosoftNativeDynamics 3651
Dynamics 365 Finance and OperationsActiveMicrosoftCCFMicrosoft Business Applications1
Dynatrace Attacks V1ActiveDynatraceCCF (Legacy)Dynatrace2
Dynatrace Attacks V2ActiveDynatraceCCFDynatrace2
Dynatrace Audit Logs V1ActiveDynatraceCCF (Legacy)Dynatrace2
Dynatrace Audit Logs V2ActiveDynatraceCCFDynatrace2
Dynatrace Problems V1ActiveDynatraceCCF (Legacy)Dynatrace2
Dynatrace Problems V2ActiveDynatraceCCFDynatrace2
Dynatrace Runtime Vulnerabilities V1ActiveDynatraceCCF (Legacy)Dynatrace2
Dynatrace Runtime Vulnerabilities V2ActiveDynatraceCCFDynatrace2
Egress Defend 🔶UnpublishedEgress Software TechnologiesCCF (Legacy)Egress Defend2
Egress Iris Connector 🔶ActiveEgress Software TechnologiesCCF (Legacy)Egress Iris3
Elastic AgentActiveElasticMMAElasticAgent1
Ermes Browser Security EventsActiveErmes Cyber Security S.p.A.CCFErmes Browser Security1
ESET Inspect 🔶ActiveESET NetherlandsAzure FunctionHTTP Data Collector APIESET Inspect1
ESET Protect PlatformUnpublishedESETAzure FunctionLog Ingestion APIESET Protect Platform2
Eset Security Management Center 🔶UnpublishedEsetMMAEset Security Management Center1
Exchange Security Insights On-Premises Collector 🔶ActiveMicrosoftREST Pull APIHTTP Data Collector APIMicrosoft Exchange Security - Exchange On-Premises1
Exchange Security Insights Online Collector 🔶ActiveMicrosoftAzure FunctionHTTP Data Collector APIMicrosoft Exchange Security - Exchange Online1
ExtraHop Detections Data ConnectorActiveExtraHopAzure FunctionLog Ingestion APIExtraHop1
F5 BIG-IP 🔶ActiveF5 NetworksREST Pull APIHTTP Data Collector APIF5 Big-IP3
Feedly IoC 🔶ActiveFeedlyCCFFeedly1
Flare Push ConnectorActiveFlare SystemsCCF PushLog Ingestion APIFlare1
Forcepoint DLP 🔶 🔍ActiveForcepointREST Pull APIHTTP Data Collector APIForcepoint DLP1
ForescoutActiveForescoutMMAForescout (Legacy)1
Forescout eyeInspect for OT Security 🔍UnpublishedForescoutREST Pull APIHTTP Data Collector APIForescout eyeInspect for OT Security2
Forescout Host Property Monitor 🔶ActiveForescoutREST Pull APIHTTP Data Collector APIForescoutHostPropertyMonitor3
Fortinet FortiNDR Cloud 🔶ActiveFortinetAzure FunctionHTTP Data Collector APIFortinet FortiNDR Cloud3
Fortinet FortiWeb Web Application Firewall via AMAActiveMicrosoftAMAFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel1
Garrison ULTRA Remote LogsActiveGarrisonREST Pull APIHTTP Data Collector APIGarrison ULTRA1
GCP Cloud Run (via Codeless Connector Framework)ActiveMicrosoftCCFGoogle Cloud Platform Cloud Run1
GCP Cloud SQL (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleCloudPlatformSQL1
GCP Pub/Sub Audit LogsActiveMicrosoftCCFGoogle Cloud Platform Audit Logs1
GCP Pub/Sub Audit Logs 🔍ActiveMicrosoftCCFGoogle Cloud Platform Audit Logs1
GCP Pub/Sub Firewall LogsActiveMicrosoftCCFGoogle Cloud Platform Firewall Logs1
GCP Pub/Sub Load Balancer Logs (via Codeless Connector Platform).ActiveMicrosoftCCFGoogle Cloud Platform Load Balancer Logs1
GCP Pub/Sub VPC Flow Logs (via Codeless Connector Framework)ActiveMicrosoftCCFGoogle Cloud Platform VPC Flow Logs1
Gigamon AMX ConnectorActiveGigamonDefinitionCCF PushLog Ingestion APIGigamon Connector1
GitHub (using Webhooks)ActiveMicrosoftAzure FunctionUndeterminedGitHub1
GitHub (using Webhooks) V2 🔶ActiveMicrosoftAzure FunctionUndeterminedGitHub2
GitHub Enterprise Audit Log (via Codeless Connector Framework)ActiveMicrosoftCCFGitHub1
Google ApigeeX (via Codeless Connector Framework)ActiveMicrosoftCCFGoogle Apigee1
Google Cloud Platform CDN (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleCloudPlatformCDN1
Google Cloud Platform Cloud IDS (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleCloudPlatformIDS1
Google Cloud Platform Cloud Monitoring (via Codeless Connector Framework)ActiveMicrosoftCCFGoogle Cloud Platform Cloud Monitoring1
Google Cloud Platform Compute Engine (via Codeless Connector Framework)ActiveMicrosoftCCFGoogle Cloud Platform Compute Engine1
Google Cloud Platform DNS (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleCloudPlatformDNS1
Google Cloud Platform IAM (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleCloudPlatformIAM1
Google Cloud Platform NAT (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleCloudPlatformNAT2
Google Cloud Platform Resource Manager (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleCloudPlatformResourceManager1
Google Kubernetes Engine (via Codeless Connector Framework)ActiveMicrosoftCCFGoogle Kubernetes Engine6
Google Security Command CenterActiveMicrosoftUnknownGoogle Cloud Platform Security Command Center1
Google Workspace Activities (via Codeless Connector Framework)ActiveMicrosoftCCFGoogleWorkspaceReports1
GravityZone Data ConnectorUnpublishedBitdefenderUnknown (Custom Log)GravityZone1
GreyNoise Threat IntelligenceActiveGreyNoise, Inc. and BlueCycle LLCAzure FunctionGreyNoiseThreatIntelligence1
🔌HackerView Intergration 🔶 🔍ActiveCTM360Azure FunctionHTTP Data Collector APICTM3601
Halcyon ConnectorActiveHalcyonCCF PushLog Ingestion APIHalcyon1
Holm Security Asset Data 🔶ActiveHolm SecurityAzure FunctionHTTP Data Collector APIHolmSecurity2
HYAS Protect 🔶ActiveHYASAzure FunctionHTTP Data Collector APIHYAS Protect1
iboss via AMAActiveibossAMAiboss1
IIS Logs of Microsoft Exchange ServersActiveMicrosoftAMAMicrosoft Exchange Security - Exchange On-Premises1
Illumio InsightsActiveMicrosoftCCFIllumio Insight1
Illumio Insights SummaryActiveIllumioCCFIllumio Insight1
Illumio SaaSActiveIllumioAzure FunctionLog Ingestion APIIllumioSaaS2
Illumio Saas 🔍ActiveMicrosoftCCFIllumioSaaS1
Imperva Cloud WAF 🔶ActiveImpervaAzure FunctionHTTP Data Collector APIImpervaCloudWAF3
Imperva Cloud WAF (via Codeless Connector Framework) 🔶ActiveMicrosoftCCFImpervaCloudWAF3
Imperva WAF GatewayUnpublishedImpervaMMAImperva WAF Gateway1
Infoblox Data Connector via REST API 🔶ActiveInfobloxAzure FunctionHTTP Data Collector APIInfoblox18
Infoblox SOC Insight Data Connector via REST API 🔶ActiveInfobloxREST Pull APIHTTP Data Collector APIInfoblox1
InfoSecGlobal Data Connector 🔶ActiveInfoSecGlobalREST Pull APIHTTP Data Collector APIAgileSec Analytics Connector1
IONIX Security Logs (via Codeless Connector Framework) 🔶ActiveIONIXCCFIONIX1
IPinfo Abuse Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo ASN Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Carrier Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Company Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Core Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Country ASN Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Domain Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Iplocation Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Iplocation Extended Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Plus Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Privacy Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo Privacy Extended Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo ResProxy Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo RIRWHOIS Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo RWHOIS Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo WHOIS ASN Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo WHOIS MNT Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo WHOIS NET Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo WHOIS ORG Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IPinfo WHOIS POC Data ConnectorActiveIPinfoAzure FunctionLog Ingestion APIIPinfo1
IronNet IronDefenseUnpublishedIronNetMMAIronNet IronDefense1
Island Enterprise Browser Admin Events (Legacy)ActiveIslandCCFIsland1
Island Enterprise Browser User Events (Legacy)ActiveIslandCCFIsland1
Island Enterprise Browser V2ActiveIslandCCFIsland3
Jamf Protect Push ConnectorActiveJamfCCF PushLog Ingestion APIJamf Protect3
JoeSandboxThreatIntelligenceActiveJoe Security LLCAzure FunctionHTTP Data Collector APIJoeSandbox1
Keeper Security Push ConnectorActiveKeeper SecurityCCF PushLog Ingestion APIKeeper Security1
KnowBe4 Defend 🔶UnpublishedKnowBe4CCF (Legacy)KnowBe4 Defend2
LastPass Enterprise - Reporting (Polling CCP) 🔶ActiveThe Collective Consulting BVCCF (Legacy)Lastpass Enterprise Activity Monitoring1
Lookout Cloud Security for Microsoft Sentinel 🔶ActiveLookoutAzure FunctionHTTP Data Collector APILookout Cloud Security Platform for Microsoft Sentinel1
Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview)ActiveMicrosoftCCFLookout1
Lumen Defender Threat Feed Data Connector V2ActiveLumen Technologies, Inc.Azure FunctionLumen Defender Threat Feed1
Lumen Defender Threat Feed Data Connector V2 (using Azure Functions Flex Consumption Plan with Private Networking)ActiveLumen Technologies, Inc.Azure FunctionLumen Defender Threat Feed1
Luminar IOCs and Leaked CredentialsActiveCognyte Technologies Israel LtdAzure FunctionHTTP Data Collector APICognyteLuminar1
🔌MailGuard 365 🔶 🔍ActiveMailGuard365REST Pull APIHTTP Data Collector APIMailGuard 3651
MailRisk by Secure PracticeActiveSecure PracticeCCFMailRisk1
meshStack Event LogsActivemeshcloudCCFmeshStack1
Microsoft 365 (formerly, Office 365)ActiveMicrosoftNativeMicrosoft 3651
Microsoft 365 Assets (formerly, Office 365)ActiveMicrosoftNativeMicrosoft 365 Assets?
Microsoft 365 Insider Risk ManagementActiveMicrosoftNativeMicrosoftPurviewInsiderRiskManagement1
Microsoft CopilotActiveMicrosoftCCFMicrosoft Copilot1
Microsoft DataverseActiveMicrosoftUnknownMicrosoft Business Applications1
Microsoft Defender for Cloud AppsActiveMicrosoftNativeMicrosoft Defender for Cloud Apps2
Microsoft Defender for EndpointActiveMicrosoftNativeMicrosoftDefenderForEndpoint1
Microsoft Defender for IdentityActiveMicrosoftNativeMicrosoft Defender for Identity1
Microsoft Defender for IoTActiveMicrosoftNativeIoTOTThreatMonitoringwithDefenderforIoT1
Microsoft Defender for Office 365 (Preview)ActiveMicrosoftNativeMicrosoft Defender for Office 3651
Microsoft Defender Threat IntelligenceActiveMicrosoftNativeThreat Intelligence3
Microsoft Defender XDRActiveMicrosoftNativeMicrosoft Defender XDR22
Microsoft Entra IDActiveMicrosoftNativeMicrosoft Entra ID12
Microsoft Entra ID AssetsActiveMicrosoftNativeMicrosoft Entra ID Assets?
Microsoft Entra ID ProtectionActiveMicrosoftNativeMicrosoft Entra ID Protection1
Microsoft Exchange Admin Audit Logs by Event LogsActiveMicrosoftAMAMicrosoft Exchange Security - Exchange On-Premises1
Microsoft Exchange HTTP Proxy Logs 🔶ActiveMicrosoftREST Pull APIHTTP Data Collector APIMicrosoft Exchange Security - Exchange On-Premises1
Microsoft Exchange Logs and EventsActiveMicrosoftAMAMicrosoft Exchange Security - Exchange On-Premises1
Microsoft Exchange Message Tracking Logs 🔶ActiveMicrosoftREST Pull APIHTTP Data Collector APIMicrosoft Exchange Security - Exchange On-Premises1
Microsoft Power AutomateActiveMicrosoftUnknownMicrosoft Business Applications1
Microsoft Power Platform Admin ActivityActiveMicrosoftUnknownMicrosoft Business Applications1
Microsoft PowerBIActiveMicrosoftNativeMicrosoft PowerBI1
Microsoft ProjectActiveMicrosoftNativeMicrosoft Project1
Microsoft PurviewActiveMicrosoftAzure DiagnosticsMicrosoft Purview1
Microsoft Purview Information ProtectionActiveMicrosoftNativeMicrosoft Purview Information Protection1
🔌Microsoft Sentinel for SAPUnpublishedMicrosoftUnknownSAP2
Mimecast Audit 🔶ActiveMimecastAzure FunctionLog Ingestion APIMimecast2
Mimecast Awareness TrainingActiveMimecastAzure FunctionLog Ingestion APIMimecast4
Mimecast Cloud IntegratedActiveMimecastAzure FunctionLog Ingestion APIMimecast1
Mimecast Intelligence for Microsoft - Microsoft SentinelDeprecatedMimecastAzure FunctionHTTP Data Collector APIMimecastTIRegional1
Mimecast Secure Email GatewayActiveMimecastAzure FunctionLog Ingestion APIMimecast2
Mimecast Secure Email Gateway 🔶DeprecatedMimecastAzure FunctionHTTP Data Collector APIMimecastSEG2
Mimecast Targeted Threat Protection 🔶ActiveMimecastAzure FunctionLog Ingestion APIMimecast6
Miro Audit Logs (Enterprise Plan)ActiveMiroCCFMiro1
Miro Content Logs (Enterprise Plan + Enterprise Guard)ActiveMiroCCFMiro1
MISP2SentinelActiveMISP project & cudeso.beREST Pull APIMISP2Sentinel1
MongoDB Atlas LogsActiveMongoDBAzure FunctionLog Ingestion APIMongoDBAtlas1
Morphisec API Data Connector (via Codeless Connector Framework)ActiveMorphisecCCFMorphisec1
MuleSoft Cloudhub 🔶ActiveMuleSoftAzure FunctionHTTP Data Collector APIMulesoft1
NC Protect 🔶ActivearchTISREST Pull APIHTTP Data Collector APINC Protect Data Connector1
Netclean ProActive Incidents 🔶ActiveNetClean TechnologiesREST Pull APIHTTP Data Collector APINetClean ProActive1
Netskope 🔶ActiveNetskopeAzure FunctionHTTP Data Collector APINetskope1
Netskope Alerts and Events (via Codeless Connector Framework)ActiveNetskopeCCFNetskopev29
Netskope Data Connector 🔶ActiveNetskopeAzure FunctionHTTP Data Collector APINetskopev217
Netskope Web Transaction Connector (via Blob Storage)ActiveNetskopeCCFNetskopeWebTx1
Netskope Web Transactions Data Connector 🔶ActiveNetskopeAzure FunctionHTTP Data Collector APINetskopev22
Network Security Groups 🔶ActiveMicrosoftAzure DiagnosticsAzure Network Security Groups1
Noname Security for Microsoft Sentinel 🔶ActiveNoname SecurityREST Pull APIHTTP Data Collector APINoname API Security Solution for Microsoft Sentinel1
NordPassActiveNordPassAzure FunctionLog Ingestion APINordPass1
NXLog AIX Audit 🔶ActiveNXLogREST Pull APIHTTP Data Collector APINXLogAixAudit1
NXLog BSM macOS 🔶ActiveNXLogREST Pull APIHTTP Data Collector APINXLog BSM macOS1
NXLog DNS Logs 🔶ActiveNXLogREST Pull APIHTTP Data Collector APINXLogDNSLogs1
NXLog FIM 🔶ActiveNXLogREST Pull APIHTTP Data Collector APINXLog FIM1
NXLog LinuxAudit 🔶ActiveNXLogREST Pull APIHTTP Data Collector APINXLog LinuxAudit1
Obsidian Datasharing ConnectorActiveObsidian SecurityCCF PushLog Ingestion APIObsidian Datasharing2
Okta Single Sign-On (Polling CCP) 🔍ActiveOktaCCF (Legacy)Okta Single Sign-On1
Okta Single Sign-On (using Azure Functions) 🔶 🔍ActiveOktaCCFOkta Single Sign-On2
Okta Single Sign-On (via Codeless Connector Framework) 🔶ActiveMicrosoftCCFOkta Single Sign-On2
Onapsis Defend Integration 🔍ActiveOnapsis PlatformCCF PushLog Ingestion APIOnapsis Defend2
One Identity SafeguardActiveOne Identity LLC.MMAOneIdentity1
OneLogin IAM Platform (via Codeless Connector Framework)ActiveMicrosoftCCFOneLoginIAM2
OneTrustActiveOneTrustCCF PushLog Ingestion APIOneTrust1
🔌Open Systems Data Connector 🔶 🔍ActiveOpen SystemsAzure FunctionHTTP Data Collector APIOpen Systems4
OpenAI (via Codeless Connector Framework)UnpublishedMicrosoftCCFOpenAI2
Oracle Cloud Infrastructure (via CCP) – Preview 🔶 🔍ActiveMicrosoftCCFOracle Cloud Infrastructure1
Oracle Cloud Infrastructure (via Codeless Connector Framework) 🔶ActiveMicrosoftCCFOracle Cloud Infrastructure1
Orca Security Alerts 🔶ActiveOrca SecurityREST Pull APIHTTP Data Collector APIOrca Security Alerts1
Palo Alto Cortex XDRActiveMicrosoftCCFCortex XDR5
Palo Alto Cortex Xpanse (via Codeless Connector Framework)ActiveMicrosoftCCFPalo Alto Cortex Xpanse CCF1
🔌Palo Alto Networks Cortex XDR 🔍UnpublishedPalo Alto NetworksMMAPalo Alto - XDR (Cortex)1
Palo Alto Prisma Cloud CSPM (via Codeless Connector Framework)ActiveMicrosoftCCFPaloAltoPrismaCloud2
Palo Alto Prisma Cloud CWPP (using REST API) 🔶ActiveMicrosoftCCFPalo Alto Prisma Cloud CWPP1
Palo Alto Prisma Cloud CWPP (using REST API) 🔶 🔍ActiveMicrosoftREST Pull APIHTTP Data Collector APIPalo Alto Prisma Cloud CWPP1
Pathlock Inc.: Threat Detection and Response for SAPActivePathlock Inc.CCF PushLog Ingestion APIPathlock_TDnR2
🔌PDNS Block Data Connector 🔶 🔍UnpublishedNominetAzure FunctionHTTP Data Collector APIPDNS Block Data Connector1
Perimeter 81 Activity Logs 🔶ActivePerimeter 81REST Pull APIHTTP Data Collector APIPerimeter 811
Phosphorus DevicesActivePhosphorus Inc.CCF (Legacy)Phosphorus1
Ping One (via Codeless Connector Framework)ActiveMicrosoftCCFPingOne1
🔌Prancer Data Connector 🔶 🔍ActivePrancerREST Pull APIHTTP Data Collector APIPrancer PenSuiteAI Integration1
Premium Microsoft Defender Threat IntelligenceActiveMicrosoftNativeThreat Intelligence3
Proofpoint On Demand Email Security (via Codeless Connector Platform)ActiveProofpointCCFProofpoint On demand(POD) Email Security2
Proofpoint TAP (via Codeless Connector Platform)ActiveProofpointCCFProofPointTap4
QscoutAppEventsConnector (via Codeless Connector Framework)ActiveQuokkaCCFQuokka1
Qualys Knowledge Base (via Codeless Connector Framework)ActiveMicrosoftCCFQualys VM Knowledgebase1
Qualys VM KnowledgeBase 🔶ActiveQualysAzure FunctionHTTP Data Collector APIQualys VM Knowledgebase2
Qualys Vulnerability Management (via Codeless Connector Framework)ActiveMicrosoftCCFQualysVM1
Radiflow iSID via AMAActiveRadiflowAMARadiflow1
Rapid7 Insight Platform Vulnerability Management Reports 🔶ActiveRapid7Azure FunctionHTTP Data Collector APIRapid7InsightVM2
Rapid7 Insight Platform Vulnerability Management Reports (via Codeless Connector Framework)ActiveMicrosoftCCFRapid7InsightVM2
🔌Red Canary Threat Detection 🔶 🔍ActiveRed CanaryREST Pull APIHTTP Data Collector APIRed Canary1
RSA ID Plus Admin Logs ConnectorActiveRSACCFRSAIDPlus_AdminLogs_Connector1
Rubrik Security Cloud data connector 🔶ActiveRubrik, IncAzure FunctionHTTP Data Collector APIRubrikSecurityCloud4
Rubrik Security Cloud Protection Status (using Codeless Connector Framework)ActiveRubrik, IncCCFRubrikSecurityCloud1
SaaS Security 🔶ActiveValence SecurityREST Pull APIHTTP Data Collector APIValence Security1
SailPoint IdentityNow 🔶ActiveSailPointAzure FunctionHTTP Data Collector APISailPointIdentityNow2
Salesforce Service Cloud (via Codeless Connector Framework)ActiveMicrosoftCCFSalesforce Service Cloud1
Samsung Knox Asset IntelligenceActiveSamsungREST Pull APIHTTP Data Collector APISamsung Knox Asset Intelligence6
SAP BTPActiveMicrosoftCCFSAP BTP1
SAP Enterprise Threat Detection, cloud editionActiveSAPCCFSAP ETD Cloud2
SAP LogServ (RISE), S/4HANA Cloud private edition 🔍ActiveSAP SECCF PushLog Ingestion APISAP LogServ1
SAP S/4HANA Cloud Public EditionActiveSAPCCFSAP S4 Cloud Public Edition1
Security Events via Legacy AgentActiveMicrosoftMMAWindows Security Events1
SecurityBridge Solution for SAPActiveSecurityBridge Group GmbHCCF PushLog Ingestion APISecurityBridge App2
SecurityBridge Threat Detection for SAP 🔍ActiveSecurityBridgeMMASecurityBridge App1
SecurityScorecard Cybersecurity Ratings 🔶ActiveSecurityScorecardAzure FunctionHTTP Data Collector APISecurityScorecard Cybersecurity Ratings1
SecurityScorecard Factor 🔶ActiveSecurityScorecardAzure FunctionHTTP Data Collector APISecurityScorecard Cybersecurity Ratings1
SecurityScorecard Issue 🔶ActiveSecurityScorecardAzure FunctionHTTP Data Collector APISecurityScorecard Cybersecurity Ratings1
Semperis Directory Services ProtectorActiveSEMPERISMMASemperis Directory Services Protector1
Semperis Lightning LogsActiveSemperisAzure FunctionLog Ingestion APISemperisLightning7
SenservaPro (Preview) 🔶ActiveSenservaREST Pull APIHTTP Data Collector APISenservaPro1
SentinelOne (via Codeless Connector Framework)ActiveMicrosoftCCFSentinelOne5
Seraphic Web SecurityActiveSeraphicCCF (Legacy)SeraphicSecurity1
Sevco Platform - Devices 🔶UnpublishedSevco SecurityREST Pull APIHTTP Data Collector APISevcoSecurity1
Silverfort Admin ConsoleActiveSilverfortAMASilverfort1
SINEC Security GuardActiveSiemens AGREST Pull APIHTTP Data Collector APISINEC Security Guard1
Slack 🔶 🔍ActiveSlackCCFSlackAudit1
SlackAudit (via Codeless Connector Framework)ActiveMicrosoftCCFSlackAudit1
SlashNext Function App 🔶ActiveSlashNextAzure FunctionHTTP Data Collector APISlashNext2
Snowflake (via Codeless Connector Framework)ActiveMicrosoftCCFSnowflake10
SOC Prime Platform Audit Logs Data ConnectorActiveMicrosoftCCFSOC Prime CCF1
Sonrai Data Connector 🔶ActiveSonraiREST Pull APIHTTP Data Collector APISonraiSecurity1
Sophos Cloud Optix 🔶ActiveSophosREST Pull APIHTTP Data Collector APISophos Cloud Optix1
Sophos Endpoint Protection (via Codeless Connector Platform)ActiveMicrosoftCCFSophos Endpoint Protection2
Squadra Technologies secRMM 🔶ActiveSquadra TechnologiesREST Pull APIHTTP Data Collector APISquadra Technologies SecRmm1
StyxView Alerts (via Codeless Connector Platform) 🔍UnpublishedStyx IntelligenceCCFStyx Intelligence1
Subscription-based Microsoft Defender for Cloud (Legacy)ActiveMicrosoftNativeMicrosoft Defender for Cloud1
Symantec Integrated Cyber Defense Exchange 🔶ActiveSymantecREST Pull APIHTTP Data Collector APISymantec Integrated Cyber Defense1
Synqly Integration ConnectorActiveSynqlyCCF PushLog Ingestion APISynqlyIntegrationConnector10
Syslog via AMAActiveMicrosoftAMASyslog1
Syslog via Legacy AgentActiveMicrosoftMMASyslog1
TacitRed Compromised Credentials 🔶ActiveTacitRedCCFTacitRedThreatIntelligence1
Talon Insights 🔶ActiveTalon SecurityREST Pull APIHTTP Data Collector APITalon1
Tanium's CCF Push Connector 🔶ActiveTanium Inc.CCF PushLog Ingestion APITanium10
Team Cymru Scout Data ConnectorActiveTeam Cymru ScoutAzure FunctionLog Ingestion APITeam Cymru Scout14
Tenable Identity ExposureActiveTenableMMATenable App2
Tenable Vulnerability ManagementActiveTenableAzure FunctionLog Ingestion APITenable App5
🔌Tenable.ad 🔍UnpublishedTenableMMATenableAD2
Tenable.io Vulnerability Management 🔶ActiveTenableAzure FunctionHTTP Data Collector APITenableIO2
Tenant-based Microsoft Defender for CloudActiveMicrosoftNativeMicrosoft Defender for Cloud1
TheHive (via Codeless Connector Framework)ActiveTheHiveCCFTheHive?
TheHive Project - TheHive 🔶 🔍ActiveTheHive ProjectAzure FunctionHTTP Data Collector APITheHive1
Theom 🔶ActiveTheomREST Pull APIHTTP Data Collector APITheom1
Threat intelligence - TAXIIActiveMicrosoftNativeThreat Intelligence3
Threat intelligence - TAXII Export (Preview)ActiveMicrosoftNativeThreat Intelligence (NEW)1
Threat Intelligence PlatformsActiveMicrosoftNativeThreat Intelligence4
Threat Intelligence Upload API (Preview) 🔍ActiveMicrosoftUnknownThreat Intelligence3
Transmit Security Connector 🔶ActiveTransmitSecurityAzure FunctionHTTP Data Collector APITransmitSecurity1
Trellix Endpoint Security (via Codeless Connector Framework)ActiveMicrosoftCCFTrellix1
Trend Micro Cloud App Security 🔶ActiveTrend MicroAzure FunctionHTTP Data Collector APITrend Micro Cloud App Security1
Trend Vision One 🔶ActiveTrend MicroAzure FunctionHTTP Data Collector APITrend Micro Vision One4
Tropico Security - AlertsActiveTropico SecurityCCFTropico1
Tropico Security - EventsActiveTropico SecurityCCFTropico1
Tropico Security - IncidentsActiveTropico SecurityCCFTropico1
Upwind Logs Loader (Ingestion API)UnpublishedUpwindAzure FunctionLog Ingestion APIUpwind1
Vaikora AI Agent Behavioral Signals 🔶UnpublishedData443 Risk Mitigation, Inc.CCFVaikora-Sentinel1
Valimail Enforce Configuration EventsUnpublishedValimailCCFValimailEnforce1
Varonis Purview Push ConnectorActiveVaronisCCF PushLog Ingestion APIVaronis Purview1
Varonis SaaS 🔶ActiveVaronisAzure FunctionHTTP Data Collector APIVaronisSaaS1
Vectra XDRActiveVectraAzure FunctionLog Ingestion APIVectra XDR6
Veeam Data Connector (using Azure Functions)ActiveVeeamAzure FunctionHTTP Data Collector APIVeeam6
VersasecCmsActiveVersasec ABCCFVersasecCMS2
VirtualMetric DataStream for Microsoft SentinelActiveVirtualMetricAMAVirtualMetric DataStream1
VirtualMetric DataStream for Microsoft Sentinel data lakeActiveVirtualMetricAMAVirtualMetric DataStream1
VirtualMetric Director ProxyActiveVirtualMetricAzure FunctionHTTP Data Collector APIVirtualMetric DataStream1
Visa Threat IntelligenceUnpublishedMicrosoftCCFVisa Threat Intelligence (VTI)1
VMRayThreatIntelligenceActiveVMRayAzure FunctionHTTP Data Collector APIVMRay1
VMware Carbon Black Cloud via AWS S3 🔍ActiveMicrosoftCCFVMware Carbon Black Cloud7
VMware SD-WAN and SASE ConnectorUnpublishedVMware by BroadcomAzure FunctionLog Ingestion APIVMware SASE4
Windows DNS Events via AMAActiveMicrosoftAMAWindows Server DNS1
Windows Firewall 🔍ActiveMicrosoftMMAWindows Firewall1
Windows Firewall Events via AMAActiveMicrosoftAMAWindows Firewall1
Windows Forwarded EventsActiveMicrosoftAMAWindows Forwarded Events1
Windows Security Events via AMAActiveMicrosoftAMAWindows Security Events1
WithSecure Elements API (Azure Function)ActiveWithSecureAzure FunctionLog Ingestion APIWithSecureElementsViaFunction1
Wiz 🔶ActiveWizAzure FunctionHTTP Data Collector APIWiz6
Workday User ActivityActiveMicrosoftCCFWorkday1
Workplace from FacebookActiveFacebookAzure FunctionHTTP Data Collector APIWorkplace from Facebook1
XBOW Security Platform (via Azure Function)ActiveXBOWAzure FunctionLog Ingestion APIXBOW3
Zero Networks Segment (Push)ActiveZero NetworksCCF PushLog Ingestion APIZeroNetworks4
Zero Networks Segment AuditActiveZero NetworksCCFZeroNetworks1
Zero Networks Segment Audit 🔍ActiveZero NetworksCCF (Legacy)ZeroNetworks1
ZeroFox CTI 🔶ActiveZeroFoxAzure FunctionHTTP Data Collector APIZeroFox20
ZeroFox Enterprise - Alerts (Polling CCF) 🔶ActiveZeroFox EnterpriseCCFZeroFox1
Zimperium Mobile Threat Defense 🔶 🔍ActiveZimperiumREST Pull APIHTTP Data Collector APIZimperium Mobile Threat Defense2
Zoom ReportsActiveZoomAzure FunctionHTTP Data Collector APIZoomReports1
Zoom Reports Connector (via Codeless Connector Framework)ActiveMicrosoftCCFZoomReports1
Zscaler Internet Access Cloud NSS Audit Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB Activity Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB Cloud Storage Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB Collaboration Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB CRM Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB Email Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB File Sharing Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB ITSM Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS CASB Repo Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS DNS Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS Email DLP Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS Endpoint DLP Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS Firewall Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS Tunnel Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Zscaler Internet Access Cloud NSS Web Log Push ConnectorActiveZscalerCCF PushLog Ingestion APIZscaler Internet Access1
Legend: Active = Published connector; Deprecated = Deprecated connector; Unpublished = Not on content hub; 🔶 = Custom Logs v1 (classic, may not be accurate); 🔍 = Not listed in solution JSON
Table | Discovered Via | Category | Solutions | Connectors | Azure Monitor | Defender XDR
AACAudit 📖DocsAudit00YesNo
AACHttpRequest 📖DocsAzure Resources00YesNo
AADB2CRequestLogs 📖DocsEntra00YesNo
AADCustomSecurityAttributeAuditLogs 📖DocsEntra00YesNo
AADDomainServicesAccountLogon 📖DocsEntra00YesNo
AADDomainServicesAccountManagement 📖DocsEntra00YesNo
AADDomainServicesDirectoryServiceAccess 📖DocsEntra00YesNo
AADDomainServicesDNSAuditsDynamicUpdatesDocsEntra00NoNo
AADDomainServicesDNSAuditsGeneralDocsEntra00NoNo
AADDomainServicesLogonLogoff 📖DocsEntra00YesNo
AADDomainServicesPolicyChange 📖DocsEntra00YesNo
AADDomainServicesPrivilegeUse 📖DocsEntra00YesNo
AADDomainServicesSystemSecurity 📖DocsEntra00YesNo
AADFirstPartyToFirstPartySignInLogsDocsEntra00NoNo
AADGraphActivityLogs 📖DocsEntra00YesNo
AADManagedIdentitySignInLogs 📖ConnectorEntra51YesNo
AADNonInteractiveUserSignInLogs 📖ConnectorEntra121YesNo
AADProvisioningLogs 📖ConnectorEntra11YesNo
AADRiskyServicePrincipals 📖ConnectorEntra11YesNo
AADRiskyUsers 📖ConnectorEntra11YesNo
AADServicePrincipalRiskEvents 📖ConnectorEntra11YesNo
AADServicePrincipalSignInLogs 📖ConnectorEntra61YesNo
AADSignInEventsBeta 📖ContentEntra10NoYes
AADSpnSignInEventsBeta 📖ContentEntra00NoYes
AADUserInfo_CL 📖Schema00NoNo
AADUserRiskEvents 📖ConnectorEntra71YesNo
ABAPAuditLog 📖ConnectorSecurity44YesNo
ABAPAuditLog_CLConnector11NoNo
ABAPAuthorizationDetails 📖DocsSecurity00YesNo
ABAPChangeDocsLog 📖DocsSecurity00YesNo
ABAPChangeDocsLog_CLConnector11NoNo
ABAPTableDataLog 📖DocsSecurity00YesNo
ABAPUserDetails 📖DocsSecurity00YesNo
ABNORMAL_CASES_CL 📖Connector11NoNo
ABNORMAL_SECURITY_ABUSE_MAILBOX_CL 📖Connector11NoNo
ABNORMAL_SECURITY_ATO_CASE_CL 📖Connector11NoNo
ABNORMAL_SECURITY_AUDIT_LOG_CL 📖Connector11NoNo
ABNORMAL_SECURITY_CASE_CL 📖Connector11NoNo
ABNORMAL_SECURITY_POSTURE_CHANGE_CL 📖Connector11NoNo
ABNORMAL_SECURITY_REMEDIATION_CL 📖Connector11NoNo
ABNORMAL_SECURITY_THREAT_LOG_CL 📖Connector11NoNo
ABNORMAL_SECURITY_VENDOR_CASE_CL 📖Connector11NoNo
ABNORMAL_THREAT_MESSAGES_CL 🔶 📖Connector11NoNo
AbnormalSecurityLogs_CL 📖Connector11NoNo
ABSBotRequests 📖DocsAzure Resources00YesNo
ACICollaborationAudit 📖DocsAudit, Azure Resources00YesNo
ACLTransactionLogs 📖DocsAudit, Azure Resources00YesNo
ACLUserDefinedLogs 📖DocsApplications, Audit, Azure Resources00YesNo
ACRConnectedClientList 📖DocsAudit, Azure Resources00YesNo
ACREntraAuthenticationAuditLog 📖DocsAudit, Azure Resources00YesNo
ACSAdvancedMessagingOperations 📖DocsAzure Resources00YesNo
ACSAuthIncomingOperations 📖DocsAzure Resources00YesNo
ACSBillingUsage 📖DocsAzure Resources00YesNo
ACSCallAutomationIncomingOperations 📖DocsAzure Resources00YesNo
ACSCallAutomationMediaSummary 📖DocsAzure Resources00YesNo
ACSCallAutomationStreamingUsage 📖DocsAzure Resources00YesNo
ACSCallClientMediaStatsTimeSeries 📖DocsAzure Resources00YesNo
ACSCallClientOperations 📖DocsAzure Resources00YesNo
ACSCallClientServiceRequestAndOutcome 📖DocsAzure Resources00YesNo
ACSCallClosedCaptionsSummary 📖DocsAzure Resources00YesNo
ACSCallDiagnostics 📖DocsAzure Resources00YesNo
ACSCallDiagnosticsUpdates 📖DocsAzure Resources00YesNo
ACSCallingMetrics 📖DocsAzure Resources00YesNo
ACSCallRecordingIncomingOperations 📖DocsAzure Resources00YesNo
ACSCallRecordingSummary 📖DocsAzure Resources00YesNo
ACSCallSummary 📖DocsAzure Resources00YesNo
ACSCallSummaryUpdates 📖DocsAzure Resources00YesNo
ACSCallSurvey 📖DocsAzure Resources00YesNo
ACSChatIncomingOperations 📖DocsAzure Resources00YesNo
ACSEmailSendMailOperational 📖DocsAzure Resources00YesNo
ACSEmailStatusUpdateOperational 📖DocsAzure Resources00YesNo
ACSEmailUserEngagementOperational 📖DocsAzure Resources00YesNo
ACSJobRouterIncomingOperations 📖DocsAzure Resources00YesNo
ACSOptOutManagementOperations 📖DocsAzure Resources00YesNo
ACSRoomsIncomingOperations 📖DocsAzure Resources00YesNo
ACSSMSIncomingOperations 📖DocsAzure Resources00YesNo
ADAssessmentRecommendation 📖DocsWorkloads00YesNo
AddonAzureBackupAlerts 📖DocsAzure Resources, IT & Management Tools00YesNo
AddonAzureBackupJobs 📖DocsAzure Resources, IT & Management Tools00YesNo
AddonAzureBackupPolicy 📖DocsAzure Resources, IT & Management Tools00YesNo
AddonAzureBackupProtectedInstance 📖DocsAzure Resources, IT & Management Tools00YesNo
AddonAzureBackupStorage 📖DocsAzure Resources, IT & Management Tools00YesNo
ADFActivityRun 📖DocsAzure Resources00YesNo
ADFAirflowSchedulerLogsDocs00NoNo
ADFAirflowTaskLogsDocs00NoNo
ADFAirflowWebLogsDocs00NoNo
ADFAirflowWorkerLogsDocs00NoNo
ADFPipelineRun 📖DocsAzure Resources00YesNo
ADFSandboxActivityRun 📖DocsAzure Resources00YesNo
ADFSandboxPipelineRun 📖DocsAzure Resources00YesNo
ADFSSignInLogs 📖ConnectorAudit, Security21YesNo
ADFSSISIntegrationRuntimeLogsDocs00NoNo
ADFSSISPackageEventMessageContextDocs00NoNo
ADFSSISPackageEventMessagesDocs00NoNo
ADFSSISPackageExecutableStatisticsDocs00NoNo
ADFSSISPackageExecutionComponentPhasesDocs00NoNo
ADFSSISPackageExecutionDataStatisticsDocs00NoNo
ADFTriggerRun 📖DocsAzure Resources00YesNo
ADOAuditLogs_CL 📖Connector11NoNo
ADPAuditDocs00NoNo
ADPDiagnosticsDocs00NoNo
ADPRequestsDocs00NoNo
ADReplicationResult 📖DocsWorkloads00YesNo
ADSecurityAssessmentRecommendation 📖DocsWorkloads00YesNo
ADTDataHistoryOperation 📖DocsAzure Resources00YesNo
ADTDigitalTwinsOperation 📖DocsAzure Resources00YesNo
ADTEventRoutesOperation 📖DocsAzure Resources00YesNo
ADTModelsOperation 📖DocsAzure Resources00YesNo
ADTQueryOperation 📖DocsAzure Resources00YesNo
ADXCommandDocs00NoNo
ADXJournal 📖DocsAzure Resources00YesNo
ADXQueryDocs00NoNo
ADXTableDetails 📖ContentAzure Resources00YesNo
ADXTableUsageStatisticsDocs00NoNo
AegDataPlaneRequests 📖DocsAudit, Azure Resources00YesNo
AegDeliveryFailureLogs 📖DocsAzure Resources00YesNo
AegPublishFailureLogs 📖DocsAzure Resources00YesNo
AEWAssignmentBlobLogs 📖DocsAudit, Azure Resources00YesNo
AEWAuditLogs 📖DocsAudit, Azure Resources00YesNo
AEWComputePipelinesLogs 📖DocsAudit, Azure Resources00YesNo
AEWExperimentAssignmentSummary 📖DocsApplications00YesNo
AEWExperimentScorecardMetricPairs 📖DocsApplications00YesNo
AEWExperimentScorecards 📖DocsApplications00YesNo
AFDAccessLogDocs00NoNo
AFDClassicCdnAccessLogDocs00NoNo
AFDHealthProbeLogDocs00NoNo
AFDWebApplicationFirewallLogDocs00NoNo
AFSAuditLogs 📖DocsAudit, Azure Resources00YesNo
agari_apdpolicy_log_CL 🔶 📖Connector11NoNo
agari_apdtc_log_CL 🔶 📖Connector11NoNo
agari_bpalerts_log_CL 📖Connector11NoNo
AGCAccessLogs 📖DocsAzure Resources, Network00YesNo
AGCFirewallLogs 📖DocsAudit, Azure Resources, Network00YesNo
AggregatedSecurityAlert 📖DocsSecurity00YesNo
AgriFoodApplicationAuditLogs 📖DocsAudit, Azure Resources00YesNo
AgriFoodFarmManagementLogs 📖DocsAzure Resources00YesNo
AgriFoodFarmOperationLogs 📖DocsAzure Resources00YesNo
AgriFoodInsightLogs 📖DocsAzure Resources00YesNo
AgriFoodJobProcessedLogs 📖DocsAzure Resources00YesNo
AgriFoodModelInferenceLogs 📖DocsAzure Resources00YesNo
AgriFoodProviderAuthLogs 📖DocsAzure Resources00YesNo
AgriFoodSatelliteLogs 📖DocsAzure Resources00YesNo
AgriFoodSensorManagementLogs 📖DocsAzure Resources00YesNo
AgriFoodWeatherLogs 📖DocsAzure Resources00YesNo
AGSGrafanaLoginEvents 📖DocsAudit, Azure Resources00YesNo
AGSGrafanaUsageInsightsEvents 📖DocsAudit, Azure Resources00YesNo
AGSUpdateEvents 📖DocsAudit, Azure Resources00YesNo
AGWAccessLogs 📖ContentAudit, Azure Resources, Network10YesNo
AGWFirewallLogs 📖ContentAudit, Azure Resources, Network10YesNo
AGWPerformanceLogs 📖DocsAudit, Azure Resources, Network00YesNo
AHCIDiagnosticLogs 📖DocsAzure Resources00YesNo
AHDSDeidAuditLogs 📖DocsAudit, Azure Resources00YesNo
AHDSDicomAuditLogs 📖DocsAudit, Azure Resources00YesNo
AHDSDicomDiagnosticLogs 📖DocsAzure Resources00YesNo
AHDSMedTechDiagnosticLogs 📖DocsAzure Resources00YesNo
AIAgentsInfo 📖ContentXDR00NoYes
AirflowDagProcessingLogsDocs00NoNo
AIShield_CL 📖Connector11NoNo
AIX_Audit_CL 🔶Connector11NoNo
AKSAudit 📖DocsAudit, Azure Resources, Containers00YesNo
AKSAuditAdmin 📖DocsAudit, Azure Resources, Containers00YesNo
AKSControlPlane 📖DocsAzure Resources, Containers00YesNo
ALBHealthEvent 📖DocsAzure Monitor, Azure Resources00YesNo
Alert 📖ContentAzure Monitor00YesNo
AlertEvidence 📖ConnectorInternal71YesYes
AlertHistory 📖DocsAzure Monitor00YesNo
AlertInfo 📖ContentInternal10YesYes
Alerts_data_CL 📖Schema00NoNo
alertscompromisedcredentialdata_CL 🔶 📖Connector11NoNo
alertsctepdata_CL 🔶 📖Connector11NoNo
alertsdlpdata_CL 🔶 📖Connector11NoNo
alertsmalsitedata_CL 🔶 📖Connector11NoNo
alertsmalwaredata_CL 🔶 📖Connector11NoNo
alertspolicydata_CL 🔶 📖Connector11NoNo
alertsquarantinedata_CL 🔶 📖Connector11NoNo
alertsremediationdata_CL 🔶 📖Connector11NoNo
alertssecurityassessmentdata_CL 🔶 📖Connector11NoNo
alertsubadata_CL 🔶 📖Connector11NoNo
AliCloud_CL 📖Connector11NoNo
AliCloudActionTrailLogs_CL 📖Connector11NoNo
AlsidForADLog_CL 📖Connector11NoNo
AMATelemetryEventsDocs00NoNo
AmlComputeClusterEvent 📖DocsAzure Resources00YesNo
AmlComputeClusterNodeEvent 📖DocsAzure Resources00YesNo
AmlComputeCpuGpuUtilization 📖DocsAzure Resources00YesNo
AmlComputeInstanceEvent 📖DocsAudit, Azure Resources00YesNo
AmlComputeJobEvent 📖DocsAzure Resources00YesNo
AmlDataLabelEvent 📖DocsAudit, Azure Resources00YesNo
AmlDataSetEvent 📖DocsAudit, Azure Resources00YesNo
AmlDataStoreEvent 📖DocsAudit, Azure Resources00YesNo
AmlDeploymentEvent 📖DocsAudit, Azure Resources00YesNo
AmlEnvironmentEvent 📖DocsAudit, Azure Resources00YesNo
AmlInferencingEvent 📖DocsAudit, Azure Resources00YesNo
AmlModelsEvent 📖DocsAudit, Azure Resources00YesNo
AmlOnlineEndpointConsoleLog 📖DocsAudit, Azure Resources00YesNo
AmlOnlineEndpointEventLog 📖DocsAudit, Azure Resources00YesNo
AmlOnlineEndpointTrafficLog 📖DocsAudit, Azure Resources00YesNo
AmlPipelineEvent 📖DocsAudit, Azure Resources00YesNo
AmlRegistryReadEventsLog 📖DocsAudit, Azure Resources00YesNo
AmlRegistryWriteEventsLog 📖DocsAudit, Azure Resources00YesNo
AmlRunEvent 📖DocsAudit, Azure Resources00YesNo
AmlRunStatusChangedEvent 📖DocsAzure Resources00YesNo
AMSKeyDeliveryRequests 📖DocsAudit, Azure Resources00YesNo
AMSLiveEventOperations 📖DocsAudit, Azure Resources00YesNo
AMSMediaAccountHealth 📖DocsAudit, Azure Resources00YesNo
AMSStreamingEndpointRequests 📖DocsAudit, Azure Resources00YesNo
AMWMetricsUsageDetails 📖DocsAzure Monitor, Azure Resources00YesNo
ANFFileAccessDocs00NoNo
Anomalies 📖ContentInternal120YesNo
Anvilogic_Alerts_CL 📖Connector11NoNo
AOIDatabaseQuery 📖DocsAudit, Azure Resources00YesNo
AOIDigestionDocs00NoNo
AOIStorage 📖DocsAudit, Azure Resources00YesNo
ApacheHTTPServer_CL 📖Connector22NoNo
apifirewall_log_1_CL 🔶 📖Connector11NoNo
ApigeeX_CL 🔶 📖Connector11NoNo
ApigeeXV2_CL 📖Schema00NoNo
ApiManagementGatewayLlmLogDocs00NoNo
ApiManagementGatewayLogs 📖DocsAzure Resources00YesNo
ApiManagementWebSocketConnectionLogs 📖DocsAzure Resources00YesNo
APIMDevPortalAuditDiagnosticLogDocs00NoNo
AppAvailabilityResults 📖DocsApplications00YesNo
AppBrowserTimings 📖DocsApplications00YesNo
AppCenterErrorDocs00NoNo
AppDependencies 📖DocsLow value00YesNo
AppEnvSessionConsoleLogs 📖DocsAudit, Azure Resources00YesNo
AppEnvSessionLifecycleLogs 📖DocsAudit, Azure Resources00YesNo
AppEnvSessionPoolEventLogs 📖DocsAudit, Azure Resources00YesNo
AppEnvSpringAppConsoleLogs 📖DocsAudit, Azure Resources00YesNo
AppEvents 📖DocsLow value00YesNo
AppExceptions 📖DocsLow value00YesNo
AppGenAIContent 📖DocsApplications00YesNo
AppMetrics 📖DocsLow value00YesNo
AppPageViews 📖DocsApplications00YesNo
AppPerformanceCounters 📖DocsLow value00YesNo
AppPlatformContainerEventLogs 📖DocsAzure Resources00YesNo
AppPlatformIngressLogs 📖DocsAzure Resources00YesNo
AppPlatformLogsforSpring 📖DocsAzure Resources00YesNo
AppPlatformSystemLogs 📖DocsAzure Resources00YesNo
AppRequests 📖DocsLow value00YesNo
AppServiceAntivirusScanAuditLogs 📖ContentAzure Resources10YesNo
AppServiceAppLogs 📖ContentLow value00YesNo
AppServiceAuditLogs 📖ContentAzure Resources00YesNo
AppServiceAuthenticationLogs 📖DocsAzure Resources00YesNo
AppServiceConsoleLogs 📖ContentLow value00YesNo
AppServiceEnvironmentPlatformLogsDocs00NoNo
AppServiceFileAuditLogs 📖DocsAzure Resources00YesNo
AppServiceHTTPLogs 📖ContentAzure Resources20YesNo
AppServiceIPSecAuditLogsContent00NoNo
AppServicePlatformLogs 📖ContentAzure Resources00YesNo
AppServiceServerlessSecurityPluginData 📖DocsSecurity00YesNo
AppSystemEvents 📖DocsApplications00YesNo
AppTraces 📖DocsLow value00YesNo
ArcK8sAudit 📖DocsAudit, Azure Resources, Containers00YesNo
ArcK8sAuditAdmin 📖DocsAudit, Azure Resources, Containers00YesNo
ArcK8sControlPlane 📖DocsAzure Resources, Containers00YesNo
ARGOS_CL 🔶 📖Connector11NoNo
argsentdc_CL 📖Connector11NoNo
Armis_Activities_CL 📖Connector12NoNo
Armis_Alerts_CL 📖Connector12NoNo
Armis_Devices_CL 📖Connector11NoNo
Armorblox_CL 🔶 📖Connector11NoNo
ASCAuditLogs 📖DocsAudit, Azure Resources00YesNo
ASCDeviceEvents 📖DocsAudit, Azure Resources00YesNo
ASimAlertEventLogs 📖DocsNormalized00YesNo
ASimAuditEventLogs 📖ConnectorNormalized64YesNo
ASimAuthenticationEventLogs 📖ConnectorNormalized43YesNo
ASimAuthenticationEventLogs_CL 📖Connector11NoNo
ASimDhcpEventLogs 📖ConnectorNormalized11YesNo
ASimDnsActivityLogs 📖ConnectorNormalized43YesNo
ASimFileEventLogs 📖ConnectorNormalized43YesNo
ASimFileEventLogs_CL 📖Connector11NoNo
ASimNetworkSessionLogs 📖ConnectorNormalized65YesNo
ASimProcessEventLogs 📖ConnectorNormalized43YesNo
ASimProcessEventLogs_CL 📖Connector11NoNo
ASimRegistryEventLogs 📖ConnectorNormalized33YesNo
ASimRegistryEventLogs_CL 📖Connector11NoNo
ASimUserManagementActivityLogs 📖ConnectorNormalized22YesNo
ASimUserManagementLogs_CL 📖Connector11NoNo
ASimWebSessionLogs 📖ConnectorNormalized32YesNo
ASRJobs 📖DocsAudit00YesNo
ASRReplicatedItems 📖DocsAudit00YesNo
ASRv2HealthEvents 📖DocsAudit00YesNo
ASRv2JobEvents 📖DocsAudit00YesNo
ASRv2ProtectedItems 📖DocsAudit00YesNo
ASRv2ReplicationExtensions 📖DocsAudit00YesNo
ASRv2ReplicationPolicies 📖DocsAudit00YesNo
ASRv2ReplicationVaults 📖DocsAudit00YesNo
ATCExpressRouteCircuitIpfix 📖DocsAzure Resources00YesNo
ATCMicrosoftPeeringMetadata 📖DocsAzure Resources00YesNo
ATCPrivatePeeringMetadata 📖DocsAzure Resources00YesNo
atlassian_beacon_alerts_CL 🔶 📖ConnectorInternal11NoNo
AtlassianConfluenceNativePoller_CLConnector11NoNo
Audit_CL 📖Connector11NoNo
AuditLogs 📖ConnectorAzure Resources, Security211YesNo
Audits_Data_CL 📖Connector11NoNo
Auth0AM_CL 🔶 📖Connector11NoNo
Auth0Logs_CL 📖Connector11NoNo
Authomize_v2_CL 🔶 📖Connector11NoNo
AutoConnectASC_CLContent10NoNo
AutoscaleEvaluationsLog 📖DocsAzure Monitor, Azure Resources, Virtual Machines00YesNo
AutoscaleScaleActionsLog 📖DocsAzure Monitor, Azure Resources, Virtual Machines00YesNo
AVNMConnectivityConfigurationChange 📖DocsAudit, Azure Resources, Network00YesNo
AVNMIPAMPoolAllocationChange 📖DocsAudit, Azure Resources, Network00YesNo
AVNMNetworkGroupMembershipChange 📖DocsAudit, Azure Resources, Network00YesNo
AVNMRuleCollectionChange 📖DocsAudit, Azure Resources, Network00YesNo
AVSEsxiFirewallSyslogDocs00NoNo
AVSEsxiSyslogDocs00NoNo
AVSNsxEdgeSyslogDocs00NoNo
AVSNsxManagerSyslogDocs00NoNo
AVSSyslogDocs00NoNo
AVSVcSyslogDocs00NoNo
AVSvSphereClientDocs00NoNo
Awareness_Performance_Details_CL 📖Connector11NoNo
Awareness_SafeScore_Details_CL 📖Connector11NoNo
Awareness_User_Data_CL 📖Connector11NoNo
Awareness_Watchlist_Details_CL 📖Connector11NoNo
AWSALBAccessLogs 📖ConnectorAWS11YesNo
AWSALBAccessLogs_CL 📖ConnectorAWS11NoNo
AwsBucketAPILogs_CLContentAWS10NoNo
AWSCloudFront_AccessLog_CLConnectorAWS11NoNo
AWSCloudTrail 📖ConnectorAWS142YesNo
AWSCloudWatch 📖ConnectorAWS11YesNo
AWSEKSDocsAWS00NoNo
AWSEKSLogs 📖DocsAWS00YesNo
AWSEKSLogs_CL 📖ConnectorAWS11NoNo
AWSELBFlowLogsConnectorAWS11NoNo
AWSELBFlowLogs_CL 📖ConnectorAWS11NoNo
AWSGuardDuty 📖ConnectorAWS31YesNo
AWSNetworkFirewall_AlertLog_CL 📖Schema00NoNo
AWSNetworkFirewall_FlowLog_CL 📖Schema00NoNo
AWSNetworkFirewall_TlsLog_CL 📖Schema00NoNo
AWSNetworkFirewallAlert 📖ConnectorAWS11YesNo
AWSNetworkFirewallFlow 📖ConnectorAWS11YesNo
AWSNetworkFirewallTls 📖ConnectorAWS11YesNo
AWSNLBAccessLogs 📖ConnectorAWS11YesNo
AWSNLBAccessLogs_CL 📖ConnectorAWS11NoNo
AWSRoute53Resolver 📖ConnectorAWS11YesNo
AWSS3ServerAccess 📖ConnectorAWS11YesNo
AWSSecurityHubFindings 📖ConnectorAWS11YesNo
AWSVPCFlow 📖ConnectorAWS62YesNo
AWSWAF 📖ConnectorAWS11YesNo
AZFWApplicationRule 📖ConnectorSecurity31YesNo
AZFWApplicationRuleAggregation 📖DocsSecurity00YesNo
AZFWDnsFlowTrace 📖DocsSecurity00YesNo
AZFWDnsQuery 📖ConnectorSecurity21YesNo
AZFWFatFlow 📖ConnectorSecurity11YesNo
AZFWFlowTrace 📖ConnectorAzure Resources11YesNo
AZFWIdpsSignature 📖ConnectorSecurity11YesNo
AZFWInternalFqdnResolutionFailure 📖ConnectorSecurity11YesNo
AZFWNatRule 📖ConnectorSecurity11YesNo
AZFWNatRuleAggregation 📖DocsSecurity00YesNo
AZFWNetworkRule 📖ConnectorSecurity31YesNo
AZFWNetworkRuleAggregation 📖DocsSecurity00YesNo
AZFWThreatIntel 📖ConnectorSecurity11YesNo
AZKVAuditLogs 📖DocsAudit, Azure Resources00YesNo
AZKVPolicyEvaluationDetailsLogs 📖DocsAudit, Azure Resources00YesNo
AZMSApplicationMetricLogs 📖DocsAudit, Azure Resources00YesNo
AZMSArchiveLogs 📖DocsAudit, Azure Resources00YesNo
AZMSAutoscaleLogs 📖DocsAudit, Azure Resources00YesNo
AZMSCustomerManagedKeyUserLogs 📖DocsAudit, Azure Resources00YesNo
AZMSDiagnosticErrorLogs 📖DocsAudit00YesNo
AZMSHybridConnectionsEvents 📖DocsAudit, Azure Resources00YesNo
AZMSKafkaCoordinatorLogs 📖DocsAudit, Azure Resources00YesNo
AZMSKafkaUserErrorLogs 📖DocsAudit, Azure Resources00YesNo
AZMSOperationalLogs 📖DocsAudit, Azure Resources00YesNo
AZMSRunTimeAuditLogs 📖DocsAudit00YesNo
AZMSVnetConnectionEvents 📖DocsAudit, Azure Resources00YesNo
AzureActivity 📖ConnectorAudit, Azure Resources, Security191YesNo
AzureAssessmentRecommendation 📖DocsWorkloads00YesNo
AzureAttestationDiagnostics 📖DocsAzure Resources00YesNo
AzureBackupOperations 📖DocsAudit00YesNo
AzureDevOpsAuditingContent30NoNo
AzureDiagnostics 🔶 📖ConnectorVarious3615YesNo
AzureLoadTestingOperation 📖DocsAudit, Azure Resources00YesNo
AzureLogAnalyticsIngestionDiagnosticLogsDocs00NoNo
AzureMetrics 📖ConnectorLow value22YesNo
AzureMetricsV2 📖DocsAzure Monitor, Azure Resources00YesNo
AzureMonitorPipelineLogErrors 📖DocsAzure Resources00YesNo
AzureNetworkAnalytics_CL 🔶 📖Content50NoNo
Barracuda_CL 🔶Connector11NoNo
barracuda_CL 🔶 📖Connector11NoNo
BehaviorAnalytics 📖ContentInternal130YesNo
BehaviorEntities 📖DocsSecurity, XDR00YesYes
BehaviorInfo 📖DocsSecurity, XDR00YesYes
beSECURE_Audit_CL 🔶 📖Connector11NoNo
beSECURE_ScanEvent_CL 🔶 📖Connector11NoNo
beSECURE_ScanResults_CL 🔶 📖Connector11NoNo
BetterMTDAppLog_CL 🔶 📖Connector11NoNo
BetterMTDDeviceLog_CL 📖Connector11NoNo
BetterMTDIncidentLog_CL 📖Connector11NoNo
BetterMTDNetflowLog_CL 🔶 📖Connector11NoNo
BeyondTrustPM_ActivityAudits_CL 📖Connector11NoNo
BeyondTrustPM_ClientEvents_CL 📖Connector11NoNo
BHEAttackPathsData_CL 📖Connector11NoNo
BHEAttackPathsTimelineData_CL 📖Content10NoNo
BHEAuditLogsData_CL 📖Content10NoNo
BHEFindingTrendsData_CL 📖Content10NoNo
BHEPostureHistory_CL 📖Schema00NoNo
BHEPostureHistoryData_CLContent10NoNo
BHEPostureStatsData_CL 📖Schema00NoNo
BHETierZeroAssetsData_CL 📖Content10NoNo
BigIDDSPMAssetStore_CLConnector11NoNo
BigIDDSPMCatalog_CLConnector11NoNo
BitglassLogs_CL 🔶 📖Connector11NoNo
BitsightAlerts_data_CL 📖Connector11NoNo
BitsightBreaches_data_CL 📖Connector11NoNo
BitsightCompany_details_CL 📖Connector11NoNo
BitsightCompany_rating_details_CL 📖Connector11NoNo
BitsightDiligence_historical_statistics_CL 📖Connector11NoNo
BitsightDiligence_statistics_CL 📖Connector11NoNo
BitsightFindings_data_CL 📖Connector11NoNo
BitsightFindings_summary_CL 📖Connector11NoNo
BitsightGraph_data_CL 📖Connector11NoNo
BitsightIndustrial_statistics_CL 📖Connector11NoNo
BitsightObservation_statistics_CL 📖Connector11NoNo
BitsightPortfolio_Companies_CL 📖Schema00NoNo
BitwardenEventLogs_CL 📖Connector11NoNo
BitwardenGroups_CL 📖Connector11NoNo
BitwardenMembers_CL 📖Connector11NoNo
blacklens_CL 📖Connector11NoNo
BlockchainApplicationLog 📖DocsAzure Resources00YesNo
BlockchainProxyLog 📖DocsAzure Resources00YesNo
BloodHoundLogs_CL 📖Schema00NoNo
BoxEvents_CL 🔶 📖Connector12NoNo
BoxEventsV2_CL 📖Connector12NoNo
BSMmacOS_CL 🔶 📖Connector11NoNo
CampaignInfo 📖DocsSecurity, XDR00YesYes
CanaryTokens_CLContent10NoNo
CarbonBlack_Alerts_CL 📖Connector51NoNo
CarbonBlack_Watchlist_CL 📖Connector11NoNo
CarbonBlackAuditLogs_CL 🔶 📖Connector11NoNo
CarbonBlackEvents_CL 🔶 📖Connector11NoNo
CarbonBlackNotifications_CL 🔶 📖Connector11NoNo
CassandraAudit 📖DocsAudit00YesNo
CassandraLogsDocs00NoNo
CBS_BreachedCredentials_AzureV2_CL 📖Connector11NoNo
CBS_BreachedCredentials_CL 📖Schema00NoNo
CBS_CompromisedCards_AzureV2_CL 📖Connector11NoNo
CBS_CompromisedCards_CL 📖Schema00NoNo
CBS_DomainInfringement_AzureV2_CL 📖Connector11NoNo
CBS_DomainInfringement_CL 📖Schema00NoNo
CBS_Log_CL 📖Schema00NoNo
CBS_MalwareLogs_AzureV2_CL 📖Connector11NoNo
CBS_MalwareLogs_CL 📖Schema00NoNo
CBS_SubdomainInfringement_AzureV2_CL 📖Connector11NoNo
CBS_SubdomainInfringement_CL 📖Schema00NoNo
CBSLog_Azure_1_CL 🔶 📖Connector11NoNo
CBSLog_AzureV2_CL 📖Connector11NoNo
CCFApplicationLogs 📖DocsAudit, Azure Resources00YesNo
CDBCassandraRequests 📖DocsAudit, Azure Resources00YesNo
CDBControlPlaneRequests 📖DocsAudit, Azure Resources00YesNo
CDBDataPlaneRequests 📖DocsAudit, Azure Resources00YesNo
CDBDataPlaneRequests15M 📖DocsAudit, Azure Resources00YesNo
CDBDataPlaneRequests5M 📖DocsAudit, Azure Resources00YesNo
CDBGremlinRequests 📖DocsAudit, Azure Resources00YesNo
CDBMongoRequests 📖DocsAudit, Azure Resources00YesNo
CDBPartitionKeyRUConsumption 📖DocsAudit, Azure Resources00YesNo
CDBPartitionKeyStatistics 📖DocsAudit, Azure Resources00YesNo
CDBQueryRuntimeStatistics 📖DocsAudit, Azure Resources00YesNo
CDBTableApiRequests 📖DocsAudit, Azure Resources00YesNo
Censys_Certificate_IOC_CL 🔶 📖Content10NoNo
Censys_Host_History_Data_CL 🔶 📖Content10NoNo
Censys_Host_IOC_CL 🔶 📖Content10NoNo
Censys_Host_Services_CL 🔶 📖Content10NoNo
Censys_Web_Property_Endpoint_CL 🔶 📖Content10NoNo
Censys_Web_Property_IOC_CL 🔶 📖Content10NoNo
Censys_Web_Property_Threat_CL 🔶 📖Content10NoNo
Censys_Web_Property_Vuln_CL 🔶 📖Content10NoNo
CensysCert_CL 📖Schema00NoNo
CensysCertificate_CL 🔶 📖Content10NoNo
CensysCertificateAlert_CL 🔶 📖Content10NoNo
CensysHost_CL 🔶 📖Content10NoNo
CensysHostAlert_CL 🔶 📖Content10NoNo
CensysRelatedInfrastructure_CL 🔶 📖ContentInternal10NoNo
CensysRescanHost_CL 🔶 📖Content10NoNo
CensysRescanHostAlert_CL 🔶 📖Content10NoNo
CensysRescanWebProperty_CL 🔶 📖Content10NoNo
CensysRescanWebPropertyAlert_CL 🔶 📖Content10NoNo
CensysWebProperty_CL 🔶Content10NoNo
Censyswebproperty_CL 📖Schema00NoNo
CensysWebPropertyAlert_CL 🔶 📖Content10NoNo
ChaosStudioExperimentEventLogs 📖DocsAudit, Azure Resources00YesNo
CIEventsAudit 📖DocsAudit, Azure Resources00YesNo
CIEventsOperational 📖DocsAzure Resources00YesNo
Cisco_Umbrella_audit_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_cloudfirewall_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_dlp_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_dns_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_fileevent_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_firewall_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_intrusion_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_ip_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_proxy_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_ravpnlogs_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_ztaflow_CL 🔶 📖Connector12NoNo
Cisco_Umbrella_ztna_CL 🔶 📖Connector12NoNo
CiscoDuo_CL 🔶 📖Connector21NoNo
CiscoETD_CL 🔶 📖Connector11NoNo
CiscoMerakiNativePoller_CL 📖Connector13NoNo
CiscoSDWANNetflow_CL 🔶 📖Connector11NoNo
CiscoSecureEndpoint_CL 🔶 📖Connector11NoNo
CiscoSecureEndpointAuditLogsV2_CL 📖Connector11NoNo
CiscoSecureEndpointEventsV2_CL 📖Connector11NoNo
CitrixAnalytics_CVAD_Events_V1_CL 📖Connector11NoNo
CitrixAnalytics_indicatorEventDetails_CL 🔶 📖Connector11NoNo
CitrixAnalytics_indicatorEventDetails_V1_CL 📖Connector11NoNo
CitrixAnalytics_indicatorSummary_CL 🔶 📖Connector11NoNo
CitrixAnalytics_indicatorSummary_V1_CL 📖Connector11NoNo
CitrixAnalytics_riskScoreChange_CL 🔶 📖Connector11NoNo
CitrixAnalytics_riskScoreChange_V1_CL 📖Connector11NoNo
CitrixAnalytics_SPA_Events_V1_CL 📖Connector11NoNo
CitrixAnalytics_userProfile_CL 🔶 📖Connector11NoNo
CitrixAnalytics_userProfile_V1_CL 📖Connector11NoNo
Cloud_Integrated_CL 📖Connector11NoNo
CloudAppEvents 📖ConnectorSecurity, XDR51YesYes
CloudAuditEvents 📖DocsXDR00NoYes
CloudDnsEvents 📖DocsXDR00NoYes
Cloudflare_CL 🔶 📖Connector21NoNo
CloudflareV2_CL 📖Connector21NoNo
CloudGuard_SecurityEvents_CL 📖Connector11NoNo
CloudHsmServiceOperationAuditLogs 📖DocsAudit, Azure Resources00YesNo
CloudPolicyEnforcementEvents 📖DocsXDR00NoYes
CloudProcessEvents 📖DocsXDR00NoYes
CloudStorageAggregatedEvents 📖DocsXDR00NoYes
Cofense_Triage_failed_indicators_CL 🔶 📖Connector11NoNo
CognniIncidents_CL 🔶 📖Connector11NoNo
Cohesity_CL 📖Connector11NoNo
CommonSecurityLog 📖ConnectorSyslog/CEF81111YesNo
Communication_Data_CL 🔶 📖Content10NoNo
CommunicationComplianceActivity 📖DocsAudit, Security00YesNo
CommvaultAlerts_CL 📖Connector11NoNo
ComputerGroup 📖DocsAzure Monitor, IT & Management Tools, Virtual Machines00YesNo
ConfidentialWatchlist 📖DocsSecurity00YesNo
ConfigurationChange 📖ContentIT & Management Tools40YesNo
ConfigurationData 📖ContentIT & Management Tools20YesNo
Confluence_Audit_CL 📖Connector11NoNo
Confluence_Audit_v2_CL 📖Schema00NoNo
ConfluenceAuditLogs_CL 📖Connector11NoNo
ContainerAppConsoleLogs 📖DocsAudit, Azure Resources00YesNo
ContainerAppSystemLogs 📖DocsAudit, Azure Resources00YesNo
ContainerEvent 📖DocsAudit, Azure Resources00YesNo
ContainerImageInventory 📖DocsContainers00YesNo
ContainerInstanceLog 📖DocsAudit, Azure Resources00YesNo
ContainerInventory 📖ConnectorContainers11YesNo
ContainerLog 📖DocsLow value00YesNo
ContainerLogV2 📖DocsLow value00YesNo
ContainerNetworkLogs 📖DocsContainers00YesNo
ContainerNodeInventory 📖DocsContainers00YesNo
ContainerRegistryLoginEvents 📖ContentContainers00YesNo
ContainerRegistryRepositoryEvents 📖ContentContainers00YesNo
ContainerServiceLog 📖DocsContainers00YesNo
ContrastADR_CL 🔶 📖Connector11NoNo
ContrastADRAttackEvents_CL 📖Connector11NoNo
ContrastADRIncident_CL 🔶Connector11NoNo
ContrastADRIncidents_CL 📖Connector11NoNo
CopilotActivity 📖ConnectorAudit, Security11YesNo
CoreAzureBackup 📖ContentAzure Resources, IT & Management Tools10YesNo
Corelight_CL 🔶 📖Connector11NoNo
Corelight_v2_anomaly_CL 📖Schema00NoNo
Corelight_v2_bacnet_CL 🔶 📖Connector11NoNo
Corelight_v2_capture_loss_CL 🔶 📖Connector11NoNo
Corelight_v2_cip_CL 🔶 📖Connector11NoNo
Corelight_v2_conn_agg_CL 🔶 📖Content10NoNo
Corelight_v2_conn_CL 🔶 📖Connector11NoNo
Corelight_v2_conn_long_CL 🔶 📖Connector11NoNo
Corelight_v2_conn_red_CL 🔶 📖Connector11NoNo
Corelight_v2_corelight_burst_CL 🔶 📖Connector11NoNo
Corelight_v2_corelight_metrics_disk_CL 🔶 📖Content10NoNo
Corelight_v2_corelight_metrics_iface_CL 🔶 📖Content10NoNo
Corelight_v2_corelight_metrics_memory_CL 🔶 📖Content10NoNo
Corelight_v2_corelight_metrics_system_CL 🔶 📖Content10NoNo
Corelight_v2_corelight_metrics_zeek_doctor_CL 🔶 📖Content10NoNo
Corelight_v2_corelight_overall_capture_loss_CL 🔶 📖Connector11NoNo
Corelight_v2_corelight_profiling_CL 🔶 📖Connector11NoNo
Corelight_v2_datared_CL 🔶 📖Connector11NoNo
Corelight_v2_dce_rpc_CL 🔶 📖Connector11NoNo
Corelight_v2_dga_CL 🔶 📖Connector11NoNo
Corelight_v2_dhcp_CL 🔶 📖Connector11NoNo
Corelight_v2_dnp3_CL 🔶 📖Connector11NoNo
Corelight_v2_dns_agg_CL 🔶 📖Content10NoNo
Corelight_v2_dns_CL 🔶 📖Connector11NoNo
Corelight_v2_dns_red_CL 🔶 📖Connector11NoNo
Corelight_v2_dpd_CL 🔶 📖Connector11NoNo
Corelight_v2_encrypted_dns_CL 🔶 📖Connector11NoNo
Corelight_v2_enip_CL 🔶 📖Connector11NoNo
Corelight_v2_enip_debug_CL 🔶 📖Connector11NoNo
Corelight_v2_enip_list_identity_CL 🔶 📖Connector11NoNo
Corelight_v2_etc_viz_CL 🔶 📖Connector11NoNo
Corelight_v2_files_agg_CL 🔶 📖Content10NoNo
Corelight_v2_files_CL 🔶 📖Connector11NoNo
Corelight_v2_files_red_CL 🔶 📖Connector11NoNo
Corelight_v2_first_seen_CL 📖Schema00NoNo
Corelight_v2_ftp_CL 🔶 📖Connector11NoNo
Corelight_v2_generic_dns_tunnels_CL 🔶 📖Connector11NoNo
Corelight_v2_generic_icmp_tunnels_CL 🔶 📖Connector11NoNo
Corelight_v2_http2_CL 🔶 📖Connector11NoNo
Corelight_v2_http_agg_CL 🔶 📖Content10NoNo
Corelight_v2_http_CL 🔶 📖Connector11NoNo
Corelight_v2_http_red_CL 🔶 📖Connector11NoNo
Corelight_v2_icmp_specific_tunnels_CL 🔶 📖Connector11NoNo
Corelight_v2_intel_CL 🔶 📖Connector11NoNo
Corelight_v2_ipsec_CL 🔶 📖Connector11NoNo
Corelight_v2_irc_CL 🔶 📖Connector11NoNo
Corelight_v2_iso_cotp_CL 🔶 📖Connector11NoNo
Corelight_v2_kerberos_CL 🔶 📖Connector11NoNo
Corelight_v2_known_certs_CL 🔶 📖Connector11NoNo
Corelight_v2_known_devices_CL 🔶 📖Connector11NoNo
Corelight_v2_known_domains_CL 🔶 📖Connector11NoNo
Corelight_v2_known_hosts_CL 🔶 📖Connector11NoNo
Corelight_v2_known_names_CL 🔶 📖Connector11NoNo
Corelight_v2_known_remotes_CL 🔶 📖Connector11NoNo
Corelight_v2_known_services_CL 🔶 📖Connector11NoNo
Corelight_v2_known_users_CL 🔶 📖Connector11NoNo
Corelight_v2_local_subnets_CL 🔶 📖Connector11NoNo
Corelight_v2_local_subnets_dj_CL 🔶 📖Connector11NoNo
Corelight_v2_local_subnets_graphs_CL 🔶 📖Connector11NoNo
Corelight_v2_log4shell_CL 🔶 📖Connector11NoNo
Corelight_v2_modbus_CL 🔶 📖Connector11NoNo
Corelight_v2_mqtt_connect_CL 🔶 📖Connector11NoNo
Corelight_v2_mqtt_publish_CL 🔶 📖Connector11NoNo
Corelight_v2_mqtt_subscribe_CL 🔶 📖Connector11NoNo
Corelight_v2_mysql_CL 🔶 📖Connector11NoNo
Corelight_v2_notice_CL 🔶 📖Connector11NoNo
Corelight_v2_ntlm_CL 🔶 📖Connector11NoNo
Corelight_v2_ntp_CL 🔶 📖Connector11NoNo
Corelight_v2_ocsp_CL 🔶 📖Connector11NoNo
Corelight_v2_openflow_CL 🔶 📖Connector11NoNo
Corelight_v2_packet_filter_CL 🔶 📖Connector11NoNo
Corelight_v2_pe_CL 🔶 📖Connector11NoNo
Corelight_v2_profinet_CL 🔶 📖Connector11NoNo
Corelight_v2_profinet_dce_rpc_CL 🔶 📖Connector11NoNo
Corelight_v2_profinet_debug_CL 🔶 📖Connector11NoNo
Corelight_v2_radius_CL 🔶 📖Connector11NoNo
Corelight_v2_rdp_CL 🔶 📖Connector11NoNo
Corelight_v2_reporter_CL 🔶 📖Connector11NoNo
Corelight_v2_rfb_CL 🔶 📖Connector11NoNo
Corelight_v2_s7comm_CL 🔶 📖Connector11NoNo
Corelight_v2_signatures_CL 🔶 📖Connector11NoNo
Corelight_v2_sip_CL 🔶 📖Connector11NoNo
Corelight_v2_smartpcap_CL 🔶 📖Connector11NoNo
Corelight_v2_smartpcap_stats_CL 🔶 📖Connector11NoNo
Corelight_v2_smb_files_CL 🔶 📖Connector11NoNo
Corelight_v2_smb_mapping_CL 🔶 📖Connector11NoNo
Corelight_v2_smtp_CL 🔶 📖Connector11NoNo
Corelight_v2_smtp_links_CL 🔶 📖Connector11NoNo
Corelight_v2_snmp_CL 🔶 📖Connector11NoNo
Corelight_v2_socks_CL 🔶 📖Connector11NoNo
Corelight_v2_software_CL 🔶 📖Connector11NoNo
Corelight_v2_specific_dns_tunnels_CL 🔶 📖Connector11NoNo
Corelight_v2_ssh_CL 🔶 📖Connector11NoNo
Corelight_v2_ssl_agg_CL 🔶 📖Content10NoNo
Corelight_v2_ssl_CL 🔶 📖Connector11NoNo
Corelight_v2_ssl_red_CL 🔶 📖Connector11NoNo
Corelight_v2_stats_CL 🔶 📖Connector11NoNo
Corelight_v2_stepping_CL 🔶 📖Connector11NoNo
Corelight_v2_stun_CL 🔶 📖Connector11NoNo
Corelight_v2_stun_nat_CL 🔶 📖Connector11NoNo
Corelight_v2_suricata_corelight_CL 🔶 📖Connector11NoNo
Corelight_v2_suricata_eve_CL 🔶 📖Connector11NoNo
Corelight_v2_suricata_stats_CL 🔶 📖Connector11NoNo
Corelight_v2_suricata_zeek_stats_CL 🔶 📖Connector11NoNo
Corelight_v2_syslog_CL 🔶 📖Connector11NoNo
Corelight_v2_tds_CL 🔶 📖Connector11NoNo
Corelight_v2_tds_rpc_CL 🔶 📖Connector11NoNo
Corelight_v2_tds_sql_batch_CL 🔶 📖Connector11NoNo
Corelight_v2_traceroute_CL 🔶 📖Connector11NoNo
Corelight_v2_tunnel_CL 🔶 📖Connector11NoNo
Corelight_v2_unknown_smartpcap_CL 🔶 📖Connector11NoNo
Corelight_v2_util_stats_CL 🔶 📖Connector11NoNo
Corelight_v2_vpn_CL 🔶 📖Connector11NoNo
Corelight_v2_weird_agg_CL 📖Schema00NoNo
Corelight_v2_weird_CL 🔶 📖Connector11NoNo
Corelight_v2_weird_red_CL 🔶 📖Connector11NoNo
Corelight_v2_weird_stats_CL 🔶 📖Connector11NoNo
Corelight_v2_wireguard_CL 🔶 📖Connector11NoNo
Corelight_v2_x509_CL 🔶 📖Connector11NoNo
Corelight_v2_x509_red_CL 🔶 📖Connector11NoNo
Corelight_v2_zeek_doctor_CL 🔶 📖Connector11NoNo
CortexXDR_Incidents_CL 📖Schema00NoNo
CortexXpanseAlerts_CL 📖Connector11NoNo
CosmosDBPostgresLogsDocs00NoNo
CriblAccess_CL 🔶 📖Connector11NoNo
CriblAudit_CL 🔶 📖Connector11NoNo
CriblInternal_CL 🔶 📖Connector11NoNo
CriblUIAccess_CL 🔶 📖Connector11NoNo
CrowdStrike_Additional_Events_CL 📖ConnectorCrowdstrike12NoNo
Crowdstrike_Alerts_CLContentCrowdstrike10NoNo
CrowdStrike_Audit_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrike_Auth_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrike_DNS_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrike_File_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrike_Network_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrike_Process_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrike_Registry_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrike_Secondary_Data_CL 📖ConnectorCrowdstrike12NoNo
CrowdStrike_User_Events_CL 📖ConnectorCrowdstrike11NoNo
CrowdStrikeAlerts 📖ConnectorCrowdstrike11YesNo
CrowdStrikeAPIActivityAuditDocsCrowdstrike00NoNo
CrowdStrikeAuthActivityAuditDocsCrowdstrike00NoNo
CrowdStrikeCases 📖ConnectorCrowdstrike11YesNo
CrowdStrikeCSPMIOAStreamingDocsCrowdstrike00NoNo
CrowdStrikeCSPMSearchStreamingDocsCrowdstrike00NoNo
CrowdStrikeCustomerIOCDocsCrowdstrike00NoNo
CrowdStrikeDetections 📖ConnectorCrowdstrike11YesNo
CrowdStrikeHosts 📖ConnectorCrowdstrike11YesNo
CrowdStrikeIncidents 📖DocsCrowdstrike00YesNo
CrowdStrikeReconNotificationSummaryDocsCrowdstrike00NoNo
CrowdStrikeRemoteResponseSessionEndDocsCrowdstrike00NoNo
CrowdStrikeRemoteResponseSessionStartDocsCrowdstrike00NoNo
CrowdstrikeReplicatorLogs_CL 📖Schema00NoNo
CrowdStrikeScheduledReportNotificationDocsCrowdstrike00NoNo
CrowdStrikeUserActivityAuditDocsCrowdstrike00NoNo
CrowdStrikeVulnerabilities 📖ConnectorCrowdstrike11YesNo
CSARequestResponseDocs00NoNo
CyberArk_AuditEvents_CL 📖Connector12NoNo
CyberArkEPM_CL 🔶 📖Connector11NoNo
CyberpionActionItems_CL 🔶 📖Connector12NoNo
CyberSixgill_Alerts_CL 📖Connector11NoNo
CybleVisionAlerts_CL 📖Connector11NoNo
CyeraAssets_CLConnector11NoNo
CyeraAssets_MS_CLConnector11NoNo
CyeraClassifications_CLConnector11NoNo
CyeraIdentities_CLConnector11NoNo
CyeraIssues_CLConnector11NoNo
CyfirmaASCertificatesAlerts_CL 📖Connector11NoNo
CyfirmaASCloudWeaknessAlerts_CL 📖Connector11NoNo
CyfirmaASConfigurationAlerts_CL 📖Connector11NoNo
CyfirmaASDomainIPReputationAlerts_CL 📖Connector11NoNo
CyfirmaASDomainIPVulnerabilityAlerts_CL 📖Connector11NoNo
CyfirmaASOpenPortsAlerts_CL 📖Connector11NoNo
CyfirmaBIDomainITAssetAlerts_CL 📖Connector11NoNo
CyfirmaBIExecutivePeopleAlerts_CL 📖Connector11NoNo
CyfirmaBIMaliciousMobileAppsAlerts_CL 📖Connector11NoNo
CyfirmaBIProductSolutionAlerts_CL 📖Connector11NoNo
CyfirmaBISocialHandlersAlerts_CL 📖Connector11NoNo
CyfirmaCampaigns_CL 📖Connector11NoNo
CyfirmaCompromisedAccounts_CL 📖Connector11NoNo
CyfirmaDBWMDarkWebAlerts_CL 📖Connector11NoNo
CyfirmaDBWMPhishingAlerts_CL 📖Connector11NoNo
CyfirmaDBWMRansomwareAlerts_CL 📖Connector11NoNo
CyfirmaIndicators_CL 📖Connector11NoNo
CyfirmaMalware_CL 📖Connector11NoNo
CyfirmaSPEConfidentialFilesAlerts_CL 📖Connector11NoNo
CyfirmaSPEPIIAndCIIAlerts_CL 📖Connector11NoNo
CyfirmaSPESocialThreatAlerts_CL 📖Connector11NoNo
CyfirmaSPESourceCodeAlerts_CL 📖Connector11NoNo
CyfirmaThreatActors_CL 📖Connector11NoNo
CyfirmaVulnerabilities_CL 📖Connector11NoNo
CyjaxAdHocEnrichment_CL 🔶 📖ContentInternal10NoNo
CyjaxDataBreaches_CL 🔶 📖ContentInternal10NoNo
CyjaxDomainMonitor_CL 🔶 📖ContentInternal10NoNo
Cymru_Scout_Account_Usage_Data_CL 📖Connector11NoNo
Cymru_Scout_Domain_Data_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Communications_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Details_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Fingerprints_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Foundation_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_OpenPorts_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_PDNS_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Summary_Certs_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Summary_Details_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Summary_Fingerprints_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Summary_OpenPorts_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_Summary_PDNS_CL 📖Connector11NoNo
Cymru_Scout_IP_Data_x509_CL 📖Connector11NoNo
CynerioEvent_CL 🔶 📖Connector11NoNo
Cyren_Indicators_CL 🔶 📖Connector11NoNo
D3SOARIncidents_CL 📖Connector11NoNo
darktrace_model_alerts_CL 🔶 📖Connector11NoNo
databahn_alerts_CL 📖Connector11NoNo
databahn_audit_logs_CL 📖Connector11NoNo
databahn_device_inventory_CL 📖Connector11NoNo
DatabricksAccounts 📖DocsAzure Resources00YesNo
DatabricksApps 📖DocsAudit, Azure Resources00YesNo
DatabricksBrickStoreHttpGateway 📖DocsAudit, Azure Resources00YesNo
DatabricksBudgetPolicyCentral 📖DocsAudit, Azure Resources00YesNo
DatabricksCapsule8Dataplane 📖DocsAzure Resources00YesNo
DatabricksClamAVScan 📖DocsAzure Resources00YesNo
DatabricksCloudStorageMetadata 📖DocsAudit, Azure Resources00YesNo
DatabricksClusterLibraries 📖DocsAzure Resources00YesNo
DatabricksClusterPolicies 📖DocsAudit, Azure Resources00YesNo
DatabricksClusters 📖DocsAzure Resources00YesNo
DatabricksDashboards 📖DocsAudit, Azure Resources00YesNo
DatabricksDatabricksSQL 📖DocsAzure Resources00YesNo
DatabricksDataMonitoring 📖DocsAudit, Azure Resources00YesNo
DatabricksDataRooms 📖DocsAudit, Azure Resources00YesNo
DatabricksDBFS 📖DocsAzure Resources00YesNo
DatabricksDeltaPipelines 📖DocsAzure Resources00YesNo
DatabricksFeatureStore 📖DocsAzure Resources00YesNo
DatabricksFiles 📖DocsAudit, Azure Resources00YesNo
DatabricksFilesystem 📖DocsAudit, Azure Resources00YesNo
DatabricksGenie 📖DocsAzure Resources00YesNo
DatabricksGitCredentials 📖DocsAzure Resources00YesNo
DatabricksGlobalInitScripts 📖DocsAzure Resources00YesNo
DatabricksGroups 📖DocsAudit, Azure Resources00YesNo
DatabricksIAMRole 📖DocsAzure Resources00YesNo
DatabricksIngestion 📖DocsAudit, Azure Resources00YesNo
DatabricksInstancePools 📖DocsAzure Resources00YesNo
DatabricksJobs 📖DocsAzure Resources00YesNo
DatabricksLakeviewConfig 📖DocsAudit, Azure Resources00YesNo
DatabricksLineageTracking 📖DocsAudit, Azure Resources00YesNo
DatabricksMarketplaceConsumer 📖DocsAudit, Azure Resources00YesNo
DatabricksMarketplaceProvider 📖DocsAudit, Azure Resources00YesNo
DatabricksMLflowAcledArtifact 📖DocsAzure Resources00YesNo
DatabricksMLflowExperiment 📖DocsAzure Resources00YesNo
DatabricksModelRegistry 📖DocsAzure Resources00YesNo
DatabricksNotebook 📖DocsAzure Resources00YesNo
DatabricksOnlineTables 📖DocsAudit, Azure Resources00YesNo
DatabricksPartnerHub 📖DocsAzure Resources00YesNo
DatabricksPredictiveOptimization 📖DocsAudit, Azure Resources00YesNo
DatabricksRBAC 📖DocsAudit, Azure Resources00YesNo
DatabricksRemoteHistoryService 📖DocsAzure Resources00YesNo
DatabricksRepos 📖DocsAzure Resources00YesNo
DatabricksRFA 📖DocsAudit, Azure Resources00YesNo
DatabricksSecrets 📖DocsAzure Resources00YesNo
DatabricksServerlessRealTimeInference 📖DocsAzure Resources00YesNo
DatabricksSQLPermissions 📖DocsAzure Resources00YesNo
DatabricksSSH 📖DocsAzure Resources00YesNo
DatabricksTables 📖DocsAzure Resources00YesNo
DatabricksUnityCatalog 📖DocsAzure Resources00YesNo
DatabricksVectorSearch 📖DocsAudit, Azure Resources00YesNo
DatabricksWebhookNotifications 📖DocsAudit, Azure Resources00YesNo
DatabricksWebTerminal 📖DocsAzure Resources00YesNo
DatabricksWorkspace 📖DocsAzure Resources00YesNo
DatabricksWorkspaceFiles 📖DocsAudit, Azure Resources00YesNo
Datadog_Events_CLContent10NoNo
DataminrPulse_Alerts_CL 📖Connector11NoNo
DataminrPulse_Alerts_vuln_prod_CL 📖Schema00NoNo
DataminrPulse_Alerts_vuln_prod_relAlert_CL 📖Schema00NoNo
DataminrPulse_relAlerts_CL 📖Schema00NoNo
DataSecurityBehaviors 📖DocsXDR00NoYes
DataSecurityEvents 📖DocsXDR00NoYes
DataSetOutput 📖DocsAzure Resources, Virtual Machines00YesNo
DataSetRuns 📖DocsAzure Resources, Virtual Machines00YesNo
DataTransferOperations 📖DocsAzure Resources00YesNo
DataverseActivity 📖ConnectorAudit, Security11YesNo
datawizaserveraccess_CL 🔶 📖Connector11NoNo
DCPlanBillingEventLogsDocs00NoNo
DCRLogErrors 📖DocsAzure Resources00YesNo
DefenderForSqlAlertsDocs00NoNo
DefenderForSqlTelemetryDocs00NoNo
Detections_Data_CL 📖Connector11NoNo
DevCenterAgentHealthLogs 📖DocsAzure Resources00YesNo
DevCenterBillingEventLogs 📖DocsAzure Resources00YesNo
DevCenterConnectionLogs 📖DocsAudit, Azure Resources00YesNo
DevCenterDiagnosticLogs 📖DocsAudit, Azure Resources00YesNo
DevCenterResourceOperationLogs 📖DocsAzure Resources00YesNo
DeviceAppCrash 📖DocsMDE00YesNo
DeviceAppLaunch 📖DocsMDE00YesNo
DeviceBaselineComplianceAssessment 📖ContentMDE10NoYes
DeviceBaselineComplianceAssessmentKB 📖DocsMDE00NoYes
DeviceBaselineComplianceProfiles 📖DocsMDE00NoYes
DeviceBehaviorEntities 📖DocsMDE00YesNo
DeviceBehaviorInfo 📖DocsMDE00YesNo
DeviceCalendar 📖DocsMDE00YesNo
DeviceCleanup 📖DocsMDE00YesNo
DeviceConnectSession 📖DocsMDE00YesNo
DeviceCustomFileEvents 📖DocsMDE00YesNo
DeviceCustomImageLoadEvents 📖DocsMDE00YesNo
DeviceCustomNetworkEvents 📖DocsMDE00YesNo
DeviceCustomProcessEvents 📖DocsMDE00YesNo
DeviceCustomScriptEvents 📖DocsMDE00YesNo
DeviceEtw 📖DocsMDE00YesNo
DeviceEvents 📖ConnectorMDE101YesYes
DeviceFileCertificateInfo 📖ConnectorMDE11YesYes
DeviceFileEvents 📖ConnectorMDE161YesYes
DeviceHardwareHealth 📖DocsMDE00YesNo
DeviceHealth 📖DocsMDE00YesNo
DeviceHeartbeat 📖DocsMDE00YesNo
DeviceImageLoadEvents 📖ConnectorMDE31YesYes
DeviceInfo 📖ConnectorMDE61YesYes
DeviceLogonEvents 📖ConnectorMDE51YesYes
DeviceNetworkEvents 📖ConnectorMDE131YesYes
DeviceNetworkInfo 📖ConnectorMDE31YesYes
DeviceProcessEvents 📖ConnectorMDE131YesYes
DeviceRegistryEvents 📖ConnectorMDE41YesYes
DeviceSkypeHeartbeat 📖DocsMDE00YesNo
DeviceSkypeSignIn 📖DocsMDE00YesNo
DeviceTvmBrowserExtensions 📖DocsMDE00NoYes
DeviceTvmBrowserExtensionsKB 📖DocsMDE00NoYes
DeviceTvmCertificateInfo 📖DocsMDE00NoYes
DeviceTvmHardwareFirmware 📖DocsMDE00NoYes
DeviceTvmInfoGathering 📖ContentMDE00NoYes
DeviceTvmInfoGatheringKB 📖DocsMDE00NoYes
DeviceTvmSecureConfigurationAssessment 📖ContentMDE10YesYes
DeviceTvmSecureConfigurationAssessmentKB 📖DocsMDE00YesYes
DeviceTvmSoftwareEvidenceBeta 📖DocsMDE00NoYes
DeviceTvmSoftwareInventory 📖ContentMDE10YesYes
DeviceTvmSoftwareVulnerabilities 📖ContentMDE10YesYes
DeviceTvmSoftwareVulnerabilitiesKB 📖ContentMDE10YesYes
DFPPurchaseLogsDocs00NoNo
DHAppReliability 📖DocsDesktop Analytics00YesNo
DHDriverReliability 📖DocsDesktop Analytics00YesNo
DHLogonFailures 📖DocsDesktop Analytics00YesNo
DHLogonMetrics 📖DocsDesktop Analytics00YesNo
DHOSCrashData 📖DocsDesktop Analytics00YesNo
DHOSReliability 📖DocsDesktop Analytics00YesNo
DHWipAppLearning 📖DocsDesktop Analytics00YesNo
DigitalShadows_CL 🔶 📖Connector11NoNo
DisruptionAndResponseEvents 📖DocsXDR00NoYes
DNS_Summarized_Logs_ip_CL 🔶 📖ContentInternal10NoNo
DNS_Summarized_Logs_sourceInfo_CL 🔶 📖ContentInternal10NoNo
DnsAuditEvents 📖DocsSecurity00YesNo
DnsEvents 📖ConnectorNetwork151YesNo
DnsInventory 📖ConnectorNetwork11YesNo
DNSQueryLogs 📖DocsAzure Resources00YesNo
Domain_Data_CL 🔶 📖Content10NoNo
DomainToolsDomainEnrichment_CL 📖Schema00NoNo
DoppelTable_CL 📖Connector11NoNo
dossier_atp_CL 🔶 📖Connector11NoNo
dossier_atp_threat_CL 🔶 📖Connector11NoNo
dossier_dns_CL 🔶 📖Connector11NoNo
dossier_geo_CL 🔶 📖Connector11NoNo
dossier_infoblox_web_cat_CL 🔶 📖Connector11NoNo
dossier_inforank_CL 🔶 📖Connector11NoNo
dossier_malware_analysis_v3_CL 🔶 📖Connector11NoNo
dossier_nameserver_CL 🔶 📖Connector11NoNo
dossier_nameserver_matches_CL 🔶 📖Connector11NoNo
dossier_ptr_CL 🔶 📖Connector11NoNo
dossier_rpz_feeds_CL 🔶 📖Connector11NoNo
dossier_rpz_feeds_records_CL 🔶 📖Connector11NoNo
dossier_threat_actor_CL 🔶 📖Connector11NoNo
dossier_tld_risk_CL 🔶 📖Connector11NoNo
dossier_whitelist_CL 🔶 📖Connector11NoNo
dossier_whois_CL 🔶 📖Connector11NoNo
DragosAlerts_CL 📖Connector11NoNo
DruvaInsyncEvents_CLConnector11NoNo
DruvaPlatformEvents_CLConnector11NoNo
DruvaSecurityEvents_CLConnector11NoNo
DSMDataClassificationLogs 📖ContentAzure Resources, Security00YesNo
DSMDataLabelingLogs 📖ContentAzure Resources, Security00YesNo
DummyHydrationFactDocs00NoNo
DuoSecurityAdministration_CL 📖Schema00NoNo
DuoSecurityAdministrator_CLContent00NoNo
DuoSecurityAuthentication_CL 🔶 📖Content10NoNo
DuoSecurityOfflineEnrollment_CL 📖Schema00NoNo
DuoSecurityTelephony_CL 🔶 📖Content00NoNo
DuoSecurityTrustMonitor_CL 🔶 📖Content10NoNo
DurableTaskSchedulerLogs 📖DocsAudit, Azure Resources00YesNo
DynamicEventCollection 📖DocsSecurity00YesNo
Dynamics365ActivityConnector51NoNo
DynatraceAttacks_CLConnector12NoNo
DynatraceAttacksV2_CL 📖Connector12NoNo
DynatraceAuditLogs_CLConnector12NoNo
DynatraceAuditLogsV2_CL 📖Connector12NoNo
DynatraceProblems_CLConnector12NoNo
DynatraceProblemsV2_CL 📖Connector12NoNo
DynatraceSecurityProblems_CLConnector12NoNo
DynatraceSecurityProblemsV2_CL 📖Connector12NoNo
EdgeActionConsoleLog 📖DocsAudit00YesNo
EdgeActionServiceLog 📖DocsAudit00YesNo
EGNFailedHttpDataPlaneOperations 📖DocsAzure Resources00YesNo
EGNFailedMqttConnections 📖DocsAzure Resources00YesNo
EGNFailedMqttPublishedMessages 📖DocsAzure Resources00YesNo
EGNFailedMqttSubscriptions 📖DocsAzure Resources00YesNo
EGNMqttDisconnections 📖DocsAzure Resources00YesNo
EGNSuccessfulHttpDataPlaneOperations 📖DocsAzure Resources00YesNo
EGNSuccessfulMqttConnections 📖DocsAudit, Azure Resources00YesNo
EgressDefend_CL 🔶 📖Connector33NoNo
EgressEvents_CLConnector11NoNo
ElasticAgentLogs_CLConnector11NoNo
EmailAttachmentInfo 📖ConnectorDefender41YesYes
EmailEvents 📖ConnectorDefender111YesYes
EmailPostDeliveryEvents 📖ConnectorDefender11YesYes
EmailUrlInfo 📖ConnectorDefender81YesYes
EnrichedMicrosoft365AuditLogs 📖ContentIT & Management Tools, Network, Security10YesNo
Entities_Data_CL 📖Connector11NoNo
Entity_Scoring_Data_CL 📖Connector11NoNo
EntraIdSignInEvents 📖DocsXDR00NoYes
EntraIdSpnSignInEvents 📖DocsXDR00NoYes
ErmesBrowserSecurityEvents_CLConnector11NoNo
eset_CL 🔶 📖Connector11NoNo
ESETInspect_CL 🔶 📖Connector11NoNo
ESIExchangeConfig_CL 🔶 📖Connector11NoNo
ESIExchangeOnlineConfig_CL 🔶 📖Connector11NoNo
ETWEvent 📖DocsVirtual Machines00YesNo
Event 📖ConnectorWindows174YesNo
eventsapplicationdata_CL 🔶 📖Connector11NoNo
eventsauditdata_CL 🔶 📖Connector11NoNo
eventsconnectiondata_CL 🔶 📖Connector11NoNo
eventsincidentdata_CL 🔶 📖Connector11NoNo
eventsnetworkdata_CL 🔶 📖Connector11NoNo
eventspagedata_CL 🔶 📖Connector11NoNo
ExchangeAssessmentRecommendation 📖DocsWorkloads00YesNo
ExchangeHttpProxy_CL 🔶 📖Connector12NoNo
ExchangeOnlineAssessmentRecommendation 📖DocsWorkloads00YesNo
ExposureGraphEdges 📖DocsXDR00NoYes
ExposureGraphNodes 📖DocsXDR00NoYes
ExtraHop_Detections_CL 📖Connector11NoNo
F5Telemetry_ASM_CL 🔶 📖Connector11NoNo
F5Telemetry_AVR_CLContent10NoNo
F5Telemetry_LTM_CL 🔶 📖Connector11NoNo
F5Telemetry_system_CL 🔶 📖Connector11NoNo
Failed_Indicators_CL 📖Schema00NoNo
Failed_Range_To_Ingest_CL 🔶 📖Connector11NoNo
FailedIngestion 📖DocsAzure Resources00YesNo
feedly_indicators_CL 🔶 📖Connector11NoNo
FileMaliciousContentInfo 📖DocsSecurity, XDR00YesYes
FinanceOperationsActivity_CL 📖Connector11NoNo
Fingerprints_Data_CL 🔶 📖Content10NoNo
Firework_CL 📖Schema00NoNo
FireworkV2_CL 📖Connector11NoNo
fluentbit_CL 🔶 📖Connector11NoNo
FncEventsDetections_CL 🔶 📖Connector11NoNo
FncEventsObservation_CL 🔶 📖Connector11NoNo
FncEventsSuricata_CL 🔶 📖Connector11NoNo
ForcepointDLPEvents_CL 🔶 📖Connector11NoNo
ForescoutComplianceStatus_CL 📖Connector11NoNo
ForescoutHostProperties_CL 🔶 📖Connector11NoNo
ForescoutOtAlert_CL 📖Connector11NoNo
ForescoutOtAsset_CL 📖Connector11NoNo
ForescoutPolicyStatus_CL 📖Connector11NoNo
FSPGPGBouncerDocs00NoNo
FunctionAppLogs 📖DocsLow value00YesNo
Garrison_ULTRARemoteLogs_CL 📖Connector11NoNo
GCAssets_CLContent10NoNo
GCIncidents_CLContent10NoNo
GCP_CDNV2_CL 📖Schema00NoNo
GCP_CLOUDIDSV2_CL 📖Schema00NoNo
GCP_DNS_CL 🔶 📖ConnectorGCP11NoNo
GCP_IAM_CL 🔶 📖ConnectorGCP51NoNo
GCP_MONITORING_CL 🔶 📖ConnectorGCP11NoNo
GCP_MONITORINGV2_CL 📖Schema00NoNo
GCPApigee 📖ConnectorGCP11YesNo
GCPAuditLogs 📖ConnectorGCP22YesNo
GCPCDN 📖ConnectorGCP11YesNo
GCPCloudRun 📖ConnectorGCP11YesNo
GCPCloudSQL 📖ConnectorGCP11YesNo
GCPComputeEngine 📖ConnectorGCP11YesNo
GCPDNS 📖ConnectorGCP11YesNo
GCPFirewallLogs 📖ConnectorGCP11YesNo
GCPIAM 📖ConnectorGCP11YesNo
GCPIDS 📖ConnectorGCP11YesNo
GCPLoadBalancer 📖DocsGCP00YesNo
GCPLoadBalancerLogs_CLConnectorGCP11NoNo
GCPMonitoring 📖ConnectorGCP11YesNo
GCPNAT 📖ConnectorGCP11YesNo
GCPNATAudit 📖ConnectorGCP11YesNo
GCPResourceManager 📖ConnectorGCP11YesNo
GCPVPCFlow 📖ConnectorGCP11YesNo
GIBTechTable_CLContent10NoNo
GIBTIAAPTThreatActor_CLContent10NoNo
GIBTIAAPTThreatReports_CLContent10NoNo
GIBTIAAttacksDDoS_CLContent10NoNo
GIBTIAAttacksDeface_CLContent10NoNo
GIBTIAAttacksPhishingKit_CLContent10NoNo
GIBTIABPPhishing_CLContent10NoNo
GIBTIABPPhishingKit_CLContent10NoNo
GIBTIACompromisedCard_CLContent10NoNo
GIBTIACompromisedIMEI_CLContent10NoNo
GIBTIACompromisedMule_CLContent10NoNo
GIBTIAHIThreatActor_CLContent10NoNo
GIBTIAHIThreatReports_CLContent10NoNo
GIBTIAMalwareCNC_CLContent10NoNo
GIBTIAOSIGitLeak_CLContent10NoNo
GIBTIAOSIPublicLeak_CLContent10NoNo
GIBTIAOSIVulnerability_CLContent10NoNo
GIBTIASuspiciousIPOpenProxy_CLContent10NoNo
GIBTIASuspiciousIPSocksProxy_CLContent10NoNo
GIBTIASuspiciousIPTorNode_CLContent10NoNo
GIBTIATargetedMalware_CLContent10NoNo
Gigamon_CL 📖Schema00NoNo
GigamonV2_CL 📖Connector11NoNo
GitHub_CLContent20NoNo
GitHubAdvancedSecurityAlerts_CL 🔶 📖Connector11NoNo
GitHubAuditLogPolling_CLConnector31NoNo
GitHubAuditLogsV2_CL 📖Connector12NoNo
GitHubRepoLogs_CLContent20NoNo
githubscanaudit_CL 📖Connector12NoNo
GKEAPIServer 📖ConnectorSecurity11YesNo
GKEApplication 📖ConnectorSecurity11YesNo
GKEAudit 📖ConnectorSecurity11YesNo
GKEControllerManager 📖ConnectorSecurity11YesNo
GKEHPADecision 📖ConnectorSecurity11YesNo
GKEScheduler 📖ConnectorSecurity11YesNo
GoogleCloudSCC 📖ConnectorGCP11YesNo
GoogleWorkspaceReports 📖ConnectorGCP11YesNo
GoogleWorkspaceReports_CL 🔶ConnectorGCP11NoNo
GraphApiAuditEvents 📖DocsXDR00NoYes
GreyNoiseIPCommunity_CLContent10NoNo
GreyNoiseIPContext_CLContent10NoNo
GreyNoiseIPRIOT_CLContent10NoNo
Guardian_CL 🔶 📖Content10NoNo
GWorkspace_ReportsAPI_access_transparency_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_admin_CL 🔶 📖Connector11NoNo
GWorkspace_ReportsAPI_calendar_CL 🔶 📖Connector11NoNo
GWorkspace_ReportsAPI_chat_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_chrome_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_context_aware_access_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_data_studio_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_drive_CL 🔶 📖Connector11NoNo
GWorkspace_ReportsAPI_gcp_CL 🔶ConnectorGCP11NoNo
GWorkspace_ReportsAPI_gplus_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_groups_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_groups_enterprise_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_jamboard_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_keep_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_login_CL 🔶 📖Connector11NoNo
GWorkspace_ReportsAPI_meet_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_mobile_CL 🔶 📖Connector11NoNo
GWorkspace_ReportsAPI_rules_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_saml_CL 🔶Connector11NoNo
GWorkspace_ReportsAPI_token_CL 🔶 📖Connector11NoNo
GWorkspace_ReportsAPI_user_accounts_CL 🔶 📖Connector11NoNo
GzSecurityEvents_CL 📖Connector11NoNo
HackerViewLog_Azure_1_CL 🔶 📖Connector11NoNo
HackerViewLog_AzureV2_CL 📖Connector11NoNo
HalcyonEvents_CL 📖Connector11NoNo
HDInsightAmbariClusterAlerts 📖DocsAzure Resources00YesNo
HDInsightAmbariSystemMetrics 📖DocsAzure Resources00YesNo
HDInsightGatewayAuditLogs 📖DocsAudit, Azure Resources00YesNo
HDInsightHadoopAndYarnLogs 📖DocsAzure Resources00YesNo
HDInsightHadoopAndYarnMetrics 📖DocsAzure Resources00YesNo
HDInsightHBaseLogs 📖DocsAzure Resources00YesNo
HDInsightHBaseMetrics 📖DocsAzure Resources00YesNo
HDInsightHiveAndLLAPLogs 📖DocsAzure Resources00YesNo
HDInsightHiveAndLLAPMetrics 📖DocsAzure Resources00YesNo
HDInsightHiveQueryAppStats 📖DocsAzure Resources00YesNo
HDInsightHiveTezAppStats 📖DocsAzure Resources00YesNo
HDInsightJupyterNotebookEvents 📖DocsAzure Resources00YesNo
HDInsightKafkaLogs 📖DocsAzure Resources00YesNo
HDInsightKafkaMetrics 📖DocsAzure Resources00YesNo
HDInsightOozieLogs 📖DocsAzure Resources00YesNo
HDInsightRangerAuditLogs 📖DocsAudit, Azure Resources00YesNo
HDInsightSecurityLogs 📖DocsAzure Resources, Security00YesNo
HDInsightSparkApplicationEvents 📖DocsAzure Resources00YesNo
HDInsightSparkBlockManagerEvents 📖DocsAzure Resources00YesNo
HDInsightSparkEnvironmentEvents 📖DocsAzure Resources00YesNo
HDInsightSparkExecutorEvents 📖DocsAzure Resources00YesNo
HDInsightSparkExtraEvents 📖DocsAzure Resources00YesNo
HDInsightSparkJobEvents 📖DocsAzure Resources00YesNo
HDInsightSparkLogs 📖DocsAzure Resources00YesNo
HDInsightSparkSQLExecutionEvents 📖DocsAzure Resources00YesNo
HDInsightSparkStageEvents 📖DocsAzure Resources00YesNo
HDInsightSparkStageTaskAccumulables 📖DocsAzure Resources00YesNo
HDInsightSparkTaskEvents 📖DocsAzure Resources00YesNo
HDInsightStormLogs 📖DocsAzure Resources00YesNo
HDInsightStormMetrics 📖DocsAzure Resources00YesNo
HDInsightStormTopologyMetrics 📖DocsAzure Resources00YesNo
Health_Data_CL 📖Connector11NoNo
HealthStateChangeEventDocs00NoNo
Heartbeat 📖ConnectorEndpoint111YesNo
Host_Name_Info_CL 🔶 📖Content10NoNo
http_proxy_oab_CL 🔶 📖Content10NoNo
HuntingBookmark 📖ContentSecurity10YesNo
HYASProtectDnsSecurityLogs_CL 🔶 📖Connector11NoNo
Identity_Data_CL 🔶 📖Content10NoNo
IdentityAccountInfo 📖DocsXDR00NoYes
IdentityDirectoryEvents 📖ConnectorSecurity, XDR31YesYes
IdentityEvents 📖DocsXDR00NoYes
IdentityInfo 📖ContentInternal180NoYes
IdentityLogonEvents 📖ConnectorSecurity, XDR21YesYes
IdentityQueryEvents 📖ConnectorSecurity, XDR11YesYes
Illumio_Auditable_Events_CL 📖Connector11NoNo
Illumio_Flow_Events_CL 📖Connector11NoNo
Illumio_Workloads_Summarized_API_CL 📖Content10NoNo
IllumioFlowEventsV2_CL 📖Connector11NoNo
IllumioInsights_CLConnector11NoNo
IllumioInsightsSummary_CL 📖Connector11NoNo
IlumioInsights 📖DocsSecurity00YesNo
ImpervaWAFCloud_CL 🔶 📖Connector12NoNo
ImpervaWAFCloudV2_CL 📖Connector12NoNo
Incident_Enrich_Data_CL 🔶 📖Content10NoNo
IncidentFileActions_CLContent00NoNo
IncidentProcessActions_CLContent00NoNo
Infoblox_Config_Insight_Details_CL 📖Schema00NoNo
Infoblox_Config_Insights_CL 📖Schema00NoNo
Infoblox_Failed_Indicators_CL 🔶 📖Connector11NoNo
InfobloxInsight_CL 🔶 📖ConnectorInternal21NoNo
InfobloxInsightAssets_CL 🔶 📖ContentInternal20NoNo
InfobloxInsightComments_CL 🔶 📖ContentInternal20NoNo
InfobloxInsightEvents_CL 🔶 📖ContentInternal20NoNo
InfobloxInsightIndicators_CL 🔶 📖ContentInternal20NoNo
InformationProtectionLogs_CL 🔶 📖Content60NoNo
InfoSecAnalytics_CL 🔶 📖Connector11NoNo
InsightsMetrics 📖ContentLow value10YesNo
IntegrationTable_CL 📖Connector11NoNo
IntegrationTableIncidents_CL 📖Connector11NoNo
IntuneAuditLogs 📖ContentIntune10YesNo
IntuneDeviceComplianceOrg 📖ContentIntune00YesNo
IntuneDevices 📖ContentIntune10YesNo
IntuneOperationalLogs 📖ContentIntune10YesNo
iocsent_CLConnector11NoNo
IP_Space_Info_CL 🔶 📖Content10NoNo
Ipinfo_Abuse_CL 📖Connector11NoNo
Ipinfo_ASN_CL 📖Connector11NoNo
Ipinfo_Carrier_CL 📖Connector11NoNo
Ipinfo_Company_CL 📖Connector11NoNo
Ipinfo_CORE_CL 📖Connector11NoNo
Ipinfo_Country_CL 📖Connector11NoNo
Ipinfo_Domain_CL 📖Connector11NoNo
Ipinfo_Location_CL 📖Connector11NoNo
Ipinfo_Location_extended_CL 📖Connector11NoNo
Ipinfo_PLUS_CL 📖Connector11NoNo
Ipinfo_Privacy_CL 📖Connector11NoNo
Ipinfo_Privacy_extended_CL 📖Connector11NoNo
Ipinfo_RESIDENTIAL_PROXY_CL 📖Connector11NoNo
Ipinfo_RIRWHOIS_CL 📖Connector11NoNo
Ipinfo_RWHOIS_CL 📖Connector11NoNo
Ipinfo_WHOIS_ASN_CL 📖Connector11NoNo
Ipinfo_WHOIS_MNT_CL 📖Connector11NoNo
Ipinfo_WHOIS_NET_CL 📖Connector11NoNo
Ipinfo_WHOIS_ORG_CL 📖Connector11NoNo
Ipinfo_WHOIS_POC_CL 📖Connector11NoNo
Island_Admin_CLConnector11NoNo
Island_AdminEvents_V2_CLConnector11NoNo
Island_SystemEvents_V2_CLConnector11NoNo
Island_User_CLConnector11NoNo
Island_UserEvents_V2_CLConnector11NoNo
jamfprotect_CL 🔶 📖Content10NoNo
jamfprotectalerts_CL 📖Connector11NoNo
jamfprotecttelemetryv1_CL 📖Schema00NoNo
jamfprotecttelemetryv2_CL 📖Connector11NoNo
jamfprotectunifiedlogs_CL 📖Connector11NoNo
JBossEvent_CLConnector11NoNo
JBossLogs_CLConnector11NoNo
Jira_Audit_CL 🔶 📖Connector11NoNo
Jira_Audit_v2_CL 📖Connector12NoNo
JuniperIDP_CLConnector22NoNo
KeeperSecurityEventNewLogs_CL 📖Connector11NoNo
KnowBe4Defend_CL 🔶 📖Connector33NoNo
KubeEvents 📖ConnectorContainers11YesNo
KubeEvents_CLContent10NoNo
KubeHealthDocs00NoNo
KubeMonAgentEvents 📖DocsContainers00YesNo
KubeNodeInventory 📖DocsContainers00YesNo
KubePodInventory 📖DocsContainers00YesNo
KubePVInventory 📖DocsContainers00YesNo
KubeServices 📖DocsContainers00YesNo
LAJobLogs 📖DocsAzure Resources00YesNo
LAQueryLogs 📖ContentAudit40YesNo
LastPassNativePoller_CL 🔶 📖Connector11NoNo
LASummaryLogs 📖ContentAzure Resources00YesNo
LIATrackingEvents 📖DocsAzure Resources00YesNo
LightningAttackPathLinks_CL 📖Connector11NoNo
LightningAttackPaths_CL 📖Connector11NoNo
LightningIndicatorExecutions_CL 📖Connector11NoNo
LightningIOEResults_CL 📖Connector11NoNo
LightningIOEsMetadata_CL 📖Connector11NoNo
LightningTier0Attackers_CL 📖Connector11NoNo
LightningTier0Nodes_CL 📖Connector11NoNo
LinuxAudit_CL 🔶 📖Connector11NoNo
LinuxAuditLog 📖DocsSecurity00YesNo
Lockdown_Data_CL 📖Connector11NoNo
LogicAppWorkflowRuntime 📖DocsAzure Resources00YesNo
Lookout_CL 🔶 📖Connector11NoNo
LookoutCloudSecurity_CL 🔶 📖Connector11NoNo
LookoutMtdV2_CL 📖Connector11NoNo
M365SecureScore_CLContent00NoNo
M365SecureScoreControls_CLContent10NoNo
MAApplication 📖DocsDesktop Analytics00YesNo
MAApplicationHealth 📖DocsDesktop Analytics00YesNo
MAApplicationHealthAlternativeVersions 📖DocsDesktop Analytics00YesNo
MAApplicationHealthIssues 📖DocsDesktop Analytics00YesNo
MAApplicationInstance 📖DocsDesktop Analytics00YesNo
MAApplicationInstanceReadiness 📖DocsDesktop Analytics00YesNo
MAApplicationReadiness 📖DocsDesktop Analytics00YesNo
MADeploymentPlan 📖DocsDesktop Analytics00YesNo
MADevice 📖DocsDesktop Analytics00YesNo
MADeviceNotEnrolled 📖DocsDesktop Analytics00YesNo
MADeviceNRT 📖DocsDesktop Analytics00YesNo
MADeviceReadiness 📖DocsDesktop Analytics00YesNo
MADriverInstanceReadiness 📖DocsDesktop Analytics00YesNo
MADriverReadiness 📖DocsDesktop Analytics00YesNo
MailGuard365_Threats_CL 🔶 📖Connector11NoNo
maillog_CL 🔶Connector11NoNo
MailRiskEmails_CL 📖Schema00NoNo
MailRiskEventEmails_CL 📖Connector11NoNo
Malware_Data_CL 🔶 📖Connector11NoNo
Malware_data_CL 📖Schema00NoNo
MAOfficeAddin 📖DocsDesktop Analytics00YesNo
MAOfficeAddinHealthEventNRT 📖DocsDesktop Analytics00YesNo
MAOfficeAddinInstance 📖DocsDesktop Analytics00YesNo
MAOfficeAddinReadiness 📖DocsDesktop Analytics00YesNo
MAOfficeAppInstance 📖DocsDesktop Analytics00YesNo
MAOfficeAppReadiness 📖DocsDesktop Analytics00YesNo
MAOfficeBuildInfo 📖DocsDesktop Analytics00YesNo
MAOfficeCurrencyAssessment 📖DocsDesktop Analytics00YesNo
MAOfficeSuiteInstance 📖DocsDesktop Analytics00YesNo
MAProposedPilotDevices 📖DocsDesktop Analytics00YesNo
MarkLogicAudit_CL 📖Connector22NoNo
MAWindowsBuildInfo 📖DocsDesktop Analytics00YesNo
MAWindowsCurrencyAssessment 📖DocsDesktop Analytics00YesNo
MAWindowsCurrencyAssessmentDailyCounts 📖DocsDesktop Analytics00YesNo
MAWindowsDeploymentStatus 📖DocsDesktop Analytics00YesNo
McasShadowItReporting 📖ConnectorSecurity11YesNo
MCCEventLogs 📖DocsAzure Resources00YesNo
MCVPAuditLogs 📖DocsAzure Resources00YesNo
MCVPOperationLogs 📖DocsAzure Resources00YesNo
MDBALogTable_CL 📖Connector11NoNo
MDCDetectionDNSEvents 📖DocsSecurity00YesNo
MDCDetectionFimEvents 📖DocsSecurity00YesNo
MDCDetectionGatingValidationEvents 📖DocsSecurity00YesNo
MDCDetectionK8SApiEvents 📖DocsSecurity00YesNo
MDCDetectionProcessV2Events 📖DocsSecurity00YesNo
MDCFileIntegrityMonitoringEvents 📖DocsSecurity00YesNo
MDECustomCollectionDeviceFileEventsDocs00NoNo
MDfEExposureScore_CLContent10NoNo
MDfERecommendations_CLContent10NoNo
MDfESecureScore_CLContent00NoNo
MDfEVulnerabilitiesList_CLContent10NoNo
MDPResourceLog 📖DocsAzure Resources00YesNo
meraki_CL 📖Connector24NoNo
MerakiConfigurationChanges_CLContent10NoNo
MerakiSecurityEvents_CLContent10NoNo
MeshControlPlane 📖DocsAzure Resources, Containers00YesNo
meshStackEventLogs_CLConnector11NoNo
message_CL 🔶Connector11NoNo
MessageEvents 📖ContentXDR10NoYes
MessagePostDeliveryEvents 📖ContentXDR10NoYes
MessageTrackingLog_CL 🔶 📖Connector12NoNo
MessageUrlInfo 📖ContentXDR10NoYes
MicrosoftAzureBastionAuditLogs 📖ContentAzure Resources00YesNo
MicrosoftDataShareReceivedSnapshotLog 📖DocsAzure Resources00YesNo
MicrosoftDataShareSentSnapshotLog 📖DocsAzure Resources00YesNo
MicrosoftGraphActivityLogs 📖ContentMicrosoft Graph00YesNo
MicrosoftHealthcareApisAuditLogs 📖DocsAudit, Azure Resources00YesNo
MicrosoftPurviewInformationProtection 📖ConnectorAudit, Security41YesNo
MicrosoftServicePrincipalSignInLogs 📖DocsAudit, Security00YesNo
MimecastAudit_CL 🔶 📖Connector11NoNo
MimecastDLP_CL 🔶 📖Connector11NoNo
MimecastSIEM_CL 🔶 📖Connector11NoNo
MimecastTTPAttachment_CL 🔶 📖Connector11NoNo
MimecastTTPImpersonation_CL 🔶 📖Connector11NoNo
MimecastTTPUrl_CL 🔶 📖Connector11NoNo
MiroAuditLogs_CL 📖Connector11NoNo
MiroContentLogs_CL 📖Connector11NoNo
MNFDeviceUpdates 📖DocsNetwork00YesNo
MNFSystemSessionHistoryUpdates 📖DocsNetwork00YesNo
MNFSystemStateMessageUpdates 📖DocsNetwork00YesNo
MongoDBAudit_CL 📖Connector22NoNo
MorphisecAlerts_CL 📖Connector11NoNo
MPCIngestionLogs 📖DocsAudit00YesNo
MPTOperationDocs00NoNo
MuleSoft_Cloudhub_CL 🔶 📖Connector11NoNo
MuleSoftAuditLogs_CLContent10NoNo
MySqlAuditLogs 📖DocsAudit, Azure Resources00YesNo
MySqlErrorLogsDocs00NoNo
MySqlSlowLogs 📖DocsAudit, Azure Resources00YesNo
NatGatewayFlowlogsV1Docs00NoNo
NCBMBreakGlassAuditLogs 📖DocsAzure Resources, Security00YesNo
NCBMSecurityDefenderLogs 📖DocsAzure Resources, Security00YesNo
NCBMSecurityLogs 📖DocsAzure Resources, Security00YesNo
NCBMSystemLogs 📖DocsAzure Resources00YesNo
NCCIDRACLogs 📖DocsAzure Resources00YesNo
NCCKubernetesAPIAuditLogs 📖DocsAzure Resources00YesNo
NCCKubernetesLogs 📖DocsAzure Resources00YesNo
NCCPlatformOperationsLogs 📖DocsAzure Resources00YesNo
NCCVMOrchestrationLogs 📖DocsAzure Resources00YesNo
NCMClusterOperationsLogs 📖DocsAzure Resources00YesNo
NCProtectUAL_CL 🔶 📖Connector11NoNo
NCSStorageAlerts 📖DocsAzure Resources00YesNo
NCSStorageAudits 📖DocsAzure Resources00YesNo
NCSStorageLogs 📖DocsAzure Resources00YesNo
net_assets_CL 🔶 📖Connector11NoNo
NetBackupAlerts_CL 🔶 📖Content10NoNo
Netclean_Incidents_CL 🔶 📖Connector11NoNo
netflow_CLContent00NoNo
Netskope_Alerts_CL 🔶 📖Content20NoNo
Netskope_CL 🔶 📖Connector11NoNo
Netskope_Events_CL 🔶 📖Content20NoNo
Netskope_WebTX_CL 🔶 📖Content20NoNo
Netskope_WebTx_metrics_CL 🔶 📖Connector11NoNo
NetskopeAlerts_CL 📖Connector11NoNo
NetskopeEventsApplication_CL 📖Connector11NoNo
NetskopeEventsAudit_CL 📖Connector11NoNo
NetskopeEventsConnection_CL 📖Connector11NoNo
NetskopeEventsDLP_CL 📖Connector11NoNo
NetskopeEventsEndpoint_CL 📖Connector11NoNo
NetskopeEventsInfrastructure_CL 📖Connector11NoNo
NetskopeEventsNetwork_CL 📖Connector11NoNo
NetskopeEventsPage_CL 📖Connector11NoNo
NetskopeWebTransactions_CL 📖Connector21NoNo
NetskopeWebtxData_CL 🔶 📖Connector11NoNo
NetskopeWebtxErrors_CL 🔶 📖Connector11NoNo
NetworkAccessAlerts 📖DocsIT & Management Tools, Network, Security00YesNo
NetworkAccessConnectionEvents 📖DocsIT & Management Tools, Network, Security00YesNo
NetworkAccessGenerativeAIInsights 📖ContentIT & Management Tools, Network, Security10YesNo
NetworkAccessTraffic 📖ConnectorIT & Management Tools, Network, Security21YesNo
NetworkCustomAnalytics_CLContentInternal10NoNo
NetworkCustomAnalytics_country_CLContentInternal10NoNo
NetworkCustomAnalytics_ip_CLContentInternal10NoNo
NetworkCustomAnalytics_protocol_CL 🔶 📖ContentInternal10NoNo
NetworkCustomAnalytics_rule_CLContentInternal10NoNo
NetworkCustomAnalytics_source_port_CLContentInternal10NoNo
NetworkCustomAnalytics_sourceInfo_CLContentInternal10NoNo
NetworkCustomAnalytics_threat_CLContentInternal10NoNo
NetworkCustomAnalytics_threat_ioc_CLContentInternal10NoNo
NetworkMonitoring 📖DocsNetwork00YesNo
NetworkSessions 📖DocsSecurity00YesNo
NetworkSummary_Country_CLContent10NoNo
NetworkSummary_IP_CLContent10NoNo
NetworkSummary_Protocol_CL 📖Content10NoNo
NetworkSummary_Result_CLContent10NoNo
NetworkSummary_Rule_CLContent10NoNo
NetworkSummary_Source_Port_CLContent10NoNo
NetworkSummary_SourceInfo_CLContent10NoNo
NetworkSummary_Threat_CLContent10NoNo
NetworkSummary_Threat_IOC_CLContent10NoNo
NexposeInsightVMCloud_assets_CL 🔶 📖Connector11NoNo
NexposeInsightVMCloud_vulnerabilities_CL 🔶 📖Connector11NoNo
NGINX_CL 📖Connector22NoNo
NginxUpstreamUpdateLogs 📖DocsAzure Resources00YesNo
NGXOperationLogs 📖DocsAzure Resources00YesNo
NGXSecurityLogs 📖DocsAzure Resources00YesNo
NonameAPISecurityAlert_CL 🔶 📖Connector11NoNo
NordPassEventLogs_CL 📖Connector11NoNo
NSPAccessLogs 📖DocsAudit, Azure Resources, Network, Security00YesNo
NTAInsights 📖DocsNetwork00YesNo
NTAIpDetails 📖DocsNetwork00YesNo
NTANetAnalytics 📖DocsNetwork00YesNo
NTARuleRecommendation 📖DocsNetwork00YesNo
NTATopologyDetails 📖DocsNetwork00YesNo
NWConnectionMonitorDNSResult 📖DocsNetwork00YesNo
NWConnectionMonitorPathResult 📖DocsNetwork00YesNo
NWConnectionMonitorTestResult 📖DocsNetwork00YesNo
NXLog_DNS_Server_CL 🔶 📖Connector11NoNo
NXLogFIM_CL 🔶 📖Connector11NoNo
O365API_CLContent10NoNo
OAuthAppInfo 📖DocsXDR00NoYes
ObsidianActivity_CL 📖Connector11NoNo
ObsidianThreat_CL 📖Connector11NoNo
OCI_Logs_CL 🔶 📖Connector11NoNo
OCI_LogsV2_CL 🔶 📖Connector12NoNo
OEPAirFlowTask 📖DocsAzure Resources00YesNo
OEPAuditLogs 📖DocsAudit, Azure Resources00YesNo
OEPDataplaneLogs 📖DocsAzure Resources00YesNo
OEPElasticOperator 📖DocsAzure Resources00YesNo
OEPElasticsearch 📖DocsAzure Resources00YesNo
OEWAuditLogs 📖DocsAudit, Azure Resources00YesNo
OEWExperimentAssignmentSummary 📖DocsApplications00YesNo
OEWExperimentScorecardMetricPairs 📖DocsApplications00YesNo
OEWExperimentScorecards 📖DocsApplications00YesNo
OfficeActivity 📖ConnectorOffice 365261YesNo
OGOAuditLogs 📖DocsAudit00YesNo
Okta_CL 🔶 📖Connector13NoNo
Okta_Events_CLContent10NoNo
OktaNativePoller_CLConnector11NoNo
OktaSystemLogs 📖DocsSecurity00YesNo
OktaV2_CL 📖Connector12NoNo
OLPSupplyChainEntityOperations 📖DocsAzure Resources00YesNo
OLPSupplyChainEvents 📖DocsAzure Resources00YesNo
Onapsis_Defend_CL 📖Connector11NoNo
OneLogin_CL 🔶 📖Connector11NoNo
OneLoginEventsV2_CL 📖Connector12NoNo
OneLoginUsersV2_CL 📖Connector12NoNo
OnePasswordEventLogs_CL 📖Connector13NoNo
OneTrustMetadataV3_CL 📖Connector11NoNo
Open_Ports_Data_CL 🔶 📖Content10NoNo
OpenAIAuditLogs_CL 📖Connector11NoNo
OpenAIChatCompletions_CL 📖Connector11NoNo
OpenSystemsAuthenticationLogs_CL 🔶Connector11NoNo
OpenSystemsFirewallLogs_CL 🔶Connector11NoNo
OpenSystemsProxyLogs_CL 🔶Connector11NoNo
OpenSystemsZtnaLogs_CL 🔶Connector11NoNo
Operation 📖ContentAzure Monitor120YesNo
OracleCloudDatabase 📖DocsAudit00YesNo
OracleWebLogicServer_CL 📖Connector22NoNo
OrcaAlerts_CL 🔶 📖Connector11NoNo
OTelEvents 📖DocsApplications00YesNo
OTelLogs 📖DocsApplications00YesNo
OTelResources 📖DocsApplications00YesNo
OTelSpans 📖DocsApplications00YesNo
OTelTraces 📖DocsApplications00YesNo
OTelTracesAgent 📖DocsApplications00YesNo
PaloAltoCortexXDR_Alerts_CL 📖Connector21NoNo
PaloAltoCortexXDR_Audit_Agent_CL 📖Connector21NoNo
PaloAltoCortexXDR_Audit_Management_CL 📖Connector21NoNo
PaloAltoCortexXDR_Endpoints_CL 📖Connector21NoNo
PaloAltoCortexXDR_Incidents_CL 📖Connector22NoNo
PaloAltoPrismaCloudAlert_CL 🔶 📖Connector11NoNo
PaloAltoPrismaCloudAlertV2_CL 📖Connector11NoNo
PaloAltoPrismaCloudAudit_CL 🔶 📖Connector11NoNo
PaloAltoPrismaCloudAuditV2_CL 📖Connector11NoNo
Pathlock_TDnR_CL 📖Connector11NoNo
PDNS_Data_CL 🔶 📖Content10NoNo
PDNSBlockData_CL 🔶Connector11NoNo
Perf 📖ContentLow value30YesNo
PerfInsightsFindings 📖DocsAzure Resources, Virtual Machines00YesNo
PerfInsightsImpactedResources 📖DocsAzure Resources, Virtual Machines00YesNo
PerfInsightsRun 📖DocsAzure Resources, Virtual Machines00YesNo
Perimeter81_CL 🔶 📖Connector11NoNo
PFTitleAuditLogs 📖DocsAudit, Azure Resources00YesNo
PGSQLAutovacuumStats 📖DocsAudit, Azure Resources00YesNo
PGSQLDbTransactionsStats 📖DocsAudit, Azure Resources00YesNo
PGSQLPgBouncer 📖DocsAudit, Azure Resources00YesNo
PGSQLPgStatActivitySessions 📖DocsAudit, Azure Resources00YesNo
PGSQLQueryStoreQueryText 📖DocsAudit, Azure Resources00YesNo
PGSQLQueryStoreRuntime 📖DocsAudit, Azure Resources00YesNo
PGSQLQueryStoreWaits 📖DocsAudit, Azure Resources00YesNo
PGSQLServerLogs 📖DocsAudit, Azure Resources00YesNo
Phosphorus_CLConnector11NoNo
PingOne_AuditActivitiesV2_CLConnector11NoNo
PipelineTestVehiclesDocs00NoNo
PipelineTestVehiclesInternalUseOnlyDocs00NoNo
PostgreSQL_CL 📖Connector22NoNo
PowerAppsActivity 📖DocsAudit, Security00YesNo
PowerAutomateActivity 📖ConnectorAudit, Security11YesNo
PowerBIActivity 📖ConnectorAudit, Security11YesNo
PowerBIDatasetsTenant 📖DocsAzure Resources00YesNo
PowerBIDatasetsWorkspace 📖DocsAzure Resources00YesNo
PowerPlatformAdminActivity 📖ConnectorAudit, Security11YesNo
PowerPlatformConnectorActivity 📖DocsAudit, Security00YesNo
PowerPlatformDlpActivity 📖DocsAudit, Security00YesNo
prancer_CL 🔶 📖Connector11NoNo
Prisma_CLContent10NoNo
PrismaCloudCompute_CL 🔶Connector12NoNo
ProcessInvestigatorDocs00NoNo
ProjectActivity 📖ConnectorSecurity11YesNo
ProofpointPOD_maillog_CL 🔶 📖Connector11NoNo
ProofpointPOD_message_CL 🔶 📖Connector11NoNo
ProofpointPODMailLog_CL 📖Connector12NoNo
ProofpointPODMessage_CL 📖Connector12NoNo
ProofPointTAPClicksBlocked_CL 🔶 📖Connector11NoNo
ProofPointTAPClicksBlockedV2_CL 📖Connector11NoNo
ProofPointTAPClicksPermitted_CL 🔶 📖Connector11NoNo
ProofPointTAPClicksPermittedV2_CL 📖Connector11NoNo
ProofPointTAPMessagesBlocked_CL 🔶 📖Connector11NoNo
ProofPointTAPMessagesBlockedV2_CL 📖Connector11NoNo
ProofPointTAPMessagesDelivered_CL 🔶 📖Connector11NoNo
ProofPointTAPMessagesDeliveredV2_CL 📖Connector11NoNo
ProtectionStatus 📖ContentSecurity20YesNo
Proto_By_IP_Data_CL 🔶 📖Content10NoNo
PurviewDataSensitivityLogs 📖ConnectorAzure Resources, Security31YesNo
PurviewScanStatusLogs 📖DocsAzure Resources00YesNo
PurviewSecurityLogs 📖DocsAzure Resources00YesNo
QscoutAppEvents_CL 📖Connector11NoNo
QualysHostDetection_CL 🔶 📖Connector11NoNo
QualysHostDetectionV2_CL 🔶 📖Connector11NoNo
QualysHostDetectionV3_CL 📖Connector51NoNo
QualysKB_CL 🔶 📖Connector11NoNo
QualysKnowledgeBase 📖ConnectorSecurity12YesNo
Rapid7InsightVMCloudAssets 📖ConnectorSecurity11YesNo
Rapid7InsightVMCloudVulnerabilities 📖ConnectorSecurity11YesNo
RecordedFutureIdentity_PlaybookAlertResults_CL 📖Content10NoNo
RecordedFuturePlaybookAlerts_CLContent10NoNo
RecordedFuturePortalAlerts_CLContent10NoNo
RecordedFutureThreatMap_CLContentInternal10NoNo
RecordedFutureThreatMapMalware_CLContentInternal10NoNo
RedCanaryDetections_CL 🔶 📖Connector11NoNo
REDConnectionEvents 📖DocsAudit, Azure Resources00YesNo
RemoteNetworkHealthLogs 📖DocsIT & Management Tools, Network, Security00YesNo
Report_links_data_CL 🔶 📖Connector11NoNo
ResourceManagementPublicAccessLogs 📖DocsAzure Resources00YesNo
RetinaNetworkFlowLogs 📖DocsContainers00YesNo
RLTiCloudQuotas_CLContentInternal10NoNo
RomeDetectionEventDocs00NoNo
RSAIDPlus_AdminLogs_CL 📖Connector11NoNo
Rubrik_Anomaly_Data_CL 🔶 📖Connector11NoNo
Rubrik_Events_Data_CL 🔶 📖Connector11NoNo
Rubrik_Ransomware_Data_CL 🔶 📖Connector11NoNo
Rubrik_ThreatHunt_Data_CL 🔶 📖Connector11NoNo
RubrikProtectionStatus_CL 📖Connector11NoNo
SailPointIDN_Events_CL 🔶 📖Connector11NoNo
SailPointIDN_Triggers_CL 🔶 📖Connector11NoNo
SalemAlerts_CLContent10NoNo
SalesforceAuditTrailDocs00NoNo
SalesforceLoginHistoryDocs00NoNo
SalesforceServiceCloud_CL 🔶 📖Connector11NoNo
SalesforceServiceCloudV2_CL 📖Connector12NoNo
Samsung_Knox_Application_CL 📖Connector11NoNo
Samsung_Knox_Audit_CL 📖Connector11NoNo
Samsung_Knox_Network_CL 📖Connector11NoNo
Samsung_Knox_Process_CL 📖Connector11NoNo
Samsung_Knox_System_CL 📖Connector11NoNo
Samsung_Knox_User_CL 📖Connector11NoNo
SAPBTPAuditLog_CL 📖Connector11NoNo
SAPETDAlerts_CL 📖Connector11NoNo
SAPETDInvestigations_CL 📖Connector11NoNo
SAPLogServ_CL 📖Connector11NoNo
SCCMAssessmentRecommendation 📖DocsWorkloads00YesNo
SCGPoolExecutionLog 📖DocsAudit, Azure Monitor00YesNo
SCGPoolRequestLog 📖DocsAudit00YesNo
SCOMAssessmentRecommendation 📖DocsWorkloads00YesNo
secRMM_CL 🔶 📖Connector11NoNo
SecureScoreControlsDocs00NoNo
SecureScoresContent10NoNo
SecurityAlert 📖ConnectorInternal5210YesNo
SecurityAttackPathData 📖DocsSecurity00YesNo
SecurityBaseline 📖ContentSecurity70YesNo
SecurityBaselineSummary 📖ContentSecurity10YesNo
SecurityBridge_CL 📖Connector11NoNo
SecurityBridgeLogs_CL 📖Connector22NoNo
SecurityDetection 📖DocsSecurity00YesNo
SecurityEvent 📖ConnectorWindows306YesNo
SecurityIncidentConnectorInternal342NoNo
SecurityIoTRawEvent 📖DocsSecurity00YesNo
SecurityNestedRecommendationContent40NoNo
SecurityRecommendation 📖ContentSecurity60YesNo
SecurityRegulatoryComplianceContent50NoNo
SecurityScorecardFactor_CL 🔶 📖Connector11NoNo
SecurityScorecardIssues_CL 🔶 📖Connector11NoNo
SecurityScorecardRatings_CL 🔶 📖Connector11NoNo
Seg_Cg_CL 📖Connector11NoNo
Seg_Dlp_CL 📖Connector11NoNo
SenservaPro_CL 🔶 📖Connector11NoNo
SentinelAlibabaCloudAPIGatewayLogs 📖DocsSecurity00YesNo
SentinelAlibabaCloudVPCFlowLogs 📖DocsSecurity00YesNo
SentinelAlibabaCloudWAFLogs 📖DocsSecurity00YesNo
SentinelAudit 📖DocsInternal00YesNo
SentinelBehaviorEntities 📖ContentSecurity10YesNo
SentinelBehaviorInfo 📖ContentSecurity10YesNo
SentinelHealth 📖ContentSecurity10YesNo
SentinelImpervaWAFCloudV2Logs 📖ConnectorSecurity12YesNo
SentinelOne_CL 🔶 📖Connector11NoNo
SentinelOneActivities_CL 📖Connector12NoNo
SentinelOneAgents_CL 📖Connector12NoNo
SentinelOneAlerts_CL 📖Connector12NoNo
SentinelOneGroups_CL 📖Connector12NoNo
SentinelOneThreats_CL 📖Connector12NoNo
SentinelTheHiveDataDocs00NoNo
SeraphicWebSecurity_CLConnector11NoNo
Service_Name_Info_CL 🔶 📖Content10NoNo
ServiceFabricOperationalEvent 📖DocsAzure Resources00YesNo
ServiceFabricReliableActorEvent 📖DocsAzure Resources00YesNo
ServiceFabricReliableServiceEvent 📖DocsAzure Resources00YesNo
ServiceMapDocs00NoNo
Sevco_Devices_CL 🔶 📖Connector11NoNo
SfBAssessmentRecommendation 📖DocsWorkloads00YesNo
SfBOnlineAssessmentRecommendation 📖DocsWorkloads00YesNo
ShadowByteAriaForums_CLContent10NoNo
SharePointOnlineAssessmentRecommendation 📖DocsWorkloads00YesNo
SignalRServiceDiagnosticLogs 📖DocsAzure Resources00YesNo
SigninLogs 📖ConnectorAzure Resources, Security351YesNo
SIGNL4_CL 🔶Connector11NoNo
SINECSecurityGuard_CL 📖Connector11NoNo
SlackAudit_CL 🔶 📖Connector11NoNo
SlackAuditNativePoller_CL 🔶Connector12NoNo
SlackAuditV2_CL 📖Connector12NoNo
SlashNext_CLContent10NoNo
Snowflake_CL 🔶 📖Connector11NoNo
SnowflakeLoad_CL 📖Connector11NoNo
SnowflakeLogin_CL 📖Connector11NoNo
SnowflakeMaterializedView_CL 📖Connector11NoNo
SnowflakeQuery_CL 📖Connector11NoNo
SnowflakeRoleGrant_CL 📖Connector11NoNo
SnowflakeRoles_CL 📖Connector11NoNo
SnowflakeTables_CL 📖Connector11NoNo
SnowflakeTableStorageMetrics_CL 📖Connector11NoNo
SnowflakeUserGrant_CL 📖Connector11NoNo
SnowflakeUsers_CL 📖Connector11NoNo
SOCPrimeAuditLogs_CL 📖Connector11NoNo
SOCRadar_Alarms_CL 📖Content10NoNo
SOCRadarAuditLog_CL 📖Content10NoNo
Sonrai_Tickets_CL 🔶 📖Connector11NoNo
SophosCloudOptix_CL 🔶 📖Connector11NoNo
SophosEP_CL 🔶 📖Connector11NoNo
SophosEPAlerts_CL 📖Connector11NoNo
SophosEPEvents_CL 📖Connector11NoNo
SPAssessmentRecommendation 📖DocsWorkloads00YesNo
SpyCloudBreachDataWatchlist_CL 🔶 📖Content10NoNo
SQLAssessmentRecommendation 📖DocsWorkloads00YesNo
SqlAtpStatusDocs00NoNo
SQLSecurityAuditEvents 📖DocsAzure Resources00YesNo
SqlThreatProtectionLoginAuditsDocs00NoNo
SqlVulnerabilityAssessmentResult 📖DocsWorkloads00YesNo
SqlVulnerabilityAssessmentScanStatusDocs00NoNo
SquidProxy_CL 🔶 📖Connector22NoNo
StorageBlobLogs 📖ConnectorAzure Resources51YesNo
StorageCacheOperationEvents 📖DocsAzure Resources00YesNo
StorageCacheUpgradeEvents 📖DocsAzure Resources00YesNo
StorageCacheWarningEvents 📖DocsAzure Resources00YesNo
StorageFileLogs 📖ConnectorAzure Resources31YesNo
StorageInsightsAccountPropertiesDailyDocs00NoNo
StorageInsightsDailyMetricsDocs00NoNo
StorageInsightsHourlyMetricsDocs00NoNo
StorageInsightsMonthlyMetricsDocs00NoNo
StorageInsightsWeeklyMetricsDocs00NoNo
StorageMalwareScanningResults 📖DocsAzure Resources, Security00YesNo
StorageMoverCopyLogsFailed 📖DocsAzure Resources00YesNo
StorageMoverCopyLogsTransferred 📖DocsAzure Resources00YesNo
StorageMoverJobRunLogs 📖DocsAzure Resources00YesNo
StorageQueueLogs 📖ConnectorAzure Resources11YesNo
StorageTableLogs 📖ConnectorAzure Resources21YesNo
StyxViewAlerts_CL 📖Connector11NoNo
SucceededIngestion 📖DocsAzure Resources00YesNo
Summary_Details_CL 🔶 📖Content10NoNo
Summary_Details_Top_Certs_Data_CL 🔶 📖Content10NoNo
Summary_Details_Top_Fingerprints_Data_CL 🔶 📖Content10NoNo
Summary_Details_Top_Open_Ports_Data_CL 🔶 📖Content10NoNo
Summary_Details_Top_Pdns_Data_CL 🔶 📖Content10NoNo
SVMPoolExecutionLog 📖DocsAudit, Azure Monitor00YesNo
SVMPoolRequestLog 📖DocsAudit00YesNo
SymantecICDx_CL 🔶 📖Connector11NoNo
SynapseBigDataPoolApplicationsEnded 📖DocsAzure Resources00YesNo
SynapseBuiltinSqlPoolRequestsEnded 📖DocsAzure Resources00YesNo
SynapseDXCommand 📖DocsAzure Resources00YesNo
SynapseDXFailedIngestion 📖DocsAzure Resources00YesNo
SynapseDXIngestionBatching 📖DocsAzure Resources00YesNo
SynapseDXQuery 📖DocsAzure Resources00YesNo
SynapseDXSucceededIngestion 📖DocsAzure Resources00YesNo
SynapseDXTableDetails 📖DocsAzure Resources00YesNo
SynapseDXTableUsageStatistics 📖DocsAzure Resources00YesNo
SynapseGatewayApiRequests 📖DocsAzure Resources00YesNo
SynapseIntegrationActivityRuns 📖DocsAzure Resources00YesNo
SynapseIntegrationPipelineRuns 📖DocsAzure Resources00YesNo
SynapseIntegrationTriggerRuns 📖DocsAzure Resources00YesNo
SynapseLinkEvent 📖DocsAzure Resources00YesNo
SynapseRbacOperations 📖DocsAzure Resources00YesNo
SynapseScopePoolScopeJobsEnded 📖DocsAzure Resources00YesNo
SynapseScopePoolScopeJobsStateChange 📖DocsAzure Resources00YesNo
SynapseSqlPoolDmsWorkers 📖DocsAzure Resources00YesNo
SynapseSqlPoolExecRequests 📖DocsAzure Resources00YesNo
SynapseSqlPoolRequestSteps 📖DocsAzure Resources00YesNo
SynapseSqlPoolSqlRequests 📖DocsAzure Resources00YesNo
SynapseSqlPoolWaits 📖DocsAzure Resources00YesNo
Syslog 📖ConnectorSyslog/CEF5538YesNo
TacitRed_Findings_CL 🔶 📖Connector11NoNo
Talon_CL 🔶 📖Connector11NoNo
talon_CL 🔶Content00NoNo
TaniumComplyCompliance_CL 🔶 📖Connector11NoNo
TaniumComplyVulnerabilities_CL 🔶 📖Connector11NoNo
TaniumDefenderHealth_CL 🔶 📖Connector11NoNo
TaniumDiscoverUnmanagedAssets_CL 🔶 📖Connector11NoNo
TaniumHighUptime_CL 🔶 📖Connector11NoNo
TaniumMainAsset_CL 📖Schema00NoNo
TaniumPatchCoverageStatus_CL 🔶 📖Connector11NoNo
TaniumPatchListApplicability_CL 🔶 📖Connector11NoNo
TaniumPatchListCompliance_CL 🔶 📖Connector11NoNo
TaniumSCCMClientHealth_CL 🔶 📖Connector11NoNo
TaniumThreatResponse_CL 🔶 📖Connector11NoNo
Tenable_ad_CL 📖Connector33NoNo
Tenable_IE_CL 📖Connector33NoNo
Tenable_IO_Assets_CL 🔶 📖Connector11NoNo
Tenable_IO_Vuln_CL 🔶 📖Connector11NoNo
Tenable_VM_Asset_CL 📖Connector11NoNo
Tenable_VM_Compliance_CL 📖Connector11NoNo
Tenable_VM_Vuln_CL 📖Connector11NoNo
Tenable_WAS_Asset_CL 📖Connector11NoNo
Tenable_WAS_Vuln_CL 📖Connector11NoNo
TheHive_CL 🔶 📖Connector11NoNo
TheHiveData_CL 📖Schema00NoNo
TheomAlerts_CL 🔶 📖Connector11NoNo
Thinkst_Canary_CLContent10NoNo
ThreatIntelExportOperation 📖ConnectorSecurity11YesNo
ThreatIntelIndicators 📖ConnectorInternal159YesNo
ThreatIntelligenceIndicator 📖ConnectorSecurity2714YesNo
ThreatIntelObjects 📖ConnectorSecurity15YesNo
tide_lookup_data_CL 🔶 📖ContentInternal10NoNo
Tomcat_CL 📖Connector32NoNo
Top_Asns_By_IP_Data_CL 🔶 📖Content10NoNo
Top_Country_Codes_By_IP_Data_CL 🔶 📖Content10NoNo
Top_Services_By_IP_Data_CL 🔶 📖Content10NoNo
Top_Tags_By_IP_Data_CL 🔶 📖Content10NoNo
TOUserAudits 📖DocsAudit, Azure Resources00YesNo
TOUserDiagnostics 📖DocsAzure Resources00YesNo
TransmitSecurityActivity_CL 🔶Connector11NoNo
TransmitSecurityAdminActivity_CL 📖Schema00NoNo
TransmitSecurityUserActivity_CL 📖Schema00NoNo
TrellixEvents_CL 📖Connector11NoNo
TrendMicro_XDR_Health_Check_CL 📖Content00NoNo
TrendMicro_XDR_OAT_CL 🔶 📖Connector11NoNo
TrendMicro_XDR_OAT_Health_Check_CLContent00NoNo
TrendMicro_XDR_RCA_Result_CL 🔶 📖Connector11NoNo
TrendMicro_XDR_RCA_Task_CL 🔶 📖Connector11NoNo
TrendMicro_XDR_WORKBENCH_CL 🔶 📖Connector11NoNo
TrendMicroCAS_CL 🔶 📖Connector11NoNo
Tropico_Alerts_CL 📖Connector11NoNo
Tropico_Events_CL 📖Connector11NoNo
Tropico_Incidents_CL 📖Connector11NoNo
TSIIngress 📖DocsAzure Resources00YesNo
Ttp_Attachment_CL 📖Connector11NoNo
Ttp_Impersonation_CL 📖Connector11NoNo
Ttp_Url_CL 📖Connector11NoNo
UAApp 📖DocsDesktop Analytics00YesNo
UAComputer 📖DocsDesktop Analytics00YesNo
UAComputerRank 📖DocsDesktop Analytics00YesNo
UADriver 📖DocsDesktop Analytics00YesNo
UADriverProblemCodes 📖DocsDesktop Analytics00YesNo
UAFeedback 📖DocsDesktop Analytics00YesNo
UAIESiteDiscovery 📖DocsDesktop Analytics00YesNo
UAOfficeAddIn 📖DocsDesktop Analytics00YesNo
UAProposedActionPlan 📖DocsDesktop Analytics00YesNo
UASysReqIssue 📖DocsDesktop Analytics00YesNo
UAUpgradedComputer 📖DocsDesktop Analytics00YesNo
Ubiquiti_CLConnector22NoNo
UCClientDocs00NoNo
UCClientReadinessStatusDocs00NoNo
UCClientUpdateStatusDocs00NoNo
UCDeviceAlertDocs00NoNo
UCDOAggregatedStatus 📖DocsDesktop Analytics00YesNo
UCDOStatus 📖DocsDesktop Analytics00YesNo
UCServiceUpdateStatusDocs00NoNo
UCUpdateAlertDocs00NoNo
Update 📖ContentIT & Management Tools, Security40YesNo
UpdateRunProgress 📖DocsIT & Management Tools00YesNo
UpdateSummary 📖ContentVirtual Machines10YesNo
UpwindLogsAssets_CL 📖Connector11NoNo
UrlClickEvents 📖ConnectorSecurity, XDR41YesYes
Usage 📖ContentAzure Monitor90YesNo
UserAccessAnalytics 📖ContentSecurity00YesNo
UserPeerAnalytics 📖ContentInternal00YesNo
Users_CLContent00NoNo
Vaikora_AgentSignals_CL 🔶 📖Connector11NoNo
ValenceAlert_CL 🔶 📖Connector11NoNo
ValimailEnforceEvents_CL 📖Connector11NoNo
VaronisAlerts_CL 🔶 📖Connector11NoNo
VaronisResources_CL 📖Connector11NoNo
vcenter_CL 📖Connector22NoNo
VCoreMongoRequests 📖DocsAudit00YesNo
vectra_beacon_CL 📖Connector11NoNo
vectra_dcerpc_CL 📖Connector11NoNo
vectra_dhcp_CL 📖Connector11NoNo
vectra_dns_CL 📖Connector11NoNo
vectra_http_CL 📖Connector11NoNo
vectra_isession_CL 📖Connector11NoNo
vectra_kerberos_CL 📖Connector11NoNo
vectra_ldap_CL 📖Connector11NoNo
vectra_match_CL 📖Schema00NoNo
vectra_ntlm_CL 📖Connector11NoNo
vectra_radius_CL 📖Connector11NoNo
vectra_rdp_CL 📖Connector11NoNo
vectra_smbfiles_CL 📖Connector11NoNo
vectra_smbmapping_CL 📖Connector11NoNo
vectra_smtp_CL 📖Connector11NoNo
vectra_ssh_CL 📖Connector11NoNo
vectra_ssl_CL 📖Connector11NoNo
vectra_x509_CL 📖Connector11NoNo
VectraStream_CL 🔶 📖Connector22NoNo
VeeamAuthorizationEvents_CL 📖Connector11NoNo
VeeamCovewareFindings_CL 📖Connector11NoNo
VeeamMalwareEvents_CL 📖Connector11NoNo
VeeamOneTriggeredAlarms_CL 📖Connector11NoNo
VeeamSecurityComplianceAnalyzer_CL 📖Connector11NoNo
VeeamSessions_CL 📖Connector11NoNo
VersasecCmsErrorLogs_CL 📖Connector11NoNo
VersasecCmsSysLogs_CL 📖Connector11NoNo
VIAudit 📖DocsAudit00YesNo
VIIndexing 📖DocsAzure Resources00YesNo
VisaThreatIntelligenceIOC_CL 📖Connector11NoNo
VMBoundPort 📖DocsVMinsights00YesNo
VMComputer 📖ContentVMinsights10YesNo
VMConnection 📖ContentVMinsights100YesNo
VMProcess 📖ContentVMinsights10YesNo
vmray_emails_CL 📖Schema00NoNo
VMware_CWS_DLPLogs_CL 📖Connector11NoNo
VMware_CWS_Health_CL 📖Connector11NoNo
VMware_CWS_Weblogs_CL 📖Connector11NoNo
VMware_SDWAN_EFSAPI_Health_CL 📖Schema00NoNo
VMware_SDWAN_FirewallLogs_CL 📖Content10NoNo
VMware_VECO_EventLogs_CL 📖Connector11NoNo
VMware_VECO_SearchAPI_Health_CL 📖Schema00NoNo
VTDomainReport_CLContent10NoNo
VTFileReport_CLContent10NoNo
VTIPReport_CLContent10NoNo
VTURLReport_CLContent20NoNo
Vulns_AssetID_List_CLContent10NoNo
W3CIISLog 📖ConnectorIT & Management Tools, Virtual Machines82YesNo
WaaSDeploymentStatus 📖DocsDesktop Analytics00YesNo
WaaSInsiderStatus 📖DocsDesktop Analytics00YesNo
WaaSUpdateStatus 📖DocsDesktop Analytics00YesNo
Watchlist 📖ContentInternal50YesNo
WDAVStatus 📖DocsDesktop Analytics00YesNo
WDAVThreat 📖DocsDesktop Analytics00YesNo
web_assets_CL 🔶 📖Connector11NoNo
WebPubSubConnectivity 📖DocsAzure Resources00YesNo
WebPubSubHttpRequest 📖DocsAzure Resources00YesNo
WebPubSubMessaging 📖DocsAzure Resources00YesNo
WebSession_Summarized_DstIP_CL 🔶 📖ContentInternal10NoNo
WebSession_Summarized_SrcInfo_CL 🔶 📖ContentInternal10NoNo
WebSession_Summarized_SrcIP_CL 🔶 📖ContentInternal10NoNo
WebSession_Summarized_ThreatInfo_CL 🔶 📖ContentInternal10NoNo
Whois_Data_CL 🔶 📖Content10NoNo
Windows365AuditLogs 📖DocsAudit00YesNo
WindowsClientAssessmentRecommendation 📖DocsWorkloads00YesNo
WindowsEvent 📖ConnectorWindows101YesNo
WindowsFirewall 📖ConnectorWindows71YesNo
WindowsServerAssessmentRecommendation 📖DocsWorkloads00YesNo
WireData 📖ContentSecurity, Virtual Machines30YesNo
WizAuditLogs_CL 🔶 📖Connector11NoNo
WizAuditLogsV2_CL 🔶 📖Connector11NoNo
WizIssues_CL 🔶 📖Connector11NoNo
WizIssuesV2_CL 🔶 📖Connector11NoNo
WizVulnerabilities_CL 🔶 📖Connector11NoNo
WizVulnerabilitiesV2_CL 🔶 📖Connector11NoNo
WorkloadDiagnosticLogs 📖DocsAzure Monitor, Workloads00YesNo
WorkloadMonitoringPerf 📖DocsWorkloads00YesNo
Workplace_Facebook_CL 📖Connector11NoNo
WOUserAudits 📖DocsAudit, Azure Resources00YesNo
WOUserDiagnostics 📖DocsAzure Resources00YesNo
WsSecurityEvents_CL 📖Connector11NoNo
WUDOAggregatedStatus 📖DocsDesktop Analytics00YesNo
WUDOStatus 📖DocsDesktop Analytics00YesNo
WVDAgentHealthStatus 📖DocsVirtual Machines00YesNo
WVDAutoscaleEvaluationPooled 📖DocsAzure Virtual Desktop00YesNo
WVDCheckpoints 📖DocsAzure Virtual Desktop00YesNo
WVDConnectionGraphicsDataPreview 📖DocsAzure Virtual Desktop00YesNo
WVDConnectionNetworkData 📖DocsAzure Virtual Desktop00YesNo
WVDConnections 📖DocsAzure Virtual Desktop00YesNo
WVDErrors 📖DocsAzure Virtual Desktop00YesNo
WVDFeeds 📖DocsAzure Virtual Desktop00YesNo
WVDHostRegistrations 📖DocsAzure Virtual Desktop00YesNo
WVDManagement 📖DocsAzure Virtual Desktop00YesNo
WVDMultiLinkAdd 📖DocsAzure Virtual Desktop00YesNo
WVDSessionHostManagement 📖DocsAzure Virtual Desktop00YesNo
X509_Data_CL 🔶 📖Content10NoNo
XbowAssessments_CL 📖Connector11NoNo
XbowAssets_CL 📖Connector11NoNo
XbowFindings_CL 📖Connector11NoNo
ZeroFox_CTI_advanced_dark_web_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_botnet_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_breaches_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_C2_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_compromised_credentials_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_credit_cards_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_dark_web_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_discord_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_disruption_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_email_addresses_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_exploits_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_irc_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_malware_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_national_ids_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_phishing_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_phone_numbers_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_ransomware_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_telegram_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_threat_actors_CL 🔶 📖Connector11NoNo
ZeroFox_CTI_vulnerabilities_CL 🔶 📖Connector11NoNo
ZeroFoxAlertPoller_CL 🔶 📖Connector11NoNo
ZimperiumMitigationLog_CL 🔶 📖Connector11NoNo
ZimperiumThreatLog_CL 🔶 📖Connector11NoNo
ZNAccessOrchestratorAudit_CL 📖Schema00NoNo
ZNAccessOrchestratorAuditNativePoller_CL 📖Schema00NoNo
ZNAudit_CLConnector11NoNo
ZNIdentityActivity_CLConnector11NoNo
ZNNetworkActivity_CLConnector11NoNo
ZNRPCActivity_CLConnector11NoNo
ZNSegmentAudit_CL 📖Schema00NoNo
ZNSegmentAuditNativePoller_CLConnector12NoNo
Zoom_CL 📖Connector11NoNo
ZoomV2_CLConnector11NoNo
ZPA_CL 📖Connector22NoNo
ZTSGraphDocs00NoNo
ZTSJobStatusDocs00NoNo
ZTSMetadataDocs00NoNo
ZTSRequest 📖DocsAudit, Azure Resources, Network00YesNo
Legend: 🔶 = Custom Logs v1 (classic, may not be accurate); 📖 = Table schema available
Name | Type | Source | Solution | Description
1Password - Changes to firewall rules | Analytic Rule | 📦 Solution | 1Password | This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related entities are the same...
1Password - Changes to SSO configuration | Analytic Rule | 📦 Solution | 1Password | This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related entities are the s...
1Password - Disable MFA factor or type for all user accounts | Analytic Rule | 📦 Solution | 1Password | This will alert when the MFA factor or type for all user accounts is disabled. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related entities...
1Password - Log Ingestion Failure | Analytic Rule | 📦 Solution | 1Password | This will alert when the log ingestion for the OnePasswordEventLogs_CL logs is failing. The alert is based on the health events that are created every 5 minutes and will trigger if no logs have been re...
1Password - Manual account creation | Analytic Rule | 📦 Solution | 1Password | This will alert when a new account was created manually within 1Password. This should only be used when a 1Password integration via a SCIM Bridge has been implemented. Ref: https://support.1password....
1Password - New service account integration created | Analytic Rule | 📦 Solution | 1Password | This will alert when a new integration has been created. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related entities are the same. Ref: ht...
1Password - Non-privileged vault user permission change | Analytic Rule | 📦 Solution | 1Password | This will alert when user permissions have changed within a non-privileged vault, where the change was made by an actor that was not the target user account. Once this analytics rule is triggered it ...
1Password - Potential insider privilege escalation via group | Analytic Rule | 📦 Solution | 1Password | This will alert when an actor grants or updates their own permissions via a group. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related enti...
1Password - Potential insider privilege escalation via vault | Analytic Rule | 📦 Solution | 1Password | This will alert when an actor grants or updates their own permissions via a vault. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related enti...
1Password - Privileged vault permission change | Analytic Rule | 📦 Solution | 1Password | This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related entities are th...
1Password - Secret extraction post vault access change by administrator | Analytic Rule | 📦 Solution | 1Password | This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault. Ref: https://1password.com/ Ref: https://github.com/...
1Password - Service account integration token adjustment | Analytic Rule | 📦 Solution | 1Password | This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for up to an hour...
1Password - Successful anomalous sign-in | Analytic Rule | 📦 Solution | 1Password | This will alert when a new successful MFA-confirmed sign-in has occurred from a location that was not seen within the last 14 days. Ref: https://1password.com/ Ref: https://github.com/securehats/
1Password - User account MFA settings changed | Analytic Rule | 📦 Solution | 1Password | This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for up to an hour when all related...
1Password - User added to privileged group | Analytic Rule | 📦 Solution | 1Password | This will alert when a user is added to a privileged group by an actor that was not the target user account. Once the analytics rule is triggered it will group all related f...
1Password - Vault export post account creation | Analytic Rule | 📦 Solution | 1Password | This will alert when a successful vault export has occurred within 14 days of a new account being created within 1Password. Ref: https://1password.com/ Ref: https://github.com/securehats/
1Password - Vault export prior to account suspension or deletion | Analytic Rule | 📦 Solution | 1Password | This will alert when a successful vault export has occurred within the 14 days prior to an account being suspended or deleted from 1Password. Ref: https://1password.com/ Ref: https://github.com/...
1Password - Vault export | Analytic Rule | 📦 Solution | 1Password | This will alert when a successful vault export has occurred within 1Password. Ref: https://1password.com/ Ref: https://github.com/securehats/
1Password | Workbook | 📦 Solution | 1Password |
API - Account Takeover | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against account takeover
API - Anomaly Detection | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection anomaly detection
API - API Scraping | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against API scraping
API - BOLA | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against BOLA
API - Rate limiting | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against first-time access
API - Invalid host access | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against invalid host access
API - JWT validation | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against JWT validation
API - Kiterunner detection | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against Kiterunner enumeration
API - Password Cracking | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against password cracking
API - Rate limiting | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against rate limiting
API - Suspicious Login | Analytic Rule | 📦 Solution | 42Crunch API Protection | 42Crunch API protection against suspicious login
42CrunchAPIProtectionWorkbook | Workbook | 📦 Solution | 42Crunch API Protection |
AbuseIPDB Blacklist Ip To Threat Intelligence | Playbook | 📦 Solution | AbuseIPDB | This playbook is triggered on a daily recurrence and performs the following actions: 1. Gets a [list](https://docs.abuseipdb.com/#blacklist-endpoint) of the most reported IP addresses from the Blac...
AbuseIPDB Enrich Incident By IP Info | Playbook | 📦 Solution | AbuseIPDB | Once a new Sentinel incident is created, this playbook is triggered and performs the following actions: 1. [Gets information](https://docs.abuseipdb.com/#check-endpoint) from AbuseIPDB by IPs, prov...
AbuseIPDB Report IPs To AbuseIPDB After User Response In MSTeams | Playbook | 📦 Solution | AbuseIPDB | When a new Sentinel incident is created, this playbook is triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be ta...
Acronis - Login from Abnormal IP - Low Occurrence | Analytic Rule | 📦 Solution | Acronis Cyber Protect Cloud | Suspicious login from an IP address observed up to two times in the last two weeks.
Acronis - Multiple Endpoints Accessing Malicious URLs | Analytic Rule | 📦 Solution | Acronis Cyber Protect Cloud | Multiple endpoints accessing malicious URLs could indicate an ongoing phishing attack, with several employees interacting with those URLs.
Acronis - Multiple Endpoints Infected by Ransomware | Analytic Rule | 📦 Solution | Acronis Cyber Protect Cloud | Detects when three or more distinct endpoints report ransomware detections within a single day.
Acronis - Multiple Inboxes with Malicious Content Detected | Analytic Rule | 📦 Solution | Acronis Cyber Protect Cloud | Many inboxes containing malicious content could indicate a potential ongoing phishing attack.
Acronis - Agent failed updating more than twice in a day | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | The following devices have failed agent updates more than two times.
Acronis - Agents offline for 2 days or more | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Query to find agents that have been offline for two days or longer.
Acronis - Audit Log | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Records user and system operations in the management portal and Cyber Protect console, including scripting, quota, and email archiving events.
Acronis - Cloud Connection Errors | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Various errors related to S3 or Azure cloud connections.
Acronis - Endpoints Accessing Malicious URLs | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Multiple endpoints accessing malicious URLs could indicate an ongoing phishing attack, with several employees interacting with those URLs.
Acronis - Endpoints Infected by Ransomware | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Detected and blocked ransomware.
Acronis - Endpoints with Backup issues | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Endpoints experiencing various backup-related issues.
Acronis - Endpoints with EDR Incidents | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | A high number of endpoints with multiple incidents could indicate an ongoing attack.
Acronis - Endpoints with high failed login attempts | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Multiple endpoints with a high number of failed login attempts could indicate a password spraying attack, where an attacker tries different credentials across several machines.
Acronis - Inboxes with Malicious Content | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Many inboxes containing malicious content could indicate a potential ongoing phishing attack.
Acronis - Login from Abnormal IP - Low Occurrence | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Suspicious login from an IP address observed up to two times.
Acronis - Protection Service Errors | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | Various errors related to Active Protection or CPS malfunctions.
Acronis - ASZ defence: Unauthorized operation is detected and blocked | Hunting Query | 📦 Solution | Acronis Cyber Protect Cloud | An attempt to modify the protected Acronis Secure Zone partition was blocked.
InfoSecGlobal | Workbook | 📦 Solution | AgileSec Analytics Connector |
AIA-Darktrace | Workbook | 📦 Solution | AI Analyst Darktrace |
Guardian- Ban Topic Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Ban Topic Policy Violation is detected by the Guardian.
Guardian- BII Detection Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a BII Detection Policy Violation is detected by the Guardian.
Guardian- Block Competitor Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Block Competitor Policy Violation is detected by the Guardian.
Guardian- Blocks specific strings of text Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Blocks specific strings of text Policy Violation is detected by the Guardian.
Guardian- Code Detection Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Code Detection Policy Violation is detected by the Guardian.
Guardian- Content Access Control Allowed List Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Content Access Control Allowed List Policy Violation is detected by the Guardian.
Guardian- Content Access Control Blocked List Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Content Access Control Blocked List Policy Violation is detected by the Guardian.
Guardian- Content Safety Profanity Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Content Safety Profanity Policy Violation is detected by the Guardian.
Guardian- Content Safety Toxicity Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Content Safety Toxicity Policy Violation is detected by the Guardian.
Guardian- Gender Bias Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Gender Bias Policy Violation is detected by the Guardian.
AIShield - Image classification AI Model Evasion high suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Image classification AI Model Evasion high suspicious, high severity vulnerability is detected by AIShield.
AIShield - Image classification AI Model Evasion low suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Image classification AI Model Evasion low suspicious, high severity vulnerability is detected by AIShield.
AIShield - Image classification AI Model extraction high suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Image classification AI Model extraction high suspicious, high severity vulnerability is detected by AIShield.
AIShield - Image Segmentation AI Model extraction high suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Image Segmentation AI Model extraction high suspicious, high severity vulnerability is detected by AIShield.
Guardian- Input Output Relevance Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Input Output Relevance Policy Violation is detected by the Guardian.
Guardian- Input Rate Limiter Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Input Rate Limiter Policy Violation is detected by the Guardian.
Guardian- Invisible Text Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Invisible Text Policy Violation is detected by the Guardian.
Guardian- Additional check JSON Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when an Additional check JSON Policy Violation is detected by the Guardian.
Guardian- Language Detection Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Language Detection Policy Violation is detected by the Guardian.
Guardian- Malicious URL Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Malicious URL Policy Violation is detected by the Guardian.
AIShield - Natural language processing AI model extraction high suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Natural language processing AI Model extraction high suspicious, high severity vulnerability is detected by AIShield.
Guardian- No LLM Output Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a No LLM Output Policy Violation is detected by the Guardian.
Guardian- Not Safe For Work Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Not Safe For Work Policy Violation is detected by the Guardian.
Guardian- Privacy Protection PII Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Privacy Protection PII Policy Violation is detected by the Guardian.
Guardian- Racial Bias Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Racial Bias Policy Violation is detected by the Guardian.
Guardian- Regex Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Regex Policy Violation is detected by the Guardian.
Guardian- Same Input/Output Language Detection Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Same Input/Output Language Detection Policy Violation is detected by the Guardian.
Guardian- Secrets Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Secrets Policy Violation is detected by the Guardian.
Guardian- Security Integrity Checks Prompt Injection Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Security Integrity Checks Prompt Injection Policy Violation is detected by the Guardian.
Guardian- Sentiment Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Sentiment Policy Violation is detected by the Guardian.
Guardian- Special PII Detection Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Special PII Detection Policy Violation is detected by the Guardian.
AIShield - Tabular classification AI Model Evasion high suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Tabular classification AI Model Evasion high suspicious, high severity vulnerability is detected by AIShield.
AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Tabular classification AI Model Evasion low suspicious, medium severity vulnerability is detected by AIShield.
AIShield - Tabular classification AI Model extraction high suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Tabular classification AI Model extraction high suspicious, high severity vulnerability is detected by AIShield.
AIShield - Timeseries Forecasting AI Model extraction high suspicious vulnerability detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Timeseries Forecasting AI Model extraction high suspicious, high severity vulnerability is detected by AIShield.
Guardian- Token Limit Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a Token Limit Policy Violation is detected by the Guardian.
Guardian- URL Detection Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a URL Detection Policy Violation is detected by the Guardian.
Guardian- URL Reachability Policy Violation Detection | Analytic Rule | 📦 Solution | AIShield AI Security Monitoring | This alert creates an incident when a URL Reachability Policy Violation is detected by the Guardian.
AIShieldWorkbook📦 SolutionAIShield AI Security Monitoring
GuardianDashboardWorkbook📦 SolutionAIShield AI Security Monitoring
AIShieldParser📦 SolutionAIShield AI Security Monitoring
GuardianParser📦 SolutionAIShield AI Security Monitoring
AkamaiSIEMEventParser📦 SolutionAkamai Security Events
AliCloudParser📦 SolutionAlibaba Cloud
Alsid Active Directory attacks pathwaysAnalytic Rule📦 SolutionAlsid For ADSearches for triggered Indicators of Exposures related to Active Directory attacks pathways
Alsid DCShadowAnalytic Rule📦 SolutionAlsid For ADSearches for DCShadow attacks
Alsid DCSyncAnalytic Rule📦 SolutionAlsid For ADSearches for DCSync attacks
Alsid Golden TicketAnalytic Rule📦 SolutionAlsid For ADSearches for Golden Ticket attacks
Alsid Indicators of AttackAnalytic Rule📦 SolutionAlsid For ADSearches for triggered Indicators of Attack
Alsid Indicators of ExposuresAnalytic Rule📦 SolutionAlsid For ADSearches for triggered Indicators of Exposures
Alsid LSASS MemoryAnalytic Rule📦 SolutionAlsid For ADSearches for OS Credentials dumping attacks
Alsid Password GuessingAnalytic Rule📦 SolutionAlsid For ADSearches for bruteforce Password Guessing attacks
Alsid Password issuesAnalytic Rule📦 SolutionAlsid For ADSearches for triggered Indicators of Exposures related to password issues
Alsid Password SprayingAnalytic Rule📦 SolutionAlsid For ADSearches for Password spraying attacks
Alsid privileged accounts issuesAnalytic Rule📦 SolutionAlsid For ADSearches for triggered Indicators of Exposures related to privileged accounts issues
Alsid user accounts issuesAnalytic Rule📦 SolutionAlsid For ADSearches for triggered Indicators of Exposures related to user accounts issues
AlsidIoAWorkbook📦 SolutionAlsid For AD
AlsidIoEWorkbook📦 SolutionAlsid For AD
afad_parser 🔍Parser📦 SolutionAlsid For AD
Successful API executed from a Tor exit nodeAnalytic Rule📦 SolutionAmazon Web ServicesA successful API execution was detected from an IP address categorized as a TOR exit node by Threat Intelligence.
Changes to internet facing AWS RDS Database instancesAnalytic Rule📦 SolutionAmazon Web ServicesAmazon Relational Database Service (RDS) is scalable relational database in the cloud. If your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing...
Changes to Amazon VPC settingsAnalytic Rule📦 SolutionAmazon Web ServicesAmazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. This identifies chan...
Changes made to AWS CloudTrail logsAnalytic Rule📦 SolutionAmazon Web ServicesAttackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge ...
AWS Config Service Resource Deletion AttemptsAnalytic Rule📦 SolutionAmazon Web ServicesDetects attempts to remove a part of the AWS Config Service.The Threat Actor may manipulate the Config services decrease the visibility into the security posture of an account and / or its workload in...
Login to AWS Management Console without MFAAnalytic Rule📦 SolutionAmazon Web ServicesMulti-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for admins...
CloudFormation policy created then used for privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new Cloudformation policy and usage of one of the attach policy events (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique ...
Creation of CRUD DynamoDB policy and then privilege escalation.Analytic Rule📦 SolutionAmazon Web ServicesDetected creation of new CRUD DynamoDB policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation techniq...
Creation of new CRUD IAM policy and then privilege escalation.Analytic Rule📦 SolutionAmazon Web ServicesDetected creation of new CRUD IAM policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique th...
Creation of CRUD KMS policy and then privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new CRUD KMS policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique th...
Created CRUD S3 policy and then privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new CRUD S3 policy and afterwards used one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation techni...
Creation of CRUD Lambda policy and then privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new CRUD Lambda policy and usage of the attach policy events (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attac...
Creation of DataPipeline policy and then privilege escalation.Analytic Rule📦 SolutionAmazon Web ServicesDetected creation of new Datapipeline policy and usage of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that ...
Creation of EC2 policy and then privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new EC2 policy and afterwards used one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique ...
Creation of Glue policy and then privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new Glue policy and usage one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that atta...
Creation of Lambda policy and then privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new Lambda policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that...
Creation of SSM policy and then privilege escalationAnalytic Rule📦 SolutionAmazon Web ServicesDetected creation of new SSM policy and afterwards used one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique ...
Creating keys with encrypt policy without MFAAnalytic Rule📦 SolutionAmazon Web ServicesDetection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an idicator that your account is compromised and the attacker uses the encryption...
Monitor AWS Credential abuse or hijackingAnalytic Rule📦 SolutionAmazon Web ServicesLooking for GetCallerIdentity Events where the UserID Type is AssumedRole An attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account...
EC2 Startup Shell Script ChangedAnalytic Rule📦 SolutionAmazon Web ServicesDetects changes to the EC2 startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. ref : https://github.com/RhinoSecurityLabs/pacu/blob/master...
ECR image scan findings high or criticalAnalytic Rule📦 SolutionAmazon Web ServicesAWS ECR Image scan detected critical or high-severity vulnerabilities in your container image.
Automatic image scanning disabled for ECRAnalytic Rule📦 SolutionAmazon Web ServicesImage Scanning for ECR was disabled, which could lead to missing vulnerable container images in your environment. Attackers could disable the Image Scanning for defense evasion purposes.
Full Admin policy created and then attached to Roles, Users or GroupsAnalytic Rule📦 SolutionAmazon Web ServicesIdentity and Access Management (IAM) securely manages access to AWS services and resources. Identifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). This poli...
GuardDuty detector disabled or suspendedAnalytic Rule📦 SolutionAmazon Web ServicesGuardDuty Detector was disabled or suspended, possibly by an attacker trying to avoid detection of its malicious activities. Verify with the user identity that this activity is legitimate.
AWS Guard Duty AlertAnalytic Rule📦 SolutionAmazon Web ServicesAmazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation....
Changes to AWS Security Group ingress and egress settingsAnalytic Rule📦 SolutionAmazon Web ServicesA Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can e...
Changes to AWS Elastic Load Balancer security groupsAnalytic Rule📦 SolutionAmazon Web ServicesElastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. Unwanted changes to Elastic Load ...
Tampering to AWS CloudTrail logsAnalytic Rule📦 SolutionAmazon Web ServicesAttackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge...
Network ACL with all the open ports to a specified CIDRAnalytic Rule📦 SolutionAmazon Web ServicesDetected network ACL with all the ports open to a specified CIDR. This could lead to potential lateral movements or initial access attacks. Make sure to mitigate this risk.
Suspicious overly permissive KMS key policy createdAnalytic Rule📦 SolutionAmazon Web ServicesAn overly permissive key policy was created, resulting in KMS keys where the kms:Encrypt action is accessible to everyone (even outside of the organization). This could mean that your account is compr...
Privilege escalation with AdministratorAccess managed policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on AdministratorAccess managed policy. Attackers could use these events for privilege escalation. Verify these actions with the us...
Privilege escalation with admin managed policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on admin managed policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation with FullAccess managed policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on FullAccess managed policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via CloudFormation policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on CloudFormation policy. Attackers could use these events for privilege escalation. Verify these actions with the user.
Privilege escalation via CRUD DynamoDB policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy by CRUD DynamoDB Policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via CRUD IAM policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy by CRUD IAM policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via CRUD KMS policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy by CRUD KMS policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via CRUD Lambda policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy by CRUD Lambda policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via CRUD S3 policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy by CRUD S3 Policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via DataPipeline policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Datapipeline policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via EC2 policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on EC2 policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via Glue policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Glue policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via Lambda policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Lambda policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Privilege escalation via SSM policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on SSM Policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
RDS instance publicly exposedAnalytic Rule📦 SolutionAmazon Web ServicesDetected publicly exposed RDS instance, which could lead to a leakage of sensitive data.
Successful brute force attack on S3 Bucket.Analytic Rule📦 SolutionAmazon Web ServicesA successful brute force attack on an S3 bucket was detected. Verify these actions, and if needed, remediate the compromise.
S3 bucket access point publicly exposedAnalytic Rule📦 SolutionAmazon Web ServicesDetected S3 bucket publicly exposed via access point, which could lead to sensitive information leakage to the public. Verify the S3 object configurations.
S3 bucket exposed via ACLAnalytic Rule📦 SolutionAmazon Web ServicesDetected S3 bucket publicly exposed via ACL, which could lead for sensitive information leakage to the public. Verify the S3 object configurations.
S3 bucket exposed via policyAnalytic Rule📦 SolutionAmazon Web ServicesDetected S3 bucket publicly exposed via policy, this could lead for sensitive information leakage to the public. Verify the S3 object configurations.
S3 Object Exfiltration from Anonymous UserAnalytic Rule📦 SolutionAmazon Web ServicesIdentify attempted exfiltration of S3 Bucket objects by an anonymous User
S3 object publicly exposedAnalytic Rule📦 SolutionAmazon Web ServicesDetected S3 bucket that's publicly exposed, which could lead to sensitive information leakage to the public. Verify the S3 object configurations.
S3 bucket suspicious ransomware activityAnalytic Rule📦 SolutionAmazon Web ServicesSuspicious S3 bucket activity indicating ransomware was detected. An attacker might download all the objects in a compromised S3 bucket, encrypt them with his own key, then upload them back to the sam...
SAML update identity providerAnalytic Rule📦 SolutionAmazon Web ServicesAttackers could update the SAML provider in order to create unauthorized but valid tokens and represent them to services that trust SAML tokens from the environment. These tokens can then be used to a...
Policy version set to defaultAnalytic Rule📦 SolutionAmazon Web ServicesAn attacker with SetDefaultPolicyVersion permissions could escalate privileges through existing policy versions that are not currently in use. More about this API at https://docs.aws.amazon.com/IAM/la...
SSM document is publicly exposedAnalytic Rule📦 SolutionAmazon Web ServicesDetected a SSM document that is publicly exposed, which could lead to sensitive information leakage to the public. Verify the object configurations.
Suspicious command sent to EC2Analytic Rule📦 SolutionAmazon Web ServicesAn attacker with the necessary permissions could be executing code remotely on a machine and saving the output to his own S3 bucket. Verify this action with the user identity.
Unauthorized EC2 Instance Setup AttemptAnalytic Rule📦 SolutionAmazon Web ServicesA User without access tried to Run an Instance. It might be to launch a malicious Instance in AWS subscription. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusu...
Creation of Access Key for IAM UserAnalytic Rule📦 SolutionAmazon Web ServicesEstablishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniqu...
User IAM EnumerationAnalytic Rule📦 SolutionAmazon Web ServicesDetects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted
NRT Login to AWS Management Console without MFAAnalytic Rule📦 SolutionAmazon Web ServicesMulti-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for admini...
Suspicious AWS CLI Command ExecutionAnalytic Rule📦 SolutionAmazon Web ServicesThis detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.
Suspicious AWS EC2 Compute Resource DeploymentsAnalytic Rule📦 SolutionAmazon Web ServicesThis detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for c...
IAM assume role policy brute forceHunting Query📦 SolutionAmazon Web ServicesSeveral failed "assume role" attempts occurred on existing roles in the account. This could be an attacker trying to escalate privileges and move laterally by assuming roles in a compromised account. ...
Bucket versioning suspendedHunting Query📦 SolutionAmazon Web ServicesDetected Bucket versioning suspended event. Attackers could use this technique to be able to ransom buckets without the option for the victim to have a backup.
New access key created to userHunting Query📦 SolutionAmazon Web ServicesAn attacker with the CreateAccessKey permissions on other users can create an access Key ID and secret access key belonging to another user in the AWS environment for privilege escalation.
CreateLoginProfile detectedHunting Query📦 SolutionAmazon Web ServicesAn attacker could use CreateLoginProfile permissions on other users for privilege escalation by creating a password to a victim user without a login profile to use to login to the AWS Console.
Suspicious EC2 launched without a key pairHunting Query📦 SolutionAmazon Web ServicesAn attacker with limited permissions, or a sophisticated attacker disguising his activity, may have launched an EC2 instance without a key pair, allowing him to execute code on the machine using the U...
ECR image scan findings lowHunting Query📦 SolutionAmazon Web ServicesAWS ECR Image scan detected low severity vulnerabilities in your container image.
ECR image scan findings mediumHunting Query📦 SolutionAmazon Web ServicesAWS ECR image scan detected medium severity vulnerabilities in your container image.
Excessive execution of discovery eventsHunting Query📦 SolutionAmazon Web ServicesSeveral enumeration API calls were executed by the same identity. This could be an attacker trying to enumerate the compromised user/token permissions. Verify with the user identity that this activity...
Failed brute force on S3 bucketHunting Query📦 SolutionAmazon Web ServicesDetected failed brute attempt on S3 bucket. If it is not an anonymous principle, verify with the user.
Multiple failed login attempts to an existing user without MFAHunting Query📦 SolutionAmazon Web ServicesFailed brute force attempt detected on an existing user without MFA configurations.
IAM AccessDenied discovery eventsHunting Query📦 SolutionAmazon Web ServicesThe following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery event...
Changes made to AWS IAM objectsHunting Query📦 SolutionAmazon Web ServicesIdentity and Access Management (IAM) securely manages access to AWS services and resources. This query looks for when an API call is made to change an IAM, particularly those related to new objects be...
Changes made to AWS IAM policyHunting Query📦 SolutionAmazon Web ServicesThis query looks for when an API call is made to change an IAM, particularly those related to new policies being attached to users and roles, as well as changes to access methods and changes to accou...
IAM Privilege Escalation by Instance Profile attachmentHunting Query📦 SolutionAmazon Web ServicesAn instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start. Identifies when existing role is removed and new/existing high ...
Lambda function throttledHunting Query📦 SolutionAmazon Web ServicesDetected Lambda function throttled. Attacker could use this technique to result in Denial of Service. More about this API at https://docs.aws.amazon.com/lambda/latest/dg/API_PutFunctionConcurrency.htm...
Lambda layer imported from external accountHunting Query📦 SolutionAmazon Web ServicesDetected an external account adding lambda layer, which attackers could use to inject a backdoor inside the lambda function. If this is the case, make sure to remove the layer from the function.
Lambda UpdateFunctionCodeHunting Query📦 SolutionAmazon Web ServicesThis analytic is designed to detect an IAM user updating AWS lambda code via AWS CLI to gain persistent, further access into your AWS environment and to facilitate panting backdoors. An attacker may u...
Login profile updatedHunting Query📦 SolutionAmazon Web ServicesAn attacker could use UpdateLoginProfile permissions for privilege escalation by changing the victim user password. More about this API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Updat...
Modification of route-table attributesHunting Query📦 SolutionAmazon Web ServicesAn attacker could modify route-table attributes in order to access resources he couldn't access before.
Modification of subnet attributesHunting Query📦 SolutionAmazon Web ServicesAn attacker could modify subnet attributes in order to access resources he couldn't access before.
Modification of vpc attributesHunting Query📦 SolutionAmazon Web ServicesAn attacker could modify vpc attributesin order to access resources he couldn't access before.
Network ACL deletedHunting Query📦 SolutionAmazon Web ServicesAn attacker could delete a network ACL and gain access to an instance from anywhere. Verify this action with the entity.
New AccessKey created for Root userHunting Query📦 SolutionAmazon Web ServicesAttackers with the CreateAccessKey permissions for other users can create an access Key ID and secret access key belonging to another user in the AWS environment for privilege escalation.
CreatePolicyVersion with excessive permissionsHunting Query📦 SolutionAmazon Web ServicesA policy with excessive permissions detected. Attacker could use that policy to escalate privileges and for malicious activities. Verify the policy creation with the entity.
Privileged role attached to InstanceHunting Query📦 SolutionAmazon Web ServicesIdentity and Access Management (IAM) securely manages access to AWS services and resources. Identifies when a Privileged role is attached to an existing instance or new instance at deployment. This i...
RDS instance master password changedHunting Query📦 SolutionAmazon Web ServicesDetected change of the RDS Master password. Verify if this was intentional, or if it was caused by a malicious actor.
Risky role name createdHunting Query📦 SolutionAmazon Web ServicesDetections of risky role names could indicate that a malicious framework was executed in your environment.
S3 bucket has been deletedHunting Query📦 SolutionAmazon Web ServicesDetected deletion of a S3 bucket. An attacker could delete S3 objects for impact and Denail of service purposes.
S3 bucket encryption modifiedHunting Query📦 SolutionAmazon Web ServicesDetected modification of bucket encryption. An attacker could modify encryption of existing buckets for denial of service attacks.
Suspicious activity of STS token related to EC2Hunting Query📦 SolutionAmazon Web ServicesSuspicious activity of the STS token of an EC2 machine hosted by ECS (for example, by SSRF) indicates a possible token hijacking. An attacker may have stolen the token and could abuse its permissions ...
Suspicious activity of STS token related to ECSHunting Query📦 SolutionAmazon Web ServicesSuspicious activity of the STS token of an EC2 machine hosted by ECS (for example, by SSRF) indicates a possible token hijacking. An attacker may have stolen the token and could abuse its permissions ...
Suspicious activity of STS token related to GlueHunting Query📦 SolutionAmazon Web ServicesSuspicious activity of the STS token of a Glue endpoint machine hosted by ECS (for example, by SSRF) indicates a possible token hijacking. An attacker may have stolen the token and could abuse its per...
Suspicious activity of STS Token related to Kubernetes worker nodeHunting Query📦 SolutionAmazon Web ServicesSuspicious activity of the STS token of an EC2 machine hosted by EKS (for example, by SSRF) indicates a possible token hijacking. An attacker may have stolen the token and could abuse its permissions ...
Suspicious activity of STS token related to LambdaHunting Query📦 SolutionAmazon Web ServicesSuspicious activity of the STS token of a Lambda function (for example, by SSRF) indicates a possible token hijacking. An attacker may have stolen the token and could abuse its permissions to escalate...
Suspicious credential token access of valid IAM RolesHunting Query📦 SolutionAmazon Web ServicesAdversaries may generate temporary credentials of existing privileged IAM roles to access AWS resources that were not previously accessible to perform malicious actions. The credentials may be generat...
Unused or Unsupported Cloud RegionsHunting Query📦 SolutionAmazon Web ServicesAdversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. R...
AmazonWebServicesNetworkActivitiesWorkbook📦 SolutionAmazon Web Services
AmazonWebServicesUserActivitiesWorkbook📦 SolutionAmazon Web Services
Anvilogic AlertAnalytic Rule📦 SolutionAnvilogicAlert generated by Anvilogic.
Azure WAF matching for Log4j vuln(CVE-2021-44228) | Analytic Rule | 📦 Solution: Apache Log4j Vulnerability Detection | This query will alert on a positive pattern match by Azure WAF for a CVE-2021-44228 (log4j) exploitation attempt. If possible, it then decodes the malicious command for further analysis. Re...
Vulnerable Machines related to log4j CVE-2021-44228 | Analytic Rule | 📦 Solution: Apache Log4j Vulnerability Detection | This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in many Java-ba...
Log4j vulnerability exploit aka Log4Shell IP IOC | Analytic Rule | 📦 Solution: Apache Log4j Vulnerability Detection | Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?na...
User agent search for log4j exploitation attempt | Analytic Rule | 📦 Solution: Apache Log4j Vulnerability Detection | This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempts based on user agent patterns. Log4j is an open-source Apache logging library that is use...
Possible exploitation of Apache log4j component detected | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | Query detects the remote code execution vulnerability in the Log4j component of Apache. Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and e...
Suspicious Base64 download activity detected | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | Query detects Base64-obfuscated scripts for malicious file execution. This technique is used by attackers to exploit a remote code execution vulnerability in Apache Log4j while evading detection.
Possible Container Miner related artifacts detected | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | Query uses syslog data to alert on artifacts from container images used in digital cryptocurrency mining, often seen post Log4j vulnerability (CVE-2021-44228) exploitation.
Suspicious manipulation of firewall detected via Syslog data | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | This query searches for any suspicious manipulation of the firewall, often performed by attackers after exploiting the remote code execution vulnerability in the Log4j component of Apache for C2 communications or ...
Possible Linux attack toolkit detected via Syslog data | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | This query searches for usage of attack toolkits associated with mass scanning or exploitation of the remote code execution vulnerability in the Log4j component of Apache.
Malicious Connection to LDAP port for CVE-2021-44228 vulnerability | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | This query detects exploitation attempts for the CVE-2021-44228 log4j vulnerability by looking for connections to default LDAP ports.
Network Connection to New External LDAP Server | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | This query detects outbound network connections using the LDAP protocol to external IP addresses that have not had an LDAP network connection in the past 14 days. This could indicate exploitation of C...
Linux security related process termination activity detected | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | This query alerts on attempts to terminate security monitoring processes on the host. Attackers often try to terminate such processes post-compromise, for example after exploiting the Log4j vulnerability.
Suspicious Shell script detected | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | This query detects post-compromise suspicious shell scripts that attackers use for downloading and executing malicious files. This technique is often used by attackers and was recently used to exploit...
Azure WAF Log4j CVE-2021-44228 hunting | Hunting Query | 📦 Solution: Apache Log4j Vulnerability Detection | This hunting query searches for possible exploitation attempts for the CVE-2021-44228 log4j vulnerability in Azure Web Application Firewall logs.
Log4jImpactAssessment | Workbook | 📦 Solution: Apache Log4j Vulnerability Detection
Log4jPostCompromiseHunting | Workbook | 📦 Solution: Apache Log4j Vulnerability Detection
Log4jIndicatorProcessor | Playbook | 📦 Solution: Apache Log4j Vulnerability Detection | These playbooks automate the ingest of threat indicators into the ThreatIntelligenceIndicator table of a Microsoft Sentinel workspace. Sample data for Log4j IOCs can be found at https://raw.githubuser...
Apache - Command in URI | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects commands in the URI.
Apache - Apache 2.4.49 flaw CVE-2021-41773 | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects use of the Apache 2.4.49 flaw CVE-2021-41773.
Apache - Known malicious user agent | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects known malicious user agents.
Apache - Multiple client errors from single IP | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects multiple client errors from one source in a short timeframe.
Apache - Multiple server errors from single IP | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects multiple server errors from one source in a short timeframe.
Apache - Private IP in URL | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects requests to unusual URLs.
Apache - Put suspicious file | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects PUT or POST of a suspicious file.
Apache - Request from private IP | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects requests from a private IP.
Apache - Requests to rare files | Analytic Rule | 📦 Solution: ApacheHTTPServer | Shows requests to rare files.
Apache - Request to sensitive files | Analytic Rule | 📦 Solution: ApacheHTTPServer | Detects requests to sensitive files.
Apache - Top files requested with errors | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows a list of files with error requests.
Apache - Top files requested | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows a list of files requested.
Apache - Rare files requested | Hunting Query | 📦 Solution: ApacheHTTPServer | Query detects rare files requested.
Apache - Rare user agents with client errors | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows rare user agent strings with client errors.
Apache - Rare URLs requested | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows rare URLs requested.
Apache - Rare user agents | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows rare user agents.
Apache - Requests to unexisting files | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows a list of requests to non-existent files.
Apache - Unexpected Post Requests | Hunting Query | 📦 Solution: ApacheHTTPServer | Query detects unexpected POST requests.
Apache - Top URLs with client errors | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows a list of URLs with client errors.
Apache - Top URLs with server errors | Hunting Query | 📦 Solution: ApacheHTTPServer | Query shows a list of URLs with server errors.
ApacheHTTPServer | Workbook | 📦 Solution: ApacheHTTPServer
ApacheHTTPServer | Parser | 📦 Solution: ApacheHTTPServer
ARGOS Cloud Security - Exploitable Cloud Resources | Analytic Rule | 📦 Solution: ARGOSCloudSecurity | Exploitable Cloud Security Issues are ones that expose cloud resources to the internet and allow initial access to your environment.
ARGOSCloudSecurityWorkbook | Workbook | 📦 Solution: ARGOSCloudSecurity
Awake Security - High Match Counts By Device | Analytic Rule | 📦 Solution: AristaAwakeSecurity | This query searches for devices with an unexpectedly large number of activity matches.
Awake Security - High Severity Matches By Device | Analytic Rule | 📦 Solution: AristaAwakeSecurity | This query searches for devices with high severity event(s).
Awake Security - Model With Multiple Destinations | Analytic Rule | 📦 Solution: AristaAwakeSecurity | This query searches for devices with multiple possibly malicious destinations.
AristaAwakeSecurityWorkbook | Workbook | 📦 Solution: AristaAwakeSecurity
Armis Update Alert Status | Playbook | 📦 Solution: Armis | The Armis Update Alert Status playbook is responsible for updating the alert status from Microsoft Sentinel to the Armis portal.
ArmisActivities | Parser | 📦 Solution: Armis
ArmisAlerts | Parser | 📦 Solution: Armis
ArmisDevice | Parser | 📦 Solution: Armis
Armorblox Needs Review Alert | Analytic Rule | 📦 Solution: Armorblox | This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".
ArmorbloxOverview | Workbook | 📦 Solution: Armorblox
Needs-Review-Incident-Email-Notification | Playbook | 📦 Solution: Armorblox | This playbook will send an email notification when a new incident is created in Microsoft Sentinel.
ArubaClearPass | Parser | 📦 Solution: Aruba ClearPass
ConfluenceAudit | Parser | 📦 Solution: AtlassianConfluenceAudit
Jira - Global permission added | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when a global permission is added.
Jira - New site admin user | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects a new site admin user.
Jira - New user created | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when a new user was created.
Jira - Permission scheme updated | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when a permission scheme was updated.
Jira - Project roles changed | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when project roles were changed.
Jira - User's password changed multiple times | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when a user's password was changed multiple times from different IP addresses.
Jira - User removed from group | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when a user was removed from a group.
Jira - User removed from project | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when a user was removed from a project.
Jira - Workflow scheme copied | Analytic Rule | 📦 Solution: AtlassianJiraAudit | Detects when a workflow scheme was copied.
Jira - Blocked tasks | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for blocked tasks.
Jira - New users | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for newly created users.
Jira - Project versions released | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for released project versions.
Jira - Updated projects | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for updated projects.
Jira - Project versions | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for project versions.
Jira - Updated users | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for updated users.
Jira - Updated workflows | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for updated workflows.
Jira - Updated workflow schemes | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for updated workflow schemes.
Jira - Users' IP addresses | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for users' IP addresses.
Jira - Workflow schemes added to projects | Hunting Query | 📦 Solution: AtlassianJiraAudit | Query searches for workflow schemes added to projects.
AtlassianJiraAudit | Workbook | 📦 Solution: AtlassianJiraAudit
Sync Jira to Sentinel - public comments | Playbook | 📦 Solution: AtlassianJiraAudit | This playbook will sync the public comments from JIRA to Microsoft Sentinel.
Create And Update Jira Issue | Playbook | 📦 Solution: AtlassianJiraAudit | This playbook will create or update an incident in Jira. When an incident is created, the playbook will run and create an issue in Jira. When an incident is updated, the playbook will run and add an update to the comment sectio...
Sync Jira to Sentinel - Assigned User | Playbook | 📦 Solution: AtlassianJiraAudit | This playbook will sync the assigned user from JIRA to Microsoft Sentinel.
Sync Jira from Sentinel - Create incident | Playbook | 📦 Solution: AtlassianJiraAudit | This playbook will create a JIRA incident for every Microsoft Sentinel incident that is created. It includes additional information such as tactics, affected user, etc.
Sync Jira to Sentinel - Status | Playbook | 📦 Solution: AtlassianJiraAudit | This playbook will sync the status from JIRA to Microsoft Sentinel.
Create Jira Issue alert-trigger | Playbook | 📦 Solution: AtlassianJiraAudit | This playbook will open a Jira issue when a new incident is opened in Microsoft Sentinel.
Create Jira Issue incident-trigger | Playbook | 📦 Solution: AtlassianJiraAudit | This playbook will open a Jira issue when a new incident is opened in Microsoft Sentinel.
JiraAudit | Parser | 📦 Solution: AtlassianJiraAudit
Probable AdFind Recon Tool Usage | Analytic Rule | 📦 Solution: Attacker Tools Threat Protection Essentials | This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.
Credential Dumping Tools - Service Installation | Analytic Rule | 📦 Solution: Attacker Tools Threat Protection Essentials | This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.
Credential Dumping Tools - File Artifacts | Analytic Rule | 📦 Solution: Attacker Tools Threat Protection Essentials | This query detects the creation of credential dumping tool files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/
Powershell Empire Cmdlets Executed in Command Line | Analytic Rule | 📦 Solution: Attacker Tools Threat Protection Essentials | This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.
Cobalt Strike DNS Beaconing | Hunting Query | 📦 Solution: Attacker Tools Threat Protection Essentials | Cobalt Strike is a well-known penetration testing tool used by pen testers and attackers alike to compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike...
Potential Impacket Execution | Hunting Query | 📦 Solution: Attacker Tools Threat Protection Essentials | This hunting query identifies execution of the Impacket tool. Impacket is a popular tool used by attackers for remote service execution, Kerberos manipulation and Windows credential dumping.
AusCtisExportTaggedIndicators | Playbook | 📦 Solution: Australian Cyber Security Centre | This playbook gets triggered every hour and performs the following actions: 1. Get all the threat intelligence indicators from the Microsoft Sentinel workspace with the given tag. 2. Filter all the indicators ...
Auth0 | Parser | 📦 Solution: Auth0
Auth0AM | Parser | 📦 Solution: Auth0
Access to AWS without MFA | Analytic Rule | 📦 Solution: Authomize | This detects users with access to AWS (IAM or federated via Okta) without MFA enabled. This is a default definition by Authomize and can be updated using the edit modal.
Admin password not updated in 30 days | Analytic Rule | 📦 Solution: Authomize | The policy detects an administrative account where the password of the account was not updated in the last 30 days.
Admin SaaS account detected | Analytic Rule | 📦 Solution: Authomize | The rule detects internal admin accounts; it is recommended to review any new administrative permission.
AWS role with admin privileges | Analytic Rule | 📦 Solution: Authomize | The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts.
AWS role with shadow admin privileges | Analytic Rule | 📦 Solution: Authomize | The policy detects the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts.
Lateral Movement Risk - Role Chain Length | Analytic Rule | 📦 Solution: Authomize | The policy detects chains of more than 3 roles in the account; this is a misconfiguration that can enable lateral movement.
Detect AWS IAM Users | Analytic Rule | 📦 Solution: Authomize | The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit m...
Empty group with entitlements | Analytic Rule | 📦 Solution: Authomize | The rule detects empty groups with entitlements.
IaaS admin detected | Analytic Rule | 📦 Solution: Authomize | The policy detects admin users in AWS or Azure.
IaaS policy not attached to any identity | Analytic Rule | 📦 Solution: Authomize | The rule detects AWS policies that are not attached to any identities, meaning they can be deleted.
IaaS shadow admin detected | Analytic Rule | 📦 Solution: Authomize | The policy detects shadow admin users in AWS or Azure.
New direct access policy was granted against organizational policy | Analytic Rule | 📦 Solution: Authomize | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versi...
New service account gained access to IaaS resource | Analytic Rule | 📦 Solution: Authomize | This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
Password Exfiltration over SCIM application | Analytic Rule | 📦 Solution: Authomize | This rule detects suspicious sync events that occurred to applications using SCIM for user provisioning.
Privileged Machines Exposed to the Internet | Analytic Rule | 📦 Solution: Authomize | These are AWS EC2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
Refactor AWS policy based on activities in the last 60 days | Analytic Rule | 📦 Solution: Authomize | This is a recommended update to an IAM policy on AWS. Review the policy and apply it according to your change control process. Authomize will have a recommended policy to be downloaded.
Stale AWS policy attachment to identity | Analytic Rule | 📦 Solution: Authomize | The policy detects 'AWS policies' attached to IAM users or roles that have not used them during the last X days. It is recommended to remove unused policies from identities to reduce risk.
Stale IAAS policy attachment to role | Analytic Rule | 📦 Solution: Authomize | The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.
Unused IaaS Policy | Analytic Rule | 📦 Solution: Authomize | The policy detects 'IaaS policies' that no one in the account has been using during the last X days.
User assigned to a default admin role | Analytic Rule | 📦 Solution: Authomize | The policy detects users that were assigned to one of the system's default admin roles.
User without MFA | Analytic Rule | 📦 Solution: Authomize | The policy detects user accounts without multi-factor authentication.
Admin SaaS account detected | Hunting Query | 📦 Solution: Authomize | Detects internal admin accounts; it is recommended to review any new administrative permission.
Lateral Movement Risk - Role Chain Length | Hunting Query | 📦 Solution: Authomize | Detects chains of more than 3 roles in the account; this is a misconfiguration that can enable lateral movement.
IaaS admin detected | Hunting Query | 📦 Solution: Authomize | Detects admin users in AWS or Azure.
IaaS shadow admin detected | Hunting Query | 📦 Solution: Authomize | Detects shadow admin users in AWS or Azure.
Password Exfiltration over SCIM application | Hunting Query | 📦 Solution: Authomize | Detects suspicious sync events that occurred to applications using SCIM for user provisioning.
Privileged Machines Exposed to the Internet | Hunting Query | 📦 Solution: Authomize | Detects AWS instances which are exposed to the internet and can assume privileged roles. This is a default definition by Authomize and can be updated using the edit modal.
Authomize | Workbook | 📦 Solution: Authomize
AWSALBAccessLogsData | Parser | 📦 Solution: AWS ELB
AWSELBFlowLogsData | Parser | 📦 Solution: AWS ELB
AWSNLBAccessLogsData | Parser | 📦 Solution: AWS ELB
AWS Security Hub - Detect CloudTrail trails lacking KMS encryption | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects AWS CloudTrail trails that are not configured to use server-side encryption with a customer managed KMS key, using AWS Security Hub control CloudTrail.2 findings. Unencrypted CloudT...
AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports, using AWS Security Hub control EC2.19 findings. Publicly exposed management, database, and...
AWS Security Hub - Detect IAM Policies allowing full administrative privileges | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1. Overly permissive policies increase the risk of privilege escalation...
AWS Security Hub - Detect root user lacking MFA | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects AWS accounts where the root user does not have multi-factor authentication (MFA) enabled, using AWS Security Hub control IAM.9 findings. Lack of MFA on the root user increases the r...
AWS Security Hub - Detect IAM root user Access Key existence | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects AWS Security Hub control IAM.4 findings indicating that an AWS account root user Access Key exists. A root user Access Key presents a high risk of privilege abuse and should be remo...
AWS Security Hub - Detect SQS Queue lacking encryption at rest | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects Amazon SQS queues without server-side encryption at rest enabled, using AWS Security Hub control SQS.1 findings. Lack of encryption for SQS queues can expose sensitive message conte...
AWS Security Hub - Detect SQS Queue policy allowing public access | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings. Publicly accessible q...
AWS Security Hub - Detect SSM documents public sharing enabled | Analytic Rule | 📦 Solution: AWS Security Hub | This query detects AWS accounts where public sharing of SSM documents is enabled, using AWS Security Hub control SSM.7 findings. Allowing public sharing of SSM documents can expose automation content and enable unauth...
AWS Security Hub - CloudTrail trails without log file validation | Hunting Query | 📦 Solution: AWS Security Hub | This query finds CloudTrail trails with log file validation disabled, using AWS Security Hub findings.
AWS Security Hub - EC2 instances with public IPv4 address | Hunting Query | 📦 Solution: AWS Security Hub | This query finds EC2 instances that have a public IPv4 address, using AWS Security Hub findings (control EC2.9).
AWS Security Hub - IAM users with console password and no MFA | Hunting Query | 📦 Solution: AWS Security Hub | This query identifies IAM users in AWS Security Hub findings (control IAM.5) who have a console password but do not have multi-factor authentication (MFA) enabled.
AWS Systems Manager - Get Missing Patches for EC2 Instances | Playbook | 📦 Solution: AWS Systems Manager | When an incident is created in Microsoft Sentinel, this playbook gets triggered and performs the following actions: 1. Get the Hostnames and Private IP addresses from incident entities. 2. Get the Inst...
AWS Systems Manager - Get Missing Patches for EC2 Instances for given Hostname | Playbook | 📦 Solution: AWS Systems Manager | The playbook can be triggered manually from a Host Entity to get the missing patches on a managed EC2 instance. This playbook performs the following actions: 1. Get the Hostname from the Host Entity. ...
AWS Systems Manager - Get Missing Patches for EC2 Instances for given Private IP | Playbook | 📦 Solution: AWS Systems Manager | The playbook can be triggered manually from an IP Entity to get the missing patches on a managed EC2 instance. This playbook performs the following actions: 1. Get the Private IP from the IP Entity. 2. G...
AWS Systems Manager - Run Automation Runbook | Playbook | 📦 Solution: AWS Systems Manager | When a new Sentinel incident is created, this playbook gets triggered and runs the specified AWS Systems Manager Automation Runbook. The playbook will wait for the runbook execution to complete and th...
AWS Systems Manager - Stop Managed EC2 Instances | Playbook | 📦 Solution: AWS Systems Manager | This playbook can be used by SOC analysts to stop malicious or compromised EC2 instances in AWS. This playbook uses the AWS Systems Manager API to stop the EC2 instances. The playbook can be triggered fro...
AWS Systems Manager - Stop Managed EC2 Instances Host Entity Trigger | Playbook | 📦 Solution: AWS Systems Manager | This playbook can be used by SOC analysts to stop malicious or compromised EC2 instances in AWS. The playbook can be triggered from a Host entity context in an incident. The playbook takes the Hostnam...
AWS Systems Manager - Stop Managed EC2 Instances IP Entity Trigger | Playbook | 📦 Solution: AWS Systems Manager | This playbook can be used by SOC analysts to stop malicious or compromised EC2 instances in AWS. The playbook can be triggered from an IP entity context in an incident. The playbook takes the private ...
AWS - Disable S3 Bucket Public Access | Playbook | 📦 Solution: AWS_IAM | This playbook disables public access on an AWS S3 bucket. It is triggered by an incident in Microsoft Sentinel and performs the following actions: 1. Get the Bucket Name from incident entities. 2. Call the A...
AWS IAM - Add tag to user | Playbook | 📦 Solution: AWS_IAM | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. [Adds tag](https://docs.aws.amazon.com/IAM/lates...
AWS IAM - Delete access keys | Playbook | 📦 Solution: AWS_IAM | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. [Get list of access keys](https://docs.aws.amazo...
AWS IAM - Enrich incident with user info | Playbook | 📦 Solution: AWS_IAM | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Obtains information about users in AWS IAM. 3. A...
AWS Athena - Execute Query and Get Results | Playbook | 📦 Solution: AWSAthena | When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. It executes the query specified during playbook setup on the given database. 2. Downloads the q...
Microsoft Entra ID Hybrid Health AD FS New ServerAnalytic Rule📦 SolutionAzure ActivityThis detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service. A threat actor can create...
Microsoft Entra ID Hybrid Health AD FS Service DeleteAnalytic Rule📦 SolutionAzure ActivityThis detection uses AzureActivity logs (Administrative category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD ...
Microsoft Entra ID Hybrid Health AD FS Suspicious ApplicationAnalytic Rule📦 SolutionAzure ActivityThis detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to an Microsoft Entra ID Hybrid Health AD FS service or deleting the AD F...
Suspicious number of resource creation or deployment activitiesAnalytic Rule📦 SolutionAzure ActivityIndicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. This query generates the baseline pattern of cloud resource creation by an individ...
Creation of expensive computes in AzureAnalytic Rule📦 SolutionAzure ActivityIdentifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or...
Suspicious granting of permissions to an accountAnalytic Rule📦 SolutionAzure ActivityIdentifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
Azure Machine Learning Write OperationsAnalytic Rule📦 SolutionAzure ActivityShows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addr...
New CloudShell UserAnalytic Rule📦 SolutionAzure ActivityIdentifies when a user creates an Azure CloudShell for the first time. Monitor this activity to ensure only the expected users are using CloudShell.
Suspicious Resource deploymentAnalytic Rule📦 SolutionAzure ActivityIdentifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller.
NRT Microsoft Entra ID Hybrid Health AD FS New ServerAnalytic Rule📦 SolutionAzure ActivityThis detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service. A threat actor can create...
NRT Creation of expensive computes in AzureAnalytic Rule📦 SolutionAzure ActivityIdentifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or...
Rare subscription-level operations in AzureAnalytic Rule📦 SolutionAzure ActivityThis query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example, this monitors for the operation name 'Create or Update Snapshot', which is used for creating b...
Subscription moved to another tenantAnalytic Rule📦 SolutionAzure ActivityThis detection uses AzureActivity logs (Security category) to identify when a subscription is moved to another tenant. A threat actor may move a subscription into their own tenant to circumvent local ...
Mass Cloud resource deletions Time Series AnomalyAnalytic Rule📦 SolutionAzure ActivityThis query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users cou...
Microsoft Sentinel Analytics Rules Administrative OperationsHunting Query📦 SolutionAzure ActivityIdentifies Microsoft Sentinel Analytics Rules administrative operations
Anomalous Azure Operation Hunting ModelHunting Query📦 SolutionAzure ActivityThis query identifies Azure Operation anomalies during threat hunts. It detects new callers, IPs, IP ranges, and anomalous operations. Initially set for Run Command operations, it can be configured fo...
Azure storage key enumerationHunting Query📦 SolutionAzure ActivityAzure's storage key listing can expose secrets, PII, and grant VM access. Monitoring for anomalous accounts or IPs is crucial. The query generates IP clusters, correlates activities, and flags unexpec...
AzureActivity Administration From VPS ProvidersHunting Query📦 SolutionAzure ActivityLooks for administrative actions in AzureActivity from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed...
Azure Network Security Group NSG Administrative OperationsHunting Query📦 SolutionAzure ActivityIdentifies a set of Azure NSG administrative and operational detection queries for hunting activities.
Azure VM Run Command executed from Azure IP addressHunting Query📦 SolutionAzure ActivityIdentifies any Azure VM Run Command operation executed from an Azure IP address. Run Command allows an attacker or legitimate user to execute arbitrary PowerShell on a target VM. This technique has be...
Microsoft Sentinel Connectors Administrative OperationsHunting Query📦 SolutionAzure ActivityIdentifies a set of Microsoft Sentinel Data Connectors for administrative and operational detection queries for hunting activities.
Microsoft Sentinel Workbooks Administrative OperationsHunting Query📦 SolutionAzure ActivityIdentifies set of Microsoft Sentinel Workbooks administrative operational detection queries for hunting activites
Azure Virtual Network Subnets Administrative OperationsHunting Query📦 SolutionAzure ActivityIdentifies a set of Azure Virtual Network Subnets for administrative and operational detection queries for hunting activities.
Common deployed resourcesHunting Query📦 SolutionAzure ActivityThis query identifies common deployed resources in Azure, like resource names and groups. It can be used with other suspicious deployment signals to evaluate if a resource is commonly deployed or uniq...
Creation of an anomalous number of resourcesHunting Query📦 SolutionAzure ActivityLooks for anomalous number of resources creation or deployment activities in azure activity log. It is best to run this query on a look back period which is at least 7 days.
Granting permissions to accountHunting Query📦 SolutionAzure ActivityShows the most prevalent users who grant access to others on Azure resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be wo...
Azure Machine Learning Write OperationsHunting Query📦 SolutionAzure ActivityShows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addr...
Port opened for an Azure ResourceHunting Query📦 SolutionAzure ActivityIdentifies what ports may have been opened for a given Azure Resource over the last 7 days
Rare Custom Script ExtensionHunting Query📦 SolutionAzure ActivityThe Custom Script Extension in Azure executes scripts on VMs, useful for post-deployment tasks. Scripts can be from various sources and could be used maliciously. The query identifies rare custom scri...
AzureActivityWorkbook📦 SolutionAzure Activity
AzureServiceHealthWorkbookWorkbook📦 SolutionAzure Activity
Palo Alto - potential beaconing detectedAnalytic Rule📦 SolutionAzure Cloud NGFW By Palo Alto NetworksIdentifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with to...
CloudNGFW By Palo Alto Networks - possible internal to external port scanningAnalytic Rule📦 SolutionAzure Cloud NGFW By Palo Alto NetworksIdentifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an "app = incomplete" designat...
CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addressesAnalytic Rule📦 SolutionAzure Cloud NGFW By Palo Alto NetworksIdentifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft....
Palo Alto - high-risk portsHunting Query📦 SolutionAzure Cloud NGFW By Palo Alto NetworksIdentifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks. Consider updating the firewall policies to block ...
Palo Alto - potential beaconing detectedHunting Query📦 SolutionAzure Cloud NGFW By Palo Alto NetworksIdentifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns. Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-i...
CloudNGFW-NetworkThreatWorkbook📦 SolutionAzure Cloud NGFW By Palo Alto Networks
CloudNGFW-OverviewWorkbook📦 SolutionAzure Cloud NGFW By Palo Alto Networks
DDoS Attack IP Addresses - Percent ThresholdAnalytic Rule📦 SolutionAzure DDoS ProtectionIdentifies IP addresses that generate over 5% of traffic during DDoS attack mitigation
DDoS Attack IP Addresses - PPS ThresholdAnalytic Rule📦 SolutionAzure DDoS ProtectionIdentifies IP addresses that generate a maximal traffic rate over 10k PPS during DDoS attack mitigation
AzDDoSStandardWorkbookWorkbook📦 SolutionAzure DDoS Protection
Abnormal Deny Rate for Source IPAnalytic Rule📦 SolutionAzure FirewallIdentifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, ...
Abnormal Port to ProtocolAnalytic Rule📦 SolutionAzure FirewallIdentifies communication for well known protocol over a non-standard port based on learning period activity. This can indicate malicious communication (C2) or exfiltration by attackers trying to commu...
DDoS attack detectedAnalytic Rule📦 SolutionAzure FirewallIdentifies DDoS attack in Azure Firewall IDPS logs.
Elevation of Privilege attempt detectedAnalytic Rule📦 SolutionAzure FirewallIdentifies Elevation of Privilege attempts in Azure Firewall IDPS logs.
High severity malicious activity detectedAnalytic Rule📦 SolutionAzure FirewallIdentifies high severity malicious activity in Azure Firewall IDPS logs.
Medium severity malicious activity detectedAnalytic Rule📦 SolutionAzure FirewallIdentifies medium severity malicious activity in Azure Firewall IDPS logs.
Multiple Sources Affected by the Same TI DestinationAnalytic Rule📦 SolutionAzure FirewallIdentifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group. Configurable Parameter...
Port ScanAnalytic Rule📦 SolutionAzure FirewallIdentifies a source IP scanning multiple open ports on Azure Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be comprom...
Port SweepAnalytic Rule📦 SolutionAzure FirewallIdentifies a source IP scanning the same open ports across the Azure Firewall IPs. This can indicate malicious scanning of ports by an attacker, trying to reveal IPs with specific ports open in the organizatio...
Web Application attack detectedAnalytic Rule📦 SolutionAzure FirewallIdentifies Web application attack in Azure Firewall IDPS logs.
Several deny actions registeredAnalytic Rule📦 SolutionAzure FirewallIdentifies an attack pattern in which an attacker tries to move, or scan, from resource to resource on the network, and creates an incident when a source has more than 1 registered deny action in Azure Firewall.
First Time Source IP to Destination Using PortHunting Query📦 SolutionAzure FirewallIdentifies the first time a source IP communicates with a destination using a specific port based on learning period activity. Configurable Parameters: - Learning period time - learning period for th...
First Time Source IP to DestinationHunting Query📦 SolutionAzure FirewallIdentifies the first time a source IP communicates with a destination based on a configurable learning period. Configurable Parameters: - Learning period time - learning period for threshold calculati...
Source IP Abnormally Connects to Multiple DestinationsHunting Query📦 SolutionAzure FirewallIdentifies source IP that abnormally connects to multiple destinations according to learning period activity. This can indicate initial access attempts by attackers, trying to jump between different m...
Uncommon Port for OrganizationHunting Query📦 SolutionAzure FirewallIdentifies abnormal ports used in the organization based on learning period activity. This can indicate an exfiltration attack or C2 control from machines in the organization by using a new port that has...
Uncommon Port to IPHunting Query📦 SolutionAzure FirewallIdentifies abnormal ports used by machines to connect to a destination IP based on learning period activity. This can indicate exfiltration attack or C2 control from machines in the organization by us...
AzureFirewallWorkbook-StructuredLogsWorkbook📦 SolutionAzure Firewall
AzureFirewallWorkbookWorkbook📦 SolutionAzure Firewall
Azure Firewall - Add IP Address to Threat Intel Allow listPlaybook📦 SolutionAzure FirewallThis playbook allows the SOC to automatically respond to Microsoft Sentinel incidents that include IPs, by adding the IPs to the TI Allow list in Azure Firewall Policy.
BlockIP-Azure Firewall New RulePlaybook📦 SolutionAzure FirewallThis playbook uses the Azure Firewall connector to add IP Address to the Deny Network Rules collection based on the Microsoft Sentinel Incident
Block IP - Azure Firewall IP groupsPlaybook📦 SolutionAzure FirewallThis playbook allows blocking/allowing IPs in Azure Firewall. It allows making changes to IP groups, which are attached to rules, instead of making direct changes to Azure Firewall. It also allows usin...
Block IP - Azure Firewall IP groups - Entity triggerPlaybook📦 SolutionAzure FirewallThis playbook interacts with relevant stakeholders, such as the incident response team, to approve blocking/allowing IPs in Azure Firewall. The playbook also involves TI statistics from VirusTotal. It allows to ...
BlockIP-Azure Firewall New Rule - Entity triggerPlaybook📦 SolutionAzure FirewallThis playbook uses the Azure Firewall connector to add IP Address to the Deny Network Rules collection based on the Microsoft Sentinel Incident
Mass secret retrieval from Azure Key VaultAnalytic Rule📦 SolutionAzure Key VaultIdentifies mass secret retrieval from Azure Key Vault observed by a single user. Mass secret retrieval crossing a certain threshold is an indication of credential dump operations or mis-configured app...
Sensitive Azure Key Vault operationsAnalytic Rule📦 SolutionAzure Key VaultIdentifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. Any Backup operations should match w...
NRT Sensitive Azure Key Vault operationsAnalytic Rule📦 SolutionAzure Key VaultIdentifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. Any Backup operations should match w...
Azure Key Vault access TimeSeries anomalyAnalytic Rule📦 SolutionAzure Key VaultIdentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations f...
AzureKeyVaultWorkbookWorkbook📦 SolutionAzure Key Vault
Determine users with cluster admin roleHunting Query📦 SolutionAzure kubernetes ServiceThis query determines the cluster-admin role assigned to users and applied to resources across the entire cluster.
Azure RBAC AKS created role detailsHunting Query📦 SolutionAzure kubernetes ServiceQuery gets the details of roles created for kube-audit.
AksSecurityWorkbook📦 SolutionAzure kubernetes Service
Credential errors stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When Brute Force attacks are attempted, majority...
Firewall errors stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When an attacker attempts to scan or gain access to...
Syntax errors stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When blind type of attacks are performed (such a...
Drop attempts stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to drop tables or databases (e.g. for data van...
Execution attempts stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to execute shell commands (e.g. for running il...
Firewall rule manipulation attempts stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to manipulate firewall rules (e.g. for allowin...
OLE object manipulation attempts stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to manipulate OLE objects (e.g. for running ma...
Outgoing connection attempts stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelThis query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to access external sites or resources (e.g. fo...
Affected rows stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelGoal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection i...
Response rows stateful anomaly on databaseAnalytic Rule📦 SolutionAzure SQL Database solution for sentinelGoal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database. The calculation is made ...
Anomalous Query Execution TimeHunting Query📦 SolutionAzure SQL Database solution for sentinelThis hunting query will detect SQL queries that have affected an unusual number of rows for the given user and application combination. It will calculate the prevalence for each row count impacted to ...
Boolean Blind SQL InjectionHunting Query📦 SolutionAzure SQL Database solution for sentinelThis hunting query will detect instances where a balanced boolean query, e.g. "true=true", is observed in an SQL query sent to the server. Balanced boolean queries are commonly used by attackers to te...
Anomalous Query Execution TimeHunting Query📦 SolutionAzure SQL Database solution for sentinelThis hunting query will detect SQL queries that took an unusually long period of time to execute based on a calculated average execution time. The query groups based on the application and the usernam...
Prevalence Based SQL Query Size AnomalyHunting Query📦 SolutionAzure SQL Database solution for sentinelApplications using SQL will generally make repeated similar requests for data as users interact with the application. This hunting query will find instances where an unusual number of tokens have been...
Suspicious SQL Stored ProceduresHunting Query📦 SolutionAzure SQL Database solution for sentinelThis hunting query will detect SQL queries where suspicious stored procedures are called. Suspicious procedures included in the query are based on data seen by the MSTIC Deception honeypot.
Time Based SQL Query Size AnomalyHunting Query📦 SolutionAzure SQL Database solution for sentinelThis hunting query uses series decompose anomaly to identify periods of time where a given user account and application combination is used to send an anomalous number of parameters or SQL query token...
Affected rows stateful anomaly on database - hunting queryHunting Query📦 SolutionAzure SQL Database solution for sentinelGoal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. This is a hunti...
Response rows stateful anomaly on database - hunting queryHunting Query📦 SolutionAzure SQL Database solution for sentinelGoal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database. This is a hunting query, ...
Workbook-AzureSQLSecurityWorkbook📦 SolutionAzure SQL Database solution for sentinel
Front Door Premium WAF - SQLi DetectionAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.o...
Front Door Premium WAF - XSS DetectionAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/www-p...
AFD WAF - Code InjectionAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for a Code Injection based attack in the AFD WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/www-c...
AFD WAF - Path Traversal AttackAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for a Path Traversal based attack in the AFD WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/www-c...
App GW WAF - Code InjectionAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for a Code Injection based attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.o...
App GW WAF - Path Traversal AttackAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for a Path Traversal based attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.o...
App Gateway WAF - Scanner DetectionAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for a Scanner detection user agent based attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: h...
App Gateway WAF - SQLi DetectionAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for a SQL Injection attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/Top1...
App Gateway WAF - XSS DetectionAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Identifies a match for an XSS attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/www-communit...
A potentially malicious web request was executed against a web serverAnalytic Rule📦 SolutionAzure Web Application Firewall (WAF)Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these ...
WebApplicationFirewallFirewallEventsWorkbook📦 SolutionAzure Web Application Firewall (WAF)
WebApplicationFirewallGatewayAccessEventsWorkbook📦 SolutionAzure Web Application Firewall (WAF)
WebApplicationFirewallOverviewWorkbook📦 SolutionAzure Web Application Firewall (WAF)
WebApplicationFirewallWAFTypeEventsWorkbook📦 SolutionAzure Web Application Firewall (WAF)
Azure DevOps Agent Pool Created Then DeletedAnalytic Rule📦 SolutionAzureDevOpsAuditingAs well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a completely new agent pool and use this for execution. Azure DevOps allows f...
Azure DevOps Audit Stream DisabledAnalytic Rule📦 SolutionAzureDevOpsAuditingAzure DevOps allows audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable da...
Azure DevOps Audit Detection for known malicious toolingAnalytic Rule📦 SolutionAzureDevOpsAuditingAzure DevOps has been targeted over the years with a handful of toolkits. This detection will look for some common signs known for a few of these tools.
Azure DevOps New Extension AddedAnalytic Rule📦 SolutionAzureDevOpsAuditingExtensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. This query looks for new extensions that are not from a configurable lis...
Azure DevOps PAT used with BrowserAnalytic Rule📦 SolutionAzureDevOpsAuditingPersonal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. This can be prone to attacker...
Azure DevOps Pipeline modified by a new userAnalytic Rule📦 SolutionAzureDevOpsAuditingThere are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that ...
Azure DevOps Retention ReducedAnalytic Rule📦 SolutionAzureDevOpsAuditingAzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce ...
Azure DevOps Variable Secret Not SecuredAnalytic Rule📦 SolutionAzureDevOpsAuditingCredentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. This detection looks for new variables...
Azure DevOps Build Variable Modified by New UserAnalytic Rule📦 SolutionAzureDevOpsAuditingVariables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct mal...
Azure DevOps Administrator Group MonitoringAnalytic Rule📦 SolutionAzureDevOpsAuditingThis detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.
Azure DevOps Pull Request Policy Bypassing - Historic allow listAnalytic Rule📦 SolutionAzureDevOpsAuditingThis detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included ...
Azure DevOps Service Connection Addition/Abuse - Historic allow listAnalytic Rule📦 SolutionAzureDevOpsAuditingThis detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included ...
Azure DevOps Personal Access Token (PAT) misuseAnalytic Rule📦 SolutionAzureDevOpsAuditingThis Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining. Reference - https://docs.microsoft.com/azure/devops/organizations/accounts/...
Azure DevOps Pipeline Created and Deleted on the Same DayAnalytic Rule📦 SolutionAzureDevOpsAuditingAn attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that inco...
Azure DevOps Service Connection AbuseAnalytic Rule📦 SolutionAzureDevOpsAuditingFlags builds/releases that use a large number of service connections if they aren't manually in the allow list. This is to determine if someone is hijacking a build/release and adding many service con...
External Upstream Source Added to Azure DevOps FeedAnalytic Rule📦 SolutionAzureDevOpsAuditingThe detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. An attacker could look to add a malicious feed in o...
New Agent Added to Pool by New User or Added to a New OS TypeAnalytic Rule📦 SolutionAzureDevOpsAuditingAs seen in attacks such as SolarWinds, attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. An attacker could insert com...
New PA, PCA, or PCAS added to Azure DevOpsAnalytic Rule📦 SolutionAzureDevOpsAuditingIn order for an attacker to be able to conduct many potential attacks against Azure DevOps, they will need to gain elevated permissions. This detection looks for users being granted key administrative...
NRT Azure DevOps Audit Stream DisabledAnalytic Rule📦 SolutionAzureDevOpsAuditingAzure DevOps allows audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable da...
Azure DevOps- Additional Org Admin addedHunting Query📦 SolutionAzureDevOpsAuditingThis hunting query identifies Azure DevOps activities where an additional organization admin is added
Azure DevOps - Build Check DeletedHunting Query📦 SolutionAzureDevOpsAuditingThis query searches for removal of build checks from the Azure DevOps pipeline. Removal of build checks is rare and may be an indication of build pipeline compromise.
Azure DevOps - Build Deleted After Pipeline ModificationHunting Query📦 SolutionAzureDevOpsAuditingAttackers may delete builds after modifying pipelines to minimize traces. This query spots such deletions within an hour of pipeline changes, aiding in system footprint reduction.
Azure DevOps - Internal Upstream Package Feed AddedHunting Query📦 SolutionAzureDevOpsAuditingAttackers may introduce upstream packages into the build process to insert malicious code. This query searches for such malicious activity. If an environment has a low number of events, it can be upgrad...
Azure DevOps - New Agent Pool CreatedHunting Query📦 SolutionAzureDevOpsAuditingCompromised agent pools in pipelines can allow build process breaches. While creating agent pools isn't inherently malicious, their infrequent creation makes them notable for Azure DevOps monitoring.
Azure DevOps - New Package Feed CreatedHunting Query📦 SolutionAzureDevOpsAuditingThis query identifies users who created a new package feed in Azure DevOps pipelines, having no prior history of feed creation, suggesting possible unauthorized activity and requiring verification.
Azure DevOps - New PAT OperationHunting Query📦 SolutionAzureDevOpsAuditingUsing PATs for new operations may signal misuse. This query flags unfamiliar PAT-based operations, potentially indicating malicious use of a stolen PAT.
Azure DevOps - New Release ApproverHunting Query📦 SolutionAzureDevOpsAuditingRelease approvals in Azure Pipelines, often user-authorized, can be self-approved by attackers using compromised accounts. This query identifies unusual approvers, aiding in the detection of unauthori...
Azure DevOps - New Release Pipeline CreatedHunting Query📦 SolutionAzureDevOpsAuditingThis query identifies users who created a new package feed in Azure DevOps pipelines, having no prior history of feed creation, suggesting possible unauthorized activity and requiring verification.
Azure DevOps - Variable Created and DeletedHunting Query📦 SolutionAzureDevOpsAuditingThe query detects additions and removals of variables in build processes in a short span of time, possibly indicating malicious activity. Promote to a detection if few such events occur.
Azure DevOps Display Name ChangesHunting Query📦 SolutionAzureDevOpsAuditingShows all users with more than 1 display name in recent history. This is to hunt for users maliciously changing their display name as a masquerading technique.
Azure DevOps Pull Request Policy BypassingHunting Query📦 SolutionAzureDevOpsAuditingLooks for users bypassing Update Policies in repos
Azure DevOps- Microsoft Entra ID Protection Conditional Access DisabledHunting Query📦 SolutionAzureDevOpsAuditingThis hunting query identifies Azure DevOps activities where the organization's Microsoft Entra ID ConditionalAccess policy is disabled by the admin
Azure DevOps- Guest users access enabledHunting Query📦 SolutionAzureDevOpsAuditingThis hunting query identifies Azure DevOps activities where the organization's Guest Access policy is enabled by the admin
Azure DevOps- Project visibility changed to publicHunting Query📦 SolutionAzureDevOpsAuditingThis hunting query identifies Azure DevOps activities where an organization project's visibility is changed to public
Azure DevOps- Public project createdHunting Query📦 SolutionAzureDevOpsAuditingThis hunting query identifies Azure DevOps activities where a public project is created
Azure DevOps- Public project enabled by adminHunting Query📦 SolutionAzureDevOpsAuditingThis hunting query identifies Azure DevOps activities where the organization's public projects policy is enabled by the admin
ADOAuditLogsParser📦 SolutionAzureDevOpsAuditing
Azure Security Benchmark Posture ChangedAnalytic Rule📦 SolutionAzureSecurityBenchmarkThis alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week t...
AzureSecurityBenchmarkWorkbook📦 SolutionAzureSecurityBenchmark
Notify-GovernanceComplianceTeamPlaybook📦 SolutionAzureSecurityBenchmarkThis Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When analytics rules trigger this automation notifies the gover...
Create-AzureDevOpsTaskPlaybook📦 SolutionAzureSecurityBenchmarkThis playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.
Create Jira IssuePlaybook📦 SolutionAzureSecurityBenchmarkThis playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.
Barracuda 🔍Workbook📦 SolutionBarracuda CloudGen Firewall
CGFWFirewallActivityParser📦 SolutionBarracuda CloudGen Firewall
BETTER_MTD_WorkbookWorkbook📦 SolutionBETTER Mobile Threat Defense (MTD)
BeyondTrustPMCloudWorkbook📦 SolutionBeyondTrustPMCloud
Bitglass - Multiple files shared with external entityAnalytic Rule📦 SolutionBitglassDetects when multiple files are shared with an external entity.
Bitglass - Impossible travel distanceAnalytic Rule📦 SolutionBitglassDetects logins from different geo locations.
Bitglass - Multiple failed loginsAnalytic Rule📦 SolutionBitglassDetects multiple failed logins.
Bitglass - New admin userAnalytic Rule📦 SolutionBitglassDetects a new admin user.
Bitglass - Login from new deviceAnalytic Rule📦 SolutionBitglassDetects when a user logs in from a new device.
Bitglass - New risky userAnalytic Rule📦 SolutionBitglassDetects a new risky user.
Bitglass - The SmartEdge endpoint agent was uninstalledAnalytic Rule📦 SolutionBitglassDetects when the SmartEdge endpoint agent was uninstalled.
Bitglass - Suspicious file uploadsAnalytic Rule📦 SolutionBitglassDetects suspicious file upload activity.
Bitglass - User login from new geo locationAnalytic Rule📦 SolutionBitglassDetects a user login from a new geo location.
Bitglass - User Agent string has changed for userAnalytic Rule📦 SolutionBitglassDetects when the User Agent string has changed for a user.
Bitglass - Applications usedHunting Query📦 SolutionBitglassQuery searches for applications used.
Bitglass - Insecure web protocolHunting Query📦 SolutionBitglassQuery searches for usage of the HTTP protocol.
Bitglass - Login failuresHunting Query📦 SolutionBitglassQuery searches for login failures.
Bitglass - New applicationsHunting Query📦 SolutionBitglassQuery searches for new applications configured.
Bitglass - New usersHunting Query📦 SolutionBitglassQuery searches for new users.
Bitglass - Privileged login failuresHunting Query📦 SolutionBitglassQuery searches for privileged login failures.
Bitglass - Risky usersHunting Query📦 SolutionBitglassQuery searches for risky users.
Bitglass - Uncategorized resourcesHunting Query📦 SolutionBitglassQuery searches for uncategorized resources.
Bitglass - User devicesHunting Query📦 SolutionBitglassQuery searches for user devices.
BitglassWorkbook📦 SolutionBitglass
BitglassParser📦 SolutionBitglass
BitSight - compromised systems detectedAnalytic Rule📦 SolutionBitSightRule helps to detect whenever compromised systems are found in BitSight.
BitSight - diligence risk category detectedAnalytic Rule📦 SolutionBitSightRule helps to detect whenever a diligence risk category is found in BitSight.
BitSight - drop in company ratingsAnalytic Rule📦 SolutionBitSightRule helps to detect when there is a drop of 10% or more in BitSight company ratings.
BitSight - drop in the headline ratingAnalytic Rule📦 SolutionBitSightRule helps to detect a drop in the headline rating in BitSight.
BitSight - new alert foundAnalytic Rule📦 SolutionBitSightRule helps to detect new alerts generated in BitSight.
BitSight - new breach foundAnalytic Rule📦 SolutionBitSightRule helps to detect a new breach generated in BitSight.
BitSightWorkbookWorkbook📦 SolutionBitSight
BitSightAlertsParser📦 SolutionBitSight
BitSightBreachesParser📦 SolutionBitSight
BitSightCompanyDetailsParser📦 SolutionBitSight
BitSightCompanyRatingsParser📦 SolutionBitSight
BitSightDiligenceHistoricalStatisticsParser📦 SolutionBitSight
BitSightDiligenceStatisticsParser📦 SolutionBitSight
BitSightFindingsDataParser📦 SolutionBitSight
BitSightFindingsSummaryParser📦 SolutionBitSight
BitSightGraphDataParser📦 SolutionBitSight
BitSightIndustrialStatisticsParser📦 SolutionBitSight
BitSightObservationStatisticsParser📦 SolutionBitSight
BitwardenEventLogsAuthenticationWorkbook📦 SolutionBitwarden
BitwardenEventLogsOrganizationWorkbook📦 SolutionBitwarden
BitwardenEventLogsVaultItemsWorkbook📦 SolutionBitwarden
BitwardenEventLogsParser📦 SolutionBitwarden
CylancePROTECT-old 🔍Parser📦 SolutionBlackberry CylancePROTECT
CylancePROTECTParser📦 SolutionBlackberry CylancePROTECT
blacklens InsightsAnalytic Rule📦 SolutionBlacklensCreates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.
Retrieve Alert from Microsoft Sentinel and Trigger a Blink Workflow via WebhookPlaybook📦 SolutionBlinkOpsSend a webhook request to a Blink workflow trigger whenever a new alert is created in Microsoft Sentinel
Retrieve Incident from Microsoft Sentinel and Trigger a Blink Workflow via WebhookPlaybook📦 SolutionBlinkOpsSend a webhook request to a Blink workflow trigger whenever a new Incident is created in Microsoft Sentinel
BloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero Objects
BloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security GroupsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security Groups
BloodHound Attack Path Finding - Add Members to Tier Zero GroupAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Add Members to Tier Zero Group
BloodHound Attack Path Finding - AddOwner Role on Tier Zero ResourceAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - AddOwner Role on Tier Zero Resource
BloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App RoleAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App Role
BloodHound Attack Path Finding - Add Secret to Tier Zero PrincipalAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Add Secret to Tier Zero Principal
BloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security GroupsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security Groups
BloodHound Attack Path Finding - Admins on Tier Zero ComputersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Admins on Tier Zero Computers
BloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed ClusterAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed Cluster
BloodHound Attack Path Finding - AllExtended Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - AllExtended Privileges on Tier Zero Objects
BloodHound Attack Path Finding - App Admin Control of Tier Zero PrincipalAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - App Admin Control of Tier Zero Principal
BloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual MachineAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual Machine
BloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation Privileges
BloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero ComputersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero Computers
BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) AttackAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) Attack
BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP AttackAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP Attack
BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS AttackAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS Attack
BloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB AttackAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB Attack
BloodHound Attack Path Finding - Cloud App Admin Over Tier Zero PrincipalAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Cloud App Admin Over Tier Zero Principal
BloodHound Attack Path Finding - Command Execution on Tier Zero Virtual MachineAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Command Execution on Tier Zero Virtual Machine
BloodHound Attack Path Finding - Constrained Delegation on Tier Zero ComputersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Constrained Delegation on Tier Zero Computers
BloodHound Attack Path Finding - Contributor Role on Tier Zero Automation AccountAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Contributor Role on Tier Zero Automation Account
BloodHound Attack Path Finding - Contributor Role on Tier Zero ResourceAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Contributor Role on Tier Zero Resource
BloodHound Attack Path Finding - DCOM Users on Tier Zero ComputersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - DCOM Users on Tier Zero Computers
BloodHound Attack Path Finding - ForceChangePassword Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - ForceChangePassword Privileges on Tier Zero Objects
BloodHound Attack Path Finding - GenericAll Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - GenericAll Privileges on Tier Zero Objects
BloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero Objects
BloodHound Attack Path Finding - Get Certifcates on Tier Zero Key VaultAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Get Certifcates on Tier Zero Key Vault
BloodHound Attack Path Finding - Get Keys on Tier Zero Key VaultAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Get Keys on Tier Zero Key Vault
BloodHound Attack Path Finding - Get Secrets on Tier Zero Key VaultAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Get Secrets on Tier Zero Key Vault
BloodHound Attack Path Finding - Kerberoastable User AccountsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Kerberoastable User Accounts
BloodHound Attack Path Finding - Kerberos Delegation on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Kerberos Delegation on Tier Zero Objects
BloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero ResourceAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero Resource
BloodHound Attack Path Finding - Large Default Groups in DCOM Users GroupsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups in DCOM Users Groups
BloodHound Attack Path Finding - Large Default Groups in Local Administrator GroupsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups in Local Administrator Groups
BloodHound Attack Path Finding - Large Default Groups in PS Remote Users GroupsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups in PS Remote Users Groups
BloodHound Attack Path Finding - Large Default Groups in SQL Admins GroupsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups in SQL Admins Groups
BloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link Privileges
BloodHound Attack Path Finding - Large Default Groups With Add Member PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Add Member Privileges
BloodHound Attack Path Finding - Large Default Groups With Add Self PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Add Self Privileges
BloodHound Attack Path Finding - Large Default Groups With All Extended PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With All Extended Privileges
BloodHound Attack Path Finding - Large Default Groups With ForceChangePassword PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With ForceChangePassword Privileges
BloodHound Attack Path Finding - Large Default Groups With GenericAll PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With GenericAll Privileges
BloodHound Attack Path Finding - Large Default Groups With GenericWrite PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With GenericWrite Privileges
BloodHound Attack Path Finding - Large Default Groups With Limited Ownership PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Limited Ownership Privileges
BloodHound Attack Path Finding - Large Default Groups With Ownership PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Ownership Privileges
BloodHound Attack Path Finding - Large Default Groups With RDP AccessAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With RDP Access
BloodHound Attack Path Finding - Large Default Groups With Read GMSA Password PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Read GMSA Password Privileges
BloodHound Attack Path Finding - Large Default Groups With Read LAPS Password PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With Read LAPS Password Privileges
BloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions Privileges
BloodHound Attack Path Finding - Large Default Groups With WriteDacl PrivilegeAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With WriteDacl Privilege
BloodHound Attack Path Finding - Large Default Groups With WriteGpLink PrivilegeAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With WriteGpLink Privilege
BloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights Privileges
BloodHound Attack Path Finding - Large Default Groups With WriteOwner PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With WriteOwner Privileges
BloodHound Attack Path Finding - Large Default Groups With WriteServicePrincipalName PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Groups With WriteServicePrincipalName Privileges
BloodHound Attack Path Finding - Large Default Group With SyncLapsPassword PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Large Default Group With SyncLapsPassword Privileges
BloodHound Attack Path Finding - Legacy SID History on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Legacy SID History on Tier Zero Objects
BloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero Objects
BloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic AppAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic App
BloodHound Attack Path Finding - Logons From Tier Zero UsersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Logons From Tier Zero Users
BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC10 Scenario A PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC10 Scenario A Privileges
BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero GroupAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero Group
BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 Privileges
BloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service PrincipalAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service Principal
BloodHound Attack Path Finding - Owner Role on Tier Zero ResourceAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Owner Role on Tier Zero Resource
BloodHound Attack Path Finding - Ownership of Tier Zero PrincipalAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Ownership of Tier Zero Principal
BloodHound Attack Path Finding - Ownership Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Ownership Privileges on Tier Zero Objects
BloodHound Attack Path Finding - PS Remote Users on Tier Zero ComputersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - PS Remote Users on Tier Zero Computers
BloodHound Attack Path Finding - RDP Users on Tier Zero ComputersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - RDP Users on Tier Zero Computers
BloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero Objects
BloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero Objects
BloodHound Attack Path Finding - AS-REP Roastable User AccountsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - AS-REP Roastable User Accounts
BloodHound Attack Path Finding - Reset a Tier Zero User's PasswordAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Reset a Tier Zero User's Password
BloodHound Attack Path Finding - SQL Admin Users on Tier Zero ComputersAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - SQL Admin Users on Tier Zero Computers
BloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero Objects
BloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra UserAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra User
BloodHound Attack Path Finding - Tier Zero SMSA Installed on Non-Tier Zero ComputerAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Tier Zero SMSA Installed on Non-Tier Zero Computer
BloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT AuthenticationAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT Authentication
BloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD UserAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD User
BloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App RoleAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App Role
BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App RolesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App Roles
BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID RoleAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID Role
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario B PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario B Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync PrivilegesAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync Privileges
BloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained DelegationAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained Delegation
BloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App RoleAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App Role
BloodHound Attack Path Finding - User Access Admin Role on Tier Zero ResourceAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - User Access Admin Role on Tier Zero Resource
BloodHound Attack Path Finding - VM Admin Login Role on Tier Zero SystemAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - VM Admin Login Role on Tier Zero System
BloodHound Attack Path Finding - VM Contributor Role on Tier Zero SystemAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - VM Contributor Role on Tier Zero System
BloodHound Attack Path Finding - Website Contributor Role on Tier Zero ResourceAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Website Contributor Role on Tier Zero Resource
BloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero Objects
BloodHound Attack Path Finding - WriteDacl Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - WriteDacl Privileges on Tier Zero Objects
BloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero Objects
BloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero Objects
BloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero Objects
BloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero ObjectsAnalytic Rule📦 SolutionBloodHound EnterpriseBloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero Objects
BloodHoundEnterpriseAttackPathDetailsWorkbook📦 SolutionBloodHound Enterprise
BloodHoundEnterpriseAttackPathOverviewWorkbook📦 SolutionBloodHound Enterprise
BloodHoundEnterpriseAuditLogsWorkbook📦 SolutionBloodHound Enterprise
BloodHoundEnterpriseTierZeroSearchWorkbook📦 SolutionBloodHound Enterprise
BloodHoundFindingTrendsWorkbook📦 SolutionBloodHound Enterprise
BloodHoundPostureHistoryWorkbook📦 SolutionBloodHound Enterprise
Box - Abmormal user activityAnalytic Rule📦 SolutionBoxDetects spikes (deviations from the average) in user activity.
Box - Executable file in folderAnalytic Rule📦 SolutionBoxDetects executable files in folders.
Box - Forbidden file type downloadedAnalytic Rule📦 SolutionBoxDetects when a new user downloads forbidden file types.
Box - Inactive user loginAnalytic Rule📦 SolutionBoxDetects a user login after a long period of inactivity.
Box - Item shared to external entityAnalytic Rule📦 SolutionBoxDetects when an item is shared with an external entity.
Box - Many items deleted by userAnalytic Rule📦 SolutionBoxDetects when a user deletes many items in a short period of time.
Box - New external userAnalytic Rule📦 SolutionBoxDetects when a new user is created with a SourceLogin containing a non-corporate domain.
Box - File containing sensitive dataAnalytic Rule📦 SolutionBoxDetects files which may potentially contain sensitive data such as passwords, authentication tokens, or secret keys.
Box - User logged in as adminAnalytic Rule📦 SolutionBoxDetects when a user logs in as admin.
Box - User role changed to ownerAnalytic Rule📦 SolutionBoxDetects when a user's collaboration role is changed to owner.
Box - IP list for admin usersHunting Query📦 SolutionBoxQuery shows the IP list for admin users. You can check it for suspicious or new IPs.
Box - Deleted usersHunting Query📦 SolutionBoxQuery shows deleted user accounts.
Box - Inactive admin usersHunting Query📦 SolutionBoxQuery shows inactive admin accounts (admin users whose last login was more than 30 days ago).
Box - Inactive usersHunting Query📦 SolutionBoxQuery shows inactive user accounts (users whose last login was more than 30 days ago).
Box - New usersHunting Query📦 SolutionBoxQuery shows new user accounts.
Box - Suspicious or sensitive filesHunting Query📦 SolutionBoxQuery searches for potentially suspicious files or files which can contain sensitive information such as passwords or secrets.
Box - Downloaded data volume per userHunting Query📦 SolutionBoxQuery shows downloaded data volume per user.
Box - New usersHunting Query📦 SolutionBoxQuery shows user permission (group) changes.
Box - Users with owner permissionsHunting Query📦 SolutionBoxQuery shows users with newly added owner permissions.
Box - Uploaded data volume per userHunting Query📦 SolutionBoxQuery shows uploaded data volume per user.
BoxWorkbook📦 SolutionBox
BoxEventsParser📦 SolutionBox
SymantecDLPParser📦 SolutionBroadcom SymantecDLP
Account Elevated to New RoleAnalytic Rule📦 SolutionBusiness Email Compromise - Financial FraudDetects an account that is elevated to a new role where that account has not had that role in the last 14 days. Role elevations are a key mechanism for gaining permissions, monitoring which users ha...
Authentication Method Changed for Privileged AccountAnalytic Rule📦 SolutionBusiness Email Compromise - Financial FraudIdentifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access. Ref : https...
Malicious BEC Inbox RuleAnalytic Rule📦 SolutionBusiness Email Compromise - Financial FraudOften, after the initial compromise in a BEC attack, the attackers create inbox rules to delete emails that contain certain keywords related to their BEC attack. This is done so as to limit abili...
Privileged Account Permissions ChangedAnalytic Rule📦 SolutionBusiness Email Compromise - Financial FraudDetects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts. Review any modifications to ensur...
Suspicious access of BEC related documentsAnalytic Rule📦 SolutionBusiness Email Compromise - Financial FraudThis query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access...
Suspicious access of BEC related documents in AWS S3 bucketsAnalytic Rule📦 SolutionBusiness Email Compromise - Financial FraudThis query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access...
User Added to Admin RoleAnalytic Rule📦 SolutionBusiness Email Compromise - Financial FraudDetects a user being added to a new privileged role. Monitor these additions to ensure the users made eligible for these roles are intended to have this level of access. Ref: https://docs.micr...
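The "Malicious BEC Inbox Rule" entry above describes the pattern (a new or modified inbox rule that filters on BEC-related keywords and then deletes or hides the matching mail) without showing the logic. The following is an added example, not code from the solution: it runs that detection over constructed events shaped like Office 365 OfficeActivity rows (Operation, UserId, and a Parameters JSON array of Name/Value pairs). The keyword list, the set of "hiding" folders, and the sample mailboxes are assumptions for the example; the catalog entry does not publish the rule's own keyword set.

```python
import json
from typing import Dict, List

# Keywords BEC actors commonly filter on so the mailbox owner never sees
# vendor replies, bank notices or warnings. Assumed for this example only.
BEC_KEYWORDS = {"invoice", "payment", "wire", "bank", "ach", "remittance",
                "hacked", "phish", "password", "suspicious"}

# Target folders that effectively hide mail from the owner (assumed list).
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}
# Inbox-rule conditions whose values are word lists.
KEYWORD_CONDITIONS = {"SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords", "FromAddressContainsWords"}


def parse_parameters(raw: str) -> Dict[str, str]:
    """Flatten the Parameters JSON array [{"Name":..,"Value":..}, ...] into a dict."""
    return {p["Name"]: str(p["Value"]) for p in json.loads(raw)}


def hiding_actions(params: Dict[str, str]) -> List[str]:
    """Return the rule actions that would keep matching mail out of sight."""
    actions = []
    for flag in ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead"):
        if params.get(flag, "").lower() == "true":
            actions.append(flag)
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS:
        actions.append(f"MoveToFolder:{folder}")
    return actions


def matched_keywords(params: Dict[str, str]) -> List[str]:
    """Return the condition terms that contain a BEC keyword."""
    hits = set()
    for cond in KEYWORD_CONDITIONS:
        # Exchange serialises word lists with ';' (sometimes ',') separators.
        for term in params.get(cond, "").replace(",", ";").split(";"):
            term = term.strip().lower()
            if term and any(k in term for k in BEC_KEYWORDS):
                hits.add(term)
    return sorted(hits)


def find_bec_inbox_rules(records: List[dict]) -> List[dict]:
    """Flag New-/Set-InboxRule events whose rule both filters on BEC keywords
    and hides the matching mail. Keyword-only or hide-only rules are ignored,
    which keeps ordinary newsletter or triage rules out of the results."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = parse_parameters(rec["Parameters"])
        actions = hiding_actions(params)
        keywords = matched_keywords(params)
        if actions and keywords:
            findings.append({
                "user": rec["UserId"],
                "rule_name": params.get("Name") or params.get("Identity", ""),
                "operation": rec["Operation"],
                "actions": actions,
                "keywords": keywords,
            })
    return findings


# Constructed sample events in the shape of OfficeActivity rows (not real data).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": json.dumps([
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire transfer"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "MarkAsRead", "Value": "True"}])},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": json.dumps([
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}])},
    {"Operation": "Set-InboxRule", "UserId": "carol@contoso.example",
     "Parameters": json.dumps([
         {"Name": "Identity", "Value": "Clean up"},
         {"Name": "SubjectOrBodyContainsWords", "Value": "hacked,phishing"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"}])},
    {"Operation": "New-InboxRule", "UserId": "dave@contoso.example",
     "Parameters": json.dumps([
         {"Name": "Name", "Value": "AP triage"},
         {"Name": "SubjectContainsWords", "Value": "invoice"},
         {"Name": "MoveToFolder", "Value": "Accounts Payable"}])},
]

if __name__ == "__main__":
    for finding in find_bec_inbox_rules(SAMPLE_EVENTS):
        print(finding)
```

Only alice's rule (keyword filter plus DeleteMessage) and carol's rule (keyword filter plus a move to RSS Feeds) are flagged; dave's "invoice" rule moves mail to a visible folder and bob's rule has no BEC keyword, so both stay quiet. In production the same two-part test (keyword condition AND hiding action) is what separates this from a generic "new inbox rule" alert.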
S3 Bucket outbound Data transfer anomalyHunting Query📦 SolutionBusiness Email Compromise - Financial FraudIdentifies S3 data transfer spikes using GetObject API, BytesTransferredOut, and KQL anomaly detection. Investigate sudden action frequency increases. Adjust scorethreshold to 3+ to reduce noise.
Suspicious Data Access to S3 Bucket from Unknown IPHunting Query📦 SolutionBusiness Email Compromise - Financial FraudThis query identifies unusual access to cloud storage, particularly from IPs not historically seen accessing the bucket or downloading files. It can be limited to private buckets with sensitive files ...
Email Forwarding Configuration with SAP downloadHunting Query📦 SolutionBusiness Email Compromise - Financial FraudThis query detects external email forwarding with SAP download for sensitive financial transactions. Such activity by attackers may lead to financial gain, IP theft, or operational disruption.
Login attempts using Legacy AuthHunting Query📦 SolutionBusiness Email Compromise - Financial FraudThis query identifies use of legacy authentication in Microsoft Entra ID sign-in activity, which can bypass Azure Conditional Access policies. It includes UEBA logs IdentityInfo and BehaviorAnalytics ...
Microsoft Entra ID signins from new locationsHunting Query📦 SolutionBusiness Email Compromise - Financial FraudThis query identifies new Microsoft Entra ID sign-in locations compared to historical data, potentially indicating password spraying or brute force attacks. It includes UEBA logs IdentityInfo and Beha...
Office Mail Rule Creation with suspicious archive mail move activityHunting Query📦 SolutionBusiness Email Compromise - Financial FraudHunting query to detect new inbox rule creation with activity of mail moved from the inbox to the archive folder within 12 minutes. Though such activities could be legitimate, some attackers may use these techni...
Risky Sign-in with new MFA methodHunting Query📦 SolutionBusiness Email Compromise - Financial FraudThis query identifies new MFA methods added to an account within 6 hours of a medium or high risk sign-in session. It includes UEBA logs IdentityInfo and BehaviorAnalytics for context.
High count download from a SAP Privileged accountHunting Query📦 SolutionBusiness Email Compromise - Financial FraudThis query detects high counts of download from a sensitive SAP Privileged account. A pre-built watchlist is leveraged to identify the privileged users that are under extra restrictions.
Successful Signin From Non-Compliant DeviceHunting Query📦 SolutionBusiness Email Compromise - Financial FraudDetects successful sign-ins from devices marked non-compliant. Best practice is to block sign-ins from non-compliant devices; however, if they are allowed, monitor these events to ensure they do not lead to othe...
User Accounts - New Single Factor AuthHunting Query📦 SolutionBusiness Email Compromise - Financial FraudIdentifies single-factor authentication events for users in scenarios where they have not been seen before, or where only multi-factor authentication has been observed.
User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.Hunting Query📦 SolutionBusiness Email Compromise - Financial FraudIdentifies single-factor authentication events for users in scenarios where they have not been seen before, or where only multi-factor authentication has been observed.
User detection added to privilege groups based in WatchlistHunting Query📦 SolutionBusiness Email Compromise - Financial FraudBased on a watchlist, detects when a user has been added to a privileged group/role. Users for whom this alert should not be triggered can be excluded via the watchlist.
User Login IP Address TeleportationHunting Query📦 SolutionBusiness Email Compromise - Financial FraudThis query identifies users logging in from two different countries within a specified time window, potentially indicating VPN use. It includes UEBA logs IdentityInfo and BehaviorAnalytics for context...
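The "User Login IP Address Teleportation" entry above states the rule (the same user signing in from two different countries inside a time window) but not how the comparison is made. The following is an added example, not the solution's own query: it applies that logic to constructed sign-in records shaped like Entra ID SigninLogs rows (UserPrincipalName, TimeGenerated, IPAddress, ResultType, and a pre-resolved Country). Failed sign-ins are skipped so a password spray from abroad does not trip the rule on its own; the one-hour default window and the sample users are assumptions for the example. As the catalog entry notes, a VPN exit in another country produces the same signal, so treat hits as leads to enrich, not verdicts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def detect_teleportation(signins: List[dict], window_hours: float = 1.0) -> List[dict]:
    """Return consecutive successful sign-ins by the same user from different
    countries that are closer together than window_hours. Input order does not
    matter; events are grouped per user and sorted by time first."""
    window = timedelta(hours=window_hours)
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for s in signins:
        if s["ResultType"] != "0":      # Entra ID reports success as ResultType 0
            continue
        rec = dict(s, ts=datetime.fromisoformat(s["TimeGenerated"]))
        by_user[s["UserPrincipalName"]].append(rec)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["Country"] != cur["Country"] and gap <= window:
                findings.append({
                    "user": user,
                    "from": (prev["Country"], prev["IPAddress"], prev["TimeGenerated"]),
                    "to": (cur["Country"], cur["IPAddress"], cur["TimeGenerated"]),
                    "minutes_apart": gap.total_seconds() / 60,
                })
    return findings


# Constructed sample sign-ins (not real data); alice's events are deliberately
# out of order to show that sorting happens per user.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "alice@contoso.example", "TimeGenerated": "2024-05-01T09:35:00+00:00",
     "IPAddress": "198.51.100.7", "Country": "DE", "ResultType": "0"},
    {"UserPrincipalName": "alice@contoso.example", "TimeGenerated": "2024-05-01T09:00:00+00:00",
     "IPAddress": "203.0.113.10", "Country": "US", "ResultType": "0"},
    # bob: two countries, but three hours apart (outside the default window)
    {"UserPrincipalName": "bob@contoso.example", "TimeGenerated": "2024-05-01T09:00:00+00:00",
     "IPAddress": "203.0.113.22", "Country": "US", "ResultType": "0"},
    {"UserPrincipalName": "bob@contoso.example", "TimeGenerated": "2024-05-01T12:00:00+00:00",
     "IPAddress": "198.51.100.40", "Country": "GB", "ResultType": "0"},
    # carol: new IP within minutes, but the same country
    {"UserPrincipalName": "carol@contoso.example", "TimeGenerated": "2024-05-01T09:00:00+00:00",
     "IPAddress": "192.0.2.5", "Country": "FR", "ResultType": "0"},
    {"UserPrincipalName": "carol@contoso.example", "TimeGenerated": "2024-05-01T09:10:00+00:00",
     "IPAddress": "192.0.2.9", "Country": "FR", "ResultType": "0"},
    # dave: a failed foreign attempt between two domestic successes is ignored
    {"UserPrincipalName": "dave@contoso.example", "TimeGenerated": "2024-05-01T09:00:00+00:00",
     "IPAddress": "203.0.113.77", "Country": "US", "ResultType": "0"},
    {"UserPrincipalName": "dave@contoso.example", "TimeGenerated": "2024-05-01T09:05:00+00:00",
     "IPAddress": "198.51.100.99", "Country": "RU", "ResultType": "50126"},
    {"UserPrincipalName": "dave@contoso.example", "TimeGenerated": "2024-05-01T09:50:00+00:00",
     "IPAddress": "203.0.113.77", "Country": "US", "ResultType": "0"},
]

if __name__ == "__main__":
    for finding in detect_teleportation(SAMPLE_SIGNINS):
        print(finding)
```

With the default one-hour window only alice is reported (US to DE in 35 minutes). Widening the window to four hours also surfaces bob, which is the tuning knob the catalog entry refers to as the "specified time window": the wider it is, the more legitimate travel and VPN use it will catch.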
CensysWorkbook📦 SolutionCensys
Censys Add Incident CommentPlaybook📦 SolutionCensysThis playbook is triggered via HTTP request and is designed to be used as a sub-playbook by other Censys playbooks (CensysIncidentEnrichment, CensysEntityEnrichmentHost, CensysEntityEnrichmentCertific...
Censys Alert EnrichmentPlaybook📦 SolutionCensysThis playbook is triggered by a Microsoft Sentinel Alert. It extracts IP addresses, domains, and certificate file hashes (SHA256) from alert entities, then queries the Censys API to retrieve enrichmen...
Censys Alert RescanPlaybook📦 SolutionCensysThis playbook is triggered manually via HTTP request from a workbook or automation. It accepts input parameters including IOC Type (Host or Web Property), IP, Port, Protocol, Transport Protocol, Hostn...
Censys Entity Enrichment - CertificatePlaybook📦 SolutionCensysThis playbook is triggered automatically when a FileHash entity is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the FileHash (certificate finger...
Censys Entity Enrichment - HostPlaybook📦 SolutionCensysThis playbook is triggered automatically when an IP entity is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the IP address from the entity and qu...
Censys Entity Enrichment - Web PropertyPlaybook📦 SolutionCensysThis playbook is triggered automatically when a DNS entity (domain name) is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the domain name from th...
Censys Host HistoryPlaybook📦 SolutionCensysThis playbook is triggered manually via HTTP request, typically invoked from a Microsoft Sentinel workbook. It retrieves historical timeline data for a specified host (IP address) from the Censys API ...
Censys Incident EnrichmentPlaybook📦 SolutionCensysThis playbook will be triggered when any automation rule is attached or manually invoked. This will fetch associated IPs, Host(Domains) and SHAs from incident and make associated API calls to retrieve...
Censys Ad-Hoc IOC LookupPlaybook📦 SolutionCensysThis playbook will be triggered from the workbook. This will fetch associated IPs, Host(Domains) and SHAs from user input provided in the Ad-Hoc IOC Lookup Dashboard and make API calls to retrieve Cen...
Censys Related InfrastructurePlaybook📦 SolutionCensysThis playbook retrieves related infrastructure details for Censys entities (hosts, certificates, or web properties) using the Censys Pivot Analysis API. It accepts an IOC Value (hosts, certificates, o...
Censys RescanPlaybook📦 SolutionCensysThis playbook will be triggered manually. This will fetch associated IPs from the incident and make API calls to retrieve Censys data and enrich the incident with additional information as Incident co...
CheckPointWorkbook📦 SolutionCheck Point
checkpoint-add-host-to-groupPlaybook📦 SolutionCheck PointThis playbook will create Check Point objects and add to block group
Check Point Exposure Management - Alert Ingestion AnomalyAnalytic Rule📦 SolutionCheck Point Cyberint AlertsDetects when no Check Point Exposure Management alerts have been ingested into the argsentdc_CL table for an extended period. This may indicate a failure in the CCP data connector or the Importer play...
CPEMAlertOverviewWorkbook📦 SolutionCheck Point Cyberint Alerts
Check Point EM - Importer (Alerts → Sentinel Incidents)Playbook📦 SolutionCheck Point Cyberint AlertsQueries the argsentdc_CL custom table (populated by the CCP data connector) for recent alerts and creates corresponding Microsoft Sentinel incidents.
Check Point Exposure Management - Manual Status Update (Sentinel → Argos)Playbook📦 SolutionCheck Point Cyberint AlertsOn-demand playbook that reads the current Sentinel incident status and pushes it to the corresponding alert(s). Triggered manually from the incident actions menu.
Check Point Exposure Management - Exporter (Sentinel → Argos)Playbook📦 SolutionCheck Point Cyberint AlertsWhen a Sentinel incident status changes, this playbook pushes the update to the corresponding alert(s). Includes tag-based loop prevention to avoid circular sync with Importer.
Check Point Exposure Management - Credential Leak Validation and ResponsePlaybook📦 SolutionCheck Point Cyberint AlertsWhen a new Microsoft Sentinel incident is created for leaked credentials, this playbook queries the Check Point Exposure Management credential leak API for the affected domain, enriches the incident w...
Check Point Exposure Management - Phishing TakedownPlaybook📦 SolutionCheck Point Cyberint AlertsWhen a new Microsoft Sentinel incident is created for a phishing website alert, this playbook extracts the phishing URL, evaluates confidence and severity thresholds, submits a takedown request to Che...
Check Point Exposure Management - Vulnerability Exploitation MonitoringPlaybook📦 SolutionCheck Point Cyberint AlertsWhen a new Microsoft Sentinel incident is created containing CVE identifiers, this playbook enriches each CVE using the Check Point CVE Intelligence API (EPSS, CPEM score, exploitation evidence, PoC a...
Check Point Exposure Management - Fetch Attachments On-DemandPlaybook📦 SolutionCheck Point Cyberint AlertsOn-demand playbook that fetches alert attachments and analysis report for a Sentinel incident, surfacing the results as an incident comment.
Check Point Exposure Management - IOC Enrichment and TriagePlaybook📦 SolutionCheck Point Cyberint AlertsWhen a new Microsoft Sentinel incident is created, this playbook enriches IOC entities (IPs, domains, file hashes, URLs) using the Check Point Exposure Management threat intelligence API and adds enri...
CPEMAlertsParser📦 SolutionCheck Point Cyberint Alerts
CheckPhish - Get URL reputationPlaybook📦 SolutionCheckPhish by BolsterThis playbook submits a URL to CheckPhish and gets the reputation of the URL (scan result).
CiscoACIEventParser📦 SolutionCisco ACI
CiscoETDWorkbook📦 SolutionCisco ETD
Block URL - Cisco FirepowerPlaybook📦 SolutionCisco Firepower EStreamerThis playbook allows blocking of FQDNs in Cisco Firepower, using a **Network Group object**. This allows making changes to a Network Group selected members, instead of making Access List Entries. The ...
Block IP - Cisco FirepowerPlaybook📦 SolutionCisco Firepower EStreamerThis playbook allows blocking of IPs in Cisco Firepower, using a **Network Group object**. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Ne...
Block IP - Take Action from Teams - Cisco FirepowerPlaybook📦 SolutionCisco Firepower EStreamerThis playbook allows blocking of IPs in Cisco Firepower, using a **Network Group object**. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Ne...
CiscoISE - ISE administrator password has been resetAnalytic Rule📦 SolutionCisco ISEDetects when the ISE administrator password has been reset.
CiscoISE - Attempt to delete local store logsAnalytic Rule📦 SolutionCisco ISEDetects when an attempt to delete local store logs failed.
CiscoISE - Backup failedAnalytic Rule📦 SolutionCisco ISEDetects when backup activity failed.
CiscoISE - Certificate has expiredAnalytic Rule📦 SolutionCisco ISEDetects certificate expiration.
CiscoISE - Command executed with the highest privileges from new IPAnalytic Rule📦 SolutionCisco ISEDetects command execution with PrivilegeLevel 15 from a new source IP.
CiscoISE - Command executed with the highest privileges by new userAnalytic Rule📦 SolutionCisco ISEDetects command execution with PrivilegeLevel 15 by a user for which no such activity was detected earlier.
CiscoISE - Device changed IP in last 24 hoursAnalytic Rule📦 SolutionCisco ISEDetects when a device changed its IP address in the last 24 hours.
CiscoISE - Device PostureStatus changed to non-compliantAnalytic Rule📦 SolutionCisco ISEDetects when device changes PostureStatus from "Compliant".
CiscoISE - Log collector was suspendedAnalytic Rule📦 SolutionCisco ISEDetects when log collector was suspended.
CiscoISE - Log files deletedAnalytic Rule📦 SolutionCisco ISEDetects log file deletion activity.
CiscoISE - Authentication attempts to suspended user accountHunting Query📦 SolutionCisco ISESearch for authentication attempts to a suspended user account.
CiscoISE - Dynamic authorization failedHunting Query📦 SolutionCisco ISESearch for failed dynamic authorization events.
CiscoISE - Expired certificate in the client certificates chainHunting Query📦 SolutionCisco ISESearch for expired certificates in the client certificate chain.
CiscoISE - Failed authentication eventsHunting Query📦 SolutionCisco ISESearch for failed authentication events.
CiscoISE - Failed login attempts via SSH CLI (users)Hunting Query📦 SolutionCisco ISESearch for failed user login attempts via the SSH CLI.
CiscoISE - Guest authentication failedHunting Query📦 SolutionCisco ISESearch for failed guest authentication events.
CiscoISE - Guest authentication succeededHunting Query📦 SolutionCisco ISESearch for successful guest authentication events.
CiscoISE - Rare or new useragentHunting Query📦 SolutionCisco ISESearch for rare or new user agent values.
CiscoISE - Sources with high number of 'Failed Authentication' eventsHunting Query📦 SolutionCisco ISESearch for sources with a high number of failed authentication events.
CiscoISE - Attempts to suspend the log collectorHunting Query📦 SolutionCisco ISESearch for attempts to suspend the log collector.
CiscoISEWorkbook📦 SolutionCisco ISE
CiscoISE-False Positives Clear PoliciesPlaybook📦 SolutionCisco ISEThis playbook gets triggered when a new Sentinel incident is created. 1. For each MAC address (MACAddress provided in the alert custom entities) in the incident, checks whether it was rejected in Cisco ISE...
CiscoISE-SuspendGuestUserPlaybook📦 SolutionCisco ISEWhen a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. For each Account in the incident suspends user in Cisco ISE by its name. 2. Adds comment to...
CiscoISE-TakeEndpointActionFromTeamsPlaybook📦 SolutionCisco ISEWhen a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be ta...
CiscoISEEventParser📦 SolutionCisco ISE
Cisco SDWAN - Intrusion EventsAnalytic Rule📦 SolutionCisco SD-WANThis Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.
Cisco SDWAN - IPS Event ThresholdAnalytic Rule📦 SolutionCisco SD-WANThis analytic rule will monitor specific IPS event in the data.
Cisco SDWAN - Maleware EventsAnalytic Rule📦 SolutionCisco SD-WANThis analytic rule will monitor malware events in Syslog and NetFlow data.
Cisco SDWAN - Monitor Critical IPsAnalytic Rule📦 SolutionCisco SD-WANThis analytic rule will monitor critical IPs in Syslog and Netflow Data.
CiscoSDWANWorkbook📦 SolutionCisco SD-WAN
CiscoSDWANIntrusionLogicAPPPlaybook📦 SolutionCisco SD-WANThis playbook provides an end-to-end example of adding a comment in the generated incident.
CiscoSDWANLogicAPPPlaybook📦 SolutionCisco SD-WANThis playbook provides an end-to-end example of sending an email, posting a message to the Microsoft Teams channel, and creating 3rd party ticket for the suspicious activity found in the data.
CiscoSDWANReportPlaybook📦 SolutionCisco SD-WANThis playbook provides an end-to-end example of sending an email for suspicious activity found in the data.
CiscoSDWANNetflow 🔍Parser📦 SolutionCisco SD-WAN
CiscoSyslogFW6LogSummary 🔍Parser📦 SolutionCisco SD-WAN
CiscoSyslogUTD 🔍Parser📦 SolutionCisco SD-WAN
MapNetflowUsername 🔍Parser📦 SolutionCisco SD-WAN
StealthwatchEventParser📦 SolutionCisco Secure Cloud Analytics
Cisco SE High Events Last HourAnalytic Rule📦 SolutionCisco Secure EndpointFind events from Cisco Secure Endpoint that are of High severity in the last hour.
Cisco SE - Connection to known C2 serverAnalytic Rule📦 SolutionCisco Secure EndpointThis rule is triggered when a connection to a known C2 server is detected from a host.
Cisco SE - Dropper activity on hostAnalytic Rule📦 SolutionCisco Secure EndpointDetects possible dropper activity on a host.
Cisco SE - Generic IOCAnalytic Rule📦 SolutionCisco Secure EndpointThis rule is triggered when a generic IOC is observed on a host.
Cisco SE - Malware execusion on hostAnalytic Rule📦 SolutionCisco Secure EndpointDetects malware execution on a host.
Cisco SE - Malware outbreakAnalytic Rule📦 SolutionCisco Secure EndpointDetects a possible malware outbreak.
Cisco SE - Multiple malware on hostAnalytic Rule📦 SolutionCisco Secure EndpointThis rule triggers when multiple malware detections occur on a host.
Cisco SE - Policy update failureAnalytic Rule📦 SolutionCisco Secure EndpointDetects policy update failures.
Cisco SE - Ransomware ActivityAnalytic Rule📦 SolutionCisco Secure EndpointThis rule is triggered when possible ransomware activity is detected on a host.
Cisco SE - Unexpected binary fileAnalytic Rule📦 SolutionCisco Secure EndpointDetects binary files in uncommon locations.
Cisco SE - Possible webshellAnalytic Rule📦 SolutionCisco Secure EndpointDetects a possible webshell on a host.
Cisco SE - Infected hostsHunting Query📦 SolutionCisco Secure EndpointQuery searches for infected hosts.
Cisco SE - Infected usersHunting Query📦 SolutionCisco Secure EndpointQuery searches for infected users.
Cisco SE - User LoginsHunting Query📦 SolutionCisco Secure EndpointQuery searches for user logins to management console.
Cisco SE - Malicious filesHunting Query📦 SolutionCisco Secure EndpointQuery searches for malicious files.
Cisco SE - Modified agents on hostsHunting Query📦 SolutionCisco Secure EndpointQuery searches for hosts with modified agent settings.
Cisco SE - Rare scanned filesHunting Query📦 SolutionCisco Secure EndpointQuery searches for rare scanned files.
Cisco SE - Scanned filesHunting Query📦 SolutionCisco Secure EndpointQuery searches for scanned files.
Cisco SE - Suspicious powershel downloadsHunting Query📦 SolutionCisco Secure EndpointQuery searches for suspicious PowerShell downloads.
Cisco SE - Uncommon application behaviorHunting Query📦 SolutionCisco Secure EndpointQuery searches for uncommon application behavior events.
Cisco SE - Vulnerable applicationsHunting Query📦 SolutionCisco Secure EndpointQuery searches for vulnerable applications on hosts.
Cisco Secure Endpoint OverviewWorkbook📦 SolutionCisco Secure Endpoint
CiscoSecureEndpointParser📦 SolutionCisco Secure Endpoint
CiscoUCSParser📦 SolutionCisco UCS
Cisco ASA - average attack detection rate increaseAnalytic Rule📦 SolutionCiscoASAThis will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.c...
Cisco ASA - threat detection message firedAnalytic Rule📦 SolutionCiscoASAIdentifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network, indicated by DeviceEventClassID 733101-733105. Resources: https://www.cisco.com/...
CiscoWorkbook📦 SolutionCiscoASA
Block IP - Cisco ASAPlaybook📦 SolutionCiscoASAThis playbook allows blocking/allowing of IPs in Cisco ASA, using a Network Object Group. The Network Object Group itself should be part of an Access Control Entry.
Cisco ASA - Create or remove access rules on an interface for IP AddressesPlaybook📦 SolutionCiscoASAThis playbook allows blocking/unblocking of IPs in Cisco ASA, using **Access Control Entries** which will be created in an access control list.
Cisco ASA - Create or Inbound Access Rule On InterfacePlaybook📦 SolutionCiscoASAThis playbook allows blocking/unblocking of IPs in Cisco ASA, using **Access Rules** which will be created on an interface.
Cisco Duo - Admin user deletedAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when an admin user is deleted.
Cisco Duo - Multiple admin 2FA failuresAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when multiple admin 2FA failures occur.
Cisco Duo - Admin password resetAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when an admin's password was reset.
Cisco Duo - AD sync failedAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when AD synchronization failed.
Cisco Duo - Multiple user login failuresAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when multiple user login failures occur.
Cisco Duo - Multiple users deletedAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when multiple users were deleted.
Cisco Duo - New access deviceAnalytic Rule📦 SolutionCiscoDuoSecurityDetects a new access device.
Cisco Duo - Admin user createdAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when a new admin user is created.
Cisco Duo - Authentication device new locationAnalytic Rule📦 SolutionCiscoDuoSecurityDetects a new location for an authentication device.
Cisco Duo - Unexpected authentication factorAnalytic Rule📦 SolutionCiscoDuoSecurityDetects when an unexpected authentication factor is used.
Cisco Duo - Admin failure authenticationsHunting Query📦 SolutionCiscoDuoSecurityQuery searches for administrators who had issues completing secondary authentication.
Cisco Duo - Delete actionsHunting Query📦 SolutionCiscoDuoSecurityQuery searches for delete actions performed by admin users.
Cisco Duo - Admin failure authenticationsHunting Query📦 SolutionCiscoDuoSecurityQuery searches admin failure authentication events.
Cisco Duo - Authentication errorsHunting Query📦 SolutionCiscoDuoSecurityQuery searches for authentication errors.
Cisco Duo - Authentication error reasonsHunting Query📦 SolutionCiscoDuoSecurityQuery searches for authentication error reasons.
Cisco Duo - Deleted usersHunting Query📦 SolutionCiscoDuoSecurityQuery searches for deleted users.
Cisco Duo - Fraud authenticationsHunting Query📦 SolutionCiscoDuoSecurityQuery searches for fraud authentication events.
Cisco Duo - New usersHunting Query📦 SolutionCiscoDuoSecurityQuery searches for new users created.
Cisco Duo - Devices with vulnerable OSHunting Query📦 SolutionCiscoDuoSecurityQuery searches for devices with vulnerable OS.
Cisco Duo - Devices with unsecure settingsHunting Query📦 SolutionCiscoDuoSecurityQuery searches for devices with insecure settings.
CiscoDuoWorkbook📦 SolutionCiscoDuoSecurity
CiscoDuoParser📦 SolutionCiscoDuoSecurity
CiscoMerakiWorkbookWorkbook📦 SolutionCiscoMeraki
Block Device Client - Cisco MerakiPlaybook📦 SolutionCiscoMerakiThis playbook checks if malicious device client is blocked by Cisco Meraki network.
Block IP Address - Cisco MerakiPlaybook📦 SolutionCiscoMerakiThis playbook checks if malicious IP address is blocked or unblocked by Cisco Meraki MX network.
Block URL - Cisco MerakiPlaybook📦 SolutionCiscoMerakiThis playbook checks if malicious URL is blocked in Cisco Meraki network.
IP Address Enrichment - Cisco MerakiPlaybook📦 SolutionCiscoMerakiThis playbook checks if malicious IP address is blocked or unblocked by Cisco Meraki MX network.
URL Enrichment - Cisco MerakiPlaybook📦 SolutionCiscoMerakiThis playbook checks if malicious URL is blocked or unblocked by Cisco Meraki network.
CiscoMerakiParser📦 SolutionCiscoMeraki
Cisco SEG - DLP policy violationAnalytic Rule📦 SolutionCiscoSEGDetects DLP policy violation.
Cisco SEG - Malicious attachment not blockedAnalytic Rule📦 SolutionCiscoSEGDetects mails with malicious attachments which were not blocked.
Cisco SEG - Multiple large emails sent to external recipientAnalytic Rule📦 SolutionCiscoSEGDetects possible data exfiltration.
Cisco SEG - Multiple suspiciuos attachments receivedAnalytic Rule📦 SolutionCiscoSEGDetects possible phishing emails.
Cisco SEG - Possible outbreakAnalytic Rule📦 SolutionCiscoSEGDetects possible outbreak activity.
Cisco SEG - Potential phishing linkAnalytic Rule📦 SolutionCiscoSEGDetects mails with suspicious links.
Cisco SEG - Suspicious linkAnalytic Rule📦 SolutionCiscoSEGDetects mails with suspicious links.
Cisco SEG - Suspicious sender domainAnalytic Rule📦 SolutionCiscoSEGDetects suspicious sender domain age.
Cisco SEG - Unexpected linkAnalytic Rule📦 SolutionCiscoSEGDetects mails with suspicious links.
Cisco SEG - Unexpected attachmentAnalytic Rule📦 SolutionCiscoSEGDetects possibly malicious attachments.
Cisco SEG - Unscannable attacmentAnalytic Rule📦 SolutionCiscoSEGDetects unscannable attachments in mails.
Cisco SEG - Dropped incoming mailsHunting Query📦 SolutionCiscoSEGQuery searches for dropped mails.
Cisco SEG - Dropped outgoing mailsHunting Query📦 SolutionCiscoSEGQuery searches for dropped outgoing mails.
Cisco SEG - DKIM failuresHunting Query📦 SolutionCiscoSEGQuery searches for mails with DKIM failure status.
Cisco SEG - DMARK failuresHunting Query📦 SolutionCiscoSEGQuery searches for mails with DMARC failure status.
Cisco SEG - SPF failuresHunting Query📦 SolutionCiscoSEGQuery searches for mails with SPF failure status.
Cisco SEG - Failed incoming TLS connectionsHunting Query📦 SolutionCiscoSEGQuery searches for failed incoming TLS connections.
Cisco SEG - Failed outgoing TLS connectionsHunting Query📦 SolutionCiscoSEGQuery searches for failed outgoing TLS connections.
Cisco SEG - Insecure protocolHunting Query📦 SolutionCiscoSEGQuery searches for connections with insecure protocol.
Cisco SEG - Sources of spam mailsHunting Query📦 SolutionCiscoSEGQuery searches for sources of spam mails.
Cisco SEG - Top users receiving spam mailsHunting Query📦 SolutionCiscoSEGQuery searches for top users receiving spam mails.
CiscoSEGWorkbook📦 SolutionCiscoSEG
CiscoSEGEventParser📦 SolutionCiscoSEG
Cisco Cloud Security - Connection to non-corporate private networkAnalytic Rule📦 SolutionCiscoUmbrellaDetects connections to IP addresses of broadband links, which usually indicate users attempting to access their home network, for example for a remote session to a home computer.
Cisco Cloud Security - Connection to Unpopular Website DetectedAnalytic Rule📦 SolutionCiscoUmbrellaDetects first connection to an unpopular website (possible malicious payload delivery).
Cisco Cloud Security - Crypto Miner User-Agent DetectedAnalytic Rule📦 SolutionCiscoUmbrellaDetects suspicious user agent strings used by crypto miners in proxy logs.
Cisco Cloud Security - Empty User Agent DetectedAnalytic Rule📦 SolutionCiscoUmbrellaDetects empty or unusual user agents, indicating web browsing activity by an unusual process other than a web browser.
Cisco Cloud Security - Hack Tool User-Agent DetectedAnalytic Rule📦 SolutionCiscoUmbrellaDetects suspicious user agent strings used by known hack tools.
Cisco Cloud Security - Windows PowerShell User-Agent DetectedAnalytic Rule📦 SolutionCiscoUmbrellaDetects PowerShell user-agent activity, i.e. web requests issued by a process other than a web browser.
Cisco Cloud Security - Rare User Agent DetectedAnalytic Rule📦 SolutionCiscoUmbrellaDetects rare user agents, indicating web browsing activity by an unusual process other than a web browser.
Cisco Cloud Security - Request Allowed to harmful/malicious URI categoryAnalytic Rule📦 SolutionCiscoUmbrellaDetects allowed requests to URI categories that provide harmful/malicious content; it is recommended that these categories be blocked by policy.
Cisco Cloud Security - Request to blocklisted file typeAnalytic Rule📦 SolutionCiscoUmbrellaDetects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).
Cisco Cloud Security - URI contains IP addressAnalytic Rule📦 SolutionCiscoUmbrellaMalware can use IP address to communicate with C2.
Cisco Cloud Security - Anomalous FQDNs for domainHunting Query📦 SolutionCiscoUmbrellaA large number of FQDNs under a domain may be an indicator of a suspicious domain.
Cisco Cloud Security - 'Blocked' User-Agents.Hunting Query📦 SolutionCiscoUmbrellaShows User-Agent values whose requests were blocked.
Cisco Cloud Security - DNS Errors.Hunting Query📦 SolutionCiscoUmbrellaShows DNS requests that returned errors.
Cisco Cloud Security - DNS requests to unreliable categories.Hunting Query📦 SolutionCiscoUmbrellaShows requests to URI categories which are heavily used in the Initial Access stage by threat actors and may contain malicious content.
Cisco Cloud Security - Higher values of count of the Same BytesIn sizeHunting Query📦 SolutionCiscoUmbrellaCounts requests with the same BytesIn size per Source-Destination pair over 24 hours. Higher counts may indicate beaconing.
Cisco Cloud Security - High values of Uploaded DataHunting Query📦 SolutionCiscoUmbrellaNormal user activity consists mostly of downloading data. Uploaded data is usually small unless there is a file/data upload to a website. Calculate the sum of BytesOut per Source-Destination pair ov...
Cisco Cloud Security - Possible connection to C2.Hunting Query📦 SolutionCiscoUmbrellaCounts requests with the same BytesIn size per Source-Destination pair over 12/24 hours. Higher counts may indicate beaconing: C2 servers reply with the same data, so the BytesIn value stays the same.
Cisco Cloud Security - Possible data exfiltrationHunting Query📦 SolutionCiscoUmbrellaNormal user activity consists mostly of downloading data. Uploaded data is usually small unless there is a file/data upload to a website. Calculate the sum of BytesOut per Source-Destination pair ov...
Cisco Cloud Security - Proxy 'Allowed' to unreliable categories.Hunting Query📦 SolutionCiscoUmbrellaShows allowed requests to URI categories which are heavily used in the Initial Access stage by threat actors and may contain malicious content.
Cisco Cloud Security - Requests to uncategorized resourcesHunting Query📦 SolutionCiscoUmbrellaShows requests to URLs where UrlCategory is not set.
CiscoUmbrellaWorkbook📦 SolutionCiscoUmbrella
CiscoUmbrella-AddIpToDestinationListPlaybook📦 SolutionCiscoUmbrellaThis playbook creates a Teams notification and, once the notification has been acted on, adds the IP to Cisco Cloud Security's destination list and also adds a comment to the incident. For more details, click [her...
CiscoUmbrella-AssignPolicyToIdentityPlaybook📦 SolutionCiscoUmbrellaThis playbook provides an automated way to associate an identity to an existing policy in Cisco Cloud Security. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solut...
CiscoUmbrella-BlockDomainPlaybook📦 SolutionCiscoUmbrellaThis playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be ...
CiscoUmbrella-GetDomainInfoPlaybook📦 SolutionCiscoUmbrellaThis playbook is used to get Security Information about a particular domain. It provides details such as security scores, reputation and other security-related metadata that can help assess if the dom...
Cisco_UmbrellaParser📦 SolutionCiscoUmbrella
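The four CiscoUmbrella hunting queries on beaconing and exfiltration above share one idea: aggregate proxy traffic per source-destination pair and look either for a reply size that repeats (C2 polling returns the same bytes each time, so BytesIn is constant) or for an unusually large BytesOut total. The block below is an added example of both aggregations run over constructed log lines; it is not the KQL from the solution and the CSV layout, field names and thresholds (8 repeats, 50 MiB) are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed proxy log in a simplified CSV layout (not real Cisco Umbrella
# data): timestamp,src_ip,dst_host,bytes_in,bytes_out
_BEACON_LINES = [
    # 12 requests five minutes apart, every reply exactly 512 bytes
    f"2024-05-01T10:{5 * i:02d}:00,10.0.0.5,updates.example.net,512,120"
    for i in range(12)
]
_OTHER_LINES = [
    "2024-05-01T10:00:00,10.0.0.7,cdn.example.com,40210,300",
    "2024-05-01T10:01:00,10.0.0.7,cdn.example.com,18822,310",
    "2024-05-01T10:02:00,10.0.0.7,cdn.example.com,9931,290",
    "2024-05-01T11:00:00,10.0.0.9,share.example.org,200,52428800",  # 50 MiB upload
    "2024-05-01T11:10:00,10.0.0.9,share.example.org,200,62914560",  # 60 MiB upload
]
PROXY_LOG = "\n".join(_BEACON_LINES + _OTHER_LINES)


def parse_proxy_log(text):
    """Parse the constructed CSV layout into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, bytes_in, bytes_out = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst,
                     "bytes_in": int(bytes_in), "bytes_out": int(bytes_out)})
    return rows


def beacon_candidates(rows, min_repeats=8):
    """For every (src, dst) pair, count how often each BytesIn value occurs.
    Pairs whose single most common reply size occurs at least `min_repeats`
    times are returned as {(src, dst): (bytes_in, count)}. Normal browsing
    (cdn.example.com below) produces varied sizes and never qualifies."""
    sizes = defaultdict(Counter)
    for r in rows:
        sizes[(r["src"], r["dst"])][r["bytes_in"]] += 1
    hits = {}
    for pair, counter in sizes.items():
        size, count = counter.most_common(1)[0]
        if count >= min_repeats:
            hits[pair] = (size, count)
    return hits


def exfil_candidates(rows, min_bytes_out=50 * 1024 * 1024):
    """Sum BytesOut per (src, dst) pair and return the pairs whose total
    meets the threshold as {(src, dst): total_bytes_out}."""
    totals = Counter()
    for r in rows:
        totals[(r["src"], r["dst"])] += r["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= min_bytes_out}


if __name__ == "__main__":
    rows = parse_proxy_log(PROXY_LOG)
    for (src, dst), (size, count) in beacon_candidates(rows).items():
        print(f"possible beacon: {src} -> {dst}, {count} replies of {size} bytes")
    for (src, dst), total in exfil_candidates(rows).items():
        print(f"possible exfiltration: {src} -> {dst}, {total} bytes uploaded")
```

In practice both thresholds are tuned per environment: software update checks also return constant-size replies, so the beacon check is a hunting lead rather than an alert, and the upload threshold should sit above the organization's normal large-file traffic to sanctioned sharing services.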
Cisco WSA - Access to unwanted siteAnalytic Rule📦 SolutionCiscoWSADetects users attempting to access sites in a high-risk category.
Cisco WSA - Unexpected uploadsAnalytic Rule📦 SolutionCiscoWSADetects unexpected file uploads.
Cisco WSA - Multiple errors to resource from risky categoryAnalytic Rule📦 SolutionCiscoWSADetects multiple connection errors to a resource in a risky category.
Cisco WSA - Multiple errors to URLAnalytic Rule📦 SolutionCiscoWSADetects multiple connection errors to a URL.
Cisco WSA - Multiple infected filesAnalytic Rule📦 SolutionCiscoWSADetects multiple infected files on the same source.
Cisco WSA - Multiple attempts to download unwanted fileAnalytic Rule📦 SolutionCiscoWSADetects when multiple attempts to download an unwanted file occur.
Cisco WSA - Suspected protocol abuseAnalytic Rule📦 SolutionCiscoWSADetects possible protocol abuse.
Cisco WSA - Internet access from public IPAnalytic Rule📦 SolutionCiscoWSADetects internet access from a public IP.
Cisco WSA - Unexpected file typeAnalytic Rule📦 SolutionCiscoWSADetects unexpected file types.
Cisco WSA - Unexpected URLAnalytic Rule📦 SolutionCiscoWSADetects unexpected URLs.
Cisco WSA - Unscannable file or scan errorAnalytic Rule📦 SolutionCiscoWSADetects downloaded files that were unscannable or produced a scan error.
Cisco WSA - Blocked filesHunting Query📦 SolutionCiscoWSAQuery searches for blocked files.
Cisco WSA - Rare aplicationsHunting Query📦 SolutionCiscoWSAQuery searches for rare applications.
Cisco WSA - Top aplicationsHunting Query📦 SolutionCiscoWSAQuery searches for top applications.
Cisco WSA - Top URLsHunting Query📦 SolutionCiscoWSAQuery searches for top URLs.
Cisco WSA - Uncategorized URLsHunting Query📦 SolutionCiscoWSAQuery searches for uncategorized URLs.
Cisco WSA - Uploaded filesHunting Query📦 SolutionCiscoWSAQuery searches for uploaded files.
Cisco WSA - Rare URL with errorHunting Query📦 SolutionCiscoWSAQuery searches for rare URLs with errors.
Cisco WSA - URL shortenersHunting Query📦 SolutionCiscoWSAQuery searches for connections to URL shortener resources.
Cisco WSA - Potentially risky resourcesHunting Query📦 SolutionCiscoWSAQuery searches for potentially risky resources.
Cisco WSA - User errorsHunting Query📦 SolutionCiscoWSAQuery searches for user errors while accessing resources.
CiscoWSAWorkbook📦 SolutionCiscoWSA
CiscoWSAEventParser📦 SolutionCiscoWSA
CitrixADCEventParser📦 SolutionCitrix ADC
CitrixADCEventOld 🔍Parser📦 SolutionCitrix ADC
CitrixAnalyticsWorkbook📦 SolutionCitrix Analytics CCF
CitrixWorkbook📦 SolutionCitrix Analytics for Security
CitrixWAFWorkbook📦 SolutionCitrix Web App Firewall
Claroty - Asset DownAnalytic Rule📦 SolutionClarotyTriggers when an asset is down.
Claroty - Critical baseline deviationAnalytic Rule📦 SolutionClarotyDetects when critical deviation from baseline occurs.
Claroty - Login to uncommon locationAnalytic Rule📦 SolutionClarotyDetects user login to uncommon location.
Claroty - Multiple failed logins by userAnalytic Rule📦 SolutionClarotyDetects multiple failed logins by same user.
Claroty - Multiple failed logins to same destinationsAnalytic Rule📦 SolutionClarotyDetects multiple failed logins to same destinations.
Claroty - New AssetAnalytic Rule📦 SolutionClarotyTriggers when a new asset has been added into the environment.
Claroty - Policy violationAnalytic Rule📦 SolutionClarotyDetects policy violations.
Claroty - Suspicious activityAnalytic Rule📦 SolutionClarotyDetects suspicious behavior that is generally indicative of malware.
Claroty - Suspicious file transferAnalytic Rule📦 SolutionClarotyDetects suspicious file transfer activity.
Claroty - Threat detectedAnalytic Rule📦 SolutionClarotyDetects communication with known malware command-and-control servers.
Claroty - Baseline deviationHunting Query📦 SolutionClarotyQuery searches for baseline deviation events.
Claroty - Conflict assetsHunting Query📦 SolutionClarotyQuery searches for conflicting assets.
Claroty - Critical EventsHunting Query📦 SolutionClarotyQuery searches for critical severity events.
Claroty - PLC loginsHunting Query📦 SolutionClarotyQuery searches for PLC login security alerts.
Claroty - Network scan sourcesHunting Query📦 SolutionClarotyQuery searches for sources of network scans.
Claroty - Network scan targetsHunting Query📦 SolutionClarotyQuery searches for targets of network scans.
Claroty - User failed loginsHunting Query📦 SolutionClarotyQuery searches for login failure events.
Claroty - Unapproved accessHunting Query📦 SolutionClarotyQuery searches for unapproved access events.
Claroty - Unresolved alertsHunting Query📦 SolutionClarotyQuery searches for alerts with unresolved status.
Claroty - Write and Execute operationsHunting Query📦 SolutionClarotyQuery searches for operations with Write and Execute accesses.
ClarotyOverviewWorkbook📦 SolutionClaroty
ClarotyEventParser📦 SolutionClaroty
Multi-Factor Authentication Disabled for a UserAnalytic Rule📦 SolutionCloud Identity Threat Protection EssentialsMulti-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to deactivate MFA for a user.
New External User Granted Admin RoleAnalytic Rule📦 SolutionCloud Identity Threat Protection EssentialsThis query will detect instances where a newly invited external user is granted an administrative role. By default this query will alert on any granted administrative role, however this can be modifie...
Application Granted EWS PermissionsHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query finds AD applications with EWS permissions to read user mailboxes. Threat actors could misuse these for persistent mailbox access. Ensure these permissions are legitimately granted and nece...
Detect Disabled Account Sign-in Attempts by Account NameHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query searches for failed attempts to sign-in to disabled accounts summarized by account name. This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contex...
Detect Disabled Account Sign-in Attempts by IP AddressHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query searches for failed sign-in attempts to disabled accounts summarized by the originating IP address.
Sign-ins from Nord VPN ProvidersHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query tracks sign-ins via Nord VPN using a daily-updated API. Investigate unfamiliar sign-ins from VPNs unless common in your organization. It now includes UEBA logs IdentityInfo and BehaviorAnal...
Sign-ins From VPS ProvidersHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query finds successful logons from known VPS providers with suspicious token patterns. It's not exhaustive but covers prevalent providers. Now includes UEBA logs IdentityInfo and BehaviorAnalytic...
Interactive STS refresh token modificationsHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query monitors STS refresh token changes by Service Principals/Applications excluding DirectorySync. It could be due to admins adjusting tokens or for improved login experience. Includes an allow...
Suspicious Sign-ins to Privileged AccountHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query identifies sign-ins from non-compliant or MFA-less devices to privileged accounts using a pre-built watchlist. Microsoft Sentinel offers customizable watchlist templates for your environmen...
User Granted Access and Grants Access to Other UsersHunting Query📦 SolutionCloud Identity Threat Protection EssentialsThis query identifies when a new user is granted access and starts granting access to other users. This can help you identify rogue or malicious user behavior.
Azure Key Vault Access Policy ManipulationHunting Query📦 SolutionCloud Service Threat Protection EssentialsThis query identifies instances where a user is added and subsequently removed from an Azure Key Vault access policy within a short duration, which could indicate attempts to credential access and per...
Azure Resources Assigned Public IP AddressesHunting Query📦 SolutionCloud Service Threat Protection EssentialsThis query identifies instances when public IP addresses are assigned to Azure Resources and show connections to those resources.
Cloudflare - Bad client IPAnalytic Rule📦 SolutionCloudflareDetects requests from IP with bad reputation index.
Cloudflare - Empty user agentAnalytic Rule📦 SolutionCloudflareDetects requests where user agent is empty.
Cloudflare - Multiple error requests from single sourceAnalytic Rule📦 SolutionCloudflareDetects multiple failure requests from single source in short timeframe.
Cloudflare - Multiple user agents for single sourceAnalytic Rule📦 SolutionCloudflareDetects requests with different user agents from one source in short timeframe.
Cloudflare - Client request from country in blocklistAnalytic Rule📦 SolutionCloudflareDetects requests from countries which are in blocklist.
Cloudflare - Unexpected POST requestsAnalytic Rule📦 SolutionCloudflareDetects post requests to unusual extensions.
Cloudflare - Unexpected client requestAnalytic Rule📦 SolutionCloudflareDetects client requests to unusual client request.
Cloudflare - Unexpected URIAnalytic Rule📦 SolutionCloudflareDetects client requests to unusual URI.
Cloudflare - WAF Allowed threatAnalytic Rule📦 SolutionCloudflareDetects WAF "Allowed" action on threat events.
Cloudflare - XSS probing pattern in requestAnalytic Rule📦 SolutionCloudflareDetects XSS probing patterns.
Cloudflare - Client errorsHunting Query📦 SolutionCloudflareQuery searches for client related errors.
Cloudflare - Client TLS errorsHunting Query📦 SolutionCloudflareQuery searches for client TLS errors.
Cloudflare - Files requestedHunting Query📦 SolutionCloudflareQuery searches for files requested.
Cloudflare - Rare user agentsHunting Query📦 SolutionCloudflareQuery searches rare user agent strings.
Cloudflare - Server errorsHunting Query📦 SolutionCloudflareQuery searches for server related errors.
Cloudflare - Server TLS errorsHunting Query📦 SolutionCloudflareQuery searches for server TLS errors.
Cloudflare - Top Network rulesHunting Query📦 SolutionCloudflareQuery searches top network rules triggered.
Cloudflare - Top WAF rulesHunting Query📦 SolutionCloudflareQuery searches top WAF rules triggered.
Cloudflare - Unexpected countriesHunting Query📦 SolutionCloudflareQuery searches requests by country and helps to identify requests coming from unexpected countries.
Cloudflare - Unexpected edge responseHunting Query📦 SolutionCloudflareQuery searches for unexpected EdgeResponseStatus values.
CloudflareWorkbook📦 SolutionCloudflare
CloudflareParser📦 SolutionCloudflare
Cloudflare - Bad client IPAnalytic Rule📦 SolutionCloudflare CCFDetects requests from IP with bad reputation index.
Cloudflare - Empty user agentAnalytic Rule📦 SolutionCloudflare CCFDetects requests where user agent is empty.
Cloudflare - Multiple error requests from single sourceAnalytic Rule📦 SolutionCloudflare CCFDetects multiple failure requests from single source in short timeframe.
Cloudflare - Multiple user agents for single sourceAnalytic Rule📦 SolutionCloudflare CCFDetects requests with different user agents from one source in short timeframe.
Cloudflare - Client request from country in blocklistAnalytic Rule📦 SolutionCloudflare CCFDetects requests from countries which are in blocklist.
Cloudflare - Unexpected POST requestsAnalytic Rule📦 SolutionCloudflare CCFDetects post requests to unusual extensions.
Cloudflare - Unexpected client requestAnalytic Rule📦 SolutionCloudflare CCFDetects client requests to unusual client request.
Cloudflare - Unexpected URIAnalytic Rule📦 SolutionCloudflare CCFDetects client requests to unusual URI.
Cloudflare - WAF Allowed threatAnalytic Rule📦 SolutionCloudflare CCFDetects WAF "Allowed" action on threat events.
Cloudflare - XSS probing pattern in requestAnalytic Rule📦 SolutionCloudflare CCFDetects XSS probing patterns.
Cloudflare - Client errorsHunting Query📦 SolutionCloudflare CCFQuery searches for client related errors.
Cloudflare - Client TLS errorsHunting Query📦 SolutionCloudflare CCFQuery searches for client TLS errors.
Cloudflare - Files requestedHunting Query📦 SolutionCloudflare CCFQuery searches for files requested.
Cloudflare - Rare user agentsHunting Query📦 SolutionCloudflare CCFQuery searches rare user agent strings.
Cloudflare - Server errorsHunting Query📦 SolutionCloudflare CCFQuery searches for server related errors.
Cloudflare - Server TLS errorsHunting Query📦 SolutionCloudflare CCFQuery searches for server TLS errors.
Cloudflare - Top Network rulesHunting Query📦 SolutionCloudflare CCFQuery searches top network rules triggered.
Cloudflare - Top WAF rulesHunting Query📦 SolutionCloudflare CCFQuery searches top WAF rules triggered.
Cloudflare - Unexpected countriesHunting Query📦 SolutionCloudflare CCFQuery searches requests by country and helps to identify requests coming from unexpected countries.
Cloudflare - Unexpected edge responseHunting Query📦 SolutionCloudflare CCFQuery searches for unexpected EdgeResponseStatus values.
CloudflareWorkbook📦 SolutionCloudflare CCF
CloudflareParser📦 SolutionCloudflare CCF
CofenseIntelligenceThreatIndicatorsWorkbook📦 SolutionCofenseIntelligence
CofenseTriageThreatIndicatorsWorkbook📦 SolutionCofenseTriage
Cognni Incidents for Highly Sensitive Business InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which highly sensitive business information was placed at risk by user sharing.
Cognni Incidents for Highly Sensitive Financial InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which highly sensitive financial information was placed at risk by user sharing.
Cognni Incidents for Highly Sensitive Governance InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which highly sensitive governance information was placed at risk by user sharing.
Cognni Incidents for Highly Sensitive HR InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which highly sensitive HR information was placed at risk by user sharing.
Cognni Incidents for Highly Sensitive Legal InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which highly sensitive legal information was placed at risk by user sharing.
Cognni Incidents for Low Sensitivity Business InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which low sensitivity business information] was placed at risk by user sharing.
Cognni Incidents for Low Sensitivity Financial InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which low sensitivity financial information was placed at risk by user sharing.
Cognni Incidents for Low Sensitivity Governance InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which low sensitivity governance information] was placed at risk by user sharing.
Cognni Incidents for Low Sensitivity HR InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which low sensitive HR information was placed at risk by user sharing.
Cognni Incidents for Low Sensitivity Legal InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which low sensitivity legal information was placed at risk by user sharing.
Cognni Incidents for Medium Sensitivity Business InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which medium sensitivity business information was placed at risk by user sharing.
Cognni Incidents for Medium Sensitivity Financial InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which medium sensitive financial information was placed at risk by user sharing.
Cognni Incidents for Medium Sensitivity Governance InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which medium sensitivity governance information was placed at risk by user sharing.
Cognni Incidents for Medium Sensitivity HR InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which medium sensitivity HR information was placed at risk by user sharing.
Cognni Incidents for Medium Sensitivity Legal InformationAnalytic Rule📦 SolutionCognniDisplay incidents in which medium sensitivity legal information was placed at risk by user sharing.
CognniIncidentsWorkbookWorkbook📦 SolutionCognni
Close Cohesity Helios IncidentPlaybook📦 SolutionCohesitySecurityThis playbook closes the corresponding Cohesity DataHawk (Helios) ticket.
Cohesity Create or Update ServiceNow incidentPlaybook📦 SolutionCohesitySecurityThis playbook creates and updates the incident in the ServiceNow platform.
Delete Cohesity incident blobsPlaybook📦 SolutionCohesitySecurityThis playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesity function apps.
Restore From Last Cohesity SnapshotPlaybook📦 SolutionCohesitySecurityThis playbook restores the latest good Data Hawk (Helios) snapshot.
Cohesity Incident EmailPlaybook📦 SolutionCohesitySecurityThis playbook sends an email to the recipient with the details related to the incidents.
CEFOverviewWorkbookWorkbook📦 SolutionCommon Event Format
Commvault Cloud AlertAnalytic Rule📦 SolutionCommvault Security IQThis query identifies Alerts from Commvault Cloud.
Commvault Disable Data Aging Logic App PlaybookPlaybook📦 SolutionCommvault Security IQThis Logic App executes when called upon by an Automation Rule. Accessing the KeyVault to retrieve various credentials, it executes a specific runbook depending on the use case.
Commvault Disable SAML Provider Logic App PlaybookPlaybook📦 SolutionCommvault Security IQThis Logic App executes when called upon by an Automation Rule. Accessing the KeyVault to retrieve various credentials, it executes a specific runbook depending on the use case.
Commvault Disable User Logic App PlaybookPlaybook📦 SolutionCommvault Security IQThis Logic App executes when called upon by an Automation Rule. Accessing the KeyVault to retrieve various credentials, it executes a specific runbook depending on the use case.
CDM_ContinuousDiagnostics&Mitigation_PostureChangedAnalytic Rule📦 SolutionContinuousDiagnostics&MitigationThis alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe...
CDM_ContinuousDiagnostics&Mitigation_PostureHunting Query📦 SolutionContinuousDiagnostics&MitigationThis hunting query is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. It provides a policy check assessment of current CDM policy status across c...
ContinuousDiagnostics&MitigationWorkbook📦 SolutionContinuousDiagnostics&Mitigation
Contrast BlocksAnalytic Rule📦 SolutionContrast ProtectCreates Incidents for Blocked events sourced from the Contrast Protect agent.
Contrast ExploitsAnalytic Rule📦 SolutionContrast ProtectCreates Incidents for Exploit events sourced from the Contrast Protect agent.
Contrast ProbesAnalytic Rule📦 SolutionContrast ProtectCreates Incidents for Probed events sourced from the Contrast Protect agent.
Contrast SuspiciousAnalytic Rule📦 SolutionContrast ProtectCreates Incidents for Suspicious events sourced from the Contrast Protect agent.
ContrastProtectWorkbook📦 SolutionContrast Protect
Contrast ADR - EDR Alert CorrelationAnalytic Rule📦 SolutionContrastADRCorrelates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security...
Contrast ADR - WAF Alert CorrelationAnalytic Rule📦 SolutionContrastADRCorrelates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked. This rule helps security teams prioritize incidents by focusing on at...
Contrast ADR - Exploited Attack EventAnalytic Rule📦 SolutionContrastADRDetects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security con...
Contrast ADR - Exploited Attack in ProductionAnalytic Rule📦 SolutionContrastADRDetects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring...
Contrast ADR - DLP SQL Injection CorrelationAnalytic Rule📦 SolutionContrastADRDetects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses ...
Contrast ADR - Security Incident AlertAnalytic Rule📦 SolutionContrastADRMonitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibi...
ContrastADR_Command_Injection_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_Cross_Site_Scripting_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_Expression_Language_Injection_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_HTTP_Method_Tampering_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_JNDI_Injection_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_Path_Traversal_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_SQL_Injection_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_Untrusted_Deserialization_WorkbookWorkbook📦 SolutionContrastADR
ContrastADR_XML External_Entity_Injection_Injection_WorkbookWorkbook📦 SolutionContrastADR
Contrast_alert_event_parserParser📦 SolutionContrastADR
Contrast_incident_parserParser📦 SolutionContrastADR
Corelight - C2 DGA Detected Via Repetitive FailuresAnalytic Rule📦 SolutionCorelightDetects large amounts of DNS resolution failures.
Corelight - External Proxy DetectedAnalytic Rule📦 SolutionCorelightDetects external proxy usage.
Corelight - Forced External Outbound SMBAnalytic Rule📦 SolutionCorelightDetects SMB requests that originate internally and communicate with an external IP address.
Corelight - Multiple Compressed Files Transferred over HTTPAnalytic Rule📦 SolutionCorelightDetects compressed archives transferre over HTTP.
Corelight - Multiple files sent over HTTP with abnormal requestsAnalytic Rule📦 SolutionCorelightDetects sources sending multiple compressed files greater than 10MBs sent over HTTP in a short amount of time.
Corelight - Network Service Scanning Multiple IP AddressesAnalytic Rule📦 SolutionCorelightIdentify scanning of services that may be available on the internal network.
Corelight - Possible WebshellAnalytic Rule📦 SolutionCorelightDetects post requests to unusual extensions.
Corelight - Possible Webshell (Rare PUT or POST)Analytic Rule📦 SolutionCorelightDetects rare post requests to a single webserver location.
Corelight - SMTP Email containing NON Ascii Characters within the SubjectAnalytic Rule📦 SolutionCorelightDetects where an emails contain non ascii characters within the Subject.
Corelight - Possible Typo Squatting or Punycode Phishing HTTP RequestAnalytic Rule📦 SolutionCorelightDetects when an HTTP request was made to a domain that was using unicode/punycode.
Corelight - Abnormal Email SubjectHunting Query📦 SolutionCorelightQuery searches for emails with NON-Ascii characters within the Subject .
Corelight - Compressed Files Transferred over HTTPHunting Query📦 SolutionCorelightQuery searches for top sources which transferred compressed archives over HTTP.
Corelight - Top sources of data transferredHunting Query📦 SolutionCorelightQuery searches for top sources by transferred data over period of time.
Corelight - External Facing ServicesHunting Query📦 SolutionCorelightQuery searches for external facing services.
Corelight - Files in logsHunting Query📦 SolutionCorelightQuery searches for files which where seen in logs over period of time.
Corelight - File uploads by sourceHunting Query📦 SolutionCorelightQuery searches for files uploaded over period of time by each source.
Corelight - Multiple Remote SMB Connections from single clientHunting Query📦 SolutionCorelightDetects when a single source is connecting to many different SMB or file shares.
Corelight - Obfuscated binary filenamesHunting Query📦 SolutionCorelightQuery searches for downloaded obfuscated binary file names.
Corelight - Rare PUT or POSTHunting Query📦 SolutionCorelightQuery searches for rare post requests to a single location.
Corelight - Repetitive DNS FailuresHunting Query📦 SolutionCorelightQuery searches for repetitive DNS resolution failures from single host.
CorelightWorkbook📦 SolutionCorelight
Corelight_Alert_AggregationsWorkbook📦 SolutionCorelight
Corelight_AWS_VPC_FlowWorkbook📦 SolutionCorelight
Corelight_Data_ExplorerWorkbook📦 SolutionCorelight
Corelight_Security_WorkflowWorkbook📦 SolutionCorelight
Corelight_Sensor_OverviewWorkbook📦 SolutionCorelight
CorelightParser📦 SolutionCorelight
corelight_anomalyParser📦 SolutionCorelight
corelight_bacnetParser📦 SolutionCorelight
corelight_capture_lossParser📦 SolutionCorelight
corelight_cipParser📦 SolutionCorelight
corelight_connParser📦 SolutionCorelight
corelight_conn_aggParser📦 SolutionCorelight
corelight_conn_longParser📦 SolutionCorelight
corelight_conn_redParser📦 SolutionCorelight
corelight_corelight_burstParser📦 SolutionCorelight
corelight_corelight_metrics_diskParser📦 SolutionCorelight
corelight_corelight_metrics_ifaceParser📦 SolutionCorelight
corelight_corelight_metrics_memoryParser📦 SolutionCorelight
corelight_corelight_metrics_systemParser📦 SolutionCorelight
corelight_corelight_metrics_zeek_doctorParser📦 SolutionCorelight
corelight_corelight_overall_capture_lossParser📦 SolutionCorelight
corelight_corelight_profilingParser📦 SolutionCorelight
corelight_dataredParser📦 SolutionCorelight
corelight_dce_rpcParser📦 SolutionCorelight
corelight_dgaParser📦 SolutionCorelight
corelight_dhcpParser📦 SolutionCorelight
corelight_dnp3Parser📦 SolutionCorelight
corelight_dnsParser📦 SolutionCorelight
corelight_dns_aggParser📦 SolutionCorelight
corelight_dns_redParser📦 SolutionCorelight
corelight_dpdParser📦 SolutionCorelight
corelight_encrypted_dnsParser📦 SolutionCorelight
corelight_enipParser📦 SolutionCorelight
corelight_enip_debugParser📦 SolutionCorelight
corelight_enip_list_identityParser📦 SolutionCorelight
corelight_etc_vizParser📦 SolutionCorelight
corelight_filesParser📦 SolutionCorelight
corelight_files_aggParser📦 SolutionCorelight
corelight_files_redParser📦 SolutionCorelight
corelight_first_seenParser📦 SolutionCorelight
corelight_ftpParser📦 SolutionCorelight
corelight_generic_dns_tunnelsParser📦 SolutionCorelight
corelight_generic_icmp_tunnelsParser📦 SolutionCorelight
corelight_httpParser📦 SolutionCorelight
corelight_http2Parser📦 SolutionCorelight
corelight_http_aggParser📦 SolutionCorelight
corelight_http_redParser📦 SolutionCorelight
corelight_icmp_specific_tunnelsParser📦 SolutionCorelight
corelight_intelParser📦 SolutionCorelight
corelight_ipsecParser📦 SolutionCorelight
corelight_ircParser📦 SolutionCorelight
corelight_iso_cotpParser📦 SolutionCorelight
corelight_kerberosParser📦 SolutionCorelight
corelight_known_certsParser📦 SolutionCorelight
corelight_known_devicesParser📦 SolutionCorelight
corelight_known_domainsParser📦 SolutionCorelight
corelight_known_hostsParser📦 SolutionCorelight
corelight_known_namesParser📦 SolutionCorelight
corelight_known_remotesParser📦 SolutionCorelight
corelight_known_servicesParser📦 SolutionCorelight
corelight_known_usersParser📦 SolutionCorelight
corelight_local_subnetsParser📦 SolutionCorelight
corelight_local_subnets_djParser📦 SolutionCorelight
corelight_local_subnets_graphsParser📦 SolutionCorelight
corelight_log4shellParser📦 SolutionCorelight
corelight_modbusParser📦 SolutionCorelight
corelight_mqtt_connectParser📦 SolutionCorelight
corelight_mqtt_publishParser📦 SolutionCorelight
corelight_mqtt_subscribeParser📦 SolutionCorelight
corelight_mysqlParser📦 SolutionCorelight
corelight_noticeParser📦 SolutionCorelight
corelight_ntlmParser📦 SolutionCorelight
corelight_ntpParser📦 SolutionCorelight
corelight_ocspParser📦 SolutionCorelight
corelight_openflowParser📦 SolutionCorelight
corelight_packet_filterParser📦 SolutionCorelight
corelight_peParser📦 SolutionCorelight
corelight_profinetParser📦 SolutionCorelight
corelight_profinet_dce_rpcParser📦 SolutionCorelight
corelight_profinet_debugParser📦 SolutionCorelight
corelight_radiusParser📦 SolutionCorelight
corelight_rdpParser📦 SolutionCorelight
corelight_reporterParser📦 SolutionCorelight
corelight_rfbParser📦 SolutionCorelight
corelight_s7commParser📦 SolutionCorelight
corelight_signaturesParser📦 SolutionCorelight
corelight_sipParser📦 SolutionCorelight
corelight_smartpcapParser📦 SolutionCorelight
corelight_smartpcap_statsParser📦 SolutionCorelight
corelight_smb_filesParser📦 SolutionCorelight
corelight_smb_mappingParser📦 SolutionCorelight
corelight_smtpParser📦 SolutionCorelight
corelight_smtp_linksParser📦 SolutionCorelight
corelight_snmpParser📦 SolutionCorelight
corelight_socksParser📦 SolutionCorelight
corelight_softwareParser📦 SolutionCorelight
corelight_specific_dns_tunnelsParser📦 SolutionCorelight
corelight_sshParser📦 SolutionCorelight
corelight_sslParser📦 SolutionCorelight
corelight_ssl_aggParser📦 SolutionCorelight
corelight_ssl_redParser📦 SolutionCorelight
corelight_statsParser📦 SolutionCorelight
corelight_steppingParser📦 SolutionCorelight
corelight_stunParser📦 SolutionCorelight
corelight_stun_natParser📦 SolutionCorelight
corelight_suricata_corelightParser📦 SolutionCorelight
corelight_suricata_eveParser📦 SolutionCorelight
corelight_suricata_statsParser📦 SolutionCorelight
corelight_suricata_zeek_statsParser📦 SolutionCorelight
corelight_suri_aggregationsParser📦 SolutionCorelight
corelight_syslogParser📦 SolutionCorelight
corelight_tdsParser📦 SolutionCorelight
corelight_tds_rpcParser📦 SolutionCorelight
corelight_tds_sql_batchParser📦 SolutionCorelight
corelight_tracerouteParser📦 SolutionCorelight
corelight_tunnelParser📦 SolutionCorelight
corelight_unknown_smartpcapParser📦 SolutionCorelight
corelight_util_statsParser📦 SolutionCorelight
corelight_vpnParser📦 SolutionCorelight
corelight_weirdParser📦 SolutionCorelight
corelight_weird_aggParser📦 SolutionCorelight
corelight_weird_redParser📦 SolutionCorelight
corelight_weird_statsParser📦 SolutionCorelight
corelight_wireguardParser📦 SolutionCorelight
corelight_x509Parser📦 SolutionCorelight
corelight_x509_redParser📦 SolutionCorelight
corelight_zeek_doctorParser📦 SolutionCorelight
CorelightAggregationsEnrichment1Watchlist📦 SolutionCorelight
CorelightAggregationsEnrichment2Watchlist📦 SolutionCorelight
CorelightDNSPortDescWatchlist📦 SolutionCorelight
CorelightGeoCountriesWatchlist📦 SolutionCorelight
CorelightInferencesDescWatchlist📦 SolutionCorelight
Cortex XDR Incident - HighAnalytic Rule📦 SolutionCortex XDRA new incident was created in the Cortex XDR portal with a severity "High". Click on the events for incident details.
Cortex XDR Incident - LowAnalytic Rule📦 SolutionCortex XDRA new incident was created in the Cortex XDR portal with a severity "Low". Click on the events for incident details.
Cortex XDR Incident - MediumAnalytic Rule📦 SolutionCortex XDRA new incident was created in the Cortex XDR portal with a severity "Medium". Click on the events for incident details.
PaloAltoCortexXDRParser📦 SolutionCortex XDR
CriblAccessParser📦 SolutionCribl
CriblAuditParser📦 SolutionCribl
CriblInternalParser📦 SolutionCribl
CriblUIAccessParser📦 SolutionCribl
Critical or High Severity Detections by UserAnalytic Rule📦 SolutionCrowdStrike Falcon Endpoint ProtectionCreates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user
Critical Severity DetectionAnalytic Rule📦 SolutionCrowdStrike Falcon Endpoint ProtectionCreates an incident when a CrowdStrike Falcon sensor detection is triggered with a Critical Severity
CrowdStrikeFalconEndpointProtectionWorkbook📦 SolutionCrowdStrike Falcon Endpoint Protection
Crowdstrike API authenticationPlaybook📦 SolutionCrowdStrike Falcon Endpoint ProtectionThis is Crowdstrike base template which is used to generate access token and this is used in actual crowdstrike templates. This playbook gets triggered when a new Http request is created and this is b...
Isolate endpoint - CrowdstrikePlaybook📦 SolutionCrowdStrike Falcon Endpoint ProtectionWhen a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions:
Endpoint enrichment - CrowdstrikePlaybook📦 SolutionCrowdStrike Falcon Endpoint ProtectionWhen a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions:
CrowdStrikeFalconEventStreamParser📦 SolutionCrowdStrike Falcon Endpoint Protection
CrowdStrikeReplicatorParser📦 SolutionCrowdStrike Falcon Endpoint Protection
CrowdStrikeReplicatorV2Parser📦 SolutionCrowdStrike Falcon Endpoint Protection
CrowdStrikeReplicator_future 🔍Parser📦 SolutionCrowdStrike Falcon Endpoint Protection
Antivirus Detected an Infected FileAnalytic Rule📦 SolutionCTERAMonitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
CTERA Mass Access Denied Detection AnalyticAnalytic Rule📦 SolutionCTERAThis analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
CTERA Mass Deletions Detection AnalyticAnalytic Rule📦 SolutionCTERAThis analytic rule detects and alerts when large amount of deletion operations generated by the CTERA Edge Filer
CTERA Mass Permissions Changes Detection AnalyticAnalytic Rule📦 SolutionCTERAThis analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
Ransom Protect Detected a Ransomware AttackAnalytic Rule📦 SolutionCTERAMonitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.
Ransom Protect User BlockedAnalytic Rule📦 SolutionCTERADetects malicious users blocked by CTERA Ransom Protect AI engine.
CTERA Batch Access Denied DetectionHunting Query📦 SolutionCTERAThis query detects access denied events generated by the CTERA Edge Filer
CTERA Batch File Deletions DetectionHunting Query📦 SolutionCTERAThis query detects file deletions generated by the CTERA Edge Filer.
CTERA Permission Change DetectionHunting Query📦 SolutionCTERAThis query detects permission changes generated by the CTERA Edge Filer.
CTERA_WorkbookWorkbook📦 SolutionCTERA
CyberBlindSpot - Any Issue Detected 🔍Analytic Rule📦 SolutionCTM360Generic alert that triggers when ANY CyberBlindSpot issue/incident is detected in the logs. Extracts nested metadata from RawPayload.
HackerView - Any Issue Detected 🔍Analytic Rule📦 SolutionCTM360Generic alert that triggers when ANY HackerView issue/incident is detected in the logs. Extracts nested metadata from RawPayload.
CBSLog_Parser 🔍Parser📦 SolutionCTM360
CBS_BreachedCredentials_Parser 🔍Parser📦 SolutionCTM360
CBS_CompromisedCards_Parser 🔍Parser📦 SolutionCTM360
CBS_DomainInfringement_Parser 🔍Parser📦 SolutionCTM360
CBS_MalwareLogs_Parser 🔍Parser📦 SolutionCTM360
CBS_SubdomainInfringement_Parser 🔍Parser📦 SolutionCTM360
HackerViewLog_Parser 🔍Parser📦 SolutionCTM360
CyberArkEPVWorkbook📦 SolutionCyberArk Privilege Access Manager (PAM) Events
CyberArk - High-Risk Actions Outside Business HoursAnalytic Rule📦 SolutionCyberArkAuditDetects privileged or destructive actions (delete/disable/rotate/elevate/etc.) occurring outside standard business hours. Useful for insider misuse or compromised admin detection.
CyberArk - Multiple Failed Actions Followed by Success (15m)Analytic Rule📦 SolutionCyberArkAuditDetects 3+ failed actions against an account followed by a success in a short window, indicating brute-force or credential guessing.
CyberArk - Sensitive Safe/Permission/Entitlement Changes (with customData)Analytic Rule📦 SolutionCyberArkAuditAlerts on control-plane modifications: safes, permissions, roles, entitlements, policy changes. Leverages customData fields such as changeType/role/permission/policy/entitlement to reduce misses.
CyberArkEPM - Attack attempt not blockedAnalytic Rule📦 SolutionCyberArkEPMThis rule triggers on attack attempt which was not blocked by CyberArkEPM.
CyberArkEPM - MSBuild usage as LOLBinAnalytic Rule📦 SolutionCyberArkEPMDetects usage of msbuild tool as LOLBin.
CyberArkEPM - Multiple attack typesAnalytic Rule📦 SolutionCyberArkEPMThis rule triggers on multiple attack attemts triggered by same user.
CyberArkEPM - Uncommon Windows process started from System folderAnalytic Rule📦 SolutionCyberArkEPMDetects when uncommon windows proccess is started from System folder.
CyberArkEPM - Possible execution of Powershell EmpireAnalytic Rule📦 SolutionCyberArkEPMDetects possible execution of Powershell Empire.
CyberArkEPM - Process started from different locationsAnalytic Rule📦 SolutionCyberArkEPMDetects when process started from different locations on a host.
CyberArkEPM - Uncommon process Internet accessAnalytic Rule📦 SolutionCyberArkEPMDetects access to the Internet by uncommon processes.
CyberArkEPM - Renamed Windows binaryAnalytic Rule📦 SolutionCyberArkEPMDetects renamed windows binaries.
Name | Type | Solution | Description
--- | --- | --- | ---
CyberArkEPM - Unexpected executable extension | Analytic Rule | CyberArkEPM | Detects Windows executables with an unexpected extension.
CyberArkEPM - Unexpected executable location | Analytic Rule | CyberArkEPM | Detects programs run from an unexpected location.
CyberArkEPM - Elevation requests | Hunting Query | CyberArkEPM | Query shows elevation requests.
CyberArkEPM - Powershell downloads | Hunting Query | CyberArkEPM | Query shows PowerShell downloads.
CyberArkEPM - Powershell scripts execution parameters | Hunting Query | CyberArkEPM | Query shows PowerShell script execution parameters.
CyberArkEPM - Processes with Internet access attempts | Hunting Query | CyberArkEPM | Query shows processes which attempted to access the Internet.
CyberArkEPM - Processes run as admin | Hunting Query | CyberArkEPM | Query shows processes run as admin.
CyberArkEPM - Process hash changed | Hunting Query | CyberArkEPM | Query shows processes whose hash has changed recently.
CyberArkEPM - Rare process run by users | Hunting Query | CyberArkEPM | Query shows rare processes run by users.
CyberArkEPM - Rare process vendors | Hunting Query | CyberArkEPM | Query shows rare process vendors.
CyberArkEPM - Scripts executed on hosts | Hunting Query | CyberArkEPM | Query shows scripts which were executed on hosts.
CyberArkEPM - Suspicious activity attempts | Hunting Query | CyberArkEPM | Query shows suspicious activity attempts.
CyberArkEPM | Workbook | CyberArkEPM |
CyberArkEPM | Parser | CyberArkEPM |
CMMC 2.0 Level 1 (Foundational) Readiness Posture | Analytic Rule | CybersecurityMaturityModelCertification(CMMC)2.0 | CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC 2.0 policy compliance is assessed below 70% compliance in 7 days.
CMMC 2.0 Level 2 (Advanced) Readiness Posture | Analytic Rule | CybersecurityMaturityModelCertification(CMMC)2.0 | CMMC 2.0 Level 2 (Advanced) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC 2.0 policy compliance is assessed below 70% compliance in 7 days.
CybersecurityMaturityModelCertification_CMMCV2 | Workbook | CybersecurityMaturityModelCertification(CMMC)2.0 |
Create-AzureDevOpsTask | Playbook | CybersecurityMaturityModelCertification(CMMC)2.0 | This playbook creates an Azure DevOps task populated with the Microsoft Sentinel incident details.
Create Jira Issue | Playbook | CybersecurityMaturityModelCertification(CMMC)2.0 | This playbook opens a Jira issue when a new incident is opened in Microsoft Sentinel.
Notify_GovernanceComplianceTeam | Playbook | CybersecurityMaturityModelCertification(CMMC)2.0 | This playbook creates an Azure DevOps task populated with the Microsoft Sentinel incident details.
Cybersixgill Actionable alerts | Hunting Query | Cybersixgill-Actionable-Alerts | View Cybersixgill Actionable alerts for the last 30 days.
ActionableAlertsDashboard | Workbook | Cybersixgill-Actionable-Alerts |
ActionableAlertsList | Workbook | Cybersixgill-Actionable-Alerts |
Cybersixgill-Alert-Status-Update | Playbook | Cybersixgill-Actionable-Alerts | This playbook updates the status of Cybersixgill alerts when the respective incident status is updated in Microsoft Sentinel.
Delete-Cybersixgill-Alert | Playbook | Cybersixgill-Actionable-Alerts | This playbook deletes the alert on the Cybersixgill portal when the respective incident is deleted in Microsoft Sentinel.
Cyble Advisory Alerts Advisory 🔍 | Analytic Rule | Cyble Vision | Generates Microsoft Sentinel incidents from Cyble Advisory service alerts. Advisory alerts provide intelligence and context related to monitored keywords. Severity is normalized using MappedSeverity fo...
Cyble Vision Alerts Assets | Analytic Rule | Cyble Vision | Scheduled rule that creates incidents for asset alerts using the saved parser Alerts_assets. Mandatory custom details: MappedSeverity, Status, AlertID, Service.
Cyble Vision Alerts Bitbucket | Analytic Rule | Cyble Vision | Detects exposed secrets in Bitbucket repositories using the Alerts_bit_bucket parser. Creates one incident per matched secret. Includes decoder, detector, commit, file, and repository context for SOC ...
Cyble Vision Alerts Cloud Storage | Analytic Rule | Cyble Vision | Detects cloud storage objects/paths discovered in ingestion (uses the Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects; includes bucket/object/url, size and workflo...
Cyble Vision Alerts Compromised Endpoint Cookies | Analytic Rule | Cyble Vision | Detects compromised browser cookies associated with monitored entities. Identifies exposed authentication cookies with future expiry, enabling potential session hijacking or persistent unauthorized ac...
Cyble Vision Alerts Compromised Files | Analytic Rule | Cyble Vision | Detects compromised files containing credential or logon data (stealer logs) related to monitored entities. Uses the Alerts_compromised_files parser to expose file paths, log objects, and extracted email ...
CybleVision Alerts Cyber Crime Forum Alerts | Analytic Rule | Cyble Vision | Detects discussions, marketplace posts, threat actor activity, and intelligence mentions from cybercrime forums. Extracts discussion metadata, topic details, URLs, emails, phone numbers, and content u...
Cyble Vision Alerts Darkweb Data Breaches | Analytic Rule | Cyble Vision | Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches par...
CybleVision Alerts Darkweb Marketplace Alerts | Analytic Rule | Cyble Vision | Detects stolen credentials, financial information, stealer logs, and related payloads listed on darkweb marketplaces such as RussianMarket. Extracts card data, victim info, metadata, and marketplace c...
Cyble Vision Alerts Darkweb Ransomware Leak | Analytic Rule | Cyble Vision | A ransomware threat actor has posted victim data on the dark web. This alert includes leaked documents, threat actor name, victim organization, timestamps, and extracted text content for SOC triage.
Cyble Vision Alerts Website Defacement Content | Analytic Rule | Cyble Vision | Triggers when monitored websites show new or suspicious content referencing known defacement patterns. Supports investigation into potential web compromise incidents.
Cyble Vision Alerts Website Defacement Keyword | Analytic Rule | Cyble Vision | Triggers when monitored defacement keywords appear on a website, indicating potential early signs of website compromise or defacement-related activity.
Cyble Vision Alerts Website Defacement URL | Analytic Rule | Cyble Vision | Detects suspicious or unexpected changes to monitored URLs which may indicate website tampering or defacement.
Cyble Vision Alerts Discord Keyword | Analytic Rule | Cyble Vision | Triggers when monitored keywords or risky content appear in Discord channels. Useful for detecting data leakage, impersonation, abuse or reputational threats originating from social platforms.
Cyble Vision Alerts Docker | Analytic Rule | Cyble Vision | Detects Docker Hub container entries related to monitored keywords. Uses the Alerts_docker parser. Includes metadata such as developer, stars, downloads, and image URL. Raises one incident per alert.
Cyble Vision Alerts Domain Expiry Alert | Analytic Rule | Cyble Vision | Triggers when a monitored domain is about to expire. Expired domains risk service disruption, takeover, or misuse by adversaries.
Cyble Vision Alerts Domain Watchlist | Analytic Rule | Cyble Vision | Triggers when monitored domain DNS records change (A, NS, MX, TXT, SOA). DNS record changes may indicate misconfiguration, domain takeover attempts, or infrastructure shifts requiring review.
Cyble Vision Alerts Flash Report | Analytic Rule | Cyble Vision | Detects new threat intelligence flash reports from CybleVision. Extracts company-level context and report identifiers for triage.
Cyble Vision Alerts Github | Analytic Rule | Cyble Vision | This alert generates incidents for Github.
Cyble Vision Alerts Hacktivism | Analytic Rule | Cyble Vision | Detects hacktivist activity (Telegram posts, defacements, site takedowns, etc.) using the Alerts_Hacktivism parser. Extracts post content, attacker/team, domains, links, IPs, media and metadata for tri...
Cyble Vision Alerts I2P Monitoring | Analytic Rule | Cyble Vision | Triggers when I2P content is detected related to monitored keywords. Useful for identifying extremist narratives, radicalization indicators, or harmful ideological campaigns spreading through I2P hidd...
Cyble Vision Alerts IOC'S | Analytic Rule | Cyble Vision | Detects malicious Indicators of Compromise such as IPs, domains, URLs, and hashes. Extracts IOC type, behaviour tags, risk rating, and timestamps using the Alerts_IOCs parser. Triggers an incident with ma...
Cyble Vision Alerts IP Risk Score | Analytic Rule | Cyble Vision | Triggers when the risk score for a monitored IP increases significantly. This may indicate new malicious behavior or an updated threat intelligence classification.
Cyble Vision Alerts Leaked Credentials | Analytic Rule | Cyble Vision | Detects leaked credentials identified by CybleVision ingestion and triggers an incident with mapped entities, severity, and details.
Cyble Vision Alerts Malicious Ads Detected | Analytic Rule | Cyble Vision | Generates an incident when Cyble Intelligence detects a malicious advertisement, malvertising activity, or redirect attempting to impersonate a legitimate brand.
CybleVision Alerts Mobile Apps | Analytic Rule | Cyble Vision | Detects suspicious, unauthorized or impersonating mobile applications from 3rd-party marketplaces using CybleVision data. Extracts metadata, screenshots, developer, package name, and detailed app attr...
Cyble Vision Alerts News Feed Alert | Analytic Rule | Cyble Vision | Triggers when monitored keywords are found in external news feeds. Helps analysts track relevant cybersecurity news, advisories, or threat intelligence updates tied to monitored entities.
Cyble Vision Alerts New Vulnerability Detected | Analytic Rule | Cyble Vision | A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.
Cyble Vision Alerts OSINT Mention Detected | Analytic Rule | Cyble Vision | Triggers when Cyble detects an OSINT mention related to monitored keywords, entities, or brand identifiers. OSINT findings may indicate data leaks, exposed content, targeting activity, impersonation, o...
Cyble Vision Alerts OT/ICS Threat Activity Detected | Analytic Rule | Cyble Vision | This alert indicates detection of OT/ICS-related network activity involving industrial control protocols (e.g., IEC104). May indicate probing, reconnaissance, or attempted access against critical infr...
Cyble Vision Alerts Pastebin | Analytic Rule | Cyble Vision | Cyble detected a paste containing references to monitored keywords or domains. Pastebin/Gist exposure may indicate data leakage or threat actor activity referencing the organization.
Cyble Vision Alerts Phishing Domain Detected | Analytic Rule | Cyble Vision | Cyble detected a phishing website impersonating a monitored brand. This alert provides landing page, host, screenshot, status and configured keyword for SOC triage.
Cyble Vision Alerts Physical Threat Alert | Analytic Rule | Cyble Vision | Creates an incident for physical threats identified by Cyble Intelligence such as explosions, safety incidents, riots, or violence. Each alert generates a single incident for SOC evaluation.
Cyble Vision Alerts Postman API Exposure Detection | Analytic Rule | Cyble Vision | Detects exposed Postman requests, collections or endpoints referencing monitored entities. Alerts analysts to possible API enumeration, leaked endpoints, or unintended exposure.
Cyble Vision Alerts Product Vulnerability Detected | Analytic Rule | Cyble Vision | Detects product vulnerability updates (CVE) for monitored products. Triggers SOC triage when a product vulnerability is reported or updated for a monitored product/version.
Cyble Vision Alerts Social Media Monitoring | Analytic Rule | Cyble Vision | Detects CybleVision 'social_media_monitoring' alerts and consolidates them into a single incident.
Cyble Vision Alerts SSL Certificate Expiry | Analytic Rule | Cyble Vision | Generates Microsoft Sentinel incidents for SSL certificates nearing expiry as detected by Cyble. These alerts help identify certificate hygiene risks that may lead to service disruption or security is...
CybleVision Alerts Stealer Logs | Analytic Rule | Cyble Vision | Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.
Cyble Vision Alerts Discovered Subdomain | Analytic Rule | Cyble Vision | Triggers when a new subdomain is detected for a monitored keyword/domain.
Cyble Vision Alerts Suspicious Domain | Analytic Rule | Cyble Vision | This rule generates Cyble Vision alerts for the Suspicious Domain service at severity LOW.
CybleVision Alerts Telegram Mentions | Analytic Rule | Cyble Vision | Detects mentions of monitored keywords across Telegram channels and groups. Extracts message content, URLs, chat metadata, user identity, and timestamps.
Cyble Vision Alerts TOR Links | Analytic Rule | Cyble Vision | Detects Tor marketplace, darkweb link, and onion domain alerts from CybleVision. Uses the Alerts_TorLinks parser to extract onion URLs, search engines, search keywords, content, and identifiers. Incid...
Cyble Vision Alerts Vulnerability | Analytic Rule | Cyble Vision | Detects SSL/TLS and application vulnerabilities from CybleVision. Extracts host, IP, port, severity, vulnerability ID and first-seen metadata using the Alerts_Vulnerability parser. Incidents grouped p...
Cyble Vision Alerts Cyble Web Applications | Analytic Rule | Cyble Vision | Creates an incident for each discovered or exposed web application detected by Cyble Intelligence. Useful for SOC teams to investigate externally facing login portals, misconfigurations, and exposed i...
CybleVisionAlertsWorkbook | Workbook | Cyble Vision |
CybleVisionAlert_Status_Update | Playbook | Cyble Vision | This Logic App updates Cyble alert status and severity based on Microsoft Sentinel incident changes. It supports automatic updates via automation rules and interprets user-applied tags to determine th...
Cyble-IOC_Enrichment-Playbook | Playbook | Cyble Vision | This playbook leverages the Cyble API to enrich IP, Domain, Url & Hash indicators found in Microsoft Sentinel incidents with the following context: Risk Score, Confidence, etc. The enrichment conten...
Cyble-ThreatIntelligence-Ingest-Playbook | Playbook | Cyble Vision | This playbook imports IoC lists from Cyble and stores them as Threat Intelligence Indicators in Microsoft Sentinel for detection purposes. This playbook depends on Cyble-ThreatIntelligence-Ingest tha...
Alerts_advisory | Parser | Cyble Vision |
Alerts_assets | Parser | Cyble Vision |
Alerts_bit_bucket | Parser | Cyble Vision |
Alerts_cloud_storage | Parser | Cyble Vision |
Alerts_compromised_endpoints_cookies | Parser | Cyble Vision |
Alerts_compromised_files | Parser | Cyble Vision |
Alerts_cyber_crime_forums | Parser | Cyble Vision |
Alerts_darkweb_data_breaches | Parser | Cyble Vision |
Alerts_darkweb_marketplaces | Parser | Cyble Vision |
Alerts_darkweb_ransomware | Parser | Cyble Vision |
Alerts_defacement_content | Parser | Cyble Vision |
Alerts_defacement_keyword | Parser | Cyble Vision |
Alerts_defacement_url | Parser | Cyble Vision |
Alerts_discord | Parser | Cyble Vision |
Alerts_docker | Parser | Cyble Vision |
Alerts_domain_expiry | Parser | Cyble Vision |
Alerts_domain_watchlist | Parser | Cyble Vision |
Alerts_flash_report | Parser | Cyble Vision |
Alerts_github | Parser | Cyble Vision |
Alerts_hacktivism | Parser | Cyble Vision |
Alerts_i2p | Parser | Cyble Vision |
Alerts_iocs | Parser | Cyble Vision |
Alerts_ip_risk_score | Parser | Cyble Vision |
Alerts_leaked_credentials | Parser | Cyble Vision |
Alerts_malicious_ads | Parser | Cyble Vision |
Alerts_mobile_apps | Parser | Cyble Vision |
Alerts_news_feed | Parser | Cyble Vision |
Alerts_new_vulnerability | Parser | Cyble Vision |
Alerts_osint | Parser | Cyble Vision |
Alerts_ot_ics | Parser | Cyble Vision |
Alerts_pastebin | Parser | Cyble Vision |
Alerts_phishing | Parser | Cyble Vision |
Alerts_physical_threats | Parser | Cyble Vision |
Alerts_postman | Parser | Cyble Vision |
Alerts_product_vulnerability | Parser | Cyble Vision |
Alerts_ransomware_updates | Parser | Cyble Vision |
Alerts_social_media_monitoring | Parser | Cyble Vision |
Alerts_ssl_expiry | Parser | Cyble Vision |
Alerts_stealer_logs | Parser | Cyble Vision |
Alerts_subdomains | Parser | Cyble Vision |
Alerts_suspicious_domains | Parser | Cyble Vision |
Alerts_telegram_mentions | Parser | Cyble Vision |
Alerts_tor_links | Parser | Cyble Vision |
Alerts_vulnerability | Parser | Cyble Vision |
Alerts_web_applications | Parser | Cyble Vision |
Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value | Hunting Query | Cyborg Security HUNTER | Identifies a potential new registry key name that is a non-autorun and non-run key under the HKLM\Software\Microsoft\Windows\CurrentVersion\ registry key and contains VBScript in the key value.
Excessive Windows Discovery and Execution Processes - Potential Malware Installation | Hunting Query | Cyborg Security HUNTER | Utilizes a list of commonly abused LOLBins an attacker or malware would execute in quick succession. The presence of multiple executions of the programs within the list can be indicative of an infection ...
LSASS Memory Dumping using WerFault.exe - Command Identification | Hunting Query | Cyborg Security HUNTER | Identifies WerFault.exe creating a memory dump of lsass.exe (Local Security Authority Subsystem Service, a process responsible for the enforcement of security policies on Windows systems, which genera...
Metasploit / Impacket PsExec Process Creation Activity | Hunting Query | Cyborg Security HUNTER | Meant to detect process creations containing names consistent with the schema used by Metasploit or Impacket's PsExec tool. Metasploit and Impacket's PsExec tooling is used by malicious actors for lat...
Potential Maldoc Execution Chain Observed | Hunting Query | Cyborg Security HUNTER | Detects the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Indicates an Office document was opened from an email or download/link, spawned a suspicious execution, and att...
Powershell Encoded Command Execution | Hunting Query | Cyborg Security HUNTER | Looks for valid variations of the -EncodedCommand parameter. Commonly used to encode or obfuscate commands; not all occurrences are malicious.
PowerShell Pastebin Download | Hunting Query | Cyborg Security HUNTER | Detects PowerShell commands downloading and executing code hosted on Pastebin and other services. This technique has been used by malicious actors to distribute malware; in particular it has been used b...
Prohibited Applications Spawning cmd.exe or powershell.exe | Hunting Query | Cyborg Security HUNTER | Hunts for commonly utilized Microsoft programs (Word, Excel, Publisher, etc.) and other programs known to maliciously launch powershell or cmd, such as Internet Explorer, Chrome and Firefox.
Proxy VBScript Execution via CurrentVersion Registry Key | Hunting Query | Cyborg Security HUNTER | Identifies VBScript proxy execution through a registry key in \Microsoft\Windows\CurrentVersion.
Rundll32 or cmd Executing Application from Explorer - Potential Malware Execution Chain | Hunting Query | Cyborg Security HUNTER | Identifies when rundll32 or cmd.exe is utilized to launch a malicious DLL or executable from explorer.exe. Indicative of a cmd window or LNK file executing a program or malware due to a user clicking ...
CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule | Analytic Rule | Cyfirma Attack Surface | This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. Such certificates do not meet modern encryption standards and are co...
CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule | Analytic Rule | Cyfirma Attack Surface | This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. Such certificates do not meet modern encryption standards and are con...
CYFIRMA - Attack Surface - Cloud Weakness High Rule | Analytic Rule | Cyfirma Attack Surface | This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. Such misconfigurations can lead to data exfiltration, compliance violations, and reputatio...
CYFIRMA - Attack Surface - Cloud Weakness Medium Rule | Analytic Rule | Cyfirma Attack Surface | This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. Such misconfigurations can lead to data exfiltration, compliance violations, and reputatio...
CYFIRMA - Attack Surface - Configuration High Rule | Analytic Rule | Cyfirma Attack Surface | This alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service. Such misconfigurations may include exposed admin interfaces, default credentials, open di...
CYFIRMA - Attack Surface - Configuration Medium Rule | Analytic Rule | Cyfirma Attack Surface | This alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service. Such misconfigurations may include exposed admin interfaces, default credentials, open di...
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule | Analytic Rule | Cyfirma Attack Surface | This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. The IP has been previously associated with hacking activity and web application...
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule | Analytic Rule | Cyfirma Attack Surface | This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. The IP has been previously associated with hacking activity and web application...
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule | Analytic Rule | Cyfirma Attack Surface | This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated softwa...
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule | Analytic Rule | Cyfirma Attack Surface | This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated softwa...
CYFIRMA - Attack Surface - Open Ports High Rule | Analytic Rule | Cyfirma Attack Surface | This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increas...
CYFIRMA - Attack Surface - Open Ports Medium Rule | Analytic Rule | Cyfirma Attack Surface | This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increas...
CYFIRMA - Brand Intelligence - Domain Impersonation High Rule | Analytic Rule | Cyfirma Brand Intelligence | This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. These suspicious ...
CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule | Analytic Rule | Cyfirma Brand Intelligence | This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. These suspicious ...
CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule | Analytic Rule | Cyfirma Brand Intelligence | This rule detects potential impersonation of executive or high-profile individuals across digital platforms such as social media. Such impersonation can be used to mislead stakeholders, perform soci...
CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule | Analytic Rule | Cyfirma Brand Intelligence | This rule detects potential impersonation of executive or high-profile individuals across digital platforms such as social media. Such impersonation can be used to mislead stakeholders, perform soci...
CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule | Analytic Rule | Cyfirma Brand Intelligence | This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets. Such impersonations may be distributed through unofficial a...
CYFIRMA - Brand Intelligence - Malicious Mobile App Medium Rule | Analytic Rule | Cyfirma Brand Intelligence | This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets. Such impersonations may be distributed through unofficial a...
CYFIRMA - Brand Intelligence - Product/Solution High Rule | Analytic Rule | Cyfirma Brand Intelligence | This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. The IP has been previously associated with hacking activity and web application...
CYFIRMA - Brand Intelligence - Product/Solution Medium Rule | Analytic Rule | Cyfirma Brand Intelligence | This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. The IP has been previously associated with hacking activity and web application...
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule | Analytic Rule | Cyfirma Brand Intelligence | Detects high-severity alerts related to impersonation of official social media handles associated with your brand. These spoofed accounts may be used for phishing, disinformation, or fraud campaigns...
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule | Analytic Rule | Cyfirma Brand Intelligence | Detects high-severity alerts related to impersonation of official social media handles associated with your brand. These spoofed accounts may be used for phishing, disinformation, or fraud campaigns...
CYFIRMA - Compromised Employees Detection Rule | Analytic Rule | Cyfirma Compromised Accounts | Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence. This rule captures the latest exposure of user credentials, IP addresses, hostn...
CYFIRMA - Customer Accounts Leaks Detection Rule | Analytic Rule | Cyfirma Compromised Accounts | Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence. This rule surfaces the latest credential exposures, including email, username, and breach metadata. It...
CYFIRMA - Public Accounts Leaks Detection Rule | Analytic Rule | Cyfirma Compromised Accounts | Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds. This rule monitors for credentials leaked through third-party breaches, dark web sources, or pu...
CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - High severity File Hash Indicators with Block Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This query retrieves file hash indicators marked for blocking, with no assigned role, from the CyfirmaIndicators_CL table. It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for u...
CYFIRMA - Medium severity File Hash Indicators with Block Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This query retrieves file hash indicators marked for blocking, with no assigned role, from the CyfirmaIndicators_CL table. It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for u...
CYFIRMA - High severity File Hash Indicators with Monitor Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This query retrieves file hash indicators marked for Monitoring, with no assigned role, from the CyfirmaIndicators_CL table. It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for...
CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This query retrieves file hash indicators marked for Monitoring, with no assigned role, from the CyfirmaIndicators_CL table. It extracts MD5, SHA1, and SHA256 hashes and includes threat metadata for...
CYFIRMA - High severity File Hash Indicators with Block Action and Malware | Analytic Rule | Cyfirma Cyber Intelligence | This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containin...
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware | Analytic Rule | Cyfirma Cyber Intelligence | This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containin...
CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware | Analytic Rule | Cyfirma Cyber Intelligence | This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containin...
CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware | Analytic Rule | Cyfirma Cyber Intelligence | This KQL query retrieves file hash indicators (MD5, SHA1, SHA256) from the CyfirmaIndicators_CL table within the last 5 minutes. It filters records with a confidence score of 80 or higher, containin...
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule detects network-based indicators identified by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These may represent attacker-controlled endpoi...
CYFIRMA - High severity Malicious Network Indicators with Block Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This rule detects network-based indicators such as IP addresses, domains, and URLs reported by CYFIRMA threat intelligence with a recommended action of 'Block' and no specified role. These indicator...
CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This rule detects network-based indicators such as IP addresses, domains, and URLs reported by CYFIRMA threat intelligence with a recommended action of 'Block' and no specified role. These indicator...
CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This rule detects high-confidence network-based indicators such as IP addresses, domains, and URLs reported by CYFIRMA threat intelligence with a recommended action of 'Monitor' and no specified role...
CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule | Analytic Rule | Cyfirma Cyber Intelligence | This rule detects network indicators such as IP addresses, domains, and URLs reported by CYFIRMA threat intelligence with a recommended action of 'Monitor' and no specified role. These indicators ma...
CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. These indicators are flagge...
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule identifies network indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. These indicators are flagged with...
CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. These indicators are flagge...
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. These indicators are flagge...
CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule | Analytic Rule | Cyfirma Cyber Intelligence | This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. These indicators may include IP addresses, domains, and URLs related to Tor netw...
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. These indicators may include IP addresses, domains, and URLs related to Tor netw...
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. These indicators may include IP addresses, domains, and URLs related to Tor netw...
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This KQL query identifies network-based indicators from CYFIRMA intelligence that are associated with the role 'TOR'. These indicators may include IP addresses, domains, and URLs related to Tor netw...
CYFIRMA - High severity Trojan File Hash Indicators with Block Action RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior ...
CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior ...
CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior ...
CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This KQL query extracts file hash indicators associated with Trojan activity from the CyfirmaIndicators_CL table. It specifically targets indicators containing file hashes linked to Trojan behavior ...
CYFIRMA - High severity Trojan Network Indicators - Block Recommended RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This analytics rule detects network-based indicators flagged by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These indicators may represent attacker-controll...
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This analytics rule detects network-based indicators flagged by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These indicators may represent attacker-controll...
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This analytics rule detects network-based indicators flagged by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These indicators may represent attacker-controll...
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended RuleAnalytic Rule📦 SolutionCyfirma Cyber Intelligence"This analytics rule detects network-based indicators flagged by CYFIRMA threat intelligence as associated with Command & Control (C2) infrastructure. These indicators may represent attacker-controll...
CYFIRMA - Data Breach and Web Monitoring - Dark Web High RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. These events often indicate unauthorized access or compromise of enterprise systems, cloud en...
CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. These events often indicate unauthorized access or compromise of enterprise systems, cloud en...
CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. These alerts may include malicious URLs used for credential harvesting, ...
CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. These alerts may include malicious URLs used for credential harvesting, ...
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. The alert is generated when threat acto...
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. The alert is generated when threat acto...
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This rule detects high-severity alerts from CYFIRMA regarding exposure of confidential files or forms linked to internal or client-related information, publicly accessible on platforms. These exposu...
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This rule detects Medium-severity alerts from CYFIRMA regarding exposure of confidential files or forms linked to internal or client-related information, publicly accessible on platforms. These expo...
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. Such ...
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. Such ...
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees...
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employe...
CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. Such exposure may lead to intellectual property leakage or help...
CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories RuleAnalytic Rule📦 SolutionCyfirma Digital Risk"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. Such exposure may lead to intellectual property leakage or help...
CYFIRMA - High Severity Asset based Vulnerabilities Rule AlertAnalytic Rule📦 SolutionCyfirma Vulnerabilities Intel"This rule detects high severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 80 or higher, excluding those cat...
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule AlertAnalytic Rule📦 SolutionCyfirma Vulnerabilities Intel"This rule detects medium severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those c...
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule AlertAnalytic Rule📦 SolutionCyfirma Vulnerabilities Intel"This rule detects high severity attack surface-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 80 or higher, excluding ...
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities RuleAnalytic Rule📦 SolutionCyfirma Vulnerabilities Intel"This rule detects medium severity attack surface-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding...
CyjaxWorkbook📦 SolutionCyjax
Cyjax Add Comment To IncidentPlaybook📦 SolutionCyjaxThis playbook is triggered via HTTP request and is designed to be used as a sub-playbook by other Cyjax playbooks (CyjaxIncidentEnrichment). It receives enrichment data (host, domain, hash, URL, Email...
Cyjax Ad Hoc EnrichmentPlaybook📦 SolutionCyjaxThis playbook is triggered via HTTP request and is designed to get IOC value from workbook provided by user and fetch it's related data from Cyjax and Ingest it into Log Analytics Workspace which will...
Cyjax Data BreachesPlaybook📦 SolutionCyjaxThis playbook is triggered manually from a Data Breaches Tab from Cyjax Workbook in Microsoft Sentinel. It fetches email credential breach data from Cyjax based on user provided inputs (Query, Since, ...
Cyjax Domain MonitorPlaybook📦 SolutionCyjaxThis playbook is triggered manually from a Domain Monitor Tab from Cyjax Workbook in Microsoft Sentinel. It fetches domain monitor data from Cyjax based on user provided inputs (Since, Until and Query...
Cyjax Incident EnrichmentPlaybook📦 SolutionCyjaxThis playbook is triggered manually or automatically from a incident in Microsoft Sentinel. It iterates through each entity in the incident (IP addresses, DNS/Domain names, file hashes, URL and Emails...
CyjaxCorrelateParser📦 SolutionCyjax
CyjaxThreatIndicatorParser📦 SolutionCyjax
Cynerio - IoT - Default passwordAnalytic Rule📦 SolutionCynerioUser signed in using default credentials
Cynerio - Exploitation Attempt of IoT deviceAnalytic Rule📦 SolutionCynerioExploitation Attempt of IoT device - Attack detection
Cynerio - IoT - Weak passwordAnalytic Rule📦 SolutionCynerioUser signed in using weak credentials
Cynerio - Medical device scanningAnalytic Rule📦 SolutionCynerioMedical device is scanned with vulnerability scanner
Cynerio - Suspicious Connection to External AddressAnalytic Rule📦 SolutionCynerioSuspicious Connection to External Address
CynerioOverviewWorkbookWorkbook📦 SolutionCynerio
CynerioEvent_Authentication 🔍Parser📦 SolutionCynerio
CynerioEvent_NetworkSession 🔍Parser📦 SolutionCynerio
Cyren to SentinelOne IOC AutomationPlaybook📦 SolutionCyren-SentinelOne-ThreatIntelligenceThis playbook fetches IP reputation and/or malware URL threat intelligence indicators from the Cyren CCF API feed and creates corresponding IOC indicators in SentinelOne for automated threat detection...
Cyren Feed Outage DetectionAnalytic Rule📦 SolutionCyrenThreatIntelligenceDetects when the Cyren threat intelligence feed has not ingested any data for 6 or more hours. This may indicate a connectivity issue with the data connector, API authentication problems, or upstream ...
Cyren High-Risk IP IndicatorsAnalytic Rule📦 SolutionCyrenThreatIntelligenceDetects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours. These IPs are associated with malicious activity such as malware distribution, phishing, o...
Cyren High-Risk URL IndicatorsAnalytic Rule📦 SolutionCyrenThreatIntelligenceDetects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours. These URLs are associated with malware distribution, phishing campaigns, or o...
CyrenThreatIntelligenceDashboardWorkbook📦 SolutionCyrenThreatIntelligence
Detecting Suspicious PowerShell Command ExecutionsHunting Query📦 SolutionCywareQuery identifies users denied registration for multiple webinars or recordings but successfully registered for at least one event. Threshold variable adjusts number of events user needs to be rejected...
Match Cyware Intel Watchlist Items With Common LogsHunting Query📦 SolutionCywareQuery to match common security log identifiers with IOCs held by the Cyware Intel watchlist that is created automatically by Cyware
Detecting Suspicious PowerShell Command ExecutionsHunting Query📦 SolutionCywareSpot connections to rarely accessed external domains that are present in your watchlist, which could signify data exfiltration attempts or C2 communication.
Send Microsoft Sentinel Incident To Cyware OrchestratePlaybook📦 SolutionCywareSend Microsoft Sentinel Incident To Cyware Orchestrate
D3 Smart SOAR - High or critical severity incident detectedAnalytic Rule📦 SolutionD3SmartSOARIdentifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
Darktrace Model BreachAnalytic Rule📦 SolutionDarktraceThis rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.
Darktrace System StatusAnalytic Rule📦 SolutionDarktraceThis rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.
Darktrace AI AnalystAnalytic Rule📦 SolutionDarktraceThis rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.
DarktraceWorkbookWorkbook📦 SolutionDarktrace
Dataminr - urgent alerts detectedAnalytic Rule📦 SolutionDataminr PulseRule helps to detect whenever there is an alert found which has urgent alert-type in Dataminr.
DataminrPulseAlertsWorkbook📦 SolutionDataminr Pulse
DataminrPulseAlertEnrichmentPlaybook📦 SolutionDataminr PulseThis playbook provides an end-to-end example of how alert enrichment works. This will extract the IP, Domain, HostName, URL or Hashes from the generated incident and call the Get alerts API of Datamin...
DataminrPulseAlertsParser📦 SolutionDataminr Pulse
DataminrPulseCyberAlertsParser📦 SolutionDataminr Pulse
DataminrPulseAssetWatchlist📦 SolutionDataminr Pulse
DataminrPulseVulnerableDomainWatchlist📦 SolutionDataminr Pulse
DataminrPulseVulnerableHashWatchlist📦 SolutionDataminr Pulse
DataminrPulseVulnerableIpWatchlist📦 SolutionDataminr Pulse
DataminrPulseVulnerableMalwareWatchlist📦 SolutionDataminr Pulse
Datawiza - massive errors detectedAnalytic Rule📦 SolutionDatawiza"This rule is designed to identify when the system is experiencing abnormal errors."
DelineaWorkbookWorkbook📦 SolutionDelinea Secret Server
DEV-0270 New User CreationAnalytic Rule📦 SolutionDev 0270 Detection and HuntingThe following query tries to detect creation of a new user using a known DEV-0270 username/password schema
Dev-0270 Malicious Powershell usageAnalytic Rule📦 SolutionDev 0270 Detection and HuntingDEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the followi...
Dev-0270 Registry IOC - September 2022Analytic Rule📦 SolutionDev 0270 Detection and HuntingThe query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom notes
Dev-0270 WMIC DiscoveryAnalytic Rule📦 SolutionDev 0270 Detection and HuntingThe query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.
testHunting Query📦 SolutionDEV-0537DetectionandHuntingtest
Digital Guardian - Sensitive data transfer over insecure channelAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects sensitive data transfer over insecure channel.
Digital Guardian - Exfiltration using DNS protocolAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects exfiltration using DNS protocol.
Digital Guardian - Exfiltration to online fileshareAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects exfiltration to online fileshare.
Digital Guardian - Exfiltration to private emailAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects exfiltration to private email.
Digital Guardian - Exfiltration to external domainAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects exfiltration to external domain.
Digital Guardian - Bulk exfiltration to external domainAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects bulk exfiltration to external domain.
Digital Guardian - Multiple incidents from userAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects multiple incidents from user.
Digital Guardian - Possible SMTP protocol abuseAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects possible SMTP protocol abuse.
Digital Guardian - Unexpected protocolAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects RDP protocol usage for data transfer which is not common.
Digital Guardian - Incident with not blocked actionAnalytic Rule📦 SolutionDigital Guardian Data Loss PreventionDetects when incident has not block action.
Digital Guardian - Incident domainsHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for incident domains.
Digital Guardian - Files sent by usersHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for files sent by users.
Digital Guardian - Users' incidentsHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for users' incidents.
Digital Guardian - Insecure file transfer sourcesHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for insecure file transfer sources.
Digital Guardian - Inspected filesHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for inspected files.
Digital Guardian - New incidentsHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for new incidents.
Digital Guardian - Rare destination portsHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for rare destination ports.
Digital Guardian - Rare network protocolsHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches rare network protocols.
Digital Guardian - Rare UrlsHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for rare Urls.
Digital Guardian - Urls usedHunting Query📦 SolutionDigital Guardian Data Loss PreventionQuery searches for URLs used.
DigitalGuardianWorkbook📦 SolutionDigital Guardian Data Loss Prevention
DigitalGuardianDLPEventParser📦 SolutionDigital Guardian Data Loss Prevention
Digital Shadows Incident Creation for exclude-appAnalytic Rule📦 SolutionDigital ShadowsDigital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for excluded classifications
Digital Shadows Incident Creation for include-appAnalytic Rule📦 SolutionDigital ShadowsDigital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications
DigitalShadowsWorkbook📦 SolutionDigital Shadows
Digital Shadows Playbook to Update Incident StatusPlaybook📦 SolutionDigital ShadowsThis playbook will update the status of Microsoft Sentinel incidents to match the status of the alerts imported from Digital Shadows SearchLight
Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule makes use of the series decompose anomaly method to generate an alert when client requests excessive amount of DNS queries to non-existent domains. This helps in identifying possible C2 comm...
Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes [ASIM](https://aka.ms/...
Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule makes use of the series decompose anomaly method to generate an alert when multiple clients report errors for the same DNS query. This rule monitors DNS traffic over a period of 14 days to d...
Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule creates an alert when multiple clients report errors for the same DNS query. This helps in identifying possible similar C2 communications originating from different clients. It utilizes [ASI...
Ngrok Reverse Proxy on Network (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recent...
Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule makes use of the series decompose anomaly method to detect clients with a high NXDomain response count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s...
Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when a new IP addre...
Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule makes use of the series decompose anomaly method to identify clients with high reverse DNS counts. This helps in detecting the possible initial phases of an attack, like discovery and reconn...
Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)Analytic Rule📦 SolutionDNS EssentialsThis rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like disc...
[Anomaly] Anomalous Increase in DNS activity by clients (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsChecks for an anomalous increase in DNS activity per client in the last 24 hours as compared to the last 14 days. Please note: To enhance performance, this query uses summarized data if available.
Connection to Unpopular Website Detected (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsThis query lists DNS queries not found in the top 1 million queries in the past 14 days. Please note: To enhance performance, this query uses summarized data if available.
CVE-2020-1350 (SIGRED) exploitation pattern (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsThis query detects the exploitation pattern of the CVE-2020-1350 (SIGRED) vulnerability. This query utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports t...
Top 25 DNS queries with most failures in last 24 hours (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsThis query searches for DNS queries that resulted in errors. This query utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.
Top 25 Domains with large number of Subdomains (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsA large number of subdomains for a domain may be an indicator of a suspicious domain. This query returns the top 25 domains by number of subdomains.
Increase in DNS Requests by client than the daily average count (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsChecking for a threefold increase or more in Full Name lookups per client IP for today vs. the daily average for the previous week.
Possible DNS Tunneling or Data Exfiltration Activity (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsTypical domain name lengths are short, whereas domain name queries used for data exfiltration or tunneling can often be very large in size. The hunting query looks for DNS queries that are more than 1...
Potential beaconing activity (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsThis query identifies beaconing patterns from DNS logs based on recurrent frequency patterns. Such a potential outbound beaconing pattern to untrusted public networks should be investigated for any ma...
Top 25 Sources(Clients) with high number of errors in last 24hours (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsThis query searches for the top 25 clients with the most errors. This query utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.
Unexpected top level domains (ASIM DNS Solution)Hunting Query📦 SolutionDNS EssentialsThis query looks for top-level domains that are longer than four characters. This query utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS ...
DNSSolutionWorkbookWorkbook📦 SolutionDNS Essentials
Summarize Data for DNS Essentials SolutionPlaybook📦 SolutionDNS EssentialsThis playbook summarizes data for DNS Essentials Solution and ingests into custom tables.
Domain ASIM Enrichment - DomainTools Iris EnrichPlaybook📦 SolutionDomainToolsGiven a domain or set of domains associated with an alert return all Iris Enrich data for those domains and adds the enrichment data to the custom table.
DomainTools DNSDB Co-Located IP AddressesPlaybook📦 SolutionDomainToolsThis playbook uses the Farsight DNSDB connector to automatically enrich IP Addresses found in the Microsoft Sentinel incidents. This lookup will identify all the IPs that are co-located (based on Doma...
DomainTools DNSDB Co-Located HostsPlaybook📦 SolutionDomainToolsThis playbook uses the Farsight DNSDB connector to automatically enrich Domain's found in the Microsoft Sentinel incidents. This use case describes the desire to easily identify Hosts that are co-loca...
DomainTools DNSDB Historical IP AddressesPlaybook📦 SolutionDomainToolsThis playbook uses the Farsight DNSDB connector to automatically enrich IP Addresses found in the Microsoft Sentinel incidents. This use case describes the desire to identify all Addresses used as DNS...
DomainTools DNSDB Historical HostsPlaybook📦 SolutionDomainToolsThis playbook uses the Farsight DNSDB connector to automatically enrich Domain's found in the Microsoft Sentinel incidents. This use case describes the desire to identify all Hosts that resolved to a ...
IP Enrichment - DomainTools Parsed WhoisPlaybook📦 SolutionDomainToolsThis playbook uses the DomainTools Parsed Whois API. Given a ip address or set of ip addresses associated with an incident, return Whois information data for the extracted ip addresess as comments to ...
Domain Enrichment - DomainTools Iris EnrichPlaybook📦 SolutionDomainToolsGiven a domain or set of domains associated with an incident return all Iris Enrich data for those domains as comments in the incident.
Domain Enrichment - DomainTools Iris InvestigatePlaybook📦 SolutionDomainToolsGiven a domain or set of domains associated with an incident return all Iris Investigate data for those domains as comments in the incident.
DomainToolsDNSParser📦 SolutionDomainTools
DoppelWorkbook📦 SolutionDoppel
DORAComplianceWorkbook📦 SolutionDORA Compliance
DPDPComplianceWorkbook📦 SolutionDPDP Compliance
Dragos NotificationsAnalytic Rule📦 SolutionDragosFires Microsoft Sentinel alerts for Dragos Notifcations.
DragosNotificationsToSentinelParser📦 SolutionDragos
DragosPullNotificationsToSentinelParser📦 SolutionDragos
DragosPushNotificationsToSentinelParser📦 SolutionDragos
DragosSeverityToSentinelSeverityParser📦 SolutionDragos
Druva Quarantine Playbook for Enterprise WorkloadPlaybook📦 SolutionDruvaDataSecurityCloudThis playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread in your enterprise workload
Druva Quarantine Playbook for inSync WorkloadsPlaybook📦 SolutionDruvaDataSecurityCloudThis playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread to your inSync User based workloads.
Druva Quarantine Playbook for Shared DrivePlaybook📦 SolutionDruvaDataSecurityCloudThis playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread to your shared drives.
Druva Quarantine Playbook for SharepointPlaybook📦 SolutionDruvaDataSecurityCloudThis playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread in your Sharepoint
Druva Quarantine Using Resource idPlaybook📦 SolutionDruvaDataSecurityCloudThis playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread to your environment.
Dynatrace Application Security - Attack detectionAnalytic Rule📦 SolutionDynatraceDynatrace has detected an ongoing attack in your environment.
Dynatrace Application Security - Code-Level runtime vulnerability detectionAnalytic Rule📦 SolutionDynatraceDetect Code-level runtime vulnerabilities in your environment
Dynatrace Application Security - Non-critical runtime vulnerability detectionAnalytic Rule📦 SolutionDynatraceDetect runtime vulnerabilities in your environment insights by snyk
Dynatrace Application Security - Third-Party runtime vulnerability detectionAnalytic Rule📦 SolutionDynatraceDetect Third-Party runtime vulnerabilities in your environment insights by snyk
Dynatrace - Problem detectionAnalytic Rule📦 SolutionDynatraceDetect application & infrastructure problems in your environment
DynatraceWorkbook📦 SolutionDynatrace
Add Dynatrace Application Security Attack Source IP Address to Threat IntelligencePlaybook📦 SolutionDynatraceThis playbook will add an attackers source ip to Threat Intelligence when a new incident is opened in Microsoft Sentinel.
Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insightsPlaybook📦 SolutionDynatraceThis playbook will enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights.
Enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security AlertsPlaybook📦 SolutionDynatraceThis playbook will enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts.
Enrich Dynatrace Application Security Attack IncidentPlaybook📦 SolutionDynatraceThis playbook will enriche Dynatrace Application Security Attack Incidents with additional information when new incident is opened.
Ingest Microsoft Defender XDR insights into DynatracePlaybook📦 SolutionDynatraceThis playbook will ingest Microsoft Defender XDR insights into Dynatrace.
Ingest Microsoft Sentinel Security Alerts into DynatracePlaybook📦 SolutionDynatraceThis playbook will ingest Microsoft Sentinel Security Alerts into Dynatrace.
DynatraceAttacksParser📦 SolutionDynatrace
DynatraceAuditLogsParser📦 SolutionDynatrace
DynatraceProblemsParser📦 SolutionDynatrace
DynatraceSecurityProblemsParser📦 SolutionDynatrace
EatonForeseer - Unauthorized LoginsAnalytic Rule📦 SolutionEatonForeseerDetects Unauthorized Logins into Eaton Foreseer
EatonForeseerHealthAndAccessWorkbook📦 SolutionEatonForeseer
Create Observable - EclecticIQPlaybook📦 SolutionEclecticIQThis playbook adds new observable in EclecticIQ based on the entities info present in Sentinel incident. If same type and value exists already, then it will update the observable and comment will be a...
Enrich Incident - EclecticIQPlaybook📦 SolutionEclecticIQThis playbook perform look up into EclecticIQ for the entities (Account, Host, IP, FileHash, URL) present result to Microsoft Sentinel incident
Egress Defend - Dangerous Attachment DetectedAnalytic Rule📦 SolutionEgress DefendDefend has detected a user has a suspicious file type from a suspicious sender in their mailbox.
Egress Defend - Dangerous Link ClickAnalytic Rule📦 SolutionEgress DefendDefend has detected a user has clicked a dangerous link in their mailbox.
Dangerous emails with links clickedHunting Query📦 SolutionEgress DefendThis will check for emails that Defend has identified as dangerous and a user has clicked a link.
DefendMetricsWorkbook📦 SolutionEgress Defend
DefendAuditData 🔍Parser📦 SolutionEgress Defend
PreventWorkbookWorkbook📦 SolutionEgress Iris
ElasticSearch-EnrichIncidentPlaybook📦 SolutionElastic SearchThis playbook search in Elastic Search for based on the entities (Account, Host, IP, FileHash, URL) present result to Microsoft Sentinel incident
ElasticAgentEvent 🔍Parser📦 SolutionElasticAgent
Endace - Pivot-to-VisionHunting Query📦 SolutionEndaceThis query displays a Pivot-to-Vision URL from the fields populated within the CommonSecurityLog. This KQL can be used as-is, or adapted to suite other threat-hunting and playbook functionality
Base64 encoded Windows process command-linesAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsIdentifies instances of a base64-encoded PE file header seen in the process command line parameter.
Dumping LSASS Process Into a FileAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a va...
Process executed from binary hidden in Base64 encoded fileAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsEncoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking ...
Lateral Movement via DCOMAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsThis query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement t...
Detecting Macro Invoking ShellBrowserWindow COM ObjectsAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsThis query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.
Malware in the recycle binAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsThe query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin. The list of these binaries is sourced from https://lolbas-project.github.io/ Referenc...
Potential Remote Desktop TunnelingAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsThis query detects remote desktop authentication attempts with a localhost source address, which can indicate a tunneled login. Ref: https://www.mandiant.com/resources/bypassing-network-restrictions-t...
Registry Persistence via AppCert DLL ModificationAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the...
Registry Persistence via AppInit DLLs ModificationAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the...
Security Event log clearedAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsChecks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS s...
Suspicious Powershell Commandlet ExecutedAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsThis analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and...
WDigest downgrade attackAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsWhen the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest...
Windows Binaries Executed from Non-Default DirectoryAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsThe query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\Windows\, C:\Windows\System32 etc.). Ref: https://lolbas-project.github.io/
Windows Binaries Lolbins RenamedAnalytic Rule📦 SolutionEndpoint Threat Protection EssentialsThis query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cor...
Certutil (LOLBins and LOLScripts, Normalized Process Events)Hunting Query📦 SolutionEndpoint Threat Protection EssentialsThis detection uses Normalized Process Events to hunt Certutil activities.
Windows System Shutdown/Reboot (Normalized Process Events)Hunting Query📦 SolutionEndpoint Threat Protection EssentialsThis detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529).
Backup DeletionHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query detects attempts to delete backups, which could be ransomware activity to prevent file restoration and disrupt business services.
Detect Certutil (LOLBins and LOLScripts) UsageHunting Query📦 SolutionEndpoint Threat Protection EssentialsSysmon telemetry detects Certutil activities, a tool for cryptographic operations and certificate management. While legitimate, it's also used by malware.
Download of New File Using CurlHunting Query📦 SolutionEndpoint Threat Protection EssentialsThreat actors may use tools such as Curl to download additional files, communicate with C2 infrastructure, or exfiltrate data. This query looks for new files being downloaded using Curl.
Execution of File with One Character in the NameHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query detects execution of files with one character in the name (e.g, a.exe, 7.ps1, g.vbs etc.). Normally files that are executed have more characters in the name and this can indicate a malicio...
Persisting via IFEO Registry KeyHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query detects frequent creation and deletion of IFEO registry keys in a short time, a technique used by adversaries for system persistence.
Potential Microsoft Security Services TamperingHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query identifies potential tampering related to Microsoft security related products and services.
Remote Login Performed with WMIHunting Query📦 SolutionEndpoint Threat Protection EssentialsIt detects authentication attempts performed with WMI. Adversaries may abuse WMI to execute malicious commands and payloads. Ref: https://www.mandiant.com/resources/bypassing-network-restrictions-thro...
Remote Scheduled Task Creation or Update using ATSVC Named PipeHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query detects a scheduled task, created/updated remotely, using the ATSVC name pipe. Threat actors are using scheduled tasks for establishing persistence and moving laterally through the networ...
Scheduled Task Creation or Update from User Writable DirectoryHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query triggers when a scheduled task is created or updated and it is going to run programs from writable user paths.
Rundll32 (LOLBins and LOLScripts)Hunting Query📦 SolutionEndpoint Threat Protection EssentialsThis detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities.
Suspicious Powershell Commandlet ExecutionHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query searches for suspicious PowerShell commandlet executions, often used by Threat Actors to move laterally, escalate privileges, or exfiltrate data.
Unicode Obfuscation in Command LineHunting Query📦 SolutionEndpoint Threat Protection EssentialsThe query looks for Command Lines that contain non ASCII characaters. Insertion of these characters could be used to evade detections. Command lines should be reviewed to determine whether inclusion ...
Rare Windows Firewall Rule updates using NetshHunting Query📦 SolutionEndpoint Threat Protection EssentialsThis query searches for rare firewall rule changes using netsh utility by comparing rule names and program names from the previous day.
Block Risky/Compromised User From EntrustPlaybook📦 SolutionEntrust identity as ServiceThis playbook Block the risky user and update the status in comments section of triggered incident so that SOC analysts get aware of the action taken by playbook
Fetch IP Details From EntrustPlaybook📦 SolutionEntrust identity as ServiceThis playbook provides the IP details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack from unknown/compromised entity
Fetch User Details From EntrustPlaybook📦 SolutionEntrust identity as ServiceThis playbook provides the user essential details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack from unknown/compromised entity
Fetch IP Details From Entrust - EntityPlaybook📦 SolutionEntrust identity as ServiceThis playbook provides the IP details of user authentication and management activity in comments section of incident so that SOC analysts can directly take corrective measure to stop the attack from u...
Fetch User Details From Entrust - EntityPlaybook📦 SolutionEntrust identity as ServiceThis playbook provides the user essential details in comments section of incident so that SOC analysts can directly take corrective measure to stop the attack from unknown/compromised entity
ESETProtectPlatformParser📦 SolutionESET Protect Platform
Web sites blocked by EsetAnalytic Rule📦 SolutionEset Security Management CenterCreate alert on web sites blocked by Eset.
Threats detected by EsetAnalytic Rule📦 SolutionEset Security Management CenterEscalates threats detected by Eset.
esetSMCWorkbookWorkbook📦 SolutionEset Security Management Center
Threats detected by ESETAnalytic Rule📦 SolutionESETPROTECTEscalates threats detected by ESET.
Website blocked by ESETAnalytic Rule📦 SolutionESETPROTECTCreate alert on websites blocked by ESET.
ESETPROTECTWorkbook📦 SolutionESETPROTECT
ESETPROTECTParser📦 SolutionESETPROTECT
ExabeamEventParser📦 SolutionExabeam Advanced Analytics
Generate alerts based on ExtraHop detections recommended for triageAnalytic Rule📦 SolutionExtraHopThis analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.
ExtraHopDetectionsOverviewWorkbook📦 SolutionExtraHop
ExtraHopDetectionsParser📦 SolutionExtraHop
ExtraHopDetectionSummaryWorkbook📦 SolutionExtraHop Reveal(x)
F5BIGIPSystemMetricsWorkbook📦 SolutionF5 Big-IP
F5NetworksWorkbook📦 SolutionF5 Big-IP
ASR Bypassing Writing Executable ContentAnalytic Rule📦 SolutionFalconFridayThe query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files. (e.g. ps1, .js, ...
Microsoft Entra ID Rare UserAgent App Sign-inAnalytic Rule📦 SolutionFalconFridayThis query establishes a baseline of the type of UserAgent (i.e. browser, office application, etc) that is typically used for a particular application by looking back for a number of days. It then se...
Microsoft Entra ID UserAgent OS MissmatchAnalytic Rule📦 SolutionFalconFridayThis query extracts the operating system from the UserAgent header and compares this to the DeviceDetail information present in Microsoft Entra ID.
Certified Pre-Owned - backup of CA private key - rule 1Analytic Rule📦 SolutionFalconFridayThis query identifies someone that performs a read operation of they CA key from the file.
Certified Pre-Owned - backup of CA private key - rule 2Analytic Rule📦 SolutionFalconFridayThis query identifies someone that performs a backup of they CA key.
Certified Pre-Owned - TGTs requested with certificate authenticationAnalytic Rule📦 SolutionFalconFridayThis query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
Ingress Tool Transfer - CertutilAnalytic Rule📦 SolutionFalconFridayThis detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. It attempts to accommodate for most detection evasion techniques, like commandline obfuscatio...
Component Object Model Hijacking - Vault7 trickAnalytic Rule📦 SolutionFalconFridayThis detection looks for the very specific value of "Attribute" in the "ShellFolder" CLSID of a COM object. This value (0xf090013d) seems to only link back to this specific persistence method. The bl...
Access Token Manipulation - Create Process with TokenAnalytic Rule📦 SolutionFalconFridayThis query detects the use of the 'runas' command and checks whether the account used to elevate privileges isn't the user's own admin account. Additionally, it will match this event to the logon eve...
DCOM Lateral MovementAnalytic Rule📦 SolutionFalconFridayThis detection looks for cases of close-time proximity between incoming network traffic on RPC/TCP, followed by the creation of a DCOM object, followed by the creation of a child process of the DCOM o...
Disable or Modify Windows DefenderAnalytic Rule📦 SolutionFalconFridayThis detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed by @olafhartong on a large sample of malware for varying pu...
Hijack Execution Flow - DLL Side-LoadingAnalytic Rule📦 SolutionFalconFridayThis detection tries to identify all DLLs loaded by "high integrity" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of cou...
Detect .NET runtime being loaded in JScript for code executionAnalytic Rule📦 SolutionFalconFridayThis query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Foreshaw documented here https://github.c...
Excessive share permissionsAnalytic Rule📦 SolutionFalconFridayThe query searches for event 5143, which is triggered when a share is created or changed and includes de share permissions. First it checks to see if this is a whitelisted share for the system (e.g. d...
Expired access credentials being used in AzureAnalytic Rule📦 SolutionFalconFridayThis query searches for logins with an expired access credential (for example an expired cookie). It then matches the IP address from which the expired credential access occurred with the IP addresses...
Match Legitimate Name or Location - 2Analytic Rule📦 SolutionFalconFridayAttackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes. This query detects mismatches in t...
Office ASR rule triggered from browser spawned office process.Analytic Rule📦 SolutionFalconFridayThe attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a ...
Suspicious Process Injection from Office applicationAnalytic Rule📦 SolutionFalconFridayThis query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)that might contains macros. Perfo...
Oracle suspicious command executionAnalytic Rule📦 SolutionFalconFridayThe query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
Password SprayingAnalytic Rule📦 SolutionFalconFridayThis query detects a password spraying attack, where a single machine has performed a large number of failed login attempts, with a large number of different accounts. For each account, the attacker ...
Beacon Traffic Based on Common User Agents Visiting Limited Number of DomainsAnalytic Rule📦 SolutionFalconFridayThis query searches web proxy logs for a specific type of beaconing behavior by joining a number of sources together: - Traffic by actual web browsers - by looking at traffic generated by a UserAgent...
Remote Desktop Protocol - SharpRDPAnalytic Rule📦 SolutionFalconFridayThis detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating u...
Rename System UtilitiesAnalytic Rule📦 SolutionFalconFridayAttackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames. This rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in ...
SMB/Windows Admin SharesAnalytic Rule📦 SolutionFalconFridayThis query is based on detecting incoming RPC/TCP on the SCM, followed by the start of a child process of services.exe. Remotely interacting with the SCM triggers the RPC/TCP traffic on services.exe, ...
Suspicious named pipesAnalytic Rule📦 SolutionFalconFridayThis query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
Suspicious parentprocess relationship - Office child processes.Analytic Rule📦 SolutionFalconFridayThe attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually presents the user a download of an MS Office document. This document contains a...
Trusted Developer Utilities Proxy ExecutionAnalytic Rule📦 SolutionFalconFridayThis detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise.
Detecting UAC bypass - elevated COM interfaceAnalytic Rule📦 SolutionFalconFridayThis query identifies processes spawned with high integrity from dllhost.exe with a command line that contains one of three specific CLSID GUIDs.
Detecting UAC bypass - modify Windows Store settingsAnalytic Rule📦 SolutionFalconFridayThis query identifies modification a specific registry key and then launching wsreset.exe that resets the Windows Store settings.
Detecting UAC bypass - ChangePK and SLUI registry tamperingAnalytic Rule📦 SolutionFalconFridayThis query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe.
DNSDB_Co_Located_Hosts 🔍Playbook📦 SolutionFarsight DNSDBauthor: Henry Stern, Farsight Security, Inc.
DNSDB_Co_Located_IP_Address 🔍Playbook📦 SolutionFarsight DNSDBauthor: Henry Stern, Farsight Security, Inc.
DNSDB_Historical_Address 🔍Playbook📦 SolutionFarsight DNSDBauthor: Henry Stern, Farsight Security, Inc.
DNSDB_Historical_Hosts 🔍Playbook📦 SolutionFarsight DNSDBauthor: Henry Stern, Farsight Security, Inc.
FireEyeNXEventParser📦 SolutionFireEye Network Security
Flare Cloud bucket resultAnalytic Rule📦 SolutionFlareResults found on an publicly available cloud bucket
Flare Leaked CredentialsAnalytic Rule📦 SolutionFlareSearches for Flare Leaked Credentials
Flare Google Dork result foundAnalytic Rule📦 SolutionFlareResults using a dork on google was found
Flare Host resultAnalytic Rule📦 SolutionFlareResults found relating to IP, domain or host
Flare Infected DeviceAnalytic Rule📦 SolutionFlareInfected Device found on darkweb or Telegram
Flare Paste resultAnalytic Rule📦 SolutionFlareResult found on code Snippet (paste) sharing platform
Flare Source Code foundAnalytic Rule📦 SolutionFlareResult found on Code Sharing platform
Flare SSL Certificate resultAnalytic Rule📦 SolutionFlareSSL Certificate registration found
FlareSystemsFireworkOverviewWorkbook📦 SolutionFlare
credential-warningPlaybook📦 SolutionFlareThis playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their pas...
ForcepointCASBWorkbook📦 SolutionForcepoint CASB
ForcepointCloudSecuirtyGatewayWorkbook📦 SolutionForcepoint CSG
ForcepointDLPWorkbook📦 SolutionForcepoint DLP
ForcepointNGFWWorkbook📦 SolutionForcepoint NGFW
ForcepointNGFWAdvancedWorkbook📦 SolutionForcepoint NGFW
ForescoutEventParser📦 SolutionForescout (Legacy)
eyeInspectOTSecurityWorkbookWorkbook📦 SolutionForescout eyeInspect for OT Security
Forescout-DNS_Sniff_Event_MonitorAnalytic Rule📦 SolutionForescoutHostPropertyMonitorThis rule creates an incident when more than certain number of Dnsniff events are generated from a host
ForescoutHostPropertyMonitorWorkbookWorkbook📦 SolutionForescoutHostPropertyMonitor
Forescout-DNS_Sniff_Event_PlaybookPlaybook📦 SolutionForescoutHostPropertyMonitorThis playbook will update incident with action to perform on endpoint
ForgeRockParserParser📦 SolutionForgeRock Common Audit for CEF
FortigateWorkbook📦 SolutionFortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel
Fortinet-FortiGate-IPEnrichmentPlaybook📦 SolutionFortinet FortiGate Next-Generation Firewall connector for Microsoft SentinelThis playbook enriches the incident with address object and address group.
Fortinet-FortiGate-ResponseOnBlockIPPlaybook📦 SolutionFortinet FortiGate Next-Generation Firewall connector for Microsoft SentinelThis playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes IPs, by adding/removing the IPs to the Microsoft Sentinel IP blocked group.
Fortinet-FortiGate-ResponseOnBlockURLPlaybook📦 SolutionFortinet FortiGate Next-Generation Firewall connector for Microsoft SentinelThis playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes URL's, by adding the URLs to the Microsoft Sentinel URL blocked group.
FortinetFortiNdrCloudWorkbookWorkbook📦 SolutionFortinet FortiNDR Cloud
Fortinet_FortiNDR_CloudParser📦 SolutionFortinet FortiNDR Cloud
Fortiweb - WAF Allowed threatAnalytic Rule📦 SolutionFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft SentinelDetects WAF "Allowed" action on threat events.
Fortiweb - identify owasp10 vulnerabilitiesHunting Query📦 SolutionFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft SentinelQuery searches threats and helps to identify threats matching owaspTop10 vulnerabilities.
Fortiweb - Unexpected countriesHunting Query📦 SolutionFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft SentinelQuery searches requests by country and helps to identify requests coming from unexpected countries.
Fortiweb-workbookWorkbook📦 SolutionFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
Block IP & URL on fortiweb cloudPlaybook📦 SolutionFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft SentinelThis Playbook Provides the automation on blocking the suspicious/malicious IP and URL on fortiweb cloud waf
Fetch Threat Intel from fortiwebcloudPlaybook📦 SolutionFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft SentinelThis playbook provides/updates the threat intel and essential details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack
FortiwebParser📦 SolutionFortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
GDPRComplianceAndDataSecurityWorkbook📦 SolutionGDPR Compliance & Data Security
GigamonWorkbook📦 SolutionGigamon Connector
GitHub - A payment method was removedAnalytic Rule📦 SolutionGitHubDetect activities when a payment method was removed. This query runs every day and its severity is Medium.
GitHub Activites from a New CountryAnalytic Rule📦 SolutionGitHubDetect activities from a location that was not recently or was never visited by the user or by any user in your organization.
GitHub - Oauth application - a client secret was removedAnalytic Rule📦 SolutionGitHubDetect activities when a client secret was removed. This query runs every day and its severity is Medium.
GitHub - pull request was createdAnalytic Rule📦 SolutionGitHubDetect activities when a pull request was created. This query runs every day and its severity is Medium.
GitHub - pull request was mergedAnalytic Rule📦 SolutionGitHubDetect activities when a pull request was merged. This query runs every day and its severity is Medium.
GitHub - Repository was createdAnalytic Rule📦 SolutionGitHubDetect activities when a repository was created. This query runs every day and its severity is Medium.
GitHub - Repository was destroyedAnalytic Rule📦 SolutionGitHubDetect activities when a repository was destroyed. This query runs every day and its severity is Medium.
GitHub Two Factor Auth DisableAnalytic Rule📦 SolutionGitHubTwo-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerpr...
GitHub - User visibility Was changedAnalytic Rule📦 SolutionGitHubDetect activities when a user visibility Was changed. This query runs every day and its severity is Medium.
GitHub - User was added to the organizationAnalytic Rule📦 SolutionGitHubDetect activities when a user was added to the organization. This query runs every day and its severity is Medium.
GitHub - User was blockedAnalytic Rule📦 SolutionGitHubDetect activities when a user was blocked on the repository. This query runs every day and its severity is Medium.
GitHub - User was invited to the repositoryAnalytic Rule📦 SolutionGitHubDetect activities when a user was invited to the repository. This query runs every day and its severity is Medium.
NRT GitHub Two Factor Auth DisableAnalytic Rule📦 SolutionGitHubTwo-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerpr...
GitHub Security Vulnerability in RepositoryAnalytic Rule📦 SolutionGitHubThis alerts when there is a new security vulnerability in a GitHub repository.
GitHub First Time Invite Member and Add Member to RepoHunting Query📦 SolutionGitHubThis hunting query identifies a user that add/invite a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization.
GitHub Inactive or New Account Access or UsageHunting Query📦 SolutionGitHubThis hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise.
GitHub Mass Deletion of repos or projectsHunting Query📦 SolutionGitHubThis hunting query identifies GitHub activites where there are a large number of deletions that may be a sign of compromise.
GitHub OAuth App Restrictions DisabledHunting Query📦 SolutionGitHubThis hunting query identifies GitHub OAuth Apps that have restrictions disabled that may be a sign of compromise. Attacker will want to disable such security tools in order to go undetected.
GitHub Update PermissionsHunting Query📦 SolutionGitHubThis hunting query identifies GitHub activites where permissions are updated that may be a sign of compromise.
GitHub Repo switched from private to publicHunting Query📦 SolutionGitHubThis hunting query identifies GitHub activites where a repo was changed from private to public that may be a sign of compromise.
GitHub First Time Repo DeleteHunting Query📦 SolutionGitHubThis hunting query identifies GitHub activites its the first time a user deleted a repo that may be a sign of compromise.
GitHub User Grants Access and Other User Grants AccessHunting Query📦 SolutionGitHubThis hunting query identifies Accounts in GitHub that have granted access to another account which then grants access to yet another account that may be a sign of compromise.
GitHubWorkbook📦 SolutionGitHub
GitHubAdvancedSecurityWorkbook📦 SolutionGitHub
GitHubAuditDataParser📦 SolutionGitHub
GitHubCodeScanningDataParser📦 SolutionGitHub
GitHubDependabotDataParser📦 SolutionGitHub
GitHubScanAuditParser📦 SolutionGitHub
GitHubSecretScanningDataParser📦 SolutionGitHub
Unusual AnomalyAnalytic Rule🔗 GitHubGitHub OnlyAnomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infreque...
Cisco Umbrella - Connection to non-corporate private networkAnalytic Rule🔗 GitHubGitHub OnlyIP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.
Cisco Umbrella - Connection to Unpopular Website DetectedAnalytic Rule🔗 GitHubGitHub OnlyDetects first connection to an unpopular website (possible malicious payload delivery).
Cisco Umbrella - Crypto Miner User-Agent DetectedAnalytic Rule🔗 GitHubGitHub OnlyDetects suspicious user agent strings used by crypto miners in proxy logs.
Cisco Umbrella - Empty User Agent DetectedAnalytic Rule🔗 GitHubGitHub OnlyRule helps to detect empty and unusual user agents indicating web browsing activity by an unusual process other than a web browser.
Cisco Umbrella - Hack Tool User-Agent DetectedAnalytic Rule🔗 GitHubGitHub OnlyDetects suspicious user agent strings used by known hack tools.
Cisco Umbrella - Windows PowerShell User-Agent DetectedAnalytic Rule🔗 GitHubGitHub OnlyRule helps to detect PowerShell user-agent activity by an unusual process other than a web browser.
Cisco Umbrella - Rare User Agent DetectedAnalytic Rule🔗 GitHubGitHub OnlyRule helps to detect rare user-agents indicating web browsing activity by an unusual process other than a web browser.
Cisco Umbrella - Request Allowed to harmful/malicious URI categoryAnalytic Rule🔗 GitHubGitHub OnlyIt is recommended that these categories should be blocked by policies because they provide harmful/malicious content.
Cisco Umbrella - Request to blocklisted file typeAnalytic Rule🔗 GitHubGitHub OnlyDetects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).
Cisco Umbrella - URI contains IP addressAnalytic Rule🔗 GitHubGitHub OnlyMalware can use IP addresses to communicate with C2.
Suspicious VM Instance Creation Activity DetectedAnalytic Rule🔗 GitHubGitHub OnlyThis detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud V...
Certutil (LOLBins and LOLScripts, Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyThis detection uses Normalized Process Events to hunt Certutil activities
Cscript script daily summary breakdown (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyBreakdown of scripts running in the environment
Dev-0056 Command Line Activity November 2021 (ASIM Version)Hunting Query🔗 GitHubGitHub OnlyThis hunting query looks for process command line activity related to activity observed by Dev-0056. The command lines this query hunts for are used as part of the threat actor's post exploitation act...
Enumeration of users and groups (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyFinds attempts to list users or groups using the built-in Windows 'net' tool
Exchange PowerShell Snapin Added (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyThe Exchange PowerShell Snapin was loaded on a host; this allows for Exchange server management via PowerShell. Whilst this is a legitimate administrative tool it is abused by attackers to perform ...
Host Exporting Mailbox and Removing Export (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyThis hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by att...
Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyInvoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to I...
Nishang Reverse TCP Shell in Base64 (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyLooks for Base64-encoded commands associated with the Nishang reverse TCP shell. Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlySummarizes uses of uncommon & undocumented commandline switches to create persistence. User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Te...
Powercat Download (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyPowercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activit...
PowerShell downloads (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyFinds PowerShell execution events that could involve a download
Entropy for Processes for a given Host (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyEntropy calculation used to help identify Hosts where they have a high variety of processes (a high entropy process list on a given Host over time). This helps us identify rare processes on a given Hos...
SolarWinds Inventory (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyBeyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process execution info...
Suspicious enumeration using Adfind tool (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyAttackers can use Adfind, which is an administrative tool, to gather information about Domain controllers and ADFS Servers. They may also rename executables with other benign tools on the system. Below query ...
Uncommon processes - bottom 5% (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyShows the rarest processes seen running for the first time. (Performs best over longer time ranges - eg 3+ days rather than 24 hours!) These new processes could be benign new programs installed on hos...
Windows System Shutdown/Reboot (Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyThis detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529)
Rundll32 (LOLBins and LOLScripts, Normalized Process Events)Hunting Query🔗 GitHubGitHub OnlyThis detection uses Normalized Process Events to hunt Signed Binary Proxy Execution: Rundll32 activities
Account Added to Privileged PIM GroupHunting Query🔗 GitHubGitHub OnlyIdentifies accounts that have been added to a PIM managed privileged group
Account MFA ModificationsHunting Query🔗 GitHubGitHub OnlyIdentifies modifications to user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence.
OAuth Application Required Resource Access UpdateHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies updates to the RequiredResourceAccess property of an OAuth application. This property specifies resources that an application requires access to and the set of OAuth perm...
Approved Access Packages DetailsHunting Query🔗 GitHubGitHub OnlyThis query shows details about all approved Entra ID Governance Access Packages assignments. The results include the time the request was created and approved along with the justification text provide...
BitLocker Key RetrievalHunting Query🔗 GitHubGitHub OnlyLooks for users retrieving BitLocker keys. Enriches these logs with a summary of alerts associated with the user accessing the keys. Use this query to start looking for anomalous patterns of key retri...
Invited Guest User but not redeemed Invite for longer periodHunting Query🔗 GitHubGitHub OnlyThis query will look for events where a guest user was invited but has not accepted/redeemed the invite for an unusually long period. Any invites not redeemed for a long period of time can be misused and p...
Users Authenticating to Other Microsoft Entra ID TenantsHunting Query🔗 GitHubGitHub OnlyDetects when a user has successfully authenticated to another Microsoft Entra ID tenant with an identity in your organization's tenant. Ref: https://docs.microsoft.com/azure/active-directory/fundame...
Possible SpringShell Exploitation Attempt (CVE-2022-22965)Hunting Query🔗 GitHubGitHub OnlyThis hunting query looks in Azure Web Application Firewall data to find possible SpringShell Exploitation Attempt (CVE-2022-22965). The Spring Framework is one of the most widely used lightweight ope...
Detect Enumeration Activity Using Unique Identifiers and Session AggregationHunting Query🔗 GitHubGitHub OnlyThis Kusto (KQL) hunting query detects blob-enumeration or file-spraying behaviour in Azure Storage by: - Aggregating requests into time-bound sessions with row_window_session(). - Defining a "us...
Azure Storage File Create, Access, DeleteHunting Query🔗 GitHubGitHub OnlyThis hunting query will identify where a file is uploaded to Azure File or Blob storage and is then accessed once before being deleted. This activity may be indicative of exfiltration activity.
Azure Storage File Create and DeleteHunting Query🔗 GitHubGitHub OnlyThis hunting query will try to identify instances where a file is uploaded to file storage and then deleted within a given threshold. By default the query will find instances where a file is uploaded ...
Storage File Seen on EndpointHunting Query🔗 GitHubGitHub OnlyFinds instances where a file is uploaded to blob or file storage and is then seen on an endpoint by Microsoft Defender XDR.
Azure Storage Mass File DeletionHunting Query🔗 GitHubGitHub OnlyDetect mass file deletion events within Azure File and Blob storage. deleteWindow controls the period of time the deletions must occur in, whilst the deleteThreshold controls how many files must be de...
Azure Storage file upload from VPS ProvidersHunting Query🔗 GitHubGitHub OnlyLooks for file upload actions to Azure File and Blob Storage from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent provid...
User Account Linked to Storage Account File UploadHunting Query🔗 GitHubGitHub OnlyThis hunting query will try to identify the user account used to perform a file upload to blob storage. This query can be used to match all file upload events, or filtering can be applied on filename ...
Policy configuration changes for CloudApp EventsHunting Query🔗 GitHubGitHub OnlyThis query searches for any action type with high frequency that involves adding, modifying, or removing something in cloud app policies. It sees where the properties are modified such that the old v...
Abnormally Large JPEG File Downloaded from New SourceHunting Query🔗 GitHubGitHub OnlyThreat actors can use JPEG files to hide malware, or other malicious code from inspection. This query looks for the downloading of abnormally large JPEG files from a source where large JPEG files have...
GitHub First Time Invite Member and Add Member to RepoHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies a user that adds/invites a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization.
GitHub Inactive or New Account Access or UsageHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise.
GitHub Mass Deletion of repos or projectsHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies GitHub activities where there are a large number of deletions that may be a sign of compromise.
GitHub OAuth App Restrictions DisabledHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies GitHub OAuth Apps that have restrictions disabled that may be a sign of compromise. Attackers will want to disable such security tools in order to go undetected.
GitHub Update PermissionsHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies GitHub activities where permissions are updated that may be a sign of compromise.
GitHub Repo switched from private to publicHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies GitHub activities where a repo was changed from private to public that may be a sign of compromise.
GitHub First Time Repo DeleteHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies GitHub activities where it is the first time a user deleted a repo that may be a sign of compromise.
GitHub User Grants Access and Other User Grants AccessHunting Query🔗 GitHubGitHub OnlyThis hunting query identifies Accounts in GitHub that have granted access to another account which then grants access to yet another account that may be a sign of compromise.
Cross-service Azure Data Explorer queriesHunting Query🔗 GitHubGitHub OnlyUnder specific circumstances, executing KQL queries can exfiltrate information like access tokens, regarding external data functions like adx(). This query tries to list executed KQL queries that used...
New users calling sensitive WatchlistHunting Query🔗 GitHubGitHub OnlyThis hunting query looks for users who have run queries calling a watchlist template relating to sensitive data that have not previously been seen calling these watchlists.
Privileged Accounts - Failed MFAHunting Query🔗 GitHubGitHub OnlyIdentifies failed MFA attempts from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. Ref: https://docs.microsoft.com/azure/active-director...
Anomalous Sign Ins Based on TimeHunting Query🔗 GitHubGitHub OnlyIdentifies anomalies in signin events based on the volume of signin events over time. Use this to identify suspicious authentication patterns such as spikes in activity or out of hours events. Ref: h...
Azure VM Run Command linked with MDEHunting Query🔗 GitHubGitHub OnlyIdentifies any Azure VM Run Command operations and links these operations with MDE host logging. Linking these two data sources provides hunting opportunities. Logging from AzureActivity provides the ...
Critical user management operations followed by disabling of System Restore from admin accountHunting Query🔗 GitHubGitHub OnlyThis query could identify critical user management operations like user registration (Microsoft Entra ID Multi-Factor Authentication & self-service password reset (SSPR)) authentication by admin accoun...
Dormant Service Principal Update Creds and Logs InHunting Query🔗 GitHubGitHub OnlyThis query looks for Service Principal accounts that are no longer used where a user has added or updated credentials for them before logging in with the Service Principal. Threat actors may look to r...
Dormant User Update MFA and Logs In - UEBAHunting Query🔗 GitHubGitHub OnlyThis query looks for accounts that have not been successfully logged into recently who then add or update an MFA method before logging in. Threat actors may look to re-activate dormant accounts and use...
Dormant User Update MFA and Logs InHunting Query🔗 GitHubGitHub OnlyThis query looks for user accounts that have not been successfully logged into recently, who then have an MFA method added or updated before logging in. Threat actors may look to re-activate dormant a...
Download of New File Using CurlHunting Query🔗 GitHubGitHub OnlyThreat actors may use tools such as Curl to download additional files, communicate with C2 infrastructure, or exfiltrate data. This query looks for new files being downloaded using Curl. Curl also has...
Exchange Servers and Associated Security AlertsHunting Query🔗 GitHubGitHub OnlyThis query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query will then collect MDE alerts from the SecurityAlert table using the ide...
FireEye stolen red teaming tools communicationsHunting Query🔗 GitHubGitHub OnlyThis composite hunting query will highlight any HTTP traffic in CommonSecurityLog web proxies (such as ZScaler) that match known patterns used by red teaming tools potentially stolen from FireEye. Mos...
Rare firewall rule changes using netshHunting Query🔗 GitHubGitHub OnlyThis query will show rare firewall rule changes using netsh utility by comparing rule names and program names from the previous day with those from the historical chosen time frame. - This technique w...
High Risk Sign In Around Authentication Method Added or Device RegistrationHunting Query🔗 GitHubGitHub OnlyThis query shows authentication methods being added and devices registered around the time of a high risk sign in which could indicate an attempt to establish persistence on a compromised account. The...
New Location Sign in with Mail forwarding activityHunting Query🔗 GitHubGitHub OnlyThis query helps detect new Microsoft Entra ID sign in from a new location correlating with Office Activity data highlighting cases where user mails are being forwarded and shows if it is being forwa...
Successful Sign-In From Non-Compliant Device with bulk download activityHunting Query🔗 GitHubGitHub OnlyThis hunting query will help detect successful sign-ins from devices that are marked non-compliant along with bulk download activity. Attackers may attempt to get a list of accounts, groups, registrat...
Possible command injection attempts against Azure Integration RuntimesHunting Query🔗 GitHubGitHub OnlyThis hunting query looks for potential command injection attempts via the vulnerable third-party driver against Azure IR with Managed VNet or SHIR processes as well as post-exploitation activity based...
Potential SSH Tunnel to AAD Connect HostHunting Query🔗 GitHubGitHub OnlyAzure AD Connect (AAD Connect) is a critical service that handles connections between on-premise Active Directory and Azure AD. Due to the critical nature of AAD Connect threat actors may attempt to c...
Privileged Account Password ChangesHunting Query🔗 GitHubGitHub OnlyIdentifies where Privileged Accounts have updated passwords or security information. This is joined with UEBA alerts to filter to only those accounts with a high investigation priority. Ref : https://...
Privileged Accounts Locked OutHunting Query🔗 GitHubGitHub OnlyIdentifies privileged accounts that have been locked out. Verify these lockouts are due to legitimate user activity and not due to threat actors attempting to access the accounts. Ref: https://docs.mi...
Recon Activity with Interactive Logon CorrelationHunting Query🔗 GitHubGitHub OnlyThis query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity
SQL Alert Correlation with CommonSecurityLogs and AuditLogsHunting Query🔗 GitHubGitHub OnlyThis query combines different SQL alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible SQL related attacks faster thus reducing Mean Time To Respond
Storage Account Key EnumerationHunting Query🔗 GitHubGitHub OnlyThis query identifies attackers trying to enumerate the Storage keys as well as updating roles using AzureActivity, SigninLogs and AuditLogs
Storage Alerts Correlation with CommonSecurityLogs & AuditLogsHunting Query🔗 GitHubGitHub OnlyThis query combines different Storage alerts with CommonSecurityLogs and AuditLogs helping analysts investigate any possible storage related attacks faster thus reducing Mean Time To Respond
Storage Alert Correlation with CommonSecurityLogs and StorageLogsHunting Query🔗 GitHubGitHub OnlyThis query combines different Storage alerts with CommonSecurityLogs and StorageLogs helping analysts triage and investigate any possible Storage related attacks faster thus reducing Mean Time To Re...
Integrate Purview with Cloud App EventsHunting Query🔗 GitHubGitHub OnlyThis query searches for any files in Cloud App Events that have triggered a security alert.
Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogsHunting Query🔗 GitHubGitHub OnlyThis query looks for unfamiliar sign-ins that have not been seen recently for the given user, together with Azure portal login attempts and audit logs, to help detect and reduce the analysis timeline for defenders
Alerts related to accountHunting Query🔗 GitHubGitHub OnlyAny Alerts that fired related to a given account during the range of +6h and -3d
Alerts With This ProcessHunting Query🔗 GitHubGitHub OnlyAny Alerts that fired on any host with this same process in the range of +-1d
AD Account LockoutHunting Query🔗 GitHubGitHub OnlyDetects Active Directory account lockouts
AD FS Database Local SQL StatementsHunting Query🔗 GitHubGitHub OnlyThis hunting query uses Application events from the "MSSQL$MICROSOFT##WID" provider to collect SQL statements run against an AD FS database (e.g Windows Internal Database (WID)). A threat actor might ...
Fake computer account authentication attemptHunting Query🔗 GitHubGitHub OnlyThis query detects authentication attempts from a fake computer account (username ends with $). Computer accounts are normally not authenticating via interactive logon or remote desktop, neither are they ...
Suspicious command line tokens in LolBins or LolScriptsHunting Query🔗 GitHubGitHub OnlyThis query identifies Microsoft-signed Binaries and Scripts that are not system initiated. This technique is commonly used in phishing attacks
Large Scale Malware Deployment via GPO Scheduled Task ModificationHunting Query🔗 GitHubGitHub OnlyThis query detects lateral movement using GPO scheduled task usually used to deploy ransomware at scale. It monitors whether a scheduled task is modified within the Sysvol folder in GPO. Ref: https:...
Potential Local Exploitation for Privilege EscalationHunting Query🔗 GitHubGitHub OnlyThis query detects a process that runs under SYSTEM user's security context and was spawned by a process that was running under a lower security context indicating an exploitation for privilege escala...
Potential Process DoppelgangingHunting Query🔗 GitHubGitHub OnlyThis query detects Process Doppelganging, a technique that calls several APIs related to NTFS transactions which allow to substitute the PE content before the process is even created. Ref: https://att...
Remote Task Creation/Update using Schtasks ProcessHunting Query🔗 GitHubGitHub OnlyThe query detects a scheduled task, created/updated remotely, using the Schtasks process. Threat actors are using scheduled tasks for establishing persistence and moving laterally through the network...
RID HijackingHunting Query🔗 GitHubGitHub OnlyThis query detects all authentication attempts of non-administrator accounts whose RID ends in *-500. Ref: https://stealthbits.com/blog/rid-hijacking-when-guests-become-admins/
Users Opening and Reading the Local Device Identity KeyHunting Query🔗 GitHubGitHub OnlyThis detection uses Windows security events to look for users reading the local Device Identity Key (Machine Key). This information can be correlated with other events for additional context and get ...
Windows System Shutdown/Reboot (Sysmon)Hunting Query🔗 GitHubGitHub OnlyThis detection uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529)
Suspected Brute force attack InvestigationHunting Query🔗 GitHubGitHub OnlySummarize all the failures and success events for all users in the last 24 hours, only identify users with more than 100 failures in the set period
Administrators Authenticating to Another Microsoft Entra ID TenantHunting Query🔗 GitHubGitHub OnlyDetects when a privileged user account successfully authenticates to another Microsoft Entra ID Tenant. Authentication attempts should be investigated to ensure the activity was legitimate and ...
Low & slow password attempts with volatile IP addressesHunting Query🔗 GitHubGitHub OnlyThis hunting query will identify instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses. Changing IP address for every password attempt is...
Multiple Entra ID Admins RemovedHunting Query🔗 GitHubGitHub OnlyLooks for multiple users that had their admin role removed by a single user within a certain period. The default threshold is 5 removals, this can be edited in the query.
Risky Sign-in with Device RegistrationHunting Query🔗 GitHubGitHub OnlyLooks for new device registrations following a risky user account sign-in. By default the query will use a 6 hour lookback period, this can be configured within the query.
Smart LockoutsHunting Query🔗 GitHubGitHub OnlyIdentifies accounts that have been locked out by smart lockout policies. Review these results for patterns that might suggest that a password spray is triggering these smart lockout events. Ref: https...
Spike in failed sign-in eventsHunting Query🔗 GitHubGitHub OnlyIdentifies spikes in failed sign-in events based on the volume of failed sign-in events over time. Use to identify patterns of suspicious behavior such as unusually high failed sign-in attempts from c...
Sign-ins from IPs that attempt sign-ins to disabled accountsHunting Query🔗 GitHubGitHub OnlyIdentifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. This analytic will additionally identify the successful signed in accounts as...
User Accounts - Blocked AccountsHunting Query🔗 GitHubGitHub OnlyAn account could be blocked/locked out due to multiple reasons. This hunting query summarizes blocked/lockout accounts and checks if the most recent signin events for them are after the last blocked accounts Re...
User Accounts - Successful Sign in SpikesHunting Query🔗 GitHubGitHub OnlyIdentifies measurable increases in successful sign-ins from user accounts. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref: https://docs.microsoft...
Exchange Server ProxyLogon URIsHunting Query🔗 GitHubGitHub OnlyThis query will detect suspicious paths associated with ProxyLogon exploitation
Exchange Server Suspicious URIs VisitedHunting Query🔗 GitHubGitHub OnlyThis query will detect suspicious paths associated with ProxyLogon exploitation, it will then calculate the percentage of suspicious URIs the user had visited in relation to the total number of URIs t...
Suspected ProxyToken ExploitationHunting Query🔗 GitHubGitHub OnlyLooks for activity that might indicate exploitation of the ProxyToken vulnerability - CVE-2021-33766 Ref: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-micros...
ASR rules categorized detection graphHunting Query🔗 GitHubGitHub OnlyThis query offers daily categorization of ASR rules, helping SOC analysts monitor specific categories like office-related activities or WMI among the 16 rules. It aids in tracking detection rates and...
Abuse.ch Recent Threat Feed (1)Hunting Query🔗 GitHubGitHub OnlyThis query will hunt for files matching the current abuse.ch recent threat feed based on Sha256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using t...
Abuse.ch Recent Threat FeedHunting Query🔗 GitHubGitHub OnlyThis query will hunt for files matching the current abuse.ch recent threat feed based on Sha256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using t...
Abusing settingcontent-msHunting Query🔗 GitHubGitHub OnlySample query that searches for .settingcontent-ms files that have been downloaded from the web through Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox or Microsoft Outlook. For questions @Mila...
APT Baby SharkHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_babyshark.yml. Questions via Twitter: @janvonkirchheim.
apt sofacy zebrocyHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy_zebrocy.yml. Questions via Twitter: @janvonkirchheim.
apt sofacyHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml. Questions via Twitter: @janvonkirchheim.
apt ta17 293a psHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_ta17_293a_ps.yml. Questions via Twitter: @janvonkirchheim.
apt tropictrooperHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml. Questions via Twitter: @janvonkirchheim.
apt unidentified nov 18 (1)Hunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml. Questions via Twitter: @janvonkirchheim.
apt unidentified nov 18Hunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml. Questions via Twitter: @janvonkirchheim.
APT29 thinktanksHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml. Questions via Twitter: @janvonkirchheim.
Bear Activity GTR 2019Hunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml. Questions via Twitter: @janvonkirchheim.
c2-lookup-from-nonbrowser[Nobelium] (1)Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
c2-lookup-from-nonbrowser[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
c2-lookup-response[Nobelium] (1)Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
c2-lookup-response[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
Cloud HopperHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_cloudhopper.yml. Questions via Twitter: @janvonkirchheim.
cobalt-strike-invoked-w-wmiHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread ...
compromised NVIDIA certificates[Lapsus$]Hunting Query🔗 GitHubGitHub OnlySearch for the files that are using a compromised certificate associated with the Lapsus$ group. You can remove the comments to: 1. get the list of devices where there is at least one file signed with...
compromised-certificate[Nobelium]Hunting Query🔗 GitHubGitHub OnlySearch for the files that are using a compromised certificate associated with the Nobelium campaign. You can remove the comments to: 1. get the list of devices where there is at least one file signed ...
confluence-weblogic-targetedHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Confluence and WebLogic abuse. 2019 has seen several seemingly related campaigns targeting Atlassian Confluence Server and Oracle We...
cypherpunk-exclusive-commandsHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs. Cypherpunk is a human-operated ransomware campaign named after the unusual .cyphe...
cypherpunk-remote-exec-w-psexesvcHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs. Cypherpunk is a human-operated ransomware campaign named after the unusual .cyphe...
detect-cyzfc-activity (1)Hunting Query🔗 GitHubGitHub OnlyThese queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec...
detect-cyzfc-activity (2)Hunting Query🔗 GitHubGitHub OnlyThese queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec...
detect-cyzfc-activity (3)Hunting Query🔗 GitHubGitHub OnlyThese queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec...
detect-cyzfc-activity (4)Hunting Query🔗 GitHubGitHub OnlyThese queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec...
detect-cyzfc-activityHunting Query🔗 GitHubGitHub OnlyThese queries were originally published in the threat analytics report, Attacks on gov't, think tanks, NGOs. As described further in Analysis of cyberattack on U.S. think tanks, non-profits, public sec...
DofoilNameCoinServerTrafficHunting Query🔗 GitHubGitHub OnlyThis is a query to retrieve the last 30 days of network connections to known Dofoil NameCoin servers. The full article is available here: https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-d...
Dopplepaymer In-Memory Malware ImplantHunting Query🔗 GitHubGitHub OnlyDopplepaymer In-Memory Malware Implant. This query identifies processes with command line launch strings which match the pattern used in Dopplepaymer ransomware attacks.
Dragon FlyHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_dragonfly.yml. Questions via Twitter: @janvonkirchheim.
Elise backdoorHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_elise.yml. Questions via Twitter: @janvonkirchheim.
Equation Group C2 CommunicationHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml. Questions via Twitter: @janvonkirchheim.
fireeye-red-team-tools-CVEs [Nobelium]Hunting Query🔗 GitHubGitHub OnlySearch for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group. See red_team_tool_countermeasures on the off...
fireeye-red-team-tools-HASHs [Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query searches for the HASHs of the FireEye Red Team tools compromised by the Nobelium activity group. See all-hashes.csv on the official FireEye repo. References: https://github.com/fireeye/red_...
Hurricane Panda activityHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml. Questions via Twitter: @janvonkirchheim.
Judgement Panda exfil activityHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml. Questions via Twitter: @janvonkirchheim.
known-affected-software-orion[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
launching-base64-powershell[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
launching-cmd-echo[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
locate-dll-created-locally[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
locate-dll-loaded-in-memory[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
MacOceanLotusBackdoorHunting Query🔗 GitHubGitHub OnlyBackdoor processes associated with OceanLotus Mac Malware Backdoor. References:. Https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS platform...
MacOceanLotusDropperHunting Query🔗 GitHubGitHub OnlyBackdoor processes associated with OceanLotus Mac malware backdoor dropper. References:. Https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/. OS ...
OceanLotus registry activityHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_oceanlotus_registry.yml. Questions via Twitter: @janvonkirchheim.
oceanlotus-apt32-filesHunting Query🔗 GitHubGitHub OnlyThis query was originally published in a threat analytics report about the group known to other security researchers as APT32 or OceanLotus This tracked activity group uses a wide array of malicious d...
oceanlotus-apt32-networkHunting Query🔗 GitHubGitHub OnlyThis query was originally published in a threat analytics report about the group known to other security researchers as APT32 or OceanLotus This tracked activity group uses a wide array of malicious d...
possible-affected-software-orion[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign. Microsoft detects the 2...
Ransomware hits healthcare - Alternate Data Streams useHunting Query🔗 GitHubGitHub OnlyFind use of Alternate Data Streams (ADS) for anti-forensic purposes. Alternate Data Streams execution.
Ransomware hits healthcare - Backup deletionHunting Query🔗 GitHubGitHub OnlyList alerts flagging attempts to delete backup files.
Ransomware hits healthcare - Cipher.exe tool deleting dataHunting Query🔗 GitHubGitHub Only// Look for cipher.exe deleting data from multiple drives. This is often performed as an anti-forensic measure prior to encryption.
Ransomware hits healthcare - Clearing of system logsHunting Query🔗 GitHubGitHub Only// Look for attempts to use fsutil.exe to delete file system logs that can be used as forensic artifacts.
Ransomware hits healthcare - Possible compromised accountsHunting Query🔗 GitHubGitHub OnlyIdentify accounts that have logged on to affected endpoints. Check for specific alerts.
Ransomware hits healthcare - Robbinhood activityHunting Query🔗 GitHubGitHub OnlyFind distinct evasion and execution activities. Associated with the Robbinhood ransomware campaign.
Ransomware hits healthcare - Turning off System RestoreHunting Query🔗 GitHubGitHub OnlyFind attempts to stop System Restore and. Prevent the system from creating restore points.
Ransomware hits healthcare - Vulnerable Gigabyte driversHunting Query🔗 GitHubGitHub OnlyLocate vulnerable Gigabyte drivers used by RobbinHood ransomware to turn off security tools.
RedMenshen-BPFDoor-backdoorHunting Query🔗 GitHubGitHub OnlyThis query was originally published by PWC Security Research Team. BPFDoor is custom backdoor malware used by Red Menshen. The BPFDoor allows an adversary to backdoor a system and remotely execute cod...
robbinhood-driverHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. Robbinhood is ransomware that has been invo...
robbinhood-evasionHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. Robbinhood is ransomware that has been invo...
snip3-aviation-targeting-emailsHunting Query🔗 GitHubGitHub OnlySnip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks ...
snip3-detectsanboxie-function-callHunting Query🔗 GitHubGitHub OnlySnip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks ...
snip3-encoded-powershell-structureHunting Query🔗 GitHubGitHub OnlySnip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks ...
snip3-malicious-network-connectivityHunting Query🔗 GitHubGitHub OnlySnip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks ...
snip3-revengerat-c2-exfiltrationHunting Query🔗 GitHubGitHub OnlySnip3 is a family of related remote access trojans. Although the malware in this family contain numerous small variations, they all exhibit similar behaviors and techniques. The following query looks ...
Star Blizzard-Domain IOCsHunting Query🔗 GitHubGitHub OnlyThis query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections
Threat actor Phosphorus masquerading as conference organizers (1)Hunting Query🔗 GitHubGitHub OnlyIdentify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru...
Threat actor Phosphorus masquerading as conference organizers (2)Hunting Query🔗 GitHubGitHub OnlyIdentify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru...
Threat actor Phosphorus masquerading as conference organizersHunting Query🔗 GitHubGitHub OnlyIdentify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC. Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphoru...
WastedLocker DownloaderHunting Query🔗 GitHubGitHub OnlyThis query identifies the launch pattern associated with wastedlocker ransomware. Reference writeup: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
Entra ID group adds in the last 7 daysHunting Query🔗 GitHubGitHub OnlyThis query looks for Entra ID group adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
Entra ID role adds in the last 7 daysHunting Query🔗 GitHubGitHub OnlyThis query looks for Entra ID role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
File download events in the last 7 daysHunting Query🔗 GitHubGitHub OnlyThis query looks for file download events identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps. Reference - https://lear...
Mass Downloads in the last 7 daysHunting Query🔗 GitHubGitHub OnlyThis query looks for mass downloads identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
Anomaly of MailItemAccess by Other Users Mailbox [Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query looks for users accessing multiple other users' mailboxes, or accessing multiple folders in another user's mailbox. This query is inspired by an Azure Sentinel detection. Reference - https:...
HostExportingMailboxAndRemovingExport[Solarigate]Hunting Query🔗 GitHubGitHub OnlyThis hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by that same host removing the export within a short time window. This pattern has been observed by att...
MailItemsAccessedTimeSeries[Solarigate]Hunting Query🔗 GitHubGitHub OnlyIdentifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increas...
c2-bluekeepHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i...
C2-NamedPipeHunting Query🔗 GitHubGitHub OnlyDetects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
check-for-shadowhammer-activity-download-domainHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, ShadowHammer supply chain attack Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update...
Connection to Rare DNS HostsHunting Query🔗 GitHubGitHub OnlyThis query will break down hostnames into their second and third level domain parts and analyze the volume of connections made to the destination to look for low count entries. Note that this query is...
Device network events w low count FQDNHunting Query🔗 GitHubGitHub OnlyDevice Network Events Involving Low Count FQDNs. This query reduces network events to only those with the RemoteURL column populated,. Then parses the DNS name from the URL (if needed) and finds the l...
DNSPattern [Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query looks for the DGA pattern of the domain associated with the Nobelium campaign, in order to find other domains with the same activity pattern. This query is inspired by an Azure Sentinel det...
EncodedDomainURL [Nobelium]Hunting Query🔗 GitHubGitHub OnlyLooks for a logon domain in the Microsoft Entra ID logs, encoded with the same DGA encoding used in the Nobelium campaign. See Important steps for customers to protect themselves from recent nation-s...
python-use-by-ransomware-macosHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is ...
recon-with-rundllHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Origina...
reverse-shell-ransomware-macosHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is ...
TorHunting Query🔗 GitHubGitHub OnlyThis query looks for Tor client, or for a common Tor plugin called Meek. We query for active Tor connections, but could have alternatively looked for active Tor runs (ProcessCreateEvents) or Tor downl...
Active Directory Sensitive Group ModificationsHunting Query🔗 GitHubGitHub OnlyThis query shows all modifications to highly sensitive active directory groups (also known as Tier 0). An example of these groups include Domain Admins, Schema Admins and Enterprise Admins. More info ...
cobalt-strikeHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse...
doppelpaymer-procdumpHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu...
identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strikeHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. It finds all user accounts that have logged on to an endpoint affected by...
lazagneHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread ...
logon-attempts-after-malicious-emailHunting Query🔗 GitHubGitHub OnlyThis query finds the 10 latest logons performed by email recipients within 30 minutes after they received known malicious emails. You can use this query to check whether the accounts of the email reci...
lsass-credential-dumpingHunting Query🔗 GitHubGitHub OnlyThis query looks for signs of credential dumping based on process activity instead of targeting process names. Author: Jouni Mikkola More info: https://threathunt.blog/lsass-credential-dumping/
Private Key FilesHunting Query🔗 GitHubGitHub OnlyPrivate Key Files. This query identifies file operation with files having. One of the extensions commonly used to save a private. Key. The risk is that if an attacker were to obtain. The file, they c...
procdump-lsass-credentialsHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
wadhrama-credential-dumpHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama. The ransomware known as Wadhrama has been used in human-operated attacks that follow a particul...
wdigest-cachingHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, WDigest credential harvesting. WDigest is a legacy authentication protocol dating from Windows XP. While still used on some corporat...
ADFSDomainTrustMods[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query will find when federation trust settings are changed for a domain or when the domain is changed from managed to federated authentication. Results will relate to when a new Active Directory ...
alt-data-streamsHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse...
clear-system-logsHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse...
deleting-data-w-cipher-toolHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse...
Discovering potentially tampered devices [Nobelium]Hunting Query🔗 GitHubGitHub OnlyTo evade security software and analyst tools, Nobelium malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them. T...
doppelpaymer-stop-servicesHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu...
hiding-java-class-fileHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact. Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capa...
locate-files-possibly-signed-by-fraudulent-ecc-certificatesHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, CVE-2020-0601 certificate validation vulnerability. The Windows CryptoAPI Spoofing Vulnerability, CVE-2020-0601, can be exploited to...
MailPermissionsAddedToApplication[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query will find applications that have been granted Mail.Read or Mail.ReadWrite permissions in which the corresponding user recently consented to. It can help identify applications that have been...
PotentialMicrosoftDefenderTampering[Solarigate]Hunting Query🔗 GitHubGitHub OnlyIdentifies potential service tampering related to Microsoft Defender services. Query insprired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Multipl...
qakbot-campaign-process-injectionHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware Qakbot is malware that steals login credentials from banking and financial services. It has ...
qakbot-campaign-self-deletionHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware Qakbot is malware that steals login credentials from banking and financial services. It has ...
regsvr32-rundll32-image-loads-abnormal-extensionHunting Query🔗 GitHubGitHub OnlyThis query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. Joins the data to public network events. References: https://threathunt.blog/running-live-mal...
regsvr32-rundll32-abnormal-image-loadsHunting Query🔗 GitHubGitHub OnlyThis query is using the locations where malicious DLL images are often loaded from by regsvr32.dll and rundll32.exe. Blog: https://threathunt.blog/dll-image-loads-from-suspicious-locations-by-regsvr32...
regsvr32-rundll32-with-anomalous-parent-processHunting Query🔗 GitHubGitHub OnlyThis query looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. Blog: https://threathunt.blog/running-live-malware-f...
shimcache-flushedHunting Query🔗 GitHubGitHub OnlyThis query searches for attempts to flush Shimcache, which may indicate anti-forensic or defense evasion activity by an attacker. Author: Vaasudev_Kala Ref: https://blueteamops.medium.com/shimcache-fl...
suspicious-base64-encoded-registry-keysHunting Query🔗 GitHubGitHub OnlyLooks for suspicious base64 encoded registry keys being created. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/
suspicious-command-interpreters-added-to-registryHunting Query🔗 GitHubGitHub OnlyLooks for suspicious addition of command interpreters to windows registry. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/
suspicious-keywords-in-registryHunting Query🔗 GitHubGitHub OnlyLooks for suspicious keyword additions to windows registry. Author: Jouni Mikkola References: https://threathunt.blog/registry-hunts/
UpdateStsRefreshToken[Solorigate]Hunting Query🔗 GitHubGitHub OnlyThis will show Active Directory Security Token Service (STS) refresh token modifications by Service Principals and Applications other than DirectorySync. Refresh tokens are used to validate identifica...
detect-jscript-file-creationHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order ...
Doc attachment with link to downloadHunting Query🔗 GitHubGitHub OnlyThis query looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. This query is not noisy, but most of its results are clean. It can also hs...
Dropbox downloads linked from other siteHunting Query🔗 GitHubGitHub OnlyThis query looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. File sharing sites such as Dropbox are often used for hosting malware on a reputable...
Email link + download + SmartScreen warningHunting Query🔗 GitHubGitHub OnlyLook for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning that was ignored by the user. Read more about these events and this hunting approach in this p...
Gootkit-malwareHunting Query🔗 GitHubGitHub OnlyThis query was originally published on Twitter, by @MsftSecIntel. Gootkit is malware that started life as a banking trojan, and has since extended its capabilities to allow for a variety of malicious ...
Open email linkHunting Query🔗 GitHubGitHub OnlyQuery for links opened from mail apps - if a detection occurred right afterwards. As there are many links opened from mails, to have a successful hunt we should have some filter or join with some othe...
Pivot from detections to related downloadsHunting Query🔗 GitHubGitHub OnlyPivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites. To learn more about the download URL info that is available and see other sample queries,. Ch...
powercat-downloadHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
Qakbot Craigslist DomainsHunting Query🔗 GitHubGitHub OnlyQakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is i...
Anomalous Device ModelsHunting Query🔗 GitHubGitHub OnlyThis query finds anomalous models discovered
Can Be Onboarded DevicesHunting Query🔗 GitHubGitHub OnlyThis query surfaces devices that were discovered by Microsoft Defender for Endpoint and can be onboarded
Commonality of Operating SystemsHunting Query🔗 GitHubGitHub OnlyThis query provides the commonality of operating systems seen in the inventory
Count and Percentage of DeviceType out of total inventoryHunting Query🔗 GitHubGitHub OnlyThis query presents statistics on count and percentage of DeviceType out of total inventory
Devices By Specific DeviceType and DeviceSubtypeHunting Query🔗 GitHubGitHub OnlyThis query finds devices by DeviceType and/or DeviceSubtype
Devices In Subnet - IPAddressV4Hunting Query🔗 GitHubGitHub OnlyThis query surfaces devices that are in a specific IPAddressV4 subnet
Devices In Subnet - IPAddressV6Hunting Query🔗 GitHubGitHub OnlyThis query surfaces devices that are in a specific IPAddressV6 subnet
Find Software By Name and VersionHunting Query🔗 GitHubGitHub OnlyThis query finds a software by name and/or version
Most Common ServicesHunting Query🔗 GitHubGitHub OnlyThis query provides the most common services discovered
NotOnboarded Devices by DeviceName PrefixHunting Query🔗 GitHubGitHub OnlyThis query searches for not onboarded devices with a specific prefix
NotOnboarded Devices by DeviceName SuffixHunting Query🔗 GitHubGitHub OnlyThis query searches for not onboarded devices with a specific Suffix
Seen Connected NetworksHunting Query🔗 GitHubGitHub OnlyThis query uncovers seen connected networks
Seen IPv4 Network SubnetsHunting Query🔗 GitHubGitHub OnlyThis query uncovers seen IPAddressV4 network subnets
Seen IPv6 Network SubnetsHunting Query🔗 GitHubGitHub OnlyThis query uncovers seen IPAddressV6 network subnets
Browser Extension Enumeration via DeviceFileEventsHunting Query🔗 GitHubGitHub OnlyIdentifies browser extension CRX files observed across endpoints. Helps in enumerating commonly installed extensions and hunting for potentially malicious ones. --- Optional Enrichment: To enrich th...
ConnectedNetworkDeviceDiscoveryHunting Query🔗 GitHubGitHub OnlyFind devices connected to a monitored network. Please Note line 5 needs to have a monitored network name put in place or commented out to pull everything.
detect-nbtscan-activityHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers through...
Detect-Not-Active-AD-User-AccountsHunting Query🔗 GitHubGitHub Only// Detect Active Directory service accounts that are not active because their last logon was more than 14 days ago // Replace XXX on line 4 with the naming convention start of your Active Directory se...
detect-suspicious-commands-initiated-by-web-server-processesHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers through...
DetectTorRelayConnectivityHunting Query🔗 GitHubGitHub OnlyThis advanced hunting query detects processes communicating with known Tor relay IP addresses. The public URL in the query is updated daily at 12PM and 12AM UTC. CSV source is the Tor Project API, obt...
DetectTorrentUseHunting Query🔗 GitHubGitHub OnlyCustom detection to find use of torrenting software or browsing related to torrents.
Discover hosts doing possible network scansHunting Query🔗 GitHubGitHub OnlyLooking for high volume queries against a given RemoteIP, per DeviceName, RemotePort and Process. Please change the Timestamp window according your preference/objective, as also the subnet ranges that...
doppelpaymerHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu...
Enumeration of users & groups for lateral movementHunting Query🔗 GitHubGitHub OnlyThe query finds attempts to list users or groups using Net commands.
MultipleLdaps | Hunting Query | GitHub Only | Detect multiple Active Directory LDAP queries made in bin time. Replace 10 on line 1 with your desired threshold. Replace 1m on line 2 with your desired bin time.
MultipleSensitiveLdaps | Hunting Query | GitHub Only | // Detect multiple sensitive Active Directory LDAP queries made in bin time // Sensitive queries defined as Roasting or sensitive objects queries // Replace 10 on line 6 with your desired threshold //...
PasswordSearch | Hunting Query | GitHub Only | Detect Active Directory LDAP queries that search for users with a comment or description that contains the string "pass", which might suggest the user password. This LDAP query covers MetaSploit - enum_...
qakbot-campaign-esentutl | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has ...
qakbot-campaign-outlook | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has ...
Roasting | Hunting Query | GitHub Only | Detect Active Directory LDAP queries that search for Kerberoasting (SPNs) or accounts with Kerberos preauthentication not required from Azure ATP, and try to get the process that initiated the LDAP query f...
SensitiveLdaps | Hunting Query | GitHub Only | Detect Active Directory LDAP queries that search for sensitive objects in the organization. This LDAP query covers the BloodHound tool.
SMB shares discovery | Hunting Query | GitHub Only | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. To read more about Network Share Discovery, see: https://attack.mitre.org/wiki/T...
SuspiciousEnumerationUsingAdfind[Nobelium] | Hunting Query | GitHub Only | Attackers can use Adfind, which is an administrative tool, to gather information about domain controllers or ADFS servers. They may also rename executables with other benign tools on the system. The below ...
URL Detection | Hunting Query | GitHub Only | This query finds network communication to a specific URL. Please note that in line #7 it filters RemoteUrl using the has operator, which looks for a "whole term" and runs faster. Example: RemoteUrl has "mic...
VulnComputers | Hunting Query | GitHub Only | Detect Active Directory LDAP queries that try to find operating systems that are vulnerable to specific vulnerabilities. This LDAP query covers the MetaSploit - enum_ad_computers tool.
anomalous-payload-delivered-from-iso-file | Hunting Query | GitHub Only | This query looks for lnk file executions from locations other than the C: drive, which can relate to mounted ISO files. Reference - https://threathunt.blog/detecting-a-payload-delivered-with-iso-files-us...
Base64 Detector and Decoder | Hunting Query | GitHub Only | This query will identify strings in process command lines which match the Base64 encoding format, extract the string to a column called Base64, and decode it in a column called DecodedString.
Base64encodePEFile | Hunting Query | GitHub Only | Finding base64 encoded PE file headers seen in the command line parameters. Tags: #fileLess #powershell.
Bitsadmin Activity | Hunting Query | GitHub Only | Background Intelligent Transfer Service (BITS) is a way to reliably download files from web servers or SMB servers. This service is commonly used for legitimate purposes, but can also be used as part ...
check-for-shadowhammer-activity-implant | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, ShadowHammer supply chain attack. Operation ShadowHammer was an attack against ASUS computer hardware, using the company's own update...
Detect Encoded Powershell | Hunting Query | GitHub Only | This query will detect encoded PowerShell based on the parameters passed during process creation. This query will also work if the PowerShell executable is renamed or tampered with, since detection is ...
Detect PowerShell v2 Downgrade | Hunting Query | GitHub Only | This query looks for processes that load an older version of the system.management.automation libraries. While not inherently malicious, downgrading to PowerShell version 2 can enable an attacker to b...
detect-anomalous-process-trees | Hunting Query | GitHub Only | This query generates process trees of given processes and performs anomaly detection on the process trees. It generates process trees up to the 7th level. The query can be used as a template to perform an...
detect-bluekeep-related-mining | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i...
detect-doublepulsar-execution | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now use...
detect-exploitation-of-cve-2018-8653 | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, CVE-2018-8653 scripting engine vulnerability. CVE-2018-8653 is a remote code execution vulnerability found in the scripting engine f...
detect-impacket-atexec | Hunting Query | GitHub Only | This query looks for signs of the impacket atexec module. Should work with others using a similar technique. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-part-3/
detect-impacket-dcomexec | Hunting Query | GitHub Only | This query looks for signs of the impacket dcomexec module. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-part-2/
detect-impacket-psexec-module | Hunting Query | GitHub Only | This query looks for signs of impacket psexec module usage. May hit other psexec-like techniques too. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-psexec/
detect-impacket-wmiexec | Hunting Query | GitHub Only | This query looks for signs of impacket wmiexec module usage. May hit other WMI execution-like techniques too. Author: Jouni Mikkola. More info: https://threathunt.blog/impacket-part-2/
detect-malicious-rar-extraction | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks. CVE-2018-15982 is an exploit of Adobe Flash Player that allows for remote execution of arbitrary co...
detect-malicious-use-of-msiexec-mimikatz | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows inst...
detect-malicious-use-of-msiexec | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows inst...
detect-malicious-use-of-msiexec-powershell | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Msiexec abuse. Msiexec.exe is a Windows component that installs files with the .msi extension. These kinds of files are Windows inst...
detect-office-applications-spawning-msdt-CVE-2022-30190 | Hunting Query | GitHub Only | This query detects possible abuse of the ms-msdt MSProtocol URI scheme to load and execute malicious code via the Microsoft Support Diagnostic Tool Vulnerability (CVE-2022-30190). The following query detects ...
detect-office-products-spawning-wmic | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve. Windows Management Instrumentation, or WMI, is a legitimate Microsoft framework used to obtain ma...
Detect potential kerberoast activities | Hunting Query | GitHub Only | This query aims to detect if someone requests service tickets (where count >= maxcount). The query requires trimming to set a baseline level for MaxCount. Mitre Technique: Kerberoasting (T1558.003) @Ma...
detect-suspicious-mshta-usage | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve. Microsoft HTML Applications, or HTAs, are executable files that use the same technologies and mod...
detect-web-server-exploit-doublepulsar | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Motivated miners. Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now use...
ExecuteBase64DecodedPayload | Hunting Query | GitHub Only | Process executed from a binary hidden in a Base64 encoded file. Encoding malicious software is a technique to obfuscate files from detection. The first and second ProcessCommandLine components are looking...
File Copy and Execution | Hunting Query | GitHub Only | This query identifies files that are copied to a device over SMB, then executed within a specified threshold. The default is 5 seconds, but it is configurable by tweaking the value for ToleranceInSeconds.
jse-launched-by-word | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Emulation-evading JavaScripts. Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order ...
launch-questd-w-osascript | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is ...
locate-shlayer-payload-decryption-activity | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the us...
locate-shlayer-payload-decrytion-activity | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push. Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the us...
locate-surfbuyer-downloader-decoding-activity | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, OSX/SurfBuyer adware campaign. It will return results if a shell script has furtively attempted to decode and save a file to a /tmp ...
Malware_In_recyclebin | Hunting Query | GitHub Only | Finding attackers hiding malware in the recycle bin. Read more here: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/. Tags: #execution #SuspiciousPath.
Masquerading system executable | Hunting Query | GitHub Only | Finds legitimate system32 or syswow64 executables being run under a different name and in a different location. The rule will require tuning for your environment. MITRE: Masquerading https://attack.mi...
office-apps-launching-wscipt | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Origina...
Possible Ransomware Related Destruction Activity | Hunting Query | GitHub Only | This query identifies common processes run by ransomware malware to destroy volume shadow copies or clean free space on a drive to prevent a file from being recovered post-encryption. To reduce false...
PowerShell downloads | Hunting Query | GitHub Only | Finds PowerShell execution events that could involve a download.
powershell-activity-after-email-from-malicious-sender | Hunting Query | GitHub Only | Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious s...
powershell-version-2.0-execution | Hunting Query | GitHub Only | Find the execution of PowerShell version 2.0, either to discover legacy scripts using version 2 or to find attackers trying to hide from script logging and AMSI.
PowershellCommand - uncommon commands on machine | Hunting Query | GitHub Only | Find which uncommon PowerShell cmdlets were executed on a given machine in a certain time period. This covers all PowerShell commands executed in the PowerShell engine by any process.
PowershellCommand footprint | Hunting Query | GitHub Only | Find all machines running a given PowerShell cmdlet. This covers all PowerShell commands executed in the PowerShell engine by any process.
python-based-attacks-on-macos | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Python abuse on macOS. The Python programming language comes bundled with macOS. In threat intelligence gathered from macOS endpoints...
qakbot-campaign-suspicious-javascript | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has ...
reverse-shell-nishang-base64 | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
reverse-shell-nishang | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
RunMRU with non-ASCII characters | Hunting Query | GitHub Only | Identifies non-ASCII data written to the RunMRU registry key by explorer.
sql-server-abuse | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, SQL Server abuse. SQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimat...
umworkerprocess-unusual-subprocess-activity | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
Webserver Executing Suspicious Applications | Hunting Query | GitHub Only | This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript), common initial profiling commands (net \ net1 ...
7-zip-prep-for-exfiltration | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
Anomaly of MailItemAccess by GraphAPI [Nobelium] | Hunting Query | GitHub Only | This query looks for anomalies in mail item access events made by Graph API. It uses standard deviation to determine if the number of events is anomalous. The query returns all clientIDs where the amo...
Code Repo Exfiltration | Hunting Query | GitHub Only | Looks for accounts that uploaded multiple code repositories to an external web domain.
Data copied to other location than C drive | Hunting Query | GitHub Only | Check all created files that do not have the extension ps1, bat or cmd (to avoid IT Pro scripts) and that are not copied to C:\, to detect all file shares, external drives and data partitions that are not allowed,...
detect-archive-exfiltration-to-competitor | Hunting Query | GitHub Only | This query can be used to detect instances of a malicious insider creating a file archive and then emailing that archive to an external "competitor" organization.
detect-exfiltration-after-termination | Hunting Query | GitHub Only | This query can be used to explore any instances where a terminated individual (i.e. one who has an impending termination date but has not left the company) downloads a large number of files from a non...
detect-steganography-exfiltration | Hunting Query | GitHub Only | This query can be used to detect instances of malicious users who attempt to create steganographic images and then immediately browse to a webmail URL. This query would require additional investigati...
exchange-powershell-snapin-loaded | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
Files copied to USB drives | Hunting Query | GitHub Only | This query lists files copied to USB external drives with USB drive information, based on FileCreated events associated with the most recent USBDriveMount events before file creation. But be aware that Adv...
MailItemsAccessed Throttling [Nobelium] | Hunting Query | GitHub Only | The MailItemsAccessed action is part of the new Advanced Audit functionality of Microsoft Defender XDR. It's part of Exchange mailbox auditing and is enabled by default for users that have an Office 3...
Map external devices (1) | Hunting Query | GitHub Only | Action "PnpDeviceConnected" reports the connection of any plug and play device. Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416. Query...
Map external devices | Hunting Query | GitHub Only | Action "PnpDeviceConnected" reports the connection of any plug and play device. Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416. Query...
OAuth Apps accessing user mail via GraphAPI [Nobelium] | Hunting Query | GitHub Only | This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.
OAuth Apps reading mail both via GraphAPI and directly [Nobelium] | Hunting Query | GitHub Only | As described in previous guidance, Nobelium may re-purpose legitimate existing OAuth Applications in the environment to their own ends. However, malicious activity patterns may be discernible from le...
OAuth Apps reading mail via GraphAPI anomaly [Nobelium] | Hunting Query | GitHub Only | Use this query to review OAuth applications whose behaviour has changed as compared to a prior baseline period. The following query returns OAuth Applications accessing user mail via Graph that did no...
Password Protected Archive Creation | Hunting Query | GitHub Only | One common technique leveraged by attackers is using archiving applications to package up files for exfiltration. In many cases, these archives are protected with a password to make analysis m...
Possible File Copy to USB Drive | Hunting Query | GitHub Only | This query searches for file copies which occur within a period of time (by default 15 min) to volumes other than the C drive or UNC shares. By default, this query will search all devices. A single de...
Unusual volume of file sharing with external user. | Hunting Query | GitHub Only | This query looks for users sharing access to files with external users. This applies to SharePoint and OneDrive users. Audit event and Cloud application identifier references. Reference - https://l...
AcroRd-Exploits | Hunting Query | GitHub Only | The following query looks for suspicious behaviors observed in the samples analyzed in the report.
CVE-2021-36934 usage detection | Hunting Query | GitHub Only | Assuming that you have a machine that is properly BitLocker'ed, then the machine will need to be running to extract the SAM and SYSTEM files. This first query looks for any access to the HKLM that hap...
CVE-2022-22965 Network Activity | Hunting Query | GitHub Only | The following query surfaces network activity associated with exploitation of CVE-2022-22965.
Suspicious Tomcat Confluence Process Launch | Hunting Query | GitHub Only | The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence - CVE-2022-26134. Read more here: https://confluence.atlassian.com/doc/confluence-security-adv...
Electron-CVE-2018-1000006 | Hunting Query | GitHub Only | The query checks process command line arguments and parent/child combinations to find machines where there have been attempts to exploit the Protocol Handler Vulnerability of the Electron framework CVE-...
Flash-CVE-2018-4848 | Hunting Query | GitHub Only | This query checks for specific processes and the domain TLD used in the CVE-2018-4878 Flash 0day exploit attack reported by KrCERT. CVE: CVE-2018-4878. Read more here: https://www.krcert.or.kr/data/secNo...
Linux-DynoRoot-CVE-2018-1111 | Hunting Query | GitHub Only | The query checks process command line arguments and parent/child combinations to find machines where there have been attempts to exploit a DHCP remote code command injection CVE-2018-1111. DynoRoot ...
MosaicLoader | Hunting Query | GitHub Only | This hunting query looks for malware that hides itself among Windows Defender exclusions to evade detection.
Windows Spooler Service Suspicious File Creation | Hunting Query | GitHub Only | The query digs in the Windows print spooler drivers folder for any file creations; MANY OF THE FILES THAT SHOULD COME UP HERE MAY BE LEGIT. A suspicious DLL is loaded from the Spooler Service backup folder. This...
printnightmare-cve-2021-1675 usage detection (1) | Hunting Query | GitHub Only | The first query digs in the print spooler drivers folder for any file creations; MANY OF THE FILES THAT SHOULD COME UP HERE MAY BE LEGIT. Unsigned files or ones that don't have any relations to printers that ...
printnightmare-cve-2021-1675 usage detection | Hunting Query | GitHub Only | The first query digs in the print spooler drivers folder for any file creations; MANY OF THE FILES THAT SHOULD COME UP HERE MAY BE LEGIT. Unsigned files or ones that don't have any relations to printers that ...
SolarWinds -CVE-2021-35211 | Hunting Query | GitHub Only | // Check for network connections with SolarWinds IPs based on DeviceNetworkEvents
VMWare-LPE-2022-22960 | Hunting Query | GitHub Only | The query checks for a process command being placed into the script; CVE-2022-22960 allows a user to write to it and have it executed as root. This vulnerability of VMware Workspace ONE Access, Identity Manager ...
winrar-cve-2018-20250-ace-files | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, WinRAR CVE-2018-20250 exploit. WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that ...
winrar-cve-2018-20250-file-creation | Hunting Query | GitHub Only | This query was originally published in the threat analytics report, WinRAR CVE-2018-20250 exploit. WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that ...
EmojiHunt | Hunting Query | GitHub Only | Did you know you can use Emojis in Windows? Read more here: https://davidzych.com/abusing-emoji-in-windows. Check out who in your organization has renamed his or her computer to a Pizza or to a smili...
Make FolderPath Vogon Poetry | Hunting Query | GitHub Only | This is a completely stupid and pointless query that makes Vogon poetry out of a random FolderPath from the table you pass it. You can change DeviceProcessEvents for any table as long as it has a col...
Alert Events from Internal IP Address | Hunting Query | GitHub Only | Determines DeviceId from an internal IP address and outputs all alerts in the events table associated with the DeviceId. An example use case is a firewall determining an internal IP with suspicious network activity. Qu...
AppLocker Policy Design Assistant | Hunting Query | GitHub Only | One of the challenges in making an AppLocker policy is knowing where applications launch from. This query normalizes process launch paths through aliasing, then counts the number of processes launche...
Baseline Comparison | Hunting Query | GitHub Only | Baseline Comparison. Author: miflower. The purpose of this query is to perform a comparison between "known good" machines and suspected bad machines. The original concept for this query was born due t...
Crashing Applications | Hunting Query | GitHub Only | This query identifies crashing processes based on parameters passed to werfault.exe and attempts to find the associated process launch from DeviceProcessEvents.
Detect Azure RemoteIP | Hunting Query | GitHub Only | This query is a function that consumes the publicly available Azure IP address list and checks a list of remote IP addresses against it to see if they are Azure IP addresses or not. To use this, repla...
Device Count by DNS Suffix | Hunting Query | GitHub Only | This query will count the number of devices in Defender ATP based on their DNS suffix. For a full list of devices with the DNS suffix, comment out or remove the last line.
Device uptime calculation | Hunting Query | GitHub Only | This query calculates device uptime based on periodic DeviceInfo, which is recorded every 15 minutes regardless of the device's network connectivity and uploaded once the device gets online. If its interval is...
Endpoint Agent Health Status Report | Hunting Query | GitHub Only | This query will provide a report of many of the best practice configurations for Defender ATP deployment. Special thanks to Gilad Mittelman for the initial inspiration and concept. Any tests which are...
Events surrounding alert (1) | Hunting Query | GitHub Only | This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event...
Events surrounding alert (2) | Hunting Query | GitHub Only | This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event...
Events surrounding alert (3) | Hunting Query | GitHub Only | This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event...
Events surrounding alert | Hunting Query | GitHub Only | This query looks for events that are near in time to a detected event. It shows how you could avoid typing exact timestamps, and replace it with a simple query to get the timestamp of your pivot event...
Failed Logon Attempt | Hunting Query | GitHub Only | Sample query to detect if there are more than 3 failed logon authentications on high value assets. Update DeviceName to reflect your high value assets. For questions @MiladMSFT on Twitter or milad.asl...
File footprint (1) | Hunting Query | GitHub Only | Query #1 - Find the machines on which this file was seen. TODO - set file hash to be a SHA1 hash of your choice...
File footprint | Hunting Query | GitHub Only | Query #1 - Find the machines on which this file was seen. TODO - set file hash to be a SHA1 hash of your choice...
Firewall Policy Design Assistant | Hunting Query | GitHub Only | This query helps you design client firewall rules based on data stored within DeviceNetworkEvents. Folder paths are aliased to help represent the files making or receiving network connections without...
insider-threat-detection-queries (1) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (10) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (11) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (12) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (13) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (14) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (15) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (16) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (17) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (18) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (19) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (2) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (3) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (4) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (5) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (6) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (7) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (8) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries (9) | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
insider-threat-detection-queries | Hunting Query | GitHub Only | Intent: - Use MTP capability to look for insider threat potential risk indicators - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools Definition of...
Linux Agent Age ReportHunting Query🔗 GitHubGitHub OnlyThis query uses the public MDE GitHub repo as a source to estimate the time that an agent build remains supported based on the time it was uploaded. Please note that the timestamps used in this query ...
Machine info from IP address (1)Hunting Query🔗 GitHubGitHub OnlyThe following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What...
Machine info from IP address (2)Hunting Query🔗 GitHubGitHub OnlyThe following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What...
Machine info from IP address (3)Hunting Query🔗 GitHubGitHub OnlyThe following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What...
Machine info from IP addressHunting Query🔗 GitHubGitHub OnlyThe following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users. To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What...
MD AV Signature and Platform VersionHunting Query🔗 GitHubGitHub OnlyThis query will identify the Microsoft Defender Antivirus Engine version and Microsoft Defender Antivirus Security Intelligence version (and timestamp), Product update version (aka Platform Update ver...
MITRE - Suspicious EventsHunting Query🔗 GitHubGitHub OnlyDescription: The query looks for several different MITRE techniques, grouped by risk level. A weighting is applied to each risk level and a total score is calculated per machine. Techniques can be added...
Network footprint (1)Hunting Query🔗 GitHubGitHub OnlyQuery 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila...
Network footprint (2)Hunting Query🔗 GitHubGitHub OnlyQuery 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila...
Network footprint (3)Hunting Query🔗 GitHubGitHub OnlyQuery 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila...
Network footprintHunting Query🔗 GitHubGitHub OnlyQuery 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL. Be sure to update the RemoteIP and RemoteURL variables. For questions @MiladMSFT on Twitter or mila...
Network info of machineHunting Query🔗 GitHubGitHub OnlyGet information about the network adapters of the given computer at the given time. This could include the configured IP addresses, DHCP servers, DNS servers, and more.
Phish and Malware received by user vs total amount of emailHunting Query🔗 GitHubGitHub OnlyHow many phish and malware emails vs. good emails the user received in the given timeframe.
ServicesHunting Query🔗 GitHubGitHub OnlyGets the service name from the registry key.
System Guard Security Level BaselineHunting Query🔗 GitHubGitHub OnlyEstablishes a baseline SystemGuardSecurityLevel and shows the devices that are below that baseline. See https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-insights-from-system-attestatio...
System Guard Security Level DropHunting Query🔗 GitHubGitHub OnlyGoal: Find machines in the last N days where the SystemGuardSecurityLevel value NOW is less than it was BEFORE. Step 1: Get a list of all security levels in the system where the level is not null.
wifikeysHunting Query🔗 GitHubGitHub OnlyDetect if someone runs netsh and tries to expose WPA keys in clear text. @mattiasborg82. Blog.sec-labs.com.
backup-deletionHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse...
ransom-note-creation-macosHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware. As of the time of this writing (October 2020), ransomware designed to target macOS is ...
turn-off-system-restoreHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog. In April of 2020, security researchers obse...
Unusual volume of file deletion by user.Hunting Query🔗 GitHubGitHub OnlyThis query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here. This applies to SharePoint and OneDrive users. Audit even...
wadhrama-data-destructionHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama. The ransomware known as Wadhrama has been used in human-operated attacks that follow a particul...
Check for Maalware Baazar (abuse.ch) hashes in your mail flowHunting Query🔗 GitHubGitHub OnlyCheck if file hashes published in the recent abuse.ch feed are found in your mail flow scanned by Office 365 ATP.
detect-bluekeep-exploitation-attemptsHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i...
detect-mailsniperHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, MailSniper Exchange attack tool. MailSniper is a tool that targets Microsoft Exchange Server. The core function is to connect to Exc...
files-from-malicious-senderHunting Query🔗 GitHubGitHub OnlyThis query checks devices for the presence of files that have been sent by a known malicious sender. To use this query, replace the email address with the address of the known malicious sender.
SuspiciousUrlClickedHunting Query🔗 GitHubGitHub OnlyIdentify emails that were sent from an address external to your company and where the email was sent to more than 50 distinct corporate users. Update corporatedomain.com to your corporate domain to have i...
jar-attachmentsHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact. Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capa...
Non_intended_user_logonHunting Query🔗 GitHubGitHub OnlyUnder some circumstances it is only allowed that users from country X logon to devices from country X. This query finds logon from users from other countries than X. The query requires a property to i...
PhishingEmailUrlRedirectorHunting Query🔗 GitHubGitHub OnlyThis query was originally published on Twitter, by @MsftSecIntel. The query helps detect emails associated with a campaign that has used open redirector URLs. The campaign's URLs begin with the distin...
SuspiciousUrlClickedHunting Query🔗 GitHubGitHub OnlyThis query correlates Microsoft Defender for Office 365 signals and Microsoft Entra ID identity data to find the relevant endpoint event BrowserLaunchedToOpen in Microsoft Defender ATP. This event refl...
User navigation to redirected URLHunting Query🔗 GitHubGitHub OnlyThis query identifies when a user clicks a link that opens a browser to navigate to a URL which uses redirection. It then filters out any redirections to URLs in the same DNS namespace as the originat...
Account brute force (1)Hunting Query🔗 GitHubGitHub OnlyQuery #1: Look for public IP addresses that failed to log on to a computer multiple times, using multiple accounts, and eventually succeeded.
Account brute forceHunting Query🔗 GitHubGitHub OnlyQuery #1: Look for public IP addresses that failed to log on to a computer multiple times, using multiple accounts, and eventually succeeded.
detect-suspicious-rdp-connectionsHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Exploitation of CVE-2019-0708 (BlueKeep). CVE-2019-0708, also known as BlueKeep, is a critical remote code execution vulnerability i...
Device Logons from Unknown IPsHunting Query🔗 GitHubGitHub OnlyDevice Logons from Unknown IP Addresses. This query identifies device logons from IP addresses not associated with any machine in Defender ATP.
doppelpaymer-psexecHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu...
ImpersonatedUserFootprintHunting Query🔗 GitHubGitHub OnlyMicrosoft Defender for Identity raises an alert on a suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack. Once attackers gain credentials for a user with higher privileges, they wi...
Network Logons with Local AccountsHunting Query🔗 GitHubGitHub OnlyThis query looks for a large number of network-based authentications using local credentials coming from a single source IP address. High counts of logons involving a large number of distinct machines...
Non-local logons with -500 accountHunting Query🔗 GitHubGitHub OnlyNon-local logons with the built-in administrator (-500) account.
remote-file-creation-with-psexecHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread ...
ServiceAccountsPerformingRemotePSHunting Query🔗 GitHubGitHub OnlyService Accounts Performing Remote PowerShell. Author: miflower. The purpose behind this detection is finding service accounts that are performing remote PowerShell sessions. There are two phases ...
Defender for Endpoint TelemetryHunting Query🔗 GitHubGitHub OnlyView Defender for Endpoint telemetry URLs and their connection status, view trendline over 30 days. Use to investigate possible telemetry and/or connectivity issues. Jesse.esquivel@microsoft.com.
Accessibility FeaturesHunting Query🔗 GitHubGitHub OnlyThis query looks for persistence or privilege escalation done using Windows Accessibility features. It covers some of the techniques that could be used to utilize these features for malicious purpose...
AddedCredentialFromContryXAndSigninFromCountryYHunting Query🔗 GitHubGitHub OnlyAdded credential from country X and signed in from country Y in a specific time window: This query tries to find all applications that credentials were added to from country X while the applicatio...
Create account (1)Hunting Query🔗 GitHubGitHub OnlyUser accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136. Tags: #CreateAccount. Query #1: Query for users being created using "ne...
Create accountHunting Query🔗 GitHubGitHub OnlyUser accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136. Tags: #CreateAccount. Query #1: Query for users being created using "ne...
CredentialsAddAfterAdminConsentedToApp[Nobelium]Hunting Query🔗 GitHubGitHub OnlyCredentials were added to an application by UserA, after the application was granted admin consent rights by UserB. The Nobelium activity group has been observed adding credentials (x509 keys or passwo...
detect-impacket-wmipersistHunting Query🔗 GitHubGitHub OnlyThis query looks for signs of impacket wmipersist usage and should work for other wmi based persistence methods. Requires analysis. Author: Jouni Mikkola More info: https://threathunt.blog/impacket-pa...
detect-prifou-puaHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, ironSource PUA & unwanted apps impact millions. IronSource provides software bundling tools for many popular legitimate apps, such a...
localAdminAccountLogonHunting Query🔗 GitHubGitHub OnlyThis query looks for a local admin account used to log on to the computer. This can help detect malicious insiders who were able to add a local account to the local admin group offline.
LocalAdminGroupChangesHunting Query🔗 GitHubGitHub OnlyAuthor: alex verboon @alexverboon. Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.
Multiple Entra ID Admin RemovalsHunting Query🔗 GitHubGitHub OnlyLooks for multiple users that had their admin role removed by a single user within a certain period.
NewAppOrServicePrincipalCredential[Nobelium]Hunting Query🔗 GitHubGitHub OnlyThis query will find when a new credential is added to an application or service principal. The Nobelium activity group was able to gain sufficient access to add credentials to existing applications w...
qakbot-campaign-registry-editHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware. Qakbot is malware that steals login credentials from banking and financial services. It has ...
Rare-process-as-a-serviceHunting Query🔗 GitHubGitHub OnlyThis query is looking for rarely seen processes which are launched as a service. Author: Jouni Mikkola More info: https://threathunt.blog/rare-process-launch-as-a-service/
detect-impacket-wmiexecHunting Query🔗 GitHubGitHub OnlyThis query looks for signs of impacket wmiexec module usage. May hit other wmi execution-like techniques too. Author: Jouni Mikkola More info: https://threathunt.blog/impacket-part-2/
rare_sch_task_with_activityHunting Query🔗 GitHubGitHub OnlyLooks for rare process launch as a scheduled task and activity done by the processes. Author: Jouni Mikkola More info: https://threathunt.blog/hunting-for-malicious-scheduled-tasks/
Risky Sign-in with Device RegistrationHunting Query🔗 GitHubGitHub OnlyLooks for a new device registration in Entra ID preceded by medium or high-risk sign-in session for the same user within maximum 6h timeframe.
Risky Sign-in with new MFA methodHunting Query🔗 GitHubGitHub OnlyLooks for a new MFA method added to an account that was preceded by a medium or high-risk sign-in session for the same user within a maximum 6h timeframe.
scheduled task creationHunting Query🔗 GitHubGitHub OnlyOriginal Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_schtask_creation.yml. Questions via Twitter: @janvonkirchheim.
detect-impacket-wmiexecHunting Query🔗 GitHubGitHub OnlyThis query looks for signs of impacket wmiexec module usage. May hit other wmi execution-like techniques too. Author: Jouni Mikkola More info: https://threathunt.blog/impacket-part-2/
wadhrama-ransomwareHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, RDP ransomware persists as Wadhrama. The ransomware known as Wadhrama has been used in human-operated attacks that follow a particul...
Add uncommon credential type to application [Nobelium]Hunting Query🔗 GitHubGitHub OnlyThe query looks for users or service principals that attached an uncommon credential type to application. As part of the Nobelium campaign, the attacker added credentials to already existing applicati...
cve-2019-0808-c2Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808. CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox...
cve-2019-0808-nufsys-file creationHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808. CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox...
cve-2019-0808-set-scheduled-taskHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Windows 7 zero-day for CVE-2019-0808. CVE-2019-0808 is a vulnerability that allows an attacker to escape the Windows security sandbox...
dell-driver-vulnerability-2021Hunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Multiple EOP flaws in Dell driver (CVE-2021-21551). CVE-2021-21551 is a vulnerability found in dbutil_2_3.sys, a driver distributed ...
Windows Anitivirus and EDR Elevation of Privilege VulnerabilityHunting Query🔗 GitHubGitHub OnlyThe query for malicious file creations via TOCTOU Vulnerability in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions. - Microsoft Defender (CVE-2022-37971) - Defender for Endp...
detect-cve-2019-0863-AngryPolarBearBug2-exploitHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub...
detect-cve-2019-0973-installerbypass-exploitHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub...
detect-cve-2019-1053-sandboxescape-exploitHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub...
detect-cve-2019-1069-bearlpe-exploitHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub...
detect-cve-2019-1129-byebear-exploitHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, May 2019 0-day disclosures. In May and June of 2019, a security researcher with the online alias, SandboxEscaper, discovered and pub...
locate-ALPC-local-privilege-elevation-exploitHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, ALPC local privilege elevation. Windows ALPC Elevation of Privilege Vulnerability, CVE-2018-8440, could be exploited to run arbitrar...
Risky Sign-in with ElevateAccessHunting Query🔗 GitHubGitHub OnlyLooks for users who had a risky sign-in (based on Entra ID Identity Protection risk score) and then performed an ElevateAccess action. ElevateAccess operations can be used by Global Admins to obtain ...
SAM-Name-Changes-CVE-2021-42278Hunting Query🔗 GitHubGitHub OnlyThe following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity.
ServicePrincipalAddedToRole [Nobelium]Hunting Query🔗 GitHubGitHub OnlyOne of the indicators of compromise for the Nobelium (formerly Solorigate) campaign was that unexpected service principals have been added to privileged roles. This query looks for service principals ...
Antivirus detections (1)Hunting Query🔗 GitHubGitHub OnlyQuery for Microsoft Defender Antivirus detections. Query #1: Query for Antivirus detection events.
Antivirus detectionsHunting Query🔗 GitHubGitHub OnlyQuery for Microsoft Defender Antivirus detections. Query #1: Query for Antivirus detection events.
AV Detections with SourceHunting Query🔗 GitHubGitHub OnlyThis query shows the source of the AV detections (e.g., the website the file was downloaded from etc.). Get the list of AV detections.
AV Detections with USB Disk DriveHunting Query🔗 GitHubGitHub OnlyThis query makes a best-guess detection regarding which removable media device caused an AV detection. The query is best run over 30 days to get the full USB history. Get a list of USB AV detections. T...
ExploitGuardAsrDescriptionsHunting Query🔗 GitHubGitHub OnlyExpanding on DeviceEvents output with Attack Surface Reduction (ASR) rule descriptions. The ActionType values of the ASR events already explain what rule was matched and if it was audited or blocked. ...
ExploitGuardASRStats (1)Hunting Query🔗 GitHubGitHub OnlyGet stats on ASR audit events - count events and machines per rule.
ExploitGuardASRStats (2)Hunting Query🔗 GitHubGitHub OnlyGet stats on ASR audit events - count events and machines per rule.
ExploitGuardASRStatsHunting Query🔗 GitHubGitHub OnlyGet stats on ASR audit events - count events and machines per rule.
ExploitGuardBlockOfficeChildProcess (1)Hunting Query🔗 GitHubGitHub OnlyThese queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https...
ExploitGuardBlockOfficeChildProcess (2)Hunting Query🔗 GitHubGitHub OnlyThese queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https...
ExploitGuardBlockOfficeChildProcess (3)Hunting Query🔗 GitHubGitHub OnlyThese queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https...
ExploitGuardBlockOfficeChildProcessHunting Query🔗 GitHubGitHub OnlyThese queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes. (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a). Read more about it here: https...
ExploitGuardControlledFolderAccess (1)Hunting Query🔗 GitHubGitHub OnlyTotal Controlled Folder Access events.
ExploitGuardControlledFolderAccess (2)Hunting Query🔗 GitHubGitHub OnlyTotal Controlled Folder Access events.
ExploitGuardControlledFolderAccessHunting Query🔗 GitHubGitHub OnlyTotal Controlled Folder Access events.
ExploitGuardNetworkProtectionEventsHunting Query🔗 GitHubGitHub OnlySimple query to show the unique network connections that were audited or blocked by ExploitGuard. For more questions on this query, feel free to ping @FlyingBlueMonki on twitter or mattegen@microsoft....
ExploitGuardStats (1)Hunting Query🔗 GitHubGitHub OnlyGet stats on ExploitGuard blocks - count events and machines per rule.
ExploitGuardStatsHunting Query🔗 GitHubGitHub OnlyGet stats on ExploitGuard blocks - count events and machines per rule.
PUA ThreatName per ComputerHunting Query🔗 GitHubGitHub OnlyToday MDE Alerts do not show PUA/WDAV ThreatName. This is a demonstration of how to get, for example, PUA Threat Names.
SmartScreen app block ignored by userHunting Query🔗 GitHubGitHub OnlyQuery for SmartScreen application blocks on files with "Malicious" reputation, where the user has decided to run the malware nonetheless. Read more about SmartScreen here: https://docs.microsoft.com/wi...
SmartScreen URL block ignored by userHunting Query🔗 GitHubGitHub OnlyQuery for SmartScreen URL blocks, where the user has decided to run the malware nonetheless. An additional optional filter is applied to query only for cases where Microsoft Edge has downloaded a file ...
Windows filtering events (Firewall)Hunting Query🔗 GitHubGitHub OnlyGet all filtering events done by the Windows filtering platform. This includes any blocks done by Windows Firewall rules, but also blocks triggered by some 3rd party firewalls. When no Firewall rules ...
ARS Ransomware Event triggeredHunting Query🔗 GitHubGitHub OnlyThis rule detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered. No alert is generated by default. This could be the start of a ransomware attack. Additional information...
Backup deletionHunting Query🔗 GitHubGitHub OnlyThis query identifies use of wmic.exe to delete shadow copy snapshots prior to encryption.
Check for multiple signs of ransomware activityHunting Query🔗 GitHubGitHub OnlyInstead of running several queries separately, you can also use a comprehensive query that checks for multiple signs of ransomware activity to identify affected devices. The following consolidated que...
Clearing of forensic evidence from event logs using wevtutilHunting Query🔗 GitHubGitHub OnlyThis query checks for attempts to clear at least 10 log entries from event logs using wevtutil.
DarkSideHunting Query🔗 GitHubGitHub OnlyUse this query to look for running DarkSide ransomware behavior in the environment.
Deletion of data on multiple drives using cipher exeHunting Query🔗 GitHubGitHub OnlyThis query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
Discovery for highly-privileged accountsHunting Query🔗 GitHubGitHub OnlyUse this query to locate commands related to discovering highly privileged users in an environment, sometimes a precursor to ransomware.
Distribution from remote locationHunting Query🔗 GitHubGitHub OnlyThis query checks for alerts related to file drop and remote execution where the file name matches PsExec and similar tools used for distribution.
Fake RepliesHunting Query🔗 GitHubGitHub OnlyUse this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs. These attacks have been observed leading ...
File Backup Deletion AlertsHunting Query🔗 GitHubGitHub OnlyThis query checks alerts related to file backup deletion and enriches them with additional alert evidence information.
Gootkit File DeliveryHunting Query🔗 GitHubGitHub OnlyThis query surfaces alerts related to Gootkit and enriches with command and control information, which has been observed delivering ransomware.
HTA Startup PersistenceHunting Query🔗 GitHubGitHub OnlyUse this query to locate persistence in Startup with HTA files.
IcedId attachmentsHunting Query🔗 GitHubGitHub OnlyUse this query to locate emails with subject indicators of a reply or forward, and the attachment is a .doc, or a .zip containing a .doc. Review results for suspicious emails. IcedId can lead to ranso...
IcedId DeliveryHunting Query🔗 GitHubGitHub OnlyUse this query to locate successful delivery of associated malicious downloads that can lead to ransomware.
IcedId email deliveryHunting Query🔗 GitHubGitHub OnlyUse this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware.
LaZagne Credential TheftHunting Query🔗 GitHubGitHub OnlyUse this query to locate processes executing credential theft activity, often LaZagne in ransomware compromises.
Potential ransomware activity related to Cobalt StrikeHunting Query🔗 GitHubGitHub OnlyUse this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns.
Qakbot discovery activiesHunting Query🔗 GitHubGitHub OnlyUse this query to locate injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances.
Sticky KeysHunting Query🔗 GitHubGitHub OnlyA technique used in numerous ransomware attacks is a Sticky Keys hijack for privilege escalation/persistence. Surface related alerts with this query.
Stopping multiple processes using taskkillHunting Query🔗 GitHubGitHub OnlyThis query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility.
Stopping processes using net stopHunting Query🔗 GitHubGitHub OnlyThis query checks for attempts to stop at least 10 separate processes using the net stop command.
Suspicious Bitlocker EncryptionHunting Query🔗 GitHubGitHub OnlyLooks for potential instances of BitLocker modifying registry settings to allow encryption, where it's executed via a .bat file.
Suspicious Google Doc LinksHunting Query🔗 GitHubGitHub OnlyUse this query to find emails with message IDs that resemble IDs used in known attack emails and contain a link to a document in Google Docs. These behaviors have been observed leading to ransomware atta...
Suspicious Image Load related to IcedIdHunting Query🔗 GitHubGitHub OnlyUse this query to locate suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to ransomware.
Turning off services using sc exeHunting Query🔗 GitHubGitHub OnlyThis query checks for attempts to turn off at least 10 existing services using sc.exe.
Turning off System RestoreHunting Query🔗 GitHubGitHub OnlyThis query identifies attempts to stop System Restore and prevent the system from creating restore points, which can be used to recover data encrypted by ransomware.
Remote Management and Montioring tool - Action1 - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Montioring tool - Action1 - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Montioring tool - Action1 - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Montioring tool - Addigy - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AeroAdmin - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AeroAdmin - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AeroAdmin - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Ammyy - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Ammyy - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Ammyy - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AnyDesk - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AnyDesk - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AnyDesk - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AnyViewer - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AnyViewer - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AnyViewer - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Atera - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Atera - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Atera - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AweSun - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AweSun - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - AweSun - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - BarracudaRMM - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - BarracudaRMM - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - BarracudaRMM - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - BeyondTrust - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - BeyondTrust - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - BeyondTrust - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ChromeRDP - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ChromeRDP - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ConnectWise - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ConnectWise - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ConnectWise - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DameWare - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DameWare - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DameWare - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DattoRMM - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DattoRMM - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DesktopNow - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DesktopNow - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DesktopNow - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DistantDesktop - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DistantDesktop - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DistantDesktop - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - DWService - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - FleetDeck - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - FleetDeck - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - FleetDeck - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - GetScreen - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - GetScreen - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - GetScreen - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - IperiusRemote - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - IperiusRemote - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - IperiusRemote - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ISLOnline - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ISLOnline - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ISLOnline - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Kaseya - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Kaseya - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Level - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Level - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Level - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - LiteManager - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - LiteManager - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - LiteManager - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - LogMeIn - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - LogMeIn - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - LogMeIn - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - MeshCentral - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - MeshCentral - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - MeshCentral - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - mRemoteNG - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - mRemoteNG - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - MSP360_CloudBerry - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - MSP360_CloudBerry - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - MSP360_CloudBerry - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NAble - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NAble - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NAble - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Naverisk - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Naverisk - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Naverisk - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NetSupport - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NetSupport - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NetSupport - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NinjaRMM - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NinjaRMM - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - NinjaRMM - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - OptiTune - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - OptiTune - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - OptiTune - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Panorama9 - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Panorama9 - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Panorama9 - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - parsec.app - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - parsec.app - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - parsec.app - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - PcVisit - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - PcVisit - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - PcVisit - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - PDQ - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - PDQ - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - PDQ - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Pulseway - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Pulseway - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Pulseway - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RealVNC - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RealVNC - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RealVNC - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemoteDesktopPlus - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemoteDesktopPlus - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemotePC - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemotePC - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemotePC - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemoteUtilities - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemoteUtilities - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RemoteUtilities - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RPort - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RPort - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RustDesk - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - RustDesk - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ScreenMeet - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ScreenMeet - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ScreenMeet - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ServerEye - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ServerEye - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ServerEye - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ShowMyPC - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ShowMyPC - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ShowMyPC - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SimpleHelp - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SimpleHelp - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SimpleHelp - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Splashtop - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Splashtop - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - Splashtop - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SupRemo - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SupRemo - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SupRemo - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SyncroMSP - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SyncroMSP - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - SyncroMSP - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TacticalRMM - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TacticalRMM - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TacticalRMM - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TeamViewer - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TeamViewer - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TeamViewer - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TigerVNC - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TigerVNC - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TightVNC - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TightVNC - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - TightVNC - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - UltraViewer - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - UltraViewer - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - UltraViewer - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - XMReality - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - XMReality - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - XMReality - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ZohoAssist - Create ProcessHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ZohoAssist - File SignatureHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - ZohoAssist - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Remote Management and Monitoring tool - All Tools - Network ConnectionHunting Query🔗 GitHubGitHub OnlyRemote Monitoring and Management (RMM) programs are IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo...
Connectivity Failures by DeviceHunting Query🔗 GitHubGitHub OnlyThis query checks for network connection failures to Microsoft Defender for Endpoint URLs. The output includes any device with 1+ connectivity failures, a list of the domains they failed to connect to...
Connectivity Failures by DomainHunting Query🔗 GitHubGitHub OnlyThis query is designed to help troubleshoot connectivity issues to Microsoft Defender for Endpoint URLs. It provides a summary of the number of failures which occurred, the number of distinct machines...
Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited VulnerabilitiesHunting Query🔗 GitHubGitHub OnlyThis advanced hunting query detects CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
devices_with_vuln_and_users_received_payload (1)Hunting Query🔗 GitHubGitHub Only// Author: jan geisbauer // @janvonkirchheim // ------------------------ // 1. A list of all devices that have this vulnerability // 2. A list of all users that uses those devices // 3. If these users...
devices_with_vuln_and_users_received_payloadHunting Query🔗 GitHubGitHub Only// Author: jan geisbauer // @janvonkirchheim // ------------------------ // 1. A list of all devices that have this vulnerability // 2. A list of all users that uses those devices // 3. If these users...
Microsoft Defender AV Engine up to date infoHunting Query🔗 GitHubGitHub OnlyProvides the Engine version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the Engine version.
Microsoft Defender AV Platform up to date informationHunting Query🔗 GitHubGitHub OnlyProvides the Platform version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the Platform version.
Microsoft Defender AV Security Intelligence up to date informationHunting Query🔗 GitHubGitHub OnlyProvides the Security Intelligence version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the security intelligence versio...
Microsoft Defender AV detailsHunting Query🔗 GitHubGitHub OnlyThis query will identify the Microsoft Defender Antivirus Security Intelligence version, Security Intelligence up to date value, Engine version, Engine up to date value, Product version (aka Platform...
Microsoft Defender AV mode device countHunting Query🔗 GitHubGitHub OnlyProvides the Anti virus mode and device count falling under that AV mode.
Add malicious user to Admins and RDP users group via PowerShellHunting Query🔗 GitHubGitHub OnlyLook for adding a user to Administrators in remote desktop users via PowerShell.
Create new user with known DEV-0270 username and passwordHunting Query🔗 GitHubGitHub OnlySearch for the creation of a new user using a known DEV-0270 username/password schema.
Disabling Services via RegistryHunting Query🔗 GitHubGitHub OnlySearch for processes modifying the registry to disable security features.
DLLHost.exe file creation via PowerShellHunting Query🔗 GitHubGitHub OnlyIdentify masqueraded DLLHost.exe file created by PowerShell.
DLLHost.exe WMIC domain discoveryHunting Query🔗 GitHubGitHub OnlyIdentify dllhost.exe using WMIC to discover additional hosts and associated domain.
Email data exfiltration via PowerShellHunting Query🔗 GitHubGitHub OnlyIdentify email exfiltration conducted by PowerShell.
Modifying the registry to add a ransom message notificationHunting Query🔗 GitHubGitHub OnlyIdentify registry modifications that is indicative of a ransom note tied to DEV-0270.
PowerShell adding exclusion path for Microsoft Defender of ProgramDataHunting Query🔗 GitHubGitHub OnlyIdentify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor.
Spoolsv Spawning Rundll32Hunting Query🔗 GitHubGitHub OnlyLook for the spoolsv.exe launching rundll32.exe with an empty command line
Suspicious DLLs in spool folderHunting Query🔗 GitHubGitHub OnlyLook for the creation of suspicious DLL files spawned in the \spool\ folder along with DLLs that were recently loaded afterwards from \Old.
Suspicious files in spool folderHunting Query🔗 GitHubGitHub OnlyMonitor for creation of suspicious files in the /spools/driver/ folder. This is a broad-based search that will surface any creation or modification of files in the folder targeted by this exploit. Fal...
Suspicious Spoolsv Child ProcessHunting Query🔗 GitHubGitHub OnlySurfaces suspicious spoolsv.exe behavior likely related to CVE-2021-1675
ATP policy status checkHunting Query🔗 GitHubGitHub OnlyThis query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
JNLP-File-AttachmentHunting Query🔗 GitHubGitHub OnlyJNLP file extensions are an uncommon file type often used to deliver malware.
Safe Attachments detectionsHunting Query🔗 GitHubGitHub OnlyThis query provides insights on the detections done by Safe Attachment detections
Authentication failures by time and authentication typeHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
CompAuth Failure TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spoof - Composite Authentication fails summarizing the data daily.
DKIM Failure TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spoof - DKIM fails summarizing the data daily.
DMARC Failure TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spoof - DMARC fails summarizing the data daily.
SPF Failure TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spoof - SPF fails summarizing the data daily.
Spoof attempts with auth failureHunting Query🔗 GitHubGitHub OnlyThis query helps in checking for spoofing attempts on the domain with Authentication failures
Top Spoof external domain detections by Sender domain (P1/P2)Hunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish-Spoof-external domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
Top Spoof DMARC detections by Sender domain (P1/P2)Hunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spoof-DMARC fails detections summarizing the data by the top email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
Top Spoof intra-org detections by Sender domain (P1/P2)Hunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish-Spoof-internal domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
Empty Sender Phish Delivered to InboxHunting Query🔗 GitHubGitHub OnlyThis query detects delivered phishing emails where the Sender is empty based on recently observed campaigns.
Message from an Accepted Domain with DMARC TempErrorHunting Query🔗 GitHubGitHub OnlyThis query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email appearing to come from an Accepted Domain but DMARC had a (transient) TempError result.
Message with URL listed on OpenPhish delivered into InboxHunting Query🔗 GitHubGitHub OnlyThis query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email with a URL from OpenPhish was delivered to Inbox
Potential OAuth phishing email delivered into InboxHunting Query🔗 GitHubGitHub OnlyThis query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious OAuth app URL has been delivered into an Inbox.
Potentially malicious svg file delivered to InboxHunting Query🔗 GitHubGitHub OnlyThis query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious .SVG file has been delivered into an Inbox.
Audit Email Preview-Download actionHunting Query🔗 GitHubGitHub OnlyThis query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
Bad email percentage of Inbound emailsHunting Query🔗 GitHubGitHub OnlyThis query visualises bad traffic (% of emails with threats) compared to total inbound emails over time summarising the data daily.
Calculate overall MDO efficacyHunting Query🔗 GitHubGitHub OnlyThis query helps calculate overall efficacy of MDO based on threats blocked pre-delivery, post-delivery cleanups, or were uncaught.
Email sender IP address Geo location informationHunting Query🔗 GitHubGitHub OnlyThis query helps getting GeoIP information of emails SenderIPv4 addresses.
Hunt for Admin email accessHunting Query🔗 GitHubGitHub OnlyThis query helps report on email access by administrators
Hunt for TABL changesHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
Local time to UTC time conversionHunting Query🔗 GitHubGitHub OnlyAdvanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in securit...
Mail item accessedHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing emails accessed by end users using cloud app events data
Malicious email sendersHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for emails from a sender with at least one email in quarantine
MDO daily detection summary reportHunting Query🔗 GitHubGitHub OnlyThis query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
New TABL ItemsHunting Query🔗 GitHubGitHub OnlyThis query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
Top 10 Domains sending Malicious Emails (Malware+Phish+Spam)Hunting Query🔗 GitHubGitHub OnlyIdentifies the top 10 sender domains delivering inbound emails classified as malware, phishing, or spam. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftde...
Top 10 External Senders (Malware)Hunting Query🔗 GitHubGitHub OnlyIdentifies the top 10 external sender addresses delivering inbound emails classified as malware. If you want to exclude your own organization's domains (including subdomains), add a filter after the m...
Top 10 External Senders (Phish)Hunting Query🔗 GitHubGitHub OnlyIdentifies the top 10 external sender addresses delivering inbound emails classified as phishing. If you want to exclude your own organization's domains (including subdomains), add a filter after the ...
Top 10 External Senders (Spam)Hunting Query🔗 GitHubGitHub OnlyIdentifies the top 10 external sender addresses delivering inbound emails classified as spam. If you want to exclude your own organization's domains (including subdomains), add a filter after the spam...
Top 10 External Senders (Spam)Hunting Query🔗 GitHubGitHub OnlyIdentifies the top 10 external sender addresses delivering inbound emails classified as spam. To exclude your own organization's domains (including subdomains), add a filter after the spam filter, e.g...
Top 10 Targeted Users (Malware+Phish+Spam)Hunting Query🔗 GitHubGitHub OnlyIdentifies the top 10 users receiving inbound emails classified as malware, phishing, or spam. Based on concepts from the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft....
Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam)Hunting Query🔗 GitHubGitHub OnlyVisualises the top 10 users with click attempts on URLs in emails detected as malware, phishing, or spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Of...
MDO Threat Protection Detections trend over timeHunting Query🔗 GitHubGitHub OnlyGraph of MDO detections trended over time
Total number of detections by MDOHunting Query🔗 GitHubGitHub OnlyProvides a summary of total number of detections
Automated email notifications and suspicious sign-in activityHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for Automated email notifications and suspicious sign-in activity
BEC - File sharing tactics - DropboxHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for BEC - File sharing tactics - Dropbox
BEC - File sharing tactics - OneDrive or SharePointHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint
Email bombing attacksHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing recipients who are potentially victim of email bombing attacks
Emails containing links to IP addressesHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for Emails containing links to IP addresses
Good emails from senders with bad patternsHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for good emails from senders with bad patterns
Hunt for email bombing attacksHunting Query🔗 GitHubGitHub OnlyThis query helps to hunt for possible email bombing attacks in Microsoft Defender for Office 365.
Hunt for email conversation take over attemptsHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for email conversation take over attempts
Hunt for malicious attachments using external IOC sourceHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source
Hunt for malicious URLs using external IOC sourceHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for emails with malicious URLs based on external IOC source
Inbox rule changes which forward-redirect emailHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for Inbox rule changes which forward-redirect email
MDO_CountOfRecipientsEmailaddressbySubjectHunting Query🔗 GitHubGitHub OnlyCount of recipient's email addresses by subject
MDO_CountofrecipientsemailaddressesbysubjectHunting Query🔗 GitHubGitHub OnlyCount of recipient's email addresses by subject
MDO_CountOfSendersEmailaddressbySubjectHunting Query🔗 GitHubGitHub OnlyCount of sender's email addresses by subject
MDO_SummaryOfSendersHunting Query🔗 GitHubGitHub OnlyCount of all Senders and where they were delivered
MDO_URLClickedinEmailHunting Query🔗 GitHubGitHub OnlyURLs clicked in Email
Top outbound recipient domains sending inbound emails with threatsHunting Query🔗 GitHubGitHub OnlyThis query helps hunting for top outbound recipient domains which are sending inbound emails with threats
Detections by detection methodsHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing malicious email detections by detection methods
Mail reply to new domainHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
Mailflow by directionalityHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing inbound / outbound / intra-org emails by domain per day
Malicious emails detected per dayHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing Malware, Phishing, Spam emails caught per day
Sender recipient contact establishmentHunting Query🔗 GitHubGitHub OnlyThis query helps in checking the sender-recipient contact establishment status
Spam Detections (High) by delivery locationHunting Query🔗 GitHubGitHub OnlyThis query visualises emails with Spam detections (High confidence) summarizing the data by Delivery Location.
Spam Detections (Normal) by delivery locationHunting Query🔗 GitHubGitHub OnlyThis query visualises emails with Spam detections (Normal confidence) summarizing the data by Delivery Location.
Top 100 malicious email sendersHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing top 100 malicious senders
Top 100 sendersHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing top 100 senders in your organization in last 30 days
Zero day threatsHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing zero day threats via URL and file detonations
Email containing malware accessed on a unmanaged deviceHunting Query🔗 GitHubGitHub OnlyIn this query, we are looking for emails containing malware accessed on a unmanaged device
Email containing malware sent by an internal senderHunting Query🔗 GitHubGitHub OnlyIn this query, we are looking for emails containing malware attachment sent by an internal sender
Email malware detection reportHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing email malware detection cases
File Malware Detection TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total files located on SharePoint, OneDrive and Teams with Malware detections over time summarizing the data daily.
File Malware by Top Malware Families (Anti Virus)Hunting Query🔗 GitHubGitHub OnlyThis query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on built-in SharePoin...
File Malware by Top Malware Families (Safe Attachments)Hunting Query🔗 GitHubGitHub OnlyThis query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on Defender for Offic...
Malware Detections TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Malware detections over time summarizing the data daily.
Malware Detections by delivery locationHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Malware detections over time summarizing the data daily by Delivery Location.
Malware Detections by Detection technology TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Malware detections over time summarizing the data daily by various Malware detection technologies/controls.
Malware Detections by Detection technologyHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Malware detections summarizing the data by various Malware detection technologies/controls.
Malware detections by Workload LocationsHunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the locations they are stored
Malware detections by Workload TypeHunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the workload in which they are stored
Email Top Domains sending MalwareHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails with Malware detections summarizing the data by the top email sender P2 domain (SenderFromDomain)
Top Malware FamiliesHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Malware detections summarizing the data by ThreatNames of the malware detected.
Top Users receiving MalwareHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails with Malware detections summarizing the data by the top recipient email address (RecipientEmailAddress)
Zero-day Malware Detections TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Malware detections over time summarizing the data daily by Malware detection technologies/controls used for detecting unknown-unique malware.
Changes to Blocked Teams Domains (NRT)Hunting Query🔗 GitHubGitHub OnlyThis query detects changes to blocked Teams domains and can be used as an NRT detection.
Changes to Blocked Teams DomainsHunting Query🔗 GitHubGitHub OnlyThis query detects changes to blocked Teams domains.
Teams communication from suspicious external usersHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for communication from suspicious external users.
Teams communication to suspicious external usersHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for communication with suspicious external users.
Expanding recipients into separate rowsHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for recipients of Teams messages.
External malicious Teams messages sent from internal sendersHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for external malicious Teams messages sent from internal senders
Hunt for malicious messages using External Threat IntelligenceHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams messages with malicious URLs based on external Threat Intelligence source
Inbound Teams messages by sender domainsHunting Query🔗 GitHubGitHub OnlyThis query helps review the volume of inbound external Teams messages by sender domain.
Malicious Teams messages by URL detection methodsHunting Query🔗 GitHubGitHub OnlyThis query helps review malicious Teams message detections by URL detection method.
Malicious Teams messages received from external sendersHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for malicious Teams messages received from external senders.
Microsoft Teams chat initiated by a suspicious external userHunting Query🔗 GitHubGitHub OnlyUse AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages.
Number of unique accounts performing Teams message Admin submissionsHunting Query🔗 GitHubGitHub OnlyThis query visualises the number of unique accounts performing Teams message admin submissions as false negatives or false positives.
Number of unique accounts performing Teams message User submissionsHunting Query🔗 GitHubGitHub OnlyThis query visualises the number of unique accounts performing Teams message user submissions as false negatives or false positives.
Possible partner impersonation in external Team messagesHunting Query🔗 GitHubGitHub OnlyThis query can be used as a Custom Detection Rule (CDR) to trigger when a partner email domain or email address is used in the sender display name of an inbound external Teams message.
Possible Teams phishing activityHunting Query🔗 GitHubGitHub OnlyThis query looks for possible Teams phishing activity.
Potentially malicious URL click in TeamsHunting Query🔗 GitHubGitHub OnlyThis query provides insights on a potentially malicious URL click in Teams
Rare Domains in External Teams MessagesHunting Query🔗 GitHubGitHub OnlyDetects rare domains (seen in fewer than 3 Teams messages) appearing in external Microsoft Teams threads within the last 24 hours.
Suspicious Teams Display NameHunting Query🔗 GitHubGitHub OnlyThis query looks for Teams messages from an external user with a suspicious display name.
Teams Admin submission of Malware and Phish daily trendHunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of admin false negative Teams message submissions by submission type of Phish or Malware
Teams Admin submission of No Threats daily trendHunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of admin false positive Teams message submissions
Teams Admin-User Submissions Grading VerdictsHunting Query🔗 GitHubGitHub OnlyThis query visualizes Teams messages submitted by users or admins then graded in the submission process.
Teams blocked URL clicks daily trendHunting Query🔗 GitHubGitHub OnlyThis query visualizes the daily amount of blocked Url clicks performed by users on Urls in Teams messages.
Teams Malware ZAPHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams messages with Malware threats that have been ZAPed.
Teams Message with URL listed on OpenPhishHunting Query🔗 GitHubGitHub OnlyThis query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.
Teams message ZAPed with the same URL in EmailHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams messages that have been ZAPed with the same URL in Email.
Teams messages from a specific sender by ThreadTypeHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams messages from a specific sender by ThreadType.
Teams messages with suspicious URL domainsHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams messages with suspicious URL domains.
Teams Phish ZAPHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams messages with Phish threats that have been ZAPed.
Teams post delivery events daily trendHunting Query🔗 GitHubGitHub OnlyThis query visualizes the daily amount of post delivery events on Teams messages.
Teams Spam ZAPHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams messages with Spam threats that have been ZAPed.
Teams URL clicks actions summarized by URLs clicked onHunting Query🔗 GitHubGitHub OnlyThis query visualizes user clicks in Teams summarizing the data by the various URLs and Click actions on them.
Teams URL clicks through actions on Phish or Malware URLs summarized by URLsHunting Query🔗 GitHubGitHub OnlyThis query visualizes clicks through actions on Phish or Malware URLs in Teams, summarizing the data by Urls.
Teams User submissions daily trendHunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of user false negative and false positive Teams message submissions.
Teams users clicking on suspicious URL domainsHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for Teams users clicking on suspicious URL domains.
Teams Threat Intelligence Indicator Hit for Domain or URLHunting Query🔗 GitHubGitHub OnlyThis rule detects and alerts on known threats in Teams messages when a contained domain or URL matches a Microsoft Defender Threat Intelligence indicator (of type 'Domain' or 'URL')
Top 10 Attacked user by Phish messagesHunting Query🔗 GitHubGitHub OnlyTop 10 attacked users by Phish messages from external senders using Teams
Top 10 external senders sending Teams messagesHunting Query🔗 GitHubGitHub OnlyThis query visualises the overall top 10 external senders sending Teams messages.
Top 10 External senders sending Teams phishing messsagesHunting Query🔗 GitHubGitHub OnlyThis query looks for the top 10 external senders sending Teams phishing messages.
Top 10 sender domains - Admin Teams message submissions FNHunting Query🔗 GitHubGitHub OnlyThis query visualises Teams messages submitted by admins as false negatives, summarizing the data by top 10 sender domains of those messages
Top 10 sender domains - Teams user submissions FN or FPHunting Query🔗 GitHubGitHub OnlyThis query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by top 10 sender domains of those messages
Top 10 senders - Teams users submissions FN or FPHunting Query🔗 GitHubGitHub OnlyThis query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by the top 10 individual senders of those messages.
Top 10 senders of Admin Teams message submissions FNHunting Query🔗 GitHubGitHub OnlyThis query visualises Teams messages submitted by admins as false negatives, summarizing the data by the top 10 individual senders of those messages.
Top 10 senders of Admin Teams message submissions FPHunting Query🔗 GitHubGitHub OnlyThis query visualises Teams messages submitted by admins as false positives, summarizing the data by the top 10 individual senders of those messages.
Top 10 Users clicking on malicious URLs in TeamsHunting Query🔗 GitHubGitHub OnlyThis query visualizes Top 10 Users clicking on malicious Phish or Malware URLs in Teams.
Top accounts performing Teams admin submissions FN or FPHunting Query🔗 GitHubGitHub OnlyThis query visualises the top admins performing false negative or false positive admin submissions of Teams messages
Top accounts performing Teams user submissions FN or FPHunting Query🔗 GitHubGitHub OnlyThis query visualises the top users performing false negative or false positive user submissions of Teams messages
Top domains outbound sending Malicious Teams messages inboundHunting Query🔗 GitHubGitHub OnlyThis query looks for potential partner compromise by comparing outbound Teams message volume per target domain with malicious inbound Teams messages received from those same domains.
Top External malicious SendersHunting Query🔗 GitHubGitHub OnlyTop external senders sending malicious inbound Teams messages (Spam, Phish, Malware).
Top External Sender domains - MalwareHunting Query🔗 GitHubGitHub OnlyTop external sender domains sending Teams messages with Malware threats.
Top External Sender domains - PhishHunting Query🔗 GitHubGitHub OnlyTop external sender domains sending Teams messages with Phish threats.
Top External Sender domains - SpamHunting Query🔗 GitHubGitHub OnlyTop external sender domains sending Teams messages with Spam threats.
Top malicious URLs clicked by users in TeamsHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for top malicious URLs clicked by users in Teams
Total number of MDO Teams protection detections dailyHunting Query🔗 GitHubGitHub OnlyThis query visualises the total number of MDO Teams protection detections per day.
URL click on URLs in ZAP-d Teams messagesHunting Query🔗 GitHubGitHub OnlyThis query visualizes URL clicks on URLs in Teams messages that were acted on by ZAP.
Spam and Phish allowed to inbox by Admin OverridesHunting Query🔗 GitHubGitHub OnlyThis query helps in reviewing malicious emails allowed due to admin overrides
Spam and Phish allowed to inbox by User OverridesHunting Query🔗 GitHubGitHub OnlyThis query helps in reviewing malicious emails allowed due to user overrides
Top policies performing admin overridesHunting Query🔗 GitHubGitHub OnlyThis query helps in reviewing top policies for admin overrides (Allow/Block)
Top policies performing user overridesHunting Query🔗 GitHubGitHub OnlyThis query helps in reviewing top policies for user overrides (Allow/Block)
Total Emails with Admin Overrides (Allow)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of emails subject to an admin policy with action of allow, independent of action taken, summarizing the data by type of override
Total Emails with Admin Overrides (Block)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of emails subject to an admin policy with action of block, summarizing the data daily
Total Emails with User Overrides (Allow)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of emails subject to a user type policy with action of allow, summarizing the data by type of override and threats type found
Total Emails with User Overrides (Block)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of emails subject to a user type policy with action of block, summarizing the data daily
Appspot Phishing AbuseHunting Query🔗 GitHubGitHub OnlyThis query helps surface phishing campaigns associated with Appspot abuse.
Phish Detections TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish detections over time summarizing the data daily.
Phish Detections (High) by delivery locationHunting Query🔗 GitHubGitHub OnlyThis query visualises emails with Phish detections (High confidence) summarizing the data by Delivery Location.
Phish Detections (Normal) by delivery locationHunting Query🔗 GitHubGitHub OnlyThis query visualises emails with Phish detections (Normal confidence) summarizing the data by Delivery Location.
Phish Detections by delivery location trendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish detections over time summarizing the data daily by Delivery Location.
Phish Detections by Detection technology TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish detections over time summarizing the data daily by various Phish Detection technologies/controls
Phish Detections by Detection technologyHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish detections summarizing the data by various Phish detection technologies/controls
Possible device code phishing attemptsHunting Query🔗 GitHubGitHub OnlyThis query helps hunt for possible device code phishing attempts.
Punycode lookalikesHunting Query🔗 GitHubGitHub OnlyPunycode lookalike domains in Emails and Teams messages
Email Top Domains sending PhishHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails with Phish detections summarizing the data by the top email sender P2 domain (SenderFromDomain).
Top Users receiving PhishHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails with Phish detections summarizing the data by the top recipient email address (RecipientEmailAddress)
Zero-day Phish Detections TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish detections over time summarizing the data daily by Phish detection technologies/controls used for detecting unknown-unique phish
Campaign with randomly named attachmentsHunting Query🔗 GitHubGitHub OnlyIn this detection, we hunt for emails with randomly named attachments sent from the same sender to multiple recipients.
Campaign with suspicious keywordsHunting Query🔗 GitHubGitHub OnlyIn this detection, we track emails with suspicious keywords in subjects.
Custom detection-Emails with QR from non-prevalent sendersHunting Query🔗 GitHubGitHub OnlyIn this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
Emails delivered having URLs from QR codesHunting Query🔗 GitHubGitHub OnlyIn this query, we hunt for inbound emails delivered having URLs from QR codes
Emails with QR codes and suspicious keywords in subjectHunting Query🔗 GitHubGitHub OnlyIn this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
Emails with QR codes from non-prevalent senderHunting Query🔗 GitHubGitHub OnlyIn this query, we hunt for inbound emails having URLs from QR codes and sent by non-prevalent senders.
Hunting for sender patternsHunting Query🔗 GitHubGitHub OnlyIn this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
Hunting for user signals-clustersHunting Query🔗 GitHubGitHub OnlyIn this detection, we use the 'Email reported by user as malware or phish' MDO alert as a starting point to identify the scope of a campaign.
Inbound emails with QR code URLsHunting Query🔗 GitHubGitHub OnlyIn this query, we summarize volume of inbound emails with QR code URLs in last 30 days
Personalized campaigns based on the first few keywordsHunting Query🔗 GitHubGitHub OnlyIn this detection, we track emails with personalized subjects.
Personalized campaigns based on the last few keywordsHunting Query🔗 GitHubGitHub OnlyIn this detection, we track emails with personalized subjects.
Risky sign-in attempt from a non-managed deviceHunting Query🔗 GitHubGitHub OnlyIn this detection, we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
Suspicious sign-in attempts from QR code phishing campaignsHunting Query🔗 GitHubGitHub OnlyThis detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
Group quarantine releaseHunting Query🔗 GitHubGitHub OnlyThis query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
High Confidence Phish ReleasedHunting Query🔗 GitHubGitHub OnlyThis query shows information about high confidence phish email that has been released from the Quarantine.
Quarantine Phish Reason trendHunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of phish emails that are quarantined, summarized daily by the detection method
Quarantine Phish ReasonHunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of phish emails that are quarantined, summarized by the detection method
Quarantine Release Email DetailsHunting Query🔗 GitHubGitHub OnlyThis query shows information about email that has been released from the Quarantine in Defender for Office 365.
Quarantine release trendHunting Query🔗 GitHubGitHub OnlyThis query helps reviewing quarantine release trend in Defender for Office 365
Quarantine releases by Detection TypesHunting Query🔗 GitHubGitHub OnlyThis query visualises emails released from quarantine and summarizing the result by the original filter verdict
Quarantine Spam Reason trendHunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of spam emails that are quarantined, summarized daily by the detection method
Quarantine Spam ReasonHunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of spam emails that are quarantined, summarized by the detection method
AIR investigation actions insightHunting Query🔗 GitHubGitHub OnlyThis query provides insights into AIR investigation actions in Microsoft Defender for Office 365.
Listing Email Remediation Actions via ExplorerHunting Query🔗 GitHubGitHub OnlyListing Email Remediation Actions performed via Explorer in Defender for Office 365
Top 10 domains sending Bulk emailHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails that have any Bulk complaint level, summarizing the data by the top 10 sender domains.
Spam detection by delivery locationHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spam detections over time summarizing the data daily by Delivery Location.
Spam detection by IP and its locationHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spam detections summarizing the data by email sender IP address (SenderIPv4, SenderIPv6).
Bulk Emails by Sender Bulk Complaint levelHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails that have any Bulk complaint level, summarizing the data by that level.
Spam detection technologiesHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spam detections summarizing the data by various Spam detection technologies/controls.
Email Top 10 Domains sending SpamHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails with Spam detections, summarizing the data by the top 10 sender domains.
Email Top 10 Targeted Users (Spam)Hunting Query🔗 GitHubGitHub OnlyThis query visualises top 10 users targeted with Spam.
Email Top 15 Domains sending Spam with Additional DetailsHunting Query🔗 GitHubGitHub OnlyThis query visualises total inbound emails with Spam detections summarizing the data by the top 15 email sender P2 domain (SenderFromDomain).
Email Top 15 Targeted Users (Spam) with Additional DetailsHunting Query🔗 GitHubGitHub OnlyThis query visualises top 15 users targeted with Spam with summarized spam detections.
Spam detection trendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spam detections over time summarizing the data daily
Spam Detections by Detection technologyHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Spam detections over time by various Spam Detection technologies/controls.
Display Name - Spoof and ImpersonationHunting Query🔗 GitHubGitHub OnlyThis query helps review incoming email messages where the display name of the sender contains your own or a partner company/brand name.
Impersonation Detections by Detection Technology TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology over time
Impersonation Detections by Detection TechnologyHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology
Impersonation Detections TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish (BEC) - Impersonation detections over time.
referral-phish-emailsHunting Query🔗 GitHubGitHub OnlyHunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
Spoof and impersonation detections by sender IPHunting Query🔗 GitHubGitHub OnlyThis query helps review the count of spoof and impersonation detections per sender IP.
Spoof and impersonation phish detectionsHunting Query🔗 GitHubGitHub OnlyThis query helps review the count of phish detections made by spoof detection methods.
Spoof Detections by Detection Technology TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish (BEC) Spoof detections by Detection Technology over time
Spoof Detections by Detection TechnologyHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Phish (BEC) Spoof detections by Detection Technology
Spoof Detections TrendHunting Query🔗 GitHubGitHub OnlyThis query visualises total emails with Business Email Compromise (BEC) spoofing detections over time, summarizing the data daily.
Top Domains Outbound with Emails with Threats Inbound (Partner BEC)Hunting Query🔗 GitHubGitHub OnlyThis query visualises top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders)
User not covered under display name impersonationHunting Query🔗 GitHubGitHub OnlyThis query helps to find threats using display name impersonation for users not already protected with User Impersonation
Admin Submission Trend (FN)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of admin false negative submission by submission type.
Admin Submission Trend (FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of admin false positive submission by submission type.
Admin Submissions by DetectionMethod (Phish FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the original detection technology of emails submitted as phish false positive by admins
Admin Submissions by DetectionMethod (Spam FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the original detection technology of emails submitted as spam false positive by admins
Admin Submissions by Detection TypeHunting Query🔗 GitHubGitHub OnlyThis query visualises all emails submitted as false positive by admins summarizing by the original filter verdict threat type
Admin Submissions by Grading verdict (FN-FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of admin false negative or false positive submissions by the verdict of the submission grading.
Admin Submissions by Submission State (FN)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of admin false negative submissions by the state of the submission.
Admin Submissions by Submission State (FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of admin false positive submissions by the state of the submission.
Admin Submissions by Submission Type (FN)Hunting Query🔗 GitHubGitHub OnlyThis query helps review admin reported email submissions.
Admin Submissions by Submission Type (FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of admin false positive submission by submission type.
Status of submissionsHunting Query🔗 GitHubGitHub OnlyThis query helps review the status of submissions.
Top accounts performing admin submissions (FN)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the top admins performing false negative submissions
Top accounts performing admin submissions (FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the top admins performing false positive submissions
Top accounts performing user submissionsHunting Query🔗 GitHubGitHub OnlyThis query graphs top accounts performing user submissions
Top 10 Detection Overrides - Admin Email Submissions (FN)Hunting Query🔗 GitHubGitHub OnlyThis query visualises emails submitted as false negatives by admins where the emails were already detected by MDO but an admin policy override let them through.
Top 10 sender domains - Admin email submissions (FN)Hunting Query🔗 GitHubGitHub OnlyThis query visualises emails submitted by admins as false negatives, summarizing the data by top 10 sender domains of those emails
Top 10 sender domains - Admin email submissions (FP)Hunting Query🔗 GitHubGitHub OnlyThis query visualises emails submitted by admins as false positives, summarizing the data by top 10 sender domains of those emails
Total Submissions by Submission StateHunting Query🔗 GitHubGitHub OnlyTotal Submissions by Submission State
Total Submissions by Submission TypeHunting Query🔗 GitHubGitHub OnlyTotal Submissions by Submission Type
User reported submissionsHunting Query🔗 GitHubGitHub OnlyThis query helps review user reported email submissions.
User Email Submissions accuracy vs Admin review verdictHunting Query🔗 GitHubGitHub OnlyThis query visualises user submissions type compared to admin review verdict
User Email Submissions (FN) - Top Detection Overrides by AdminsHunting Query🔗 GitHubGitHub OnlyThis query visualises emails submitted as false negatives by users where the emails were already detected by MDO but an admin defined policy override let them through.
User Email Submissions (FN) - Top Detection Overrides by UsersHunting Query🔗 GitHubGitHub OnlyThis query visualises emails submitted as false negatives by users where the emails were already detected by MDO but a user policy override let them through.
User Email Submissions (FN) - Top Inbound P2 Senders domainsHunting Query🔗 GitHubGitHub OnlyThis query visualises top sender domains of inbound emails submitted as false negatives by users.
User Email Submissions (FN) - Top Inbound P2 SendersHunting Query🔗 GitHubGitHub OnlyThis query visualises top sender email addresses of inbound emails submitted as false negatives by users.
User Email Submissions (FN) - Top Intra-Org P2 SendersHunting Query🔗 GitHubGitHub OnlyThis query visualises top sender email addresses of intra-org emails submitted as false negatives by users.
User Email Submissions (FN) - Top Intra-Org SubjectsHunting Query🔗 GitHubGitHub OnlyThis query visualises top 10 subjects of intra-org emails submitted as false negatives by users.
User Email Submissions by Admin review status (Mark and Notify)Hunting Query🔗 GitHubGitHub OnlyThis query visualises user submissions where admin also performed 'mark and notify' action on the submission
User Email Submissions (FN-FP) by Grading verdictHunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of user false negative or false positive submissions by the verdict of the submission grading.
User Email Submissions (FN) by Submission TypeHunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of user false negative submissions by submission type, including reported phish simulation emails.
User email submissions (FN) from Junk FolderHunting Query🔗 GitHubGitHub OnlyThis query visualises the total amount of user false negative submissions from the Junk folder.
User Email Submission Trend (FN)Hunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of user false negative submissions by submission type, including phish simulations reported by users.
Attacked more than x times averageHunting Query🔗 GitHubGitHub OnlyThis query helps review the count of users attacked more than x times the average.
Malicious mails by sender IPsHunting Query🔗 GitHubGitHub OnlyThis query helps review sender IPs sending malicious email of type Malware or Phish.
Top 10% of most attacked usersHunting Query🔗 GitHubGitHub OnlyThis query helps review the list of the top 10% most attacked users.
Top 10 URL domains attacking organizationHunting Query🔗 GitHubGitHub OnlyThis query helps review the list of the top 10 URL domains attacking the organization.
Top external malicious sendersHunting Query🔗 GitHubGitHub OnlyThis query helps review the top external malicious senders of malware or phishing emails to an organization in the last 30 days.
Top targeted usersHunting Query🔗 GitHubGitHub OnlyThis query helps review the top users targeted with malware or phishing emails in an organization in the last 30 days.
Malicious Clicks allowed (click-through)Hunting Query🔗 GitHubGitHub OnlyVisualises malicious URL clicks that were allowed through Safe Links over time, helping analysts identify when users bypass security controls and click on malicious content. Based on Defender for Offi...
Malicious Emails with QR code UrlsHunting Query🔗 GitHubGitHub OnlyVisualises emails containing QR code URLs that have been detected as malicious, helping analysts identify QR code-based attack campaigns. Based on Defender for Office 365 workbook: https://techcommuni...
PhishingEmailUrlRedirector (1)Hunting Query🔗 GitHubGitHub OnlyThe query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.
SafeLinks URL detectionsHunting Query🔗 GitHubGitHub OnlyThis query provides insights on the detections done by SafeLinks protection in Defender for Office 365
Top 10 Users clicking on Malicious URLs (Malware)Hunting Query🔗 GitHubGitHub OnlyVisualises the top 10 users with click attempts on URLs in emails detected as malware, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook: ...
Top 10 Users clicking on Malicious URLs (Phish)Hunting Query🔗 GitHubGitHub OnlyVisualises the top 10 users with click attempts on URLs in emails detected as phishing, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook:...
Top 10 Users clicking on Malicious URLs (Spam)Hunting Query🔗 GitHubGitHub OnlyVisualises the top 10 users with click attempts on URLs in emails detected as spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook: htt...
URL Click attempts by threat typeHunting Query🔗 GitHubGitHub OnlyVisualises the total amount of click attempts on URLs with detections, split by the different threat types identified. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/bl...
URL Clicks by ActionHunting Query🔗 GitHubGitHub OnlySummarizes URL click events by action type to help analysts understand user click behavior and policy effectiveness. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog...
URLs by locationHunting Query🔗 GitHubGitHub OnlyVisualises where URLs have been identified in emails, summarizing by location (for example: Attachment, header, body) to help analysts understand distribution and risk. Based on Defender for Office 36...
End user malicious clicksHunting Query🔗 GitHubGitHub OnlyThis query helps review the list of top users clicking on Phish URLs.
URL click count by click actionHunting Query🔗 GitHubGitHub OnlyThis query helps review the URL click count by ClickAction.
URL click on ZAP emailHunting Query🔗 GitHubGitHub OnlyIn this query, we look for URL clicks on emails that were actioned by zero-hour auto purge (ZAP).
URL clicks actions by URLHunting Query🔗 GitHubGitHub OnlyIn this query, we look at URL click actions by URL in the last 7 days.
URLClick details based on malicious URL click alertHunting Query🔗 GitHubGitHub OnlyIn this query, we look for URL clicks on emails that generated the alert 'A potentially malicious URL click was detected'.
User clicked through eventsHunting Query🔗 GitHubGitHub OnlyThis query helps review malicious clicks where the user was allowed to proceed through to the malicious URL page.
User clicks on malicious inbound emailsHunting Query🔗 GitHubGitHub OnlyThis query provides insights on users who clicked on a suspicious URL
User clicks on phishing URLs in emailsHunting Query🔗 GitHubGitHub OnlyThis query helps determine click-throughs on emails that were delivered because of detection overrides.
Post Delivery Events by AdminHunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of emails that had an admin post delivery action, summarizing the data by action type
Post Delivery Events by LocationHunting Query🔗 GitHubGitHub OnlyThis query visualises the amount of emails that had a post delivery action, summarizing the data daily by the final location as a result of the action
Post Delivery Events by ZAP typeHunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of emails that had a post delivery action from zero-hour auto purge, summarizing by phish, spam or malware detection action
Post Delivery Events over timeHunting Query🔗 GitHubGitHub OnlyThis query visualises the daily amount of emails that had a post delivery action from zero-hour auto purge.
Bazacall EmailsHunting Query🔗 GitHubGitHub OnlyBazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. These emails contain no links or attachments, and use automatic payment lures to t...
Cobalt Strike Lateral MovementHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed Bazacall using Cobalt Strike in order to move laterally to other machines on the network.
Dropping payload via certutilHunting Query🔗 GitHubGitHub OnlyBazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Ex...
Excel file download domain patternHunting Query🔗 GitHubGitHub OnlyBazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Ex...
Excel Macro ExecutionHunting Query🔗 GitHubGitHub OnlyBazacall uses malicious macro-enabled Excel documents to execute their payload.
Malicious Excel DeliveryHunting Query🔗 GitHubGitHub OnlyBazacall uses malicious Excel files to execute payloads on affected devices.
NTDS theftHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed compromises related to Bazacall resulting in theft of the Active Directory database using ntdsutil.exe.
Renamed Rclone ExfilHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed Bazacall using a renamed version of Rclone for data exfiltration.
RunDLL Suspicious Network ConnectionHunting Query🔗 GitHubGitHub OnlyDuring the chain of events from Bazacall to Bazaloader, RunDLL makes several network connections, including to command and control (C2) infrastructure. The command line for these connections contains ...
Stolen Images ExecutionHunting Query🔗 GitHubGitHub OnlyThe "Stolen Images" Bazarloader campaign uses fake copyright infringement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.
Zip-Doc - Creation of JPG Payload FileHunting Query🔗 GitHubGitHub OnlyIn the campaign where Bazarloader is delivered via emails containing password-protected zip attachments, regsvr32.exe is used to launch a malicious payload that is disguised as a JPG file.
Zip-Doc - Word Launching MSHTAHunting Query🔗 GitHubGitHub OnlyThe password-protected zip attachment -> Word doc delivery method of Bazarloader utilizes Word to create an .hta file and launch it via MSHTA to connect to a malicious domain and pull down the Bazarloader p...
Identify EUROPIUM IOCsHunting Query🔗 GitHubGitHub OnlyThe following query can locate activity possibly associated with the EUROPIUM threat actor
Identify Microsoft Defender Antivirus detection related to EUROPIUMHunting Query🔗 GitHubGitHub OnlyThis query looks for Microsoft Defender Antivirus detections related to EUROPIUM actor
Identify unusual identity additions related to EUROPIUMHunting Query🔗 GitHubGitHub OnlyThis query looks for identity additions made through Exchange PowerShell
deimos-component-executionHunting Query🔗 GitHubGitHub OnlyJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization...
evasive-powershell-executionsHunting Query🔗 GitHubGitHub OnlyJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization...
evasive-powershell-stringsHunting Query🔗 GitHubGitHub OnlyThis query searches for a string pattern detected in evasive PowerShell usage. Jupyter or SolarMarker will iterate on this pattern multiple times to read data and call additional processes. This query...
successive-tk-domain-callsHunting Query🔗 GitHubGitHub OnlyJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization...
KNOTWEED-AV DetectionsHunting Query🔗 GitHubGitHub OnlyThis query looks for Microsoft Defender Antivirus detections with the family names used by KNOTWEED
KNOTWEED-COM Registry Key Modified to Point to Color Profile FolderHunting Query🔗 GitHubGitHub OnlyThis query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\
KNOTWEED-Domain IOCsHunting Query🔗 GitHubGitHub OnlyThis query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections
KNOTWEED-Downloading new file using CurlHunting Query🔗 GitHubGitHub OnlyThis query looks for new files being downloaded using Curl.
KNOTWEED-File Hash IOCsHunting Query🔗 GitHubGitHub OnlyThis query identifies matches based on KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables
KNOTWEED-PE File Dropped in Color Profile FolderHunting Query🔗 GitHubGitHub OnlyThis query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\
LemonDuck-competition-killerHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
LemonDuck-component-download-structureHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
LemonDuck-component-namesHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
LemonDuck-control-structureHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
LemonDuck-defender-exclusionsHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
LemonDuck-email-subjectsHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
LemonDuck-id-generationHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
LemonDuck-registration-functionHunting Query🔗 GitHubGitHub OnlyLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavi...
Alerts related to Log4j vulnerabilityHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed attackers exploiting vulnerabilities associated with Log4J.
Devices with Log4j vulnerability alerts and additional other alert related contextHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed threat actors exploiting vulnerabilities associated with Log4J.
Suspicious JScript staging commentHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing identifiable strings in PowerShell commands.
Suspicious PowerShell curl flagsHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing uncommon PowerShell flags to communicate to command-and-control infrastructure.
Suspicious process event creation from VMWare Horizon TomcatServiceHunting Query🔗 GitHubGitHub OnlyMicrosoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing the ws_TomcatService.exe process to launch malicious processes.
Disable Controlled FoldersHunting Query🔗 GitHubGitHub OnlyPrior to deploying Macaw ransomware in an organization, the adversary will disable all controlled folders, which will enable them to be encrypted once the ransomware payload is deployed.
Imminent RansomwareHunting Query🔗 GitHubGitHub OnlyDirectly prior to deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.
Inhibit recovery by disabling tools and functionalityHunting Query🔗 GitHubGitHub OnlyPrior to deploying Macaw ransomware in an organization, the adversary will disable several tools and functions in order to inhibit later recovery efforts.
Mass account password changeHunting Query🔗 GitHubGitHub OnlyPrior to deploying Macaw ransomware in an organization, adversaries will change the password for hundreds or thousands of accounts in order to lock users out of the network and impede recovery effort...
PSExec Attrib commandsHunting Query🔗 GitHubGitHub OnlyPrior to deploying Macaw ransomware in an organization, adversaries will use Attrib to display file attribute information on multiple drives and all subfolders.
Use of MSBuild as LOLBinHunting Query🔗 GitHubGitHub OnlyPrior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.
Excel launching anomalous processesHunting Query🔗 GitHubGitHub OnlyUse this query to find Excel launching anomalous processes congruent with Qakbot payloads which contain additional markers from recent Qakbot executions. The presence of such anomalous processes indic...
General attempts to access local email storeHunting Query🔗 GitHubGitHub OnlyUse this query to find attempts to access files in the local path containing Outlook emails.
Qakbot Craigslist DomainsHunting Query🔗 GitHubGitHub OnlyQakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is i...
Qakbot email theft (1)Hunting Query🔗 GitHubGitHub OnlyUse this query to find email stealing activities run by Qakbot that will use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indi...
Qakbot email theftHunting Query🔗 GitHubGitHub OnlyUse this query to find email stealing activities run by Qakbot that will use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indi...
Qakbot reconnaissance activitiesHunting Query🔗 GitHubGitHub OnlyUse this query to find reconnaissance and beaconing activities after code injection occurs. Reconnaissance commands are consistent with the current version of Qakbot and occur automatically to exfiltr...
StrRAT-AV-DiscoveryHunting Query🔗 GitHubGitHub OnlyStrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the...
StrRAT-Email-DeliveryHunting Query🔗 GitHubGitHub OnlyStrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the...
StrRAT-Malware-PersistenceHunting Query🔗 GitHubGitHub OnlyStrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module to download additional payloads onto the...
app-armor-stoppedHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc...
java-executing-cmd-to-run-powershellHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc...
kinsing-miner-downloadHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc...
oracle-webLogic-executing-powershellHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc...
rce-on-vulnerable-serverHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc...
tomcat-8-executing-powershellHunting Query🔗 GitHubGitHub OnlyThis query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc...
Malicious bat fileHunting Query🔗 GitHubGitHub OnlyZLoader was delivered in a campaign in late summer 2021. This campaign was tweeted by @MsftSecIntel on twitter.
Payload DeliveryHunting Query🔗 GitHubGitHub OnlyZLoader was delivered in a campaign in summer 2021 via malvertising. This campaign was tweeted about by @MsftSecIntel on twitter.
Suspicious Registry KeysHunting Query🔗 GitHubGitHub OnlyZLoader was delivered in a campaign in late summer 2021 using malvertising to download malicious .msi files onto affected machines. This campaign was originally tweeted by @MsftSecIntel on Twitter. In...
A365 AI Agents - Hard-coded credentials in Tools or ActionsHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that contain hard-coded credentials in their tools or actions. Storing credentials in clear text within agent logic creates a security risk because these secrets ...
A365 AI Agents - HTTP Requests to Non-HTTPS EndpointsHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the risk of inte...
A365 AI Agents - HTTP Requests to Non-standard PortsHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unauthorized n...
A365 AI Agents - MCP Tool ConfiguredHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because they can exec...
A365 AI Agents - Missing Tools in InstructionsHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that have tools configured but not mentioned in their instructions...
A365 AI Agents - Published Agents without InstructionsHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that are published but lack configured instructions. Missing instructions increase the risk of prompt injection attacks, where malicious input can influence the a...
A365 AI Agents - Publicly SharedHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that are shared publicly. Such configurations significantly increase the risk of unauthorized access by unintended users, which could lead to data exposure or misu...
A365 AI Agents - Published Agents with Short InstructionsHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents that are published but have short or insufficient instructions. Short instructions increase the risk of prompt injection attacks, where malicious input can influe...
A365 AI Agents - Orphaned Agents with Disabled OwnersHunting Query🔗 GitHubGitHub OnlyThis query identifies A365 AI agents whose owners are either disabled or removed from the organization, and are not blocked. Orphaned agents without an active owner pose governance and security risks...
Copilot Studio AI Agents - Sending email to AI controlled input valuesHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents using generative orchestration to send emails via the Outlook connector where all action input values are populated dynamically by the orchestrator. Th...
Copilot Studio AI Agents - Sending email to external mailboxesHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents configured to send emails to external mailboxes (outside the organization's domains). Such configurations can lead to sensitive or internal data being e...
Copilot Studio AI Agents - Published Generative Orchestration without InstructionsHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that are published with generative orchestration enabled but lack configured instructions. Missing instructions increase the risk of prompt injection at...
Copilot Studio AI Agents - Hard-coded credentials in Topics or ActionsHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that contain hard-coded credentials in Topics or Actions. Storing credentials in clear text within agent logic creates a security risk because these sec...
Copilot Studio AI Agents - HTTP Requests to Connector EndpointsHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that use HTTP actions to endpoints where Power Platform connectors are available (e.g., graph.microsoft.com, management.azure.com). Using direct HTTP ca...
Copilot Studio AI Agents - HTTP Requests to Non-HTTPS EndpointsHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-HTTPS schemes. Communication over unencrypted HTTP exposes sensitive data in transit and increases the ri...
Copilot Studio AI Agents - HTTP Requests to Non-standard PortsHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that send HTTP requests to endpoints using non-standard ports (other than 443). Communication over uncommon ports can indicate suspicious activity, unau...
AI Agents - MCP Tool ConfiguredHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that have Model Context Protocol (MCP) tools configured. MCP tools extend agent capabilities but introduce additional security considerations because the...
Copilot Studio AI Agents - MCP Tool with Maker CredentialsHunting Query🔗 GitHubGitHub OnlyIdentifies Copilot Studio AI agents with Model Context Protocol (MCP) tools configured using maker credentials. This configuration can create security risks because the tool runs with the maker's pers...
Copilot Studio AI Agents - Organization or Multi-tenant SharedHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that are shared broadly, either with the entire organization or configured for multi-tenant access. Such configurations significantly increase the risk of...
Copilot Studio AI Agents - Unused ActionsHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents with classic orchestration that include Actions not referenced in any Topic. While unused Actions may not pose an immediate security risk, they can intr...
Copilot Studio AI Agents - Dormant Author Authentication ConnectionHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that are published and contain actions configured with Author Authentication (maker's personal credentials) but have not been used or invoked in the last...
Copilot Studio AI Agents - No Authentication RequiredHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents without authentication mechanisms. Authentication is an agent-level configuration. Such misconfiguration poses significant security risks because when t...
AI Agents - Orphaned Agents with Disabled OwnersHunting Query🔗 GitHubGitHub OnlyThis query identifies AI agents whose owners are either disabled or removed from the organization. Orphaned agents without an active owner pose governance and security risks because no one is account...
Copilot Studio AI Agents - Published Agents with Author AuthenticationHunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that are published and use the maker's personal credentials in their authentication or integration flows. This configuration introduces security risks b...
Copilot Studio AI Agents - Published Dormant (30d)Hunting Query🔗 GitHubGitHub OnlyThis query identifies Copilot Studio AI agents that are published but have not been used by any user in the organization for the last 30 days. Dormant agents can create unnecessary exposure and may s...
AI Agents - Unpublished Unmodified (30d)Hunting Query🔗 GitHubGitHub OnlyThis query identifies AI agents that remain unpublished and have not been modified for at least 30 days. While these agents may not pose an immediate security threat, they can create operational inef...
detect-uac-elevationHunting Query🔗 GitHubGitHub OnlyThis query identifies UAC elevated processes by analyzing launches of consent.exe (the process that performs UAC elevation). The first parameter of consent.exe is the process ID being elevated, theref...
Web Content Filtering EventsHunting Query🔗 GitHubGitHub OnlyThis query identifies web content filtering events in Advanced Hunting.
Detect DNS obfuscation using @ symbolHunting Query🔗 GitHubGitHub OnlyOne of the tricks used in phishing is obfuscating the domain name in a URL by using the @ symbol. This technique goes all the way back to the original RFC for URLs, RFC 1738. When you specify an @ in...
Shadow Copy DeletionsHunting Query🔗 GitHubGitHub OnlyThis rule detects when Shadow Copies are being deleted. This is a known action performed by threat actors. This query detects known commands that have been used by ransomware actors. Some information ...
Blocked Clicks TrendHunting Query🔗 GitHubGitHub OnlyVisualises the trend of malicious URL clicks that were blocked by Safe Links over the past 30 days, helping analysts monitor the effectiveness of click protection policies. Based on Defender for Offic...
Malicious URL Clicks by workloadHunting Query🔗 GitHubGitHub OnlyVisualises click attempts on malicious URLs, grouped by workload (such as Exchange, Teams, SharePoint, Copilot etc.), to help analysts understand which workloads are most targeted. Based on Defender f...
1PasswordWorkbook🔗 GitHubGitHub Only
42CrunchAPIProtectionWorkbookWorkbook🔗 GitHubGitHub Only
AADManagedIdentitySignInLogsWorkbook🔗 GitHubGitHub Only
AADNonInteractiveUserSignInLogsWorkbook🔗 GitHubGitHub Only
AADServicePrincipalSignInLogsWorkbook🔗 GitHubGitHub Only
AcscEssential8Workbook🔗 GitHubGitHub Only
AdvancedKQLWorkbook🔗 GitHubGitHub Only
AdvancedWorkbookConceptsWorkbook🔗 GitHubGitHub Only
ADXvsLAWorkbook🔗 GitHubGitHub Only
AIA-DarktraceWorkbook🔗 GitHubGitHub Only
AIVectraDetectWorkbookWorkbook🔗 GitHubGitHub Only
AksSecurityWorkbook🔗 GitHubGitHub Only
AliCloudWorkbookWorkbook🔗 GitHubGitHub Only
AlsidIoAWorkbook🔗 GitHubGitHub Only
AlsidIoEWorkbook🔗 GitHubGitHub Only
AMAmigrationTrackerWorkbook🔗 GitHubGitHub Only
AmazonWebServicesNetworkActivitiesWorkbook🔗 GitHubGitHub Only
AmazonWebServicesUserActivitiesWorkbook🔗 GitHubGitHub Only
AnalyticsEfficiencyWorkbook🔗 GitHubGitHub Only
AnalyticsHealthAuditWorkbook🔗 GitHubGitHub Only
AnomaliesVisualizationWorkbook🔗 GitHubGitHub Only
AnomalyDataWorkbook🔗 GitHubGitHub Only
ArchivingBasicLogsRetentionWorkbook🔗 GitHubGitHub Only
ASC-ComplianceandProtectionWorkbook🔗 GitHubGitHub Only
AttackSurfaceReductionWorkbook🔗 GitHubGitHub Only
Auth0WorkbookWorkbook🔗 GitHubGitHub Only
AutomationHealthWorkbook🔗 GitHubGitHub Only
AWSS3Workbook🔗 GitHubGitHub Only
AzDDoSStandardWorkbookWorkbook🔗 GitHubGitHub Only
AzureActiveDirectoryAuditLogsWorkbook🔗 GitHubGitHub Only
AzureActiveDirectorySigninsWorkbook🔗 GitHubGitHub Only
AzureActivityWorkbook🔗 GitHubGitHub Only
AzureAuditActivityAndSigninWorkbook🔗 GitHubGitHub Only
AzureFirewallWorkbook🔗 GitHubGitHub Only
AzureFirewallWorkbookWorkbook🔗 GitHubGitHub Only
AzureInformationProtectionWorkbook🔗 GitHubGitHub Only
AzureKeyVaultWorkbookWorkbook🔗 GitHubGitHub Only
AzureLogCoverageWorkbook🔗 GitHubGitHub Only
AzureNetworkWatcherWorkbook🔗 GitHubGitHub Only
AzureOpenAIMonitoringWorkbook🔗 GitHubGitHub Only
AzureSentinelCostWorkbook🔗 GitHubGitHub Only
AzureSentinelSecurityAlertsWorkbook🔗 GitHubGitHub Only
AzureServiceHealthWorkbookWorkbook🔗 GitHubGitHub Only
AzureThreatResearchMatrixWorkbookWorkbook🔗 GitHubGitHub Only
BarracudaWorkbook🔗 GitHubGitHub Only
BETTER_MTD_WorkbookWorkbook🔗 GitHubGitHub Only
CheckPointWorkbook🔗 GitHubGitHub Only
CiscoWorkbook🔗 GitHubGitHub Only
CiscoFirepowerWorkbook🔗 GitHubGitHub Only
CiscoMerakiWorkbook🔗 GitHubGitHub Only
CitrixWorkbook🔗 GitHubGitHub Only
CitrixWAFWorkbook🔗 GitHubGitHub Only
CodelessConnectorBuilderWorkbook🔗 GitHubGitHub Only
CognniIncidentsWorkbookWorkbook🔗 GitHubGitHub Only
ConditionalAccessTrendsandChangesWorkbook🔗 GitHubGitHub Only
CopilotforSecurityMonitoringWorkbook🔗 GitHubGitHub Only
CriblWorkbookWorkbook🔗 GitHubGitHub Only
CyberArkEPVWorkbook🔗 GitHubGitHub Only
CyberpionOverviewWorkbookWorkbook🔗 GitHubGitHub Only
DataCollectionHealthMonitoringWorkbook🔗 GitHubGitHub Only
Data_Latency_WorkbookWorkbook🔗 GitHubGitHub Only
DCR-ToolkitWorkbook🔗 GitHubGitHub Only
DelineaWorkbookWorkbook🔗 GitHubGitHub Only
DnsWorkbook🔗 GitHubGitHub Only
DoDZeroTrustWorkbookWorkbook🔗 GitHubGitHub Only
DSTIMWorkbookWorkbook🔗 GitHubGitHub Only
DuoSecurityWorkbook🔗 GitHubGitHub Only
esetSMCWorkbookWorkbook🔗 GitHubGitHub Only
EventAnalyzerWorkbook🔗 GitHubGitHub Only
ExchangeCompromiseHuntingWorkbook🔗 GitHubGitHub Only
ExchangeOnlineWorkbook🔗 GitHubGitHub Only
ExtraHopDetectionSummaryWorkbook🔗 GitHubGitHub Only
F5BIGIPSystemMetricsWorkbook🔗 GitHubGitHub Only
F5NetworksWorkbook🔗 GitHubGitHub Only
ForcepointCASBWorkbook🔗 GitHubGitHub Only
ForcepointCloudSecuirtyGatewayworkbookWorkbook🔗 GitHubGitHub Only
ForcepointDLPWorkbook🔗 GitHubGitHub Only
ForcepointNGFWWorkbook🔗 GitHubGitHub Only
ForcepointNGFWAdvancedWorkbook🔗 GitHubGitHub Only
FortigateWorkbook🔗 GitHubGitHub Only
GitHubSecurityWorkbookWorkbook🔗 GitHubGitHub Only
IdentityAndAccessWorkbook🔗 GitHubGitHub Only
IllusiveADSWorkbook🔗 GitHubGitHub Only
IllusiveASMWorkbook🔗 GitHubGitHub Only
IncidentOverviewWorkbook🔗 GitHubGitHub Only
IncidentTasksWorkbookWorkbook🔗 GitHubGitHub Only
InfobloxNIOSWorkbook🔗 GitHubGitHub Only
InsecureProtocolsWorkbook🔗 GitHubGitHub Only
IntrotoKQLWorkbook🔗 GitHubGitHub Only
IntsightsIOCWorkbookWorkbook🔗 GitHubGitHub Only
InvestigationInsightsWorkbook🔗 GitHubGitHub Only
IoTAssetDiscoveryWorkbook🔗 GitHubGitHub Only
IOT_AlertsWorkbook🔗 GitHubGitHub Only
KeeperSecurityDashboardWorkbook🔗 GitHubGitHub Only
LinuxMachinesWorkbook🔗 GitHubGitHub Only
Log4jPostCompromiseHuntingWorkbook🔗 GitHubGitHub Only
LogAnalyticsQueryAnalysisWorkbook🔗 GitHubGitHub Only
LogSourcesAndAnalyticRulesCoverageWorkbook🔗 GitHubGitHub Only
M365SecurityPostureWorkbook🔗 GitHubGitHub Only
ManualSentinelIncidentWorkbook🔗 GitHubGitHub Only
MicrosoftCloudAppSecurityWorkbook🔗 GitHubGitHub Only
MicrosoftCopilotActivityMonitoringWorkbook🔗 GitHubGitHub Only
MicrosoftDefenderForEndPointWorkbook🔗 GitHubGitHub Only
microsoftdefenderforidentityWorkbook🔗 GitHubGitHub Only
MicrosoftDefenderForOffice365Workbook🔗 GitHubGitHub Only
MicrosoftGraphActivityLogsWorkbook🔗 GitHubGitHub Only
MicrosoftPurviewInformationProtectionWorkbook🔗 GitHubGitHub Only
MicrosoftSentinelCostEURWorkbook🔗 GitHubGitHub Only
MicrosoftSentinelCostGBPWorkbook🔗 GitHubGitHub Only
MicrosoftSentinelDeploymentandMigrationTrackerWorkbook🔗 GitHubGitHub Only
MicrosoftTeamsWorkbook🔗 GitHubGitHub Only
MITREAttackWorkbook🔗 GitHubGitHub Only
NetskopeEventsWorkbook🔗 GitHubGitHub Only
NetskopeWebTx_WorkbookWorkbook🔗 GitHubGitHub Only
NordPassWorkbook🔗 GitHubGitHub Only
NormalizedNetworkEventsWorkbook🔗 GitHubGitHub Only
Office365Workbook🔗 GitHubGitHub Only
OnapsisAlarmsOverviewWorkbook🔗 GitHubGitHub Only
OneIdentityWorkbook🔗 GitHubGitHub Only
OptimizationWorkbookWorkbook🔗 GitHubGitHub Only
OrcaAlertsWorkbook🔗 GitHubGitHub Only
PaloAltoNetworkThreatWorkbook🔗 GitHubGitHub Only
PaloAltoOverviewWorkbook🔗 GitHubGitHub Only
Perimeter81OverviewWorkbookWorkbook🔗 GitHubGitHub Only
pfsenseWorkbook🔗 GitHubGitHub Only
PhishingAnalysisWorkbook🔗 GitHubGitHub Only
PlaybookHealthWorkbook🔗 GitHubGitHub Only
PrancerSentinelAnalyticsWorkbook🔗 GitHubGitHub Only
ProofpointPODWorkbook🔗 GitHubGitHub Only
ProofpointTAPWorkbook🔗 GitHubGitHub Only
ProofPointThreatDashboardWorkbook🔗 GitHubGitHub Only
PulseConnectSecureWorkbook🔗 GitHubGitHub Only
QualysVMWorkbook🔗 GitHubGitHub Only
QualysVMv2Workbook🔗 GitHubGitHub Only
SamsungKnoxAssetIntelligenceWorkbook🔗 GitHubGitHub Only
SecurityOperationsEfficiencyWorkbook🔗 GitHubGitHub Only
SecurityStatusWorkbook🔗 GitHubGitHub Only
SensitiveOperationsinAzureActivityLogReviewWorkbook🔗 GitHubGitHub Only
SentinelCostsWorkbook🔗 GitHubGitHub Only
SentinelHealthWorkbook🔗 GitHubGitHub Only
SentinelWorkspaceReconToolsWorkbook🔗 GitHubGitHub Only
Sentinel_CentralWorkbook🔗 GitHubGitHub Only
SharePointAndOneDriveWorkbook🔗 GitHubGitHub Only
SOCProcessFrameworkWorkbook🔗 GitHubGitHub Only
SolarWindsPostCompromiseHuntingWorkbook🔗 GitHubGitHub Only
SonicWallFirewallWorkbook🔗 GitHubGitHub Only
SophosXGFirewallWorkbook🔗 GitHubGitHub Only
SquadraTechnologiesSecRMMWorkbook🔗 GitHubGitHub Only
SummaryRulesWorkbookWorkbook🔗 GitHubGitHub Only
SymantecProxySGWorkbook🔗 GitHubGitHub Only
SymantecVIPWorkbook🔗 GitHubGitHub Only
Syslog-BifurcationWorkbook🔗 GitHubGitHub Only
syslogoverviewWorkbook🔗 GitHubGitHub Only
SysmonThreatHuntingWorkbook🔗 GitHubGitHub Only
TalonInsightsWorkbook🔗 GitHubGitHub Only
ThreatIntelligenceWorkbook🔗 GitHubGitHub Only
TrendMicroDeepSecurityAttackActivityWorkbook🔗 GitHubGitHub Only
TrendMicroDeepSecurityOverviewWorkbook🔗 GitHubGitHub Only
TrendMicroXDROverviewWorkbook🔗 GitHubGitHub Only
UnifiSGWorkbook🔗 GitHubGitHub Only
UnifiSGNetflowWorkbook🔗 GitHubGitHub Only
usecasemapperWorkbook🔗 GitHubGitHub Only
UserEntityBehaviorAnalyticsWorkbook🔗 GitHubGitHub Only
UserMapWorkbook🔗 GitHubGitHub Only
User_Analytics_WorkbookWorkbook🔗 GitHubGitHub Only
VeeamDataPlatformMonitoringWorkbook🔗 GitHubGitHub Only
VeeamSecurityActivitesWorkbook🔗 GitHubGitHub Only
VeeamSecurityActivitiesWorkbook🔗 GitHubGitHub Only
VirtualMachinesInsightsWorkbook🔗 GitHubGitHub Only
VisualizationDemoWorkbook🔗 GitHubGitHub Only
WatchGuardFireboxWorkbookWorkbook🔗 GitHubGitHub Only
WebApplicationFirewallFirewallEventsWorkbook🔗 GitHubGitHub Only
WebApplicationFirewallGatewayAccessEventsWorkbook🔗 GitHubGitHub Only
WebApplicationFirewallOverviewWorkbook🔗 GitHubGitHub Only
WebApplicationFirewallWAFTypeEventsWorkbook🔗 GitHubGitHub Only
WindowsAuditCheckerWorkbook🔗 GitHubGitHub Only
WindowsFirewallWorkbook🔗 GitHubGitHub Only
WindowsFirewallViaAMAWorkbook🔗 GitHubGitHub Only
WithSecureTopComputersByInfectionsWorkbook🔗 GitHubGitHub Only
WorkspaceAuditingWorkbook🔗 GitHubGitHub Only
WorkspaceUsageWorkbook🔗 GitHubGitHub Only
ZeroTrustStrategyWorkbookWorkbook🔗 GitHubGitHub Only
ZimperiumWorkbooksWorkbook🔗 GitHubGitHub Only
ZscalerFirewallWorkbook🔗 GitHubGitHub Only
ZscalerOffice365AppsWorkbook🔗 GitHubGitHub Only
ZscalerThreatsWorkbook🔗 GitHubGitHub Only
ZscalerWebOverviewWorkbook🔗 GitHubGitHub Only
AD4IoT-AutoCloseIncidentsPlaybook🔗 GitHubGitHub OnlyAuthor: Amit Sheps
AD4IoT-MailByProductionLinePlaybook🔗 GitHubGitHub OnlyAuthor: Amit Sheps
AD4IoT-NewAssetServiceNowTicketPlaybook🔗 GitHubGitHub OnlyAuthor: Amit Sheps
TritonPlayookPlaybook🔗 GitHubGitHub OnlyAuthor: Amit Sheps and Lior Tamir
ADX-health-playbookPlaybook🔗 GitHubGitHub OnlyAuthor: María de Sousa-Valadas; Version: 1.0
AI-Commandline-AnalysisPlaybook🔗 GitHubGitHub OnlyAuthor: Curtis Middlehurst
Comment-OriginAlertURLPlaybook🔗 GitHubGitHub Onlyauthor: Jordan Ross
Comment_RemediationStepsPlaybook🔗 GitHubGitHub Onlyauthors: Jordan Ross and Nicholas DiCola
Comment_RemediationStepsPlaybook🔗 GitHubGitHub Onlyauthors: Jordan Ross and Nicholas DiCola
Create-AzureSnapshotPlaybook🔗 GitHubGitHub OnlyThis playbook will create a snapshot from an Azure VM.
CrowdSecurity-Suspicious-Login-DetectionPlaybook🔗 GitHubGitHub OnlyThis Playbook / Logic App automatically creates an alert when a successful login is performed from a suspicious or malicious IP.
Export-Report-CSVPlaybook🔗 GitHubGitHub OnlyAuthor: Matt Egen
Fortinet_IncidentEnrichmentPlaybook🔗 GitHubGitHub OnlyThis playbook enriches the incident with address object and address group.
Fortinet_ResponseOnIPPlaybook🔗 GitHubGitHub OnlyThis playbook allows SOC users to automatically respond to Azure Sentinel incidents which include IPs, by adding/removing the IPs to the Sentinel IP blocked group. Learn more about Threat Intell...
Fortinet_ResponseOnURLPlaybook🔗 GitHubGitHub OnlyThis playbook allows SOC users to automatically respond to Azure Sentinel incidents which include URLs, by adding the URLs to the Sentinel URL blocked group. Learn more about Threat Intelligenc...
Get-AlertEntitiesEnrichmentPlaybook🔗 GitHubGitHub Onlyauthor: Sebastien Molendijk - Microsoft
UserEnrichment.templatePlaybook🔗 GitHubGitHub Onlyauthor: Sebastien Molendijk - Microsoft
Get-AlienVault_OTX_V2Playbook🔗 GitHubGitHub Onlyauthor: Andrew Blumhardt
Get-CompromisedPasswordsPlaybook🔗 GitHubGitHub OnlyIntent: As an IT admin, I want to know which users have publicly posted compromised passwords, and I want to ensure these passwords and variations of those passwords are not used in my environment.
Get-GeoFromIPandTagIncident-EmailAlertBasedonGeoPlaybook🔗 GitHubGitHub OnlyAuthor: Rudi Jubran
Get-MachineData-EDR-SOAR-ActionsOnMachinePlaybook🔗 GitHubGitHub Onlyauthor: Kloudynet Technologies
Get-MDATPVulnerabilitiesPlaybook🔗 GitHubGitHub Onlyauthor: Wayne Lee
Get-MDEFileActivityWithin30MinsPlaybook🔗 GitHubGitHub Onlyauthor: Dennis Pike
Get-MDEProcessActivityWithin30MinsPlaybook🔗 GitHubGitHub Onlyauthor: Dennis Pike
C19ImportToSentinelPlaybook🔗 GitHubGitHub OnlyMicrosoft released threat indicators related to Covid19 as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/
C19IndicatorProcessorPlaybook🔗 GitHubGitHub OnlyMicrosoft released threat indicators related to Covid19 as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/
Get-Recipients-EmailMessageID-containing-URLPlaybook🔗 GitHubGitHub Onlyauthor: Dennis Pike
Get-VTURLPositivesCommentPlaybook🔗 GitHubGitHub Onlyauthor: Dennis Pike
Incident-Status-Sync-To-WDATPPlaybook🔗 GitHubGitHub OnlyAuthor: Mahmoud Elsayed
Get-SecureScore-InformationPlaybook🔗 GitHubGitHub OnlyAuthor: Matt Lowe, Benjamin Kovacevic
InfrequentCountryTriagePlaybook🔗 GitHubGitHub Onlyauthor: Sebastien Molendijk - Microsoft
Get-NamedLocationsPlaybook🔗 GitHubGitHub Onlyauthor: Thijs Lecomte
ConnectorHealthAppPlaybook🔗 GitHubGitHub OnlyThis enhanced solution builds on the existing "Connector Health Workbook" described in this video: https://www.youtube.com/watch?v=T6Vyo7gZYds. The Logic App leverages underlying queries to provide ...
Sync-Comments-to-M365DefenderPlaybook🔗 GitHubGitHub Onlyauthor: Prateek Taneja, Benjamin Kovacevic
Update-NamedLocations-TORPlaybook🔗 GitHubGitHub OnlyIntent: As an IT admin, I want to be able to block logins from all TOR Exit Node IP Addresses using Conditional Access.
Update-Watchlist-With-NamedLocationsPlaybook🔗 GitHubGitHub Onlyauthor: Maria de Sousa-Valadas; version: 1.1
Move-LogAnalytics-to-StoragePlaybook🔗 GitHubGitHub OnlyDescription: This Playbook runs on a daily schedule and moves 89-day-old logs per data type to Blob storage in hourly increments. The result of this Playbook is a structured file explorer with...
Azure-Public-IPsWatchlist🔗 GitHubGitHub Only
DeploymentandMigrationWatchlist🔗 GitHubGitHub Only
ListofTCPUDPPortsWatchlist🔗 GitHubGitHub Only
NOBELIUM-TIWatchlist🔗 GitHubGitHub Only
Update-RiskyUserWatchlistWatchlist🔗 GitHubGitHub Only
UpdateCloudIPsWatchlist🔗 GitHubGitHub Only
GitLab - Brute-force AttemptsAnalytic Rule📦 SolutionGitLabThis query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time.
GitLab - External User Added to GitLabAnalytic Rule📦 SolutionGitLabThis queries GitLab Application logs to list external user accounts (i.e., accounts not in allow-listed domains) which have been added to GitLab users.
GitLab - User ImpersonationAnalytic Rule📦 SolutionGitLabThis queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypa...
GitLab - Local Auth - No MFAAnalytic Rule📦 SolutionGitLabThis query checks GitLab Audit Logs to see if a user authenticated without MFA. It might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This...
GitLab - TI - Connection from Malicious IPAnalytic Rule📦 SolutionGitLabThis query correlates Threat Intelligence data from Microsoft Sentinel with GitLab NGINX Access Logs (available in GitLab CE as well) to identify access from potentially TI-flagged IPs.
GitLab - Personal Access Tokens creation over timeAnalytic Rule📦 SolutionGitLabThis queries GitLab Audit Logs for access tokens. An attacker can exfiltrate data from your GitLab repository after gaining access to it by generating or hijacking access tokens. This hunting queries all...
GitLab - Repository visibility to PublicAnalytic Rule📦 SolutionGitLabThis query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the ...
GitLab - Abnormal number of repositories deletedAnalytic Rule📦 SolutionGitLabThis hunting query identifies an unusual increase in repository deletion activity; adversaries may want to disrupt availability or compromise integrity by deleting business data.
GitLab - SSO - Sign-Ins BurstAnalytic Rule📦 SolutionGitLabThis query relies on Microsoft Entra ID sign-in activity when Microsoft Entra ID is used for SSO with GitLab to highlight GitLab accounts associated with multiple authentications from different geogr...
GitLabAccessParser📦 SolutionGitLab
GitLabAppParser📦 SolutionGitLab
GitLabAuditParser📦 SolutionGitLab
GSA - TI Domain EntityAnalytic Rule📦 SolutionGlobal Secure AccessThis query identifies Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in GSA NetworkAccessTraffic.
GSA - TI IP EntityAnalytic Rule📦 SolutionGlobal Secure AccessThis query identifies IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in GSA NetworkAccessTraffic.
GSA - TI URL EntityAnalytic Rule📦 SolutionGlobal Secure AccessThis query identifies URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in GSA NetworkAccessTraffic.
GSA - Detect Connections Outside Operational HoursAnalytic Rule📦 SolutionGlobal Secure AccessThis query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating pot...
GSA - Detect Abnormal Deny Rate for Source to Destination IPAnalytic Rule📦 SolutionGlobal Secure AccessIdentifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, ...
GSA - Detect Protocol Changes for Destination PortsAnalytic Rule📦 SolutionGlobal Secure AccessIdentifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes. Con...
GSA - Detect Source IP Scanning Multiple Open PortsAnalytic Rule📦 SolutionGlobal Secure AccessIdentifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that...
GSAM365EnrichedEventsWorkbook📦 SolutionGlobal Secure Access
GSAMCPInsightsWorkbook📦 SolutionGlobal Secure Access
GSANetworkTrafficWorkbook📦 SolutionGlobal Secure Access
ApigeeXParser📦 SolutionGoogle Apigee
ApigeeXV2Parser📦 SolutionGoogle Apigee
Unified_ApigeeXParser📦 SolutionGoogle Apigee
GCP Audit Logs - Detect Bulk VM Snapshot DeletionAnalytic Rule📦 SolutionGoogle Cloud Platform Audit LogsDetects bulk deletion of Google Cloud VM snapshots within a short time period, which may indicate data destruction or defense evasion activities. VM snapshots are critical for backup and disaster reco...
GCP Audit Logs - Data Access Logging Exemption Added for PrincipalAnalytic Rule📦 SolutionGoogle Cloud Platform Audit LogsDetects when a principal (user or service account) is exempted from GCP data access audit logging. This is a critical security event as it reduces visibility into privileged operations and may indicat...
GCP Audit Logs - DNSSEC Disabled on Managed DNS ZoneAnalytic Rule📦 SolutionGoogle Cloud Platform Audit LogsDetects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone. DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning atta...
GCP Audit Logs - Open Firewall Rule Created or ModifiedAnalytic Rule📦 SolutionGoogle Cloud Platform Audit LogsDetects when a Google Cloud Platform firewall rule is created or modified to allow traffic from any source (0.0.0.0/0 or 0.0.0.0). Open firewall rules expose resources to the internet and can signific...
GCP Audit Logs - Detect Organization Policy Deletion or UpdationAnalytic Rule📦 SolutionGoogle Cloud Platform Audit LogsDetects when a Google Cloud Platform organization policy is deleted or updated. Organization policies provide centralized control over your organization's cloud resources and help ensure security and...
GCP Audit Logs - Storage Bucket Made PublicAnalytic Rule📦 SolutionGoogle Cloud Platform Audit LogsDetects when a Google Cloud Storage bucket is made publicly accessible by granting permissions to allUsers or allAuthenticatedUsers. Making buckets public can expose sensitive data to unauthorized acc...
GCP Audit Logs - VPC Flow Logs DisabledAnalytic Rule📦 SolutionGoogle Cloud Platform Audit LogsDetects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted. VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, provid...
GCP Audit Logs - List Activities Disabling Data Access Logging for GCP ServicesHunting Query📦 SolutionGoogle Cloud Platform Audit LogsList all activities where data access logging (ADMIN_READ, DATA_READ, or DATA_WRITE) is disabled for GCP services through IAM policy modifications.
GCP Audit Logs - List All GCP Firewall Operations by PrincipalHunting Query📦 SolutionGoogle Cloud Platform Audit LogsLists all Google Cloud Platform firewall rule operations performed by principals (users and service accounts).
GCP Audit Logs - List GCP Organization Policy Modifications by PrincipalHunting Query📦 SolutionGoogle Cloud Platform Audit LogsLists all Google Cloud Platform organization policy deletion and update operations performed by principals (users and service accounts).
GCP Audit Logs - List All GCP VPN Tunnels CreatedHunting Query📦 SolutionGoogle Cloud Platform Audit LogsLists all Google Cloud VPN tunnel creation operations to identify network connectivity changes and tunnel configurations.
GCP Audit Logs - List All GCP VPN Tunnels DeletedHunting Query📦 SolutionGoogle Cloud Platform Audit LogsLists all Google Cloud VPN tunnel deletion operations to identify network connectivity changes and potential security impacts.
Google Cloud Platform BigQuery - Create Watchlist with BigQuery Table DataPlaybook📦 SolutionGoogle Cloud Platform BigQueryThis playbook can be run from incident context manually or from an automation rule to create a watchlist from GCP BigQuery table data.
Google Cloud Platform BigQuery - Enrich Incident with BigQuery Table DataPlaybook📦 SolutionGoogle Cloud Platform BigQueryThis playbook can be run from incident context manually or from automation rule to query the GCP BigQuery table and enrich the incident with query results. Query result is filtered based on provided e...
Google Cloud Platform BigQuery - Query BigQuery TablePlaybook📦 SolutionGoogle Cloud Platform BigQueryThis playbook can be run from incident context manually or from automation rule to query the GCP BigQuery table and enrich the incident with results.
GCP_MONITORParser📦 SolutionGoogle Cloud Platform Cloud Monitoring
GCP Security Command Center - Detect Open/Unrestricted API KeysAnalytic Rule📦 SolutionGoogle Cloud Platform Security Command CenterDetects Google Cloud projects that have API keys with unrestricted API access using Security Command Center API_KEY_APIS_UNRESTRICTED findings. These findings indicate API keys that are not restricted...
GCP Security Command Center - Detect projects with API Keys presentAnalytic Rule📦 SolutionGoogle Cloud Platform Security Command CenterDetects Google Cloud projects that have API Keys present using Security Command Center API_KEY_EXISTS findings. Projects with API Keys may expose credentials that enable unauthorized access if keys ar...
GCP Security Command Center - Detect DNSSEC disabled for DNS zonesAnalytic Rule📦 SolutionGoogle Cloud Platform Security Command CenterDetects Google Cloud DNS zones where DNSSEC is disabled using Security Command Center findings (DNSSEC_DISABLED). Disabling DNSSEC increases risk of DNS hijacking and man-in-the-middle attacks. This a...
GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk portsAnalytic Rule📦 SolutionGoogle Cloud Platform Security Command CenterThis query detects GCP Firewall rules that allow unrestricted (0.0.0.0/0) ingress to high-risk ports using Google Cloud Security Command Center OPEN_FIREWALL findings. Publicly exposed management, dat...
GCP Security Command Center - Detect Resources with Logging DisabledAnalytic Rule📦 SolutionGoogle Cloud Platform Security Command CenterDetects Google Cloud resources where logging is disabled for services such as Cloud Storage buckets, Firewall rules, and Cloud DNS networks, based on Google Cloud Security Command Center findings.
Identify GCP Service Account with Overly Permissive RolesHunting Query📦 SolutionGoogle Cloud Platform Security Command CenterThis query identifies Google Cloud Platform (GCP) service accounts with admin privileges using findings from the Security Command Center.
Identify Compute VMs with Secure Boot DisabledHunting Query📦 SolutionGoogle Cloud Platform Security Command CenterIdentifies Google Compute Engine VM instances reported by Security Command Center with Secure Boot disabled (COMPUTE_SECURE_BOOT_DISABLED findings).
Identify GCP Instances with Full API AccessHunting Query📦 SolutionGoogle Cloud Platform Security Command CenterIdentifies Google Cloud Platform Compute Engine instances that are configured with the "Allow full access to all Cloud APIs" scope using Security Command Center FULL_API_ACCESS findings.
Identify Public GCP Storage BucketsHunting Query📦 SolutionGoogle Cloud Platform Security Command CenterIdentifies Google Cloud Storage buckets that are publicly accessible using Security Command Center findings (PUBLIC_BUCKET_ACL).
Identify GCP User-Managed Service Account KeysHunting Query📦 SolutionGoogle Cloud Platform Security Command CenterIdentifies user-managed service account keys reported by Security Command Center findings (USER_MANAGED_SERVICE_ACCOUNT_KEY).
Google Threat Intelligence - Threat Hunting DomainAnalytic Rule📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence domain correlation.
Google Threat Intelligence - Threat Hunting HashAnalytic Rule📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence hash correlation.
Google Threat Intelligence - Threat Hunting IPAnalytic Rule📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence IP correlation.
Google Threat Intelligence - Threat Hunting UrlAnalytic Rule📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence Url correlation.
Google Threat Intelligence - Threat Hunting DomainHunting Query📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence domain correlation.
Google Threat Intelligence - Threat Hunting HashHunting Query📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence hash correlation.
Google Threat Intelligence - Threat Hunting IPHunting Query📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence IP correlation.
Google Threat Intelligence - Threat Hunting UrlHunting Query📦 SolutionGoogle Threat IntelligenceGoogle Threat Intelligence Url correlation.
Google Threat Intelligence - IoC StreamPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will ingest Google Threat Intelligence from your IoC Streams into Threat Intelligence Sentinel.
Google Threat Intelligence - Threat ListPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will ingest Google Threat Intelligence into Threat Intelligence Sentinel.
Google Threat Intelligence - IOC EnrichmentPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will enrich IP, Hash, URL & Domain entities found in alerts.
Google Threat Intelligence - IOC EnrichmentPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will enrich IP, Hash, URL & Domain entities found in incidents.
Google Threat Intelligence - Domain EnrichmentPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will enrich Domain entities.
Google Threat Intelligence - FileHash EnrichmentPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will enrich FileHash entities.
Google Threat Intelligence - IP EnrichmentPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will enrich IP entities.
Google Threat Intelligence - URL EnrichmentPlaybook📦 SolutionGoogle Threat IntelligenceThis playbook will enrich URL entities.
Google DNS - CVE-2021-40444 exploitationAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects CVE-2021-40444 exploitation.
Google DNS - Possible data exfiltrationAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects possible data exfiltration.
Google DNS - Exchange online autodiscover abuseAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects possible Exchange online autodiscover abuse.
Google DNS - IP check activityAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects requests to ip lookup resources.
Google DNS - Request to dynamic DNS serviceAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects requests to ip lookup resources.
Google DNS - Malicious Python packagesAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects requests to resources with malicious Python packages.
Google DNS - Multiple errors for sourceAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects multiple errors for the same source IP address.
Google DNS - Multiple errors to same domainAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects multiple errors to same domain.
Google DNS - CVE-2021-34527 (PrintNightmare) external exploitAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects CVE-2021-34527 (PrintNightmare) external exploit
Google DNS - CVE-2020-1350 (SIGRED) exploitation patternAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects exploitation pattern of CVE-2020-1350 (SIGRED) vulnerability.
Google DNS - UNC2452 (Nobelium) APT Group activityAnalytic Rule📦 SolutionGoogleCloudPlatformDNSDetects UNC2452 (Nobelium) APT Group activity.
Google DNS - ErrorsHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for DNS requests with errors.
Google DNS - Requests to IP lookup resourcesHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for requests to IP lookup resources.
Google DNS - Requests to online sharesHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for requests to online/cloud shares.
Google DNS - Rare domainsHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for requests to rare domains.
Google DNS - Domains with rare errorsHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for Domains with rare errors.
Google DNS - Requests to TOR resourcesHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for requests to TOR resources.
Google DNS - Server latencyHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for server latency.
Google DNS - Sources with high number of errorsHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for sources with high number of errors.
Google DNS - Unexpected top level domainsHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for unexpected TLDs.
Google DNS - Unusual top level domainsHunting Query📦 SolutionGoogleCloudPlatformDNSQuery searches for unusual TLDs.
GCPDNSWorkbook📦 SolutionGoogleCloudPlatformDNS
GCPCloudDNSParser📦 SolutionGoogleCloudPlatformDNS
GCP IAM - Disable Data Access LoggingAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects when Data Access Logging is disabled.
GCP IAM - Empty user agentAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects requests where user agent is empty.
GCP IAM - High privileged role added to service accountAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects when high privileged role was added to service account.
GCP IAM - New Authentication Token for Service AccountAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects when new authentication token is created for service account.
GCP IAM - New Service AccountAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects new service account creation.
GCP IAM - New Service Account KeyAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects new service account key creation.
GCP IAM - Privileges EnumerationAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects possible privileges enumeration.
GCP IAM - Publicly exposed storage bucketAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects possible misconfiguration for bucket policy making it publicly available.
GCP IAM - Service Account EnumerationAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects possible service account enumeration.
GCP IAM - Service Account Keys EnumerationAnalytic Rule📦 SolutionGoogleCloudPlatformIAMDetects possible service account keys enumeration.
GCP IAM - Changed rolesHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for roles' modifications.
GCP IAM - Deleted service accountsHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for service accounts deleted for the last 24 hours.
GCP IAM - Disabled service accountsHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for service accounts disabled for the last 24 hours.
GCP IAM - New custom rolesHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for new custom roles created for the last 24 hours.
GCP IAM - New service accountsHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for new service accounts created for the last 24 hours.
GCP IAM - New service account keysHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for new service accounts keys created for the last 24 hours.
GCP IAM - Rare IAM actionsHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for rare IAM actions by users.
GCP IAM - Rare user agentHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for rare user agents.
GCP IAM - Top service accounts by failed actionsHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for service accounts with top failed actions count.
GCP IAM - Top source IP addresses with failed actionsHunting Query📦 SolutionGoogleCloudPlatformIAMQuery searches for source IP addresses with top failed actions count.
GCP_IAMWorkbook📦 SolutionGoogleCloudPlatformIAM
GCP-DisableServiceAccountFromTeamsPlaybook📦 SolutionGoogleCloudPlatformIAMWhen a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be ta...
GCP-DisableServiceAccountKeyPlaybook📦 SolutionGoogleCloudPlatformIAMOnce a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. [Disables Service Account Key](https://cloud.google.com/iam/docs/reference/rest/v1/projects...
GCP-EnrichServiseAccountInfoPlaybook📦 SolutionGoogleCloudPlatformIAMOnce a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. [Gets service Account Information](https://cloud.google.com/iam/docs/reference/rest/v1/proj...
GCP_IAMParser📦 SolutionGoogleCloudPlatformIAM
Google Directory - Enrich Incident With User Info 🔍Playbook📦 SolutionGoogleDirectoryOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. [Obtains information about user.](https://develo...
Google Directory - Sign Out User 🔍Playbook📦 SolutionGoogleDirectoryOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. [Signs out users.](https://developers.google.com...
Google Directory - Suspend User 🔍Playbook📦 SolutionGoogleDirectoryOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Sends an adaptive card to the Teams channel wher...
GWorkspace - Admin permissions grantedAnalytic Rule📦 SolutionGoogleWorkspaceReportsTriggers on admin permissions granted.
GWorkspace - Alert eventsAnalytic Rule📦 SolutionGoogleWorkspaceReportsDetects alert events.
GWorkspace - API Access GrantedAnalytic Rule📦 SolutionGoogleWorkspaceReportsTriggers when API Access has been granted to a new client.
GWorkspace - User access has been changedAnalytic Rule📦 SolutionGoogleWorkspaceReportsDetects user access change.
GWorkspace - Multiple user agents for single sourceAnalytic Rule📦 SolutionGoogleWorkspaceReportsDetects requests with different user agents from one source in short timeframe.
GWorkspace - An Outbound Relay has been added to a G Suite DomainAnalytic Rule📦 SolutionGoogleWorkspaceReportsDetects outbound relays that may be added to collect email.
GWorkspace - Possible brute force attackAnalytic Rule📦 SolutionGoogleWorkspaceReportsDetects possible brute force attack.
GWorkspace - Possible maldoc file name in Google driveAnalytic Rule📦 SolutionGoogleWorkspaceReportsDetects possible maldoc file name in Google drive.
GWorkspace - Two-step authentication disabled for a userAnalytic Rule📦 SolutionGoogleWorkspaceReportsTriggers on two-step authentication disabled for a user.
GWorkspace - Unexpected OS updateAnalytic Rule📦 SolutionGoogleWorkspaceReportsDetects unexpected OS update.
GWorkspace - Document Copied from Share Drive to Private Drive 🔍Hunting Query📦 SolutionGoogleWorkspaceReportsThis hunting query searches for document copy activity from shared drive to a private drive, potential sign of data exfiltration. https://www.mitiga.io/blog/mitiga-security-advisory-lack-of-forensic-v...
GWorkspace - Document shared externallyHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches document shared externally.
GWorkspace - Document shared publicly in webHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches for documents shared publicly on the web.
GWorkspace - Document shared publicly with linkHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches for documents shared publicly with a link.
GWorkspace - License Revoke and Assignment to User 🔍Hunting Query📦 SolutionGoogleWorkspaceReportsThis hunting query searches for license revoke and assignment in quick succession to user, potential sign of data exfiltration. https://www.mitiga.io/blog/mitiga-security-advisory-lack-of-forensic-vis...
GWorkspace - Multi IP addresses by userHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches users with multi IP addresses.
GWorkspace - Possible SCAM/SPAM or Phishing via CalendarHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches possible SCAM/SPAM or phishing via calendar.
GWorkspace - Rare document types by usersHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches rare document types by users.
GWorkspace - Shared private documentHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches shared private document.
GWorkspace - Suspended usersHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches suspended users.
GWorkspace - Uncommon user agent stringsHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches uncommon user agent strings.
GWorkspace - Unknown login typeHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches unknown login type.
GWorkspace - User reported calendar invite as spamHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches for calendar invites used to deliver spam. This query shows results when a user reports a calendar invite as spam.
GWorkspace - Users with several devicesHunting Query📦 SolutionGoogleWorkspaceReportsQuery searches users with several devices.
GoogleWorkspaceWorkbook📦 SolutionGoogleWorkspaceReports
GWorkspaceActivityReportsParser📦 SolutionGoogleWorkspaceReports
GreyNoise TI Map IP Entity to CommonSecurityLogAnalytic Rule📦 SolutionGreyNoiseThreatIntelligenceThis query maps GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
GreyNoise TI Map IP Entity to DnsEventsAnalytic Rule📦 SolutionGreyNoiseThreatIntelligenceThis query maps any IP indicators of compromise (IOCs) from GreyNoise Threat Intelligence (TI), by searching for matches in DnsEvents.
GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)Analytic Rule📦 SolutionGreyNoiseThreatIntelligenceThis rule identifies a match in Network Sessions for which the source or destination IP address is a known GreyNoise IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-i...
GreyNoise TI map IP entity to OfficeActivityAnalytic Rule📦 SolutionGreyNoiseThreatIntelligenceThis query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
GreyNoise TI Map IP Entity to SigninLogsAnalytic Rule📦 SolutionGreyNoiseThreatIntelligenceThis query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.
GreyNoiseOverviewWorkbook📦 SolutionGreyNoiseThreatIntelligence
GIBIndicatorProcessor 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_APT_ThreatActor 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_APT_Threats 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Attacks_ddos 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Attacks_deface 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Attacks_phishing 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Attacks_phishing_kit 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_BP_phishing 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_BP_phishing_kit 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Compromised_account 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Compromised_card 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Compromised_imei 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Compromised_mule 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_HI_Threat 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_HI_Threat_Actor 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Malware_cnc 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Malware_Targeted_Malware 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_OSI_GitLeak 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_OSI_PublicLeak 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_OSI_Vulnerability 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Suspicious_ip_open_proxy 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Suspicious_ip_socks_proxy 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
GIBTIA_Suspicious_ip_tor_node 🔍Playbook📦 SolutionGroup-IBAuthor: Hesham Saad
HIPAAComplianceWorkbook📦 SolutionHIPAA Compliance
HYASInsight Enrich Incident By C2Attribution InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with C2 Attribution information.
HYASInsight Enrich Incident By DynamicDNS InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with Dynamic DNS information.
HYASInsight Enrich Incident By Malware Sample InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with Malware Sample information.
HYASInsight Enrich Incident By OS Indicator InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with OS Indicator information.
HYASInsight Enrich Incident By Passive Hash InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with Passive Hash information.
HYASInsight Enrich Incident By SSL Certificate InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with SSL Certificate information.
HYASInsight Enrich Incident By WHOIS Current InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with WHOIS Current information.
HYASInsight Enrich Incident By WHOIS InfoPlaybook📦 SolutionHYASThis playbook enriches hosts associated with an incident with WHOIS information.
HYASInsight Enrich Incident By C2 AttributionPlaybook📦 SolutionHYASThis playbook enriches emails associated with an incident with C2 Attribution information.
HYASInsight Enrich Incident By Dynamic DNSPlaybook📦 SolutionHYASThis playbook enriches emails associated with an incident with Dynamic DNS information.
HYASInsight Enrich Incident By WHOISPlaybook📦 SolutionHYASThis playbook enriches emails associated with an incident with WHOIS information.
HYASInsight Enrich Incident By C2 AttributionPlaybook📦 SolutionHYASThis playbook enriches file hashes associated with an incident with C2 Attribution information.
HYASInsight Enrich Incident By Malware InformationPlaybook📦 SolutionHYASThis playbook enriches file hashes associated with an incident with Malware information.
HYASInsight Enrich Incident By OS Indicator InformationPlaybook📦 SolutionHYASThis playbook enriches file hashes associated with an incident with OS Indicator information.
HYASInsight Enrich Incident By C2 Attribution InformationPlaybook📦 SolutionHYASThis playbook enriches file hashes associated with an incident with SSL Certificate information.
HYASInsight Enrich Incident By C2 Attribution InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with C2 Attribution information.
HYASInsight Enrich Incident By Dynamic DNS InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with Dynamic DNS information.
HYASInsight Enrich Incident By Geo Location InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with Geo Location information.
HYASInsight Enrich Incident By Sample Data InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with Sample information.
HYASInsight Enrich Incident By OS Indicator InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with OS Indicator information.
HYASInsight Enrich Incident By Passive DNS InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with Passive DNS information.
HYASInsight Enrich Incident By Passive Hash InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with Passive Hash information.
HYASInsight Enrich Incident By SinkHole InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with Sinkhole information.
HYASInsight Enrich Incident By SSL Certificate InformationPlaybook📦 SolutionHYASThis playbook enriches IP addresses associated with an incident with SSL Certificate information.
HYASInsight Enrich Incident By WHOIS InfoPlaybook📦 SolutionHYASThis playbook enriches phone numbers associated with an incident with WHOIS information.
HYASProtectDNSParser📦 SolutionHYAS Protect
ibossMalwareAndC2Workbook📦 Solutioniboss
ibossWebUsageWorkbook📦 Solutioniboss
ibossUrlEventParser📦 Solutioniboss
IllumioCoreEventParser📦 SolutionIllumio Core
Illumio VEN Clone Detection RuleAnalytic Rule📦 SolutionIllumioSaaSCreates a Microsoft Sentinel incident when a cloned VEN is detected.
Illumio VEN Deactivated Detection RuleAnalytic Rule📦 SolutionIllumioSaaSCreates a Microsoft Sentinel incident when a VEN goes into the Deactivated state.
Illumio Enforcement Change Analytic RuleAnalytic Rule📦 SolutionIllumioSaaSCreates a Microsoft Sentinel incident when a VEN changes enforcement state from Full/Selective to Idle/Visibility.
Illumio Firewall Tampering Analytic RuleAnalytic Rule📦 SolutionIllumioSaaSCreates a Microsoft Sentinel incident when the firewall is tampered with.
Illumio VEN Offline Detection RuleAnalytic Rule📦 SolutionIllumioSaaSCreates a Microsoft Sentinel incident when a VEN goes into the Offline state.
Illumio VEN Suspend Detection RuleAnalytic Rule📦 SolutionIllumioSaaSCreates a Microsoft Sentinel incident when a VEN goes into the Suspended state.
IllumioAuditableEventsWorkbook📦 SolutionIllumioSaaS
IllumioFlowDataWorkbook📦 SolutionIllumioSaaS
IllumioOnPremHealthWorkbook📦 SolutionIllumioSaaS
IllumioWorkloadsStatsWorkbook📦 SolutionIllumioSaaS
Illumio Get Ven Details PlaybookPlaybook📦 SolutionIllumioSaaSThis playbook leverages Illumio workloads API to enrich IP, Hostname and Labels, found in Microsoft Sentinel alerts. <img src="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/I...
Illumio Containment Switch PlaybookPlaybook📦 SolutionIllumioSaaSThis playbook leverages Illumio workloads API to contain and isolate a workload based on user inputs. <img src="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IllumioSaaS/Play...
Illumio Workload Quarantine PlaybookPlaybook📦 SolutionIllumioSaaSThis playbook leverages Illumio workloads API to quarantine a workload based on user inputs. <img src="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IllumioSaaS/Playbooks/Ill...
IllumioSyslogAuditEventsParser📦 SolutionIllumioSaaS
IllumioSyslogNetworkTrafficEventsParser📦 SolutionIllumioSaaS
Illusive-SentinelIncident-Enrichment 🔍Playbook📦 SolutionIllusive Active Defense
Illusive-SentinelIncident-Response 🔍Playbook📦 SolutionIllusive Active Defense
Illusive Incidents Analytic RuleAnalytic Rule📦 SolutionIllusive PlatformCreate a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing I...
IllusiveADSWorkbook📦 SolutionIllusive Platform
IllusiveASMWorkbook📦 SolutionIllusive Platform
Imperva - Abnormal protocol usageAnalytic Rule📦 SolutionImpervaCloudWAFDetects abnormal protocol usage.
Imperva - Request from unexpected IP address to admin panelAnalytic Rule📦 SolutionImpervaCloudWAFDetects requests from unexpected IP addresses to admin panel.
Imperva - Critical severity event not blockedAnalytic Rule📦 SolutionImpervaCloudWAFDetects when critical severity event was not blocked.
Imperva - Possible command injectionAnalytic Rule📦 SolutionImpervaCloudWAFDetects requests with commands in URI.
Imperva - Request from unexpected countriesAnalytic Rule📦 SolutionImpervaCloudWAFDetects request attempts from unexpected countries.
Imperva - Forbidden HTTP request method in requestAnalytic Rule📦 SolutionImpervaCloudWAFDetects connections with unexpected HTTP request method.
Imperva - Malicious ClientAnalytic Rule📦 SolutionImpervaCloudWAFDetects connections from known malicious clients.
Imperva - Malicious user agentAnalytic Rule📦 SolutionImpervaCloudWAFDetects requests containing known malicious user agent strings.
Imperva - Multiple user agents from same sourceAnalytic Rule📦 SolutionImpervaCloudWAFDetects suspicious number of user agents from the same IP address.
Imperva - Request to unexpected destination portAnalytic Rule📦 SolutionImpervaCloudWAFDetects request attempts to unexpected destination ports.
Imperva - Top destinations with blocked requestsHunting Query📦 SolutionImpervaCloudWAFQuery searches for destination IP addresses to which requests were blocked by the service.
Imperva - Applications with insecure web protocol versionHunting Query📦 SolutionImpervaCloudWAFQuery searches for applications with an insecure web protocol version.
Imperva - Non HTTP/HTTPs applicationsHunting Query📦 SolutionImpervaCloudWAFQuery searches for non-HTTP/HTTPS applications.
Imperva - Rare applicationsHunting Query📦 SolutionImpervaCloudWAFQuery searches for rare application protocols.
Imperva - Rare client applicationsHunting Query📦 SolutionImpervaCloudWAFQuery searches for rare client applications used.
Imperva - Rare destination portsHunting Query📦 SolutionImpervaCloudWAFQuery searches for requests for rare destination ports.
Imperva - request from known botsHunting Query📦 SolutionImpervaCloudWAFQuery searches for requests from known bots.
Imperva - Top sources with blocked requestsHunting Query📦 SolutionImpervaCloudWAFQuery searches source IP addresses with blocked requests.
Imperva - Top applications with error requestsHunting Query📦 SolutionImpervaCloudWAFQuery searches for top applications with protocol or network errors.
Imperva - Top sources with error requestsHunting Query📦 SolutionImpervaCloudWAFQuery searches for top source IP addresses with protocol or network errors.
Imperva WAF Cloud OverviewWorkbook📦 SolutionImpervaCloudWAF
ImpervaWAFCloudParser📦 SolutionImpervaCloudWAF
Infoblox - SOC Insight Detected - API SourceAnalytic Rule📦 SolutionInfobloxInfoblox SOC Insight detected in logs sourced via REST API. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsi...
Infoblox - SOC Insight Detected - CDC SourceAnalytic Rule📦 SolutionInfobloxInfoblox SOC Insight detected in logs sourced via Infoblox CDC. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**Infoblox...
Infoblox_Lookup_WorkbookWorkbook📦 SolutionInfoblox
Infoblox_WorkbookWorkbook📦 SolutionInfoblox
Infoblox-Block-Allow-IP-DomainPlaybook📦 SolutionInfobloxThe playbook will add/remove IP or Domain value in Named List of Infoblox.
Infoblox-Block-Allow-IP-Domain-Incident-BasedPlaybook📦 SolutionInfobloxThe playbook will add / remove IP or Domain values in a Named List that are available in incidents of Infoblox.
Infoblox-Config-Insight-DetailsPlaybook📦 SolutionInfobloxThe playbook retrieves Config Insight Details Data and ingests it into a custom table within the Log Analytics Workspace on an on-demand basis from the Workbook.
Infoblox-Config-InsightsPlaybook📦 SolutionInfobloxThe playbook retrieves Config Insight Data and ingests it into a custom table within the Log Analytics Workspace on a scheduled basis.
Infoblox-Data-Connector-Trigger-SyncPlaybook📦 SolutionInfobloxPlaybook to sync timer trigger of all Infoblox data connectors.
Infoblox-DHCP-LookupPlaybook📦 SolutionInfobloxThe playbook will retrieve IP entities from an incident, search for related DHCP data in a table, and if found, add the DHCP lookup data as a comment on the incident.
Infoblox-Get-Host-NamePlaybook📦 SolutionInfobloxThe playbook will fetch the data from the 'Hosts' API and ingest it into a custom table.
Infoblox-Get-IP-Space-DataPlaybook📦 SolutionInfobloxThe playbook will fetch the data from the 'IP Space' API and ingest it into a custom table.
Infoblox-Get-Service-NamePlaybook📦 SolutionInfobloxThis playbook will fetch the data from the 'Services' API and ingest it into a custom table.
Infoblox-IPAM-LookupPlaybook📦 SolutionInfobloxThe playbook will retrieve IP entities from an incident, call an API to obtain IPAM lookup data, and add this data, along with IP space and subnet information, as a comment on the incident.
Infoblox-SOC-Get-Insight-DetailsPlaybook📦 SolutionInfobloxLeverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight & ingest Insight details into custom InfobloxInsight tables. The tables are used to...
Infoblox-SOC-Get-Open-Insights-APIPlaybook📦 SolutionInfobloxLeverages the Infoblox SOC Insights API to ingest all Open/Active SOC Insights at time of run into the custom InfobloxInsight table. This playbook is scheduled to run on a daily basis.
Infoblox-SOC-Import-Indicators-TIPlaybook📦 SolutionInfobloxImports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into the ThreatIntelligenceIndicator table. You must run the Infoblox-SOC-Get-Insight-Details playbook on a...
Infoblox-TIDE-LookupPlaybook📦 SolutionInfobloxThe playbook fetches TIDE lookup data for the provided entity type and value.
Infoblox-TIDE-Lookup-Via-IncidentPlaybook📦 SolutionInfobloxThe playbook takes entity type and value from incident available in Workbook and ingests TIDE Lookup data for that entity into Log table.
Infoblox-TIDE-Lookup-Comment-EnrichmentPlaybook📦 SolutionInfobloxThe playbook enriches an incident by adding TIDE Lookup information as a comment on the incident.
Infoblox-TimeRangeBased-DHCP-LookupPlaybook📦 SolutionInfobloxThe playbook will retrieve IP entities from an incident, search for related DHCP data in a table for a specified time range, and if found, add the DHCP lookup data as a comment on the incident.
InfobloxCDC_SOCInsightsParser📦 SolutionInfoblox
InfobloxInsightParser📦 SolutionInfoblox
InfobloxInsightAssetsParser📦 SolutionInfoblox
InfobloxInsightCommentsParser📦 SolutionInfoblox
InfobloxInsightEventsParser📦 SolutionInfoblox
InfobloxInsightIndicatorsParser📦 SolutionInfoblox
Infoblox - Data Exfiltration AttackAnalytic Rule📦 SolutionInfoblox Cloud Data ConnectorData exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called ...
Infoblox - High Threat Level Query Not Blocked DetectedAnalytic Rule📦 SolutionInfoblox Cloud Data ConnectorAt least 1 high threat level query generated by a single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a...
Infoblox - Many High Threat Level Queries From Single Host DetectedAnalytic Rule📦 SolutionInfoblox Cloud Data ConnectorAt least 200 high threat level queries generated by a single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser base...
Infoblox - Many High Threat Level Single Query DetectedAnalytic Rule📦 SolutionInfoblox Cloud Data ConnectorSingle high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Functio...
Infoblox - Many NXDOMAIN DNS Responses DetectedAnalytic Rule📦 SolutionInfoblox Cloud Data ConnectorDetected at least 200 DNS responses for non-existent domains in 1 hour generated by a single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule de...
Infoblox - TI - CommonSecurityLog Match Found - MalwareC2Analytic Rule📦 SolutionInfoblox Cloud Data ConnectorCommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat prope...
Infoblox - TI - InfobloxCDC Match Found - Lookalike DomainsAnalytic Rule📦 SolutionInfoblox Cloud Data ConnectorInfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. ...
Infoblox - TI - Syslog Match Found - URLAnalytic Rule📦 SolutionInfoblox Cloud Data ConnectorSyslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.
InfobloxCDCB1TDWorkbookWorkbook📦 SolutionInfoblox Cloud Data Connector
Infoblox Import AISCOMM WeeklyPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all indicators from the AISCOMM data provider on a scheduled...
Infoblox Import Emails WeeklyPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected emails on a scheduled weekly basis.
Infoblox Import Hashes WeeklyPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected hashes on a scheduled weekly basis.
Infoblox Import Hosts Daily Lookalike DomainsPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Lookalike domains on a scheduled daily basis.
Infoblox Import Hosts Daily MalwareC2DGAPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected MalwareC2DGA domains on a scheduled daily bas...
Infoblox Import Hosts Daily PhishingPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Phishing domains on a scheduled daily basis.
Infoblox Import Hosts HourlyPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected hosts on a scheduled hourly basis.
Infoblox Import IPs HourlyPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected IPs on a scheduled hourly basis.
Infoblox Import URLs HourlyPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected URLs on a scheduled hourly basis.
Infoblox Incident Enrichment DomainsPlaybook📦 SolutionInfoblox Cloud Data ConnectorLeverages the Infoblox TIDE API to enrich Microsoft Sentinel incidents with detailed TIDE data. This playbook can be configured to run automatically when an incident occurs (recommended) or run on dem...
Infoblox Incident Send EmailPlaybook📦 SolutionInfoblox Cloud Data ConnectorSends a detailed email when an incident occurs. Optionally enriches an applicable entity within the email with Infoblox TIDE data. This playbook can be configured to run automatically when an incident...
InfobloxCDCParser📦 SolutionInfoblox Cloud Data Connector
Excessive NXDOMAIN DNS QueriesAnalytic Rule📦 SolutionInfoblox NIOSThis creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.
Potential DHCP Starvation AttackAnalytic Rule📦 SolutionInfoblox NIOSThis creates an incident in the event that an excessive number of DHCPREQUEST messages has been received by a DHCP Server, which could potentially be an indication of a DHCP Starvation Attack.
Infoblox-Workbook-V2Workbook📦 SolutionInfoblox NIOS
InfobloxParser📦 SolutionInfoblox NIOS
Infoblox_allotherdhcpdTypesParser📦 SolutionInfoblox NIOS
Infoblox_allotherdnsTypesParser📦 SolutionInfoblox NIOS
Infoblox_allotherlogTypesParser📦 SolutionInfoblox NIOS
Infoblox_dhcpackParser📦 SolutionInfoblox NIOS
Infoblox_dhcpaddedParser📦 SolutionInfoblox NIOS
Infoblox_dhcpbindupdateParser📦 SolutionInfoblox NIOS
Infoblox_dhcpdiscoverParser📦 SolutionInfoblox NIOS
Infoblox_dhcpexpireParser📦 SolutionInfoblox NIOS
Infoblox_dhcpinformParser📦 SolutionInfoblox NIOS
Infoblox_dhcpofferParser📦 SolutionInfoblox NIOS
Infoblox_dhcpoptionParser📦 SolutionInfoblox NIOS
Infoblox_dhcpotherParser📦 SolutionInfoblox NIOS
Infoblox_dhcpreleaseParser📦 SolutionInfoblox NIOS
Infoblox_dhcpremovedParser📦 SolutionInfoblox NIOS
Infoblox_dhcprequestParser📦 SolutionInfoblox NIOS
Infoblox_dhcpsessionParser📦 SolutionInfoblox NIOS
Infoblox_dhcp_consolidatedParser📦 SolutionInfoblox NIOS
Infoblox_dnsclientParser📦 SolutionInfoblox NIOS
Infoblox_dnsgssParser📦 SolutionInfoblox NIOS
Infoblox_dnszoneParser📦 SolutionInfoblox NIOS
Infoblox_dns_consolidatedParser📦 SolutionInfoblox NIOS
Infoblox - SOC Insight Detected - API SourceAnalytic Rule📦 SolutionInfoblox SOC InsightsInfoblox SOC Insight detected in logs sourced via REST API. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsi...
Infoblox - SOC Insight Detected - CDC SourceAnalytic Rule📦 SolutionInfoblox SOC InsightsInfoblox SOC Insight detected in logs sourced via Infoblox CDC. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**Infoblox...
InfobloxSOCInsightsWorkbookWorkbook📦 SolutionInfoblox SOC Insights
Infoblox SOC Get Insight DetailsPlaybook📦 SolutionInfoblox SOC InsightsLeverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight & ingest Insight details into custom InfobloxInsight tables. The tables are used to...
Infoblox SOC Get Open Insights APIPlaybook📦 SolutionInfoblox SOC InsightsLeverages the Infoblox SOC Insights API to ingest all Open/Active SOC Insights at time of run into the custom InfobloxInsight table. This playbook is scheduled to run on a daily basis.
Infoblox SOC Import Indicators TIPlaybook📦 SolutionInfoblox SOC InsightsImports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into the ThreatIntelligenceIndicator table. You must run the Infoblox-SOC-Get-Insight-Details playbook on a...
InfobloxCDC_SOCInsightsParser📦 SolutionInfoblox SOC Insights
InfobloxInsightParser📦 SolutionInfoblox SOC Insights
InfobloxInsightAssetsParser📦 SolutionInfoblox SOC Insights
InfobloxInsightCommentsParser📦 SolutionInfoblox SOC Insights
InfobloxInsightEventsParser📦 SolutionInfoblox SOC Insights
InfobloxInsightIndicatorsParser📦 SolutionInfoblox SOC Insights
Atlassian Beacon AlertAnalytic Rule📦 SolutionIntegration for Atlassian BeaconThe analytic rule creates an incident when an alert is created in Atlassian Beacon. The incident's events contain values such as alert name, alert url, actor name, actor details, workspace id of the ...
Atlassian Beacon IntegrationPlaybook📦 SolutionIntegration for Atlassian BeaconThis Logic App receives a webhook from Atlassian Beacon and ingests the payload into Microsoft Sentinel's log analytics workspace.
[Deprecated] Intel 471 Malware Intelligence to Graph SecurityPlaybook📦 SolutionIntel471This playbook ingests malware indicators from Intel 471's Titan API into Microsoft Graph Security as tiIndicator resource type.
Intel 471 Malware Intelligence to SentinelPlaybook📦 SolutionIntel471This playbook ingests malware indicators from Intel 471's Titan or Verity API into Microsoft Sentinel as tiIndicator resource type.
High Urgency IONIX Action ItemsAnalytic Rule📦 SolutionIONIXThis query creates an alert for active IONIX Action Items with high urgency (9-10). Urgency can be altered using the "min_urgency" variable in the query.
IONIXOverviewWorkbookWorkbook📦 SolutionIONIX
Denial of Service (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect attacks that would prevent the use or proper operation of a DCS system including Denial of Service events.
Excessive Login Attempts (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect excessive login attempts that may indicate improper service configuration, human error, or malicious activity on the network such as a cyber threat atte...
Firmware Updates (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect unauthorized firmware updates that may indicate malicious activity on the network such as a cyber threat that attempts to manipulate PLC firmware to com...
High bandwidth in the network (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect an unusually high bandwidth which may be an indication of a new service/process or malicious activity on the network. An example scenario is a cyber thr...
Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect illegal function codes in SCADA equipment indicating improper application configuration or malicious activity such as using illegal values within a protoco...
No traffic on Sensor Detected (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect that a sensor can no longer detect the network traffic, which indicates that the system is potentially insecure.
PLC unsecure key state (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect PLC operating mode changes indicating the PLC is potentially insecure. If the PLC is compromised, devices that interact with it may be impacted. This ma...
Internet Access (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the networ...
Suspicious malware found in the network (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems.
Multiple scans in the network (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect multiple scans on the network indicating new devices, functionality, application misconfiguration, or malicious reconnaissance activity on the network.
PLC Stop Command (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affe...
Unauthorized device in the network (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect a new device indicating a legitimate device recently installed on the network or an indication of malicious activity such as a cyber threat attempting t...
Unauthorized DHCP configuration in the network (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect an unauthorized DHCP configuration indicating a possible unauthorized device configuration.
Unauthorized PLC changes (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect unauthorized changes to PLC ladder logic code indicating new functionality in the PLC, improper configuration of an application, or malicious activity o...
Unauthorized remote access to the network (Microsoft Defender for IoT)Analytic Rule📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis alert leverages Defender for IoT to detect unauthorized remote access to network devices; if another device on the network is compromised, target devices can be accessed remotely, increasing the ...
IoTOTThreatMonitoringwithDefenderforIoTWorkbook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoT
AD4IoT-AutoAlertStatusSyncPlaybook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThis playbook updates alert statuses in Defender for IoT whenever a related alert in Microsoft Sentinel has a Status update.
AD4IoT-AutoCloseIncidentsPlaybook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTIn some cases, maintenance activities generate alerts in Microsoft Sentinel which distract the SOC team from handling the real problems. This playbook allows you to input the time period in which the mai...
AD4IoT-AutoTriageIncidentPlaybook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTSOC and OT engineers can streamline their workflows using the playbook, which automatically updates the incident severity based on the devices involved in the incident and their importance.
AD4IoT-CVEAutoWorkflowPlaybook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThe playbook automates the SOC workflow by automatically enriching incident comments with the CVEs of the involved devices based on Defender for IoT data. An automated triage is performed if the CVE i...
Get-AD4IoTDeviceCVEs - Incident 🔍Playbook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTFor each IoT device entity included in the alert, this playbook will get CVEs from the Azure Defender for IoT Sensor.
AD4IoT-MailByProductionLinePlaybook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThe following playbook will send mail to notify specific stakeholders. One example can be in the case of a specific security team per product line or per physical location. This playbook requires a wat...
AD4IoT-NewAssetServiceNowTicketPlaybook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTNormally, the authorized entity to program a PLC is the Engineering Workstation; to program a PLC, attackers might create a new Engineering Workstation to create malicious programming. The following pla...
AD4IoT-SendEmailtoIoTOwnerPlaybook📦 SolutionIoTOTThreatMonitoringwithDefenderforIoTThe playbook automates the SOC workflow by automatically emailing the incident details to the right IoT/OT device owner (based on the Defender for IoT definition) and allowing them to respond by email. The...
Enrich-Sentinel-IPQualityScore-Email-Address-ReputationPlaybook📦 SolutionIPQualityScoreThis playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Email Addresses found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical,...
Enrich-Sentinel-IPQualityScore-IP-Address-ReputationPlaybook📦 SolutionIPQualityScoreThis playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich IP Addresses found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical, Hi...
Enrich-Sentinel-IPQualityScore-Phone-Number-ReputationPlaybook📦 SolutionIPQualityScoreThis playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Phone Numbers found in the Sentinel incidents. This Playbook Template provides the Reputation such as **High Risk, ...
Enrich-Sentinel-IPQualityScore-URL-ReputationPlaybook📦 SolutionIPQualityScoreThis playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich URL's found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical, High Risk...
Enrich_Sentinel_IPQualityScore_Domain_ReputationPlaybook📦 SolutionIPQualityScoreThis playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Domain's found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical, High R...
Create Incidents from IronDefenseAnalytic Rule📦 SolutionIronNet IronDefenseCreates incidents based on behavioral detections from IronDefense.
IronDefenseAlertDashboardWorkbook📦 SolutionIronNet IronDefense
IronDefenseAlertDetailsWorkbook📦 SolutionIronNet IronDefense
IronNet_UpdateIronDefenseAlerts 🔍Playbook📦 SolutionIronNet IronDefenseauthor: IronNet
IronNet_UpdateSentinelIncidents 🔍Playbook📦 SolutionIronNet IronDefenseauthor: IronNet
IronNet_Validate_IronNet_API 🔍Playbook📦 SolutionIronNet IronDefenseauthor: IronNet
ISCBindParser📦 SolutionISC Bind
IslandAdminAuditOverviewWorkbook📦 SolutionIsland
IslandUserActivityOverviewWorkbook📦 SolutionIsland
IvantiUEMEventParser📦 SolutionIvanti Unified Endpoint Management
Jamf Protect - AlertsAnalytic Rule📦 SolutionJamf ProtectCreates an incident based on Jamf Protect Alert data in Microsoft Sentinel
Jamf Protect - Network ThreatsAnalytic Rule📦 SolutionJamf ProtectCreates an incident based based on Jamf Protect's Network Threat Event Stream alerts.
Jamf Protect - Unified LogsAnalytic Rule📦 SolutionJamf ProtectCreates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel
JamfProtectDashboardWorkbook📦 SolutionJamf Protect
Jamf Protect - Set Alert to In ProgressPlaybook📦 SolutionJamf ProtectThis Jamf Protect Playbook can be used manually or in a Automation Rule to change the state of the Alert in Jamf Protect itself, in an automated way you can mirror the state from a Microsoft Sentinel ...
Jamf Protect - Set Alert to ResolvedPlaybook📦 SolutionJamf ProtectThis Jamf Protect Playbook can be used manually or in a Automation Rule to change the state of the Alert in Jamf Protect itself, in an automated way you can mirror the state from a Microsoft Sentinel ...
Jamf Protect - Remote lock computer with Jamf ProPlaybook📦 SolutionJamf ProtectThis Playbook can be used manually or in a Automation Rule to send an remote MDM command with Jamf Pro to lock the computer with an randomised 6 digit passcode.
JamfProtectAlertsParser📦 SolutionJamf Protect
JamfProtectNetworkTrafficParser📦 SolutionJamf Protect
JamfProtectTelemetryParser📦 SolutionJamf Protect
JamfProtectThreatEventsParser📦 SolutionJamf Protect
JamfProtectUnifiedLogsParser📦 SolutionJamf Protect
JBossEventParser📦 SolutionJBoss
JoeSandbox File AnalyisPlaybook📦 SolutionJoeSandboxSubmits a attachment or set of attachment associated with an office 365 email to JoeSandbox for Analyis.
JoeSandbox URL AnalyisPlaybook📦 SolutionJoeSandboxSubmits a url or set of urls associated with an incident to JoeSandbox for Analyis.
Joshua Import To SentinelPlaybook📦 SolutionJoshua-CyberiskvisionJoshua Cyberiskvision provides two main use cases: Get Indicators and Alert Enrichment.
Joshua Indicators Processor DOMAINPlaybook📦 SolutionJoshua-CyberiskvisionJoshua Cyberiskvision provides two main use cases: Get Indicators and Alert Enrichment.
Joshua Indicators Processor EMAILPlaybook📦 SolutionJoshua-CyberiskvisionJoshua Cyberiskvision provides two main use cases: Get Indicators and Alert Enrichment.
Joshua Indicators Processor FILEPlaybook📦 SolutionJoshua-CyberiskvisionJoshua Cyberiskvision provides two main use cases: Get Indicators and Alert Enrichment.
Joshua Indicators Processor IPPlaybook📦 SolutionJoshua-CyberiskvisionJoshua Cyberiskvision provides two main use cases: Get Indicators and Alert Enrichment.
Joshua Indicators Processor URLPlaybook📦 SolutionJoshua-CyberiskvisionJoshua Cyberiskvision provides two main use cases: Get Indicators and Alert Enrichment.
Joshua Intel Enrichment FilePlaybook📦 SolutionJoshua-CyberiskvisionThese playbooks use the Joshua Cyberiskvision threat intelligence to automatically enrich incidents generated by Microsoft Sentinel. From the analyst perspective, it is important that the alert contai...
Joshua Intel Enrichment IPPlaybook📦 SolutionJoshua-CyberiskvisionThese playbooks use the Joshua Cyberiskvision threat intelligence to automatically enrich incidents generated by Microsoft Sentinel. From the analyst perspective, it is important that the alert contai...
Joshua Intel Enrichment URLPlaybook📦 SolutionJoshua-CyberiskvisionThese playbooks use the Joshua Cyberiskvision threat intelligence to automatically enrich incidents generated by Microsoft Sentinel. From the analyst perspective, it is important that the alert contai...
JuniperSRXParser📦 SolutionJuniper SRX
JuniperIDPParser📦 SolutionJuniperIDP
Keeper Security - Password ChangedAnalytic Rule📦 SolutionKeeper SecurityCreates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel
Keeper Security - User MFA ChangedAnalytic Rule📦 SolutionKeeper SecurityCreates an informational incident based on Keeper Security User MFA Changed data in Microsoft Sentinel
KeeperSecurityDashboardWorkbook📦 SolutionKeeper Security
KnowBe4 Defend - Dangerous Attachment DetectedAnalytic Rule📦 SolutionKnowBe4 DefendDefend has detected a user has a suspicious file type from a suspicious sender in their mailbox.
KnowBe4 Defend - Dangerous Link ClickAnalytic Rule📦 SolutionKnowBe4 DefendDefend has detected a user has clicked a dangerous link in their mailbox.
Dangerous emails with links clickedHunting Query📦 SolutionKnowBe4 DefendThis will check for emails that Defend has identified as dangerous and a user has clicked a link.
KnowBe4DefendMetricsWorkbook📦 SolutionKnowBe4 Defend
DefendAuditDataParser📦 SolutionKnowBe4 Defend
AdvancedKQLWorkbook📦 SolutionKQL Training
IntrotoKQLWorkbook📦 SolutionKQL Training
Employee account deletedAnalytic Rule📦 SolutionLastpass Enterprise Activity MonitoringThis rule will monitor for any employee accounts being deleted. Deleting an employee account can have a big potential impact as all of the data for that user will be removed.
Failed sign-ins into LastPass due to MFAAnalytic Rule📦 SolutionLastpass Enterprise Activity MonitoringThis rule will check if a sign-in failed into LastPass due to MFA. An incident can indicate the potential brute forcing of a LastPass account. The use of MFA is identified by combining the sign-in lo...
Highly Sensitive Password AccessedAnalytic Rule📦 SolutionLastpass Enterprise Activity MonitoringThis rule will monitor access to highly sensitive passwords. Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged applicatio...
TI map IP entity to LastPass dataAnalytic Rule📦 SolutionLastpass Enterprise Activity MonitoringIdentifies a match in LastPass table from any IP IOC from TI
Unusual Volume of Password Updated or RemovedAnalytic Rule📦 SolutionLastpass Enterprise Activity MonitoringThis rule will check if there is an unnormal activity of sites that are deleted or changed per user. The normal amount of actions is calculated based on the previous 14 days of activity. If there is ...
Failed sign-ins into LastPass due to MFA.Hunting Query📦 SolutionLastpass Enterprise Activity MonitoringThis will check for sign-ins into LastPass which are not confirmed using MFA based on the Sign-in Logs
Login into LastPass from a previously unknown IP.Hunting Query📦 SolutionLastpass Enterprise Activity MonitoringThis query will check how many activity there is in LastPass from IPs that are not seen before in the Sign-in Logs
Password moved to shared foldersHunting Query📦 SolutionLastpass Enterprise Activity MonitoringThis query will check for data that is shared in the LastPass environment.
LastPassWorkbookWorkbook📦 SolutionLastpass Enterprise Activity Monitoring
HighlySensitivePasswordsWatchlist📦 SolutionLastpass Enterprise Activity Monitoring
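The LastPass "Unusual Volume of Password Updated or Removed" rule above compares each user's activity today against a baseline built from the previous 14 days. In Sentinel that logic is a KQL analytic rule; the Python below is an added example, not the solution's own code, that models the same per-user baseline over a constructed event feed. The action names, the 3-sigma test and the absolute floor of 10 events are this example's assumptions.

```python
"""Per-user 14-day baseline for LastPass site deletes/changes (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

BASELINE_DAYS = 14   # the catalog rule baselines on the previous 14 days
SIGMA = 3.0          # assumption: flag when today exceeds mean + 3 standard deviations
MIN_EVENTS = 10      # assumption: absolute floor so 1 -> 3 events never alerts

# Actions that count as "password updated or removed" (assumed names; the real
# LastPass event names are not shown on this page).
VOLUME_ACTIONS = frozenset({"SiteDeleted", "SiteChanged"})

NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)


def build_sample_events(now=NOW):
    """Constructed sample feed: (timestamp, user, action) tuples."""
    events = []
    for d in range(1, BASELINE_DAYS + 1):
        day = now - timedelta(days=d)
        events += [(day, "alice", "SiteDeleted")] * 2   # steady 2/day
        events += [(day, "bob", "SiteChanged")]          # steady 1/day
    events += [(now, "alice", "SiteDeleted")] * 2        # alice: normal day
    events += [(now, "bob", "SiteDeleted")] * 40         # bob: mass deletion
    events += [(now, "carol", "SiteDeleted")] * 3        # carol: no history, tiny volume
    events += [(now, "bob", "Login")]                    # not a volume action
    return events


def daily_counts(events, actions=VOLUME_ACTIONS):
    """user -> {date -> number of qualifying actions}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, action in events:
        if action in actions:
            counts[user][ts.date()] += 1
    return counts


def unusual_volume(events, now=NOW, baseline_days=BASELINE_DAYS,
                   sigma=SIGMA, min_events=MIN_EVENTS):
    """Return {user: stats} for users whose count today beats their baseline.

    Quiet days are zero-filled so a user with sparse history still gets a
    meaningful mean/stdev; min_events stops near-zero baselines alerting on
    trivial counts.
    """
    counts = daily_counts(events)
    today = now.date()
    window = [(now - timedelta(days=d)).date() for d in range(1, baseline_days + 1)]
    flagged = {}
    for user, per_day in counts.items():
        history = [per_day.get(day, 0) for day in window]
        mu, sd = mean(history), pstdev(history)
        threshold = max(min_events, mu + sigma * sd)
        today_n = per_day.get(today, 0)
        if today_n > threshold:
            flagged[user] = {"today": today_n, "baseline_mean": mu,
                             "baseline_stdev": sd, "threshold": threshold}
    return flagged


if __name__ == "__main__":
    for user, stats in unusual_volume(build_sample_events()).items():
        print(f"{user}: {stats['today']} today vs threshold {stats['threshold']:.1f}")
```

Only `bob` is flagged: a flat history of one change per day gives a standard deviation of zero, so the floor of 10 events is what sets his threshold, and 40 deletions clears it. `carol`, who has no history at all, is deliberately not flagged by this rule; a user with no baseline is a separate case (new account, or data gap) and deserves its own check rather than a guessed threshold.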
| Name | Type | Solution | Description |
|---|---|---|---|
| Dev-0056 Command Line Activity November 2021 | Hunting Query | Legacy IOC based Threat Protection | This hunting query looks for process command line activity related to activity observed by Dev-0056. The command lines this query hunts for are used as part of the threat actor's post-exploitation acti... |
| Dev-0322 Command Line Activity November 2021 (ASIM Version) | Hunting Query | Legacy IOC based Threat Protection | This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with highe... |
| Dev-0322 Command Line Activity November 2021 | Hunting Query | Legacy IOC based Threat Protection | This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with highe... |
| Dev-0322 File Drop Activity November 2021 (ASIM Version) | Hunting Query | Legacy IOC based Threat Protection | This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with hi... |
| Dev-0322 File Drop Activity November 2021 | Hunting Query | Legacy IOC based Threat Protection | This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with hi... |
| Retrospective hunt for Forest Blizzard IP IOCs | Hunting Query | Legacy IOC based Threat Protection | Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped to the time window in which these IOCs were active. |
| Connection from external IP to OMI related Ports | Hunting Query | Legacy IOC based Threat Protection | This query detects attempts to exploit the OMI vulnerability (CVE-2021-38647) by identifying external IP connections to management ports (5985, 5986, 1270). It uses the imNetworkSession schema and other log... |
| Nylon Typhoon Command Line Activity November 2021 | Hunting Query | Legacy IOC based Threat Protection | This query hunts for Nylon Typhoon-related activity, specifically data collection and staging. It looks for use of tools like xcopy and renamed archiving tools on hosts with observed signatures. |
| Known Nylon Typhoon Registry modifications patterns | Hunting Query | Legacy IOC based Threat Protection | This query identifies instances where malware attributed to the Nylon Typhoon threat actor intentionally configures browser settings for its own use by modifying the following registry entries. |
| SolarWinds Inventory | Hunting Query | Legacy IOC based Threat Protection | Beyond your internal software management systems, you may not have visibility into your entire footprint of SolarWinds installations. This query helps discover any systems that have Sol... |
| Lookout - Critical Audit and Policy Changes (v2) | Analytic Rule | Lookout | Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative ac... |
| Lookout - Device Compliance and Security Status Changes (v2) | Analytic Rule | Lookout | Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and... |
| Lookout - Critical Smishing and Phishing Alerts (v2) | Analytic Rule | Lookout | Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, ... |
| Lookout - New Threat events found. | Analytic Rule | Lookout | Created to detect new threat events from data recently synced by the Lookout solution. |
| Lookout - High Severity Mobile Threats Detected (v2) | Analytic Rule | Lookout | Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat... |
| Lookout Advanced Threat Hunting - Multi-Vector Attacks | Hunting Query | Lookout | Identifies devices experiencing multiple threat types within a short timeframe, indicating coordinated attacks. |
| LookoutEvents | Workbook | Lookout | |
| LookoutEventsV2 | Workbook | Lookout | |
| LookoutExecutiveDashboard | Workbook | Lookout | |
| LookoutIOAInvestigationDashboard | Workbook | Lookout | |
| LookoutSecurityInvestigationDashboard | Workbook | Lookout | |
| LookoutEvents | Parser | Lookout | |
| LookoutCSActivities | Parser | Lookout Cloud Security Platform for Microsoft Sentinel | |
| LookoutCSAnomalies | Parser | Lookout Cloud Security Platform for Microsoft Sentinel | |
| LookoutCSViolations | Parser | Lookout Cloud Security Platform for Microsoft Sentinel | |
| Lumen TI domain in DnsEvents | Analytic Rule | Lumen Defender Threat Feed | This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents. |
| Lumen TI IPAddress in CommonSecurityLog | Analytic Rule | Lumen Defender Threat Feed | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in CommonSecurityLog. |
| Lumen TI IPAddress in DeviceEvents | Analytic Rule | Lumen Defender Threat Feed | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceEvents. |
| Lumen TI IPAddress in IdentityLogonEvents | Analytic Rule | Lumen Defender Threat Feed | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Azure AD sign-in logs. |
| Lumen TI IPAddress in OfficeActivity | Analytic Rule | Lumen Defender Threat Feed | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity. |
| Lumen TI IPAddress in SecurityEvents | Analytic Rule | Lumen Defender Threat Feed | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityEvents. |
| Lumen TI IPAddress in SigninLogs | Analytic Rule | Lumen Defender Threat Feed | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SigninLogs. |
| Lumen TI IPAddress in WindowsEvents | Analytic Rule | Lumen Defender Threat Feed | This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in WindowsEvents. |
| Lumen TI IPAddress indicator in CommonSecurityLog | Hunting Query | Lumen Defender Threat Feed | This query searches for matches between Lumen threat intelligence IPAddress indicators and security log events. |
| Lumen-Threat-Feed-Overview | Workbook | Lumen Defender Threat Feed | |
| MailGuard 365 - High Confidence Threats 🔍 | Hunting Query | MailGuard 365 | Query searches for high confidence threats stopped by MailGuard 365. |
| MailGuard 365 - Malware Threats 🔍 | Hunting Query | MailGuard 365 | Query searches for malware threats stopped by MailGuard 365. |
| MailGuard 365 - Phishing Threats 🔍 | Hunting Query | MailGuard 365 | Query searches for phishing threats stopped by MailGuard 365. |
| MailGuard365Dashboard 🔍 | Workbook | MailGuard 365 | |
| Detect Malicious Usage of Recovery Tools to Delete Backup Files | Analytic Rule | Malware Protection Essentials | This analytic rule detects usage of the recovery tools vssadmin, wbadmin, wmic and bcdedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies a... |
| Detect Print Processors Registry Driver Key Creation/Modification | Analytic Rule | Malware Protection Essentials | This analytic rule detects any registry value creation or modification of the print processor registry Driver key. This will load the executable at startup with the print spooler service. This could be an ind... |
| Detect Registry Run Key Creation/Modification | Analytic Rule | Malware Protection Essentials | This analytic rule detects any registry value or key creation in the registry Run keys. This could be an indication of a persistence attempt by an adversary. |
| Process Creation with Suspicious CommandLine Arguments | Analytic Rule | Malware Protection Essentials | This analytic rule detects process creation events with base64-encoded command line arguments. This could be an indication of a malicious process being executed. |
| Detect Windows Allow Firewall Rule Addition/Modification | Analytic Rule | Malware Protection Essentials | This analytic rule detects any registry value creation or modification of Windows Firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to all... |
| Detect Windows Update Disabled from Registry | Analytic Rule | Malware Protection Essentials | This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a co... |
| Executable Files Created in Uncommon Locations | Hunting Query | Malware Protection Essentials | This hunting query detects any executable file creation in uncommon locations such as temporary folders. This could be an indication of a persistence or defense evasion attempt by an adversary. |
| Detect File Creation in Startup Folder | Hunting Query | Malware Protection Essentials | This hunting query detects when a file is created in the Startup folder. This is a common technique used by adversaries to maintain persistence on a system. |
| Detect Files with Ramsomware Extensions | Hunting Query | Malware Protection Essentials | This hunting query identifies creation of files with ransomware extensions. Ransomware file extensions are defined in a watchlist named RansomwareFileExtensions. |
| Detect New Scheduled Task Creation that Run Executables From Non-Standard Location | Hunting Query | Malware Protection Essentials | This hunting query identifies new scheduled tasks created to run executables from uncommon locations such as temp folders. Malware often creates scheduled tasks to execute malicious code and maintain pers... |
| Detect New Scheduled Task Entry Creations | Hunting Query | Malware Protection Essentials | This hunting query identifies new scheduled task entry creations. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system. |
| Detect Modification to System Files or Directories by User Accounts | Hunting Query | Malware Protection Essentials | This hunting query searches for modifications to system files or directories by a non-system account (user account). |
| MalwareProtectionEssentialsWorkbook | Workbook | Malware Protection Essentials | |
| RansomwareFileExtensions | Watchlist | Malware Protection Essentials | |
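Three of the Malware Protection Essentials rows above describe checks on process-creation telemetry: abuse of the recovery tools vssadmin, wbadmin, wmic and bcdedit; base64-encoded command line arguments; and scheduled tasks whose action lives in a non-standard directory. In Sentinel these ship as KQL analytic rules and hunting queries; the Python below is an added example, not the solution's own code, that runs equivalent logic over constructed process-creation events. The exact command patterns, the list of uncommon directories and the sample hosts are this example's assumptions.

```python
"""Host-based detections over constructed process-creation events (added example)."""
import base64
import binascii
import re

# Recovery-tool abuse, as named in "Detect Malicious Usage of Recovery Tools";
# the specific argument patterns below are this example's, not the rule's.
BACKUP_TAMPERING = [
    ("vssadmin", re.compile(r"(?i)\bvssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)")),
    ("wmic", re.compile(r"(?i)\bwmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("wbadmin", re.compile(r"(?i)\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)")),
    ("bcdedit", re.compile(r"(?i)\bbcdedit(?:\.exe)?\b.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers the
# common spellings (-e, -ec, -enc, -encoded, -encodedcommand) followed by base64.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:n?c(?:odedcommand)?|ncoded)?\s+([A-Za-z0-9+/]{16,}={0,2})")

SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(?:\.exe)?\s+/create\b.*?/tr\s+\"?([^\"\s]+)")
UNCOMMON_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\", "\\appdata\\")


def detect_backup_tampering(cmdline):
    """Name of the abused recovery tool, or None."""
    for tool, pattern in BACKUP_TAMPERING:
        if pattern.search(cmdline):
            return tool
    return None


def detect_encoded_cmdline(cmdline):
    """(token, decoded script or None) for an -EncodedCommand argument, else None.

    PowerShell expects the payload to be UTF-16LE; a token that does not decode
    is still returned so it can be flagged, just without the decoded text.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    token = m.group(1)
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-16le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        decoded = None
    return token, decoded


def detect_suspicious_task(cmdline):
    """Path of a scheduled task action living in an uncommon directory, or None."""
    m = SCHTASKS_CREATE.search(cmdline)
    if not m:
        return None
    path = m.group(1)
    return path if any(d in path.lower() for d in UNCOMMON_DIRS) else None


def run_detections(events):
    """Apply all three detectors to each event; returns a list of findings."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if tool := detect_backup_tampering(cmd):
            findings.append({"rule": "RecoveryToolAbuse", "host": ev["host"], "detail": tool})
        if hit := detect_encoded_cmdline(cmd):
            token, decoded = hit
            findings.append({"rule": "EncodedCommandLine", "host": ev["host"],
                             "detail": decoded if decoded is not None else token})
        if path := detect_suspicious_task(cmd):
            findings.append({"rule": "TaskFromUncommonPath", "host": ev["host"], "detail": path})
    return findings


def build_sample_events():
    """Constructed events (hypothetical hosts and command lines, not real telemetry)."""
    encoded = base64.b64encode("Write-Host hi".encode("utf-16le")).decode("ascii")
    return [
        {"host": "ws01", "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
        {"host": "ws01", "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {encoded}"},
        {"host": "ws02", "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\Users\Public\svc.exe" /sc minute /mo 5'},
        {"host": "ws03", "cmdline": r"C:\Windows\System32\vssadmin.exe list shadows"},                   # benign
        {"host": "ws03", "cmdline": r"bcdedit.exe /enum"},                                             # benign
        {"host": "ws03", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\a.ps1"},  # benign
    ]


if __name__ == "__main__":
    for f in run_detections(build_sample_events()):
        print(f"{f['host']}: {f['rule']} -> {f['detail']}")
```

The benign rows matter as much as the hits: `vssadmin list shadows` and `bcdedit /enum` are routine administration, so the patterns key on the destructive verbs rather than the tool name alone, and `-ExecutionPolicy` is not mistaken for an `-e` prefix. Decoding the encoded payload hands the analyst the script itself instead of an opaque blob.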
MarkLogicAuditParser📦 SolutionMarkLogicAudit
M2131_AssetStoppedLoggingAnalytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is designed to monitor assets within the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a monitored asset fails to provide a heartbeat within 24 hours.
M2131_DataConnectorAddedChangedRemovedAnalytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is designed to monitor data connector configurations. This alert is triggered when a data connector is added, updated, or deleted.
M2131_EventLogManagementPostureChanged_EL0Analytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is desinged to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL0 policy compliance falls below 70% within a 1 w...
M2131_EventLogManagementPostureChanged_EL1Analytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is desinged to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL1 policy compliance falls below 70% within a 1 w...
M2131_EventLogManagementPostureChanged_EL2Analytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is desinged to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL2 policy compliance falls below 70% within a 1 w...
M2131_EventLogManagementPostureChanged_EL3Analytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is desinged to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL3 policy compliance falls below 70% within a 1 w...
M2131_LogRetentionLessThan1YearAnalytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is designed to monitor log retention within the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a log analytics workspace in active storage is configured...
M2131_RecommendedDatatableUnhealthyAnalytic Rule📦 SolutionMaturityModelForEventLogManagementM2131This alert is designed to monitor recommended data tables aligned to the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a recommended data table hasn't been observ...
M2131_RecommendedDatatableNotLogged_EL0Hunting Query📦 SolutionMaturityModelForEventLogManagementM2131This alert audits your logging architecture for recommended data tables aligned to Event Logging (EL0) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recomm...
M2131_RecommendedDatatableNotLogged_EL1Hunting Query📦 SolutionMaturityModelForEventLogManagementM2131This alert audits your logging architecture for recommended data tables aligned to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when ...
M2131_RecommendedDatatableNotLogged_EL2Hunting Query📦 SolutionMaturityModelForEventLogManagementM2131This alert audits your logging architecture for recommended data tables aligned to Intermediate Event Logging (EL2) of the Maturity Model for Event Log Management (M-21-31) standard. The alert trigger...
M2131_RecommendedDatatableNotLogged_EL3Hunting Query📦 SolutionMaturityModelForEventLogManagementM2131This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers wh...
MaturityModelForEventLogManagement_M2131Workbook📦 SolutionMaturityModelForEventLogManagementM2131
Notify-LogManagementTeamPlaybook📦 SolutionMaturityModelForEventLogManagementM2131This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When analytics rules trigger this automation notifies the log m...
Create-AzureDevOpsTaskPlaybook📦 SolutionMaturityModelForEventLogManagementM2131This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.
Create Jira IssuePlaybook📦 SolutionMaturityModelForEventLogManagementM2131This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.
McAfee ePO - Agent Handler downAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when AgentHandler is down.
McAfee ePO - Error sending alertAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when error sending alert occurs.
McAfee ePO - Attempt uninstall McAfee agentAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects attempts uninstalling McAfee agent on host.
McAfee ePO - Deployment failedAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when errors occur during deployment new changes/policies.
McAfee ePO - File added to exceptionsAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when file was added to exception list on a host.
McAfee ePO - Firewall disabledAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when firewall was disabled from Mctray.
McAfee ePO - Logging error occurredAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when logging errors on agent.
McAfee ePO - Multiple threats on same hostAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorRule fires when multiple threat events were detected on the same host.
McAfee ePO - Scanning engine disabledAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when OAS scanning engine was disabled.
McAfee ePO - Spam Email detectedAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when email was marked as spam.
McAfee ePO - Task errorAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when task error occurs.
McAfee ePO - Threat was not blockedAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when a threat was not blocked on a host.
McAfee ePO - Unable to clean or delete infected fileAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when McAfee failed to clean or delete infected file.
McAfee ePO - Update failedAnalytic Rule📦 SolutionMcAfee ePolicy OrchestratorDetects when update failed event occurs on agent.
McAfee ePO - Agent ErrorsHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for error events from McAfee agents.
McAfee ePO - Applications blocked or containedHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for blocked or contained applications.
McAfee ePO - Email TreatsHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for email related threat events.
McAfee ePO - Infected files by sourceHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for infected files which were detected.
McAfee ePO - Infected SystemsHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for infected systems based on scan results.
McAfee ePO - Long term infected systemsHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for infected systems which were not cleaned for long term.
McAfee ePO - Sources with multiple threatsHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for sources with several different threats.
McAfee ePO - Objects not scannedHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for unscanned objects.
McAfee ePO - Scan ErrorsHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for scan error events.
McAfee ePO - Threats detected and not blocked, cleaned or deletedHunting Query📦 SolutionMcAfee ePolicy OrchestratorQuery searches for events where threats were detected and not blocked, cleaned or deleted.
McAfeeePOOverviewWorkbook📦 SolutionMcAfee ePolicy Orchestrator
McAfeeEPOEventParser📦 SolutionMcAfee ePolicy Orchestrator
McAfeeNSPEventParser📦 SolutionMcAfee Network Security Platform
Exchange AuditLog DisabledAnalytic Rule📦 SolutionMicrosoft 365Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.
Accessed files shared by temporary external userAnalytic Rule📦 SolutionMicrosoft 365This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This migh...
External user added and removed in short timeframeAnalytic Rule📦 SolutionMicrosoft 365This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.
Possible Forest Blizzard attempted credential harvesting - Sept 2020 🔍Analytic Rule📦 SolutionMicrosoft 365This analytic rule is retired because IoCs are outdated. It is recommended to use Microsoft Entra ID Solution's Analytic rules instead to detect credential harvesting attempts.
Exchange workflow MailItemsAccessed operation anomalyAnalytic Rule📦 SolutionMicrosoft 365Identifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increas...
Mail redirect via ExO transport ruleAnalytic Rule📦 SolutionMicrosoft 365Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.
Malicious Inbox RuleAnalytic Rule📦 SolutionMicrosoft 365Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've be...
Multiple Teams deleted by a single userAnalytic Rule📦 SolutionMicrosoft 365This detection flags the occurrences of deleting multiple teams within an hour. This data is a part of Office 365 Connector in Microsoft Sentinel.
Multiple users email forwarded to same destinationAnalytic Rule📦 SolutionMicrosoft 365Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from mu...
Office Policy Tampering | Analytic Rule | 📦 Solution | Microsoft 365 | Identifies tampering with the audit log or with ATP Safe Links, Safe Attachments, Anti-Phish or DLP policies. An adversary may use this technique to evade detection or avoid other policy-based defen...
New executable via Office FileUploaded Operation | Analytic Rule | 📦 Solution | Microsoft 365 | Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive. The list currently includes the 'exe', 'inf', 'gzip', 'cmd' and 'bat' file extensions. Additionally, identif...
Rare and potentially high-risk Office operations | Analytic Rule | 📦 Solution | Microsoft 365 | Identifies Office operations that are typically rare and can provide capabilities useful to attackers.
SharePointFileOperation via previously unseen IPs | Analytic Rule | 📦 Solution | Microsoft 365 | Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compare...
SharePointFileOperation via devices with previously unseen user agents | Analytic Rule | 📦 Solution | Microsoft 365 | Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25).
Office365 Sharepoint File transfer above threshold | Analytic Rule | 📦 Solution | Microsoft 365 | Identifies Office 365 SharePoint file transfers above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array...
Office365 Sharepoint File transfer Folders above threshold | Analytic Rule | 📦 Solution | Microsoft 365 | Identifies Office 365 SharePoint file transfers with a distinct folder count above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is...
Anomalous access to other users' mailboxes | Hunting Query | 📦 Solution | Microsoft 365 | Looks for users accessing multiple other users' mailboxes or accessing multiple folders in another user's mailbox.
Exes with double file extension and access summary | Hunting Query | 📦 Solution | Microsoft 365 | Provides a summary of executable files with double file extensions in SharePoint and the users and IP addresses that have accessed them.
External user added and removed in a short timeframe | Hunting Query | 📦 Solution | Microsoft 365 | This hunting query identifies external user accounts that are added to a Team and then removed within one hour.
External user from a new organisation added to Teams | Hunting Query | 📦 Solution | Microsoft 365 | This query identifies external users added to Teams where the user's domain is not one previously seen in Teams data.
Mail redirect via ExO transport rule | Hunting Query | 📦 Solution | Microsoft 365 | Identifies when an Exchange Online transport rule is configured to forward emails. This could be an adversary-controlled mailbox configured to collect mail from multiple user accounts.
Multiple Teams deleted by a single user | Hunting Query | 📦 Solution | Microsoft 365 | This hunting query identifies where multiple Teams have been deleted by a single user in a short timeframe.
Multiple users email forwarded to same destination | Hunting Query | 📦 Solution | Microsoft 365 | Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from mu...
Bots added to multiple teams | Hunting Query | 📦 Solution | Microsoft 365 | This hunting query helps identify bots added to multiple Teams in a short space of time.
User made Owner of multiple teams | Hunting Query | 📦 Solution | Microsoft 365 | This hunting query identifies users who have been made Owner of multiple Teams.
Previously unseen bot or application added to Teams | Hunting Query | 📦 Solution | Microsoft 365 | This hunting query helps identify new, and potentially unapproved, applications or bots being added to Teams.
New Admin account activity seen which was not seen historically | Hunting Query | 📦 Solution | Microsoft 365 | This helps discover new admin account activity that was not seen historically. Any new accounts seen in the results can be validated and investigated for suspicious acti...
SharePointFileOperation via previously unseen IPs | Hunting Query | 📦 Solution | Microsoft 365 | Shows SharePoint upload/download volume by IPs with high-risk ASNs. New IPs with volume spikes may be unauthorized and exfiltrating documents.
SharePointFileOperation via devices with previously unseen user agents | Hunting Query | 📦 Solution | Microsoft 365 | Tracking via user agent is one way to differentiate between types of connecting device. In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusua...
New Windows Reserved Filenames staged on Office file services | Hunting Query | 📦 Solution | Microsoft 365 | This identifies new Windows Reserved Filenames on Office services like SharePoint and OneDrive in the past 7 days. It also detects when a user uploads these files to another user's workspace, which ma...
Non-owner mailbox login activity | Hunting Query | 📦 Solution | Microsoft 365 | Finds non-owner mailbox access via admin or delegate permissions. Whitelist valid users and check the others for unauthorized access.
Office Mail Forwarding - Hunting Version | Hunting Query | 📦 Solution | Microsoft 365 | Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail i...
PowerShell or non-browser mailbox login activity | Hunting Query | 📦 Solution | Microsoft 365 | Detects mailbox login from Exchange PowerShell. All accounts can use it by default, but admins can change that. Whitelist benign activities.
SharePointFileOperation via clientIP with previously unseen user agents | Hunting Query | 📦 Solution | Microsoft 365 | New user agents associated with a client IP for SharePoint file uploads/downloads.
Files uploaded to teams and access summary | Hunting Query | 📦 Solution | Microsoft 365 | This hunting query identifies files uploaded to SharePoint via a Teams chat and summarizes the users and IP addresses that have accessed these files. This allows for identification of anomalous file sh...
User added to Teams and immediately uploads file | Hunting Query | 📦 Solution | Microsoft 365 | This hunting query identifies users who are added to a Teams channel or Teams chat and, within 1 minute of being added, upload a file via the chat. This might be an indicator of suspicious activity.
Windows Reserved Filenames staged on Office file services | Hunting Query | 📦 Solution | Microsoft 365 | This identifies Windows Reserved Filenames on Office services like SharePoint and OneDrive. It also detects when a user uploads these files to another user's workspace, which may indicate malicious ac...
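The executable-upload rule, the double-extension hunting query and the two Windows Reserved Filenames queries above all pivot on the file name recorded with SharePoint and OneDrive upload events. The KQL below is an added example for this page, not one of the catalog's queries; it assumes the OfficeActivity table the Office 365 connector populates, and the extension list, the reserved-name list and the own-OneDrive heuristic on Site_Url are choices made here, not something the catalog specifies.

```kusto
// Added example, not a query shipped in the catalog. Assumes the OfficeActivity
// table written by the Office 365 connector (SharePoint and OneDrive workloads).
// The extension list and the "own OneDrive" heuristic are choices made here.
let lookback = 7d;
let exec_ext = dynamic(["exe", "dll", "scr", "cmd", "bat", "ps1", "vbs", "vbe", "js", "jse",
                        "hta", "msi", "lnk", "inf", "cpl", "gzip"]);
// device names Windows refuses to create as files, with or without an extension
let reserved = dynamic(["con", "prn", "aux", "nul",
                        "com1", "com2", "com3", "com4", "com5", "com6", "com7", "com8", "com9",
                        "lpt1", "lpt2", "lpt3", "lpt4", "lpt5", "lpt6", "lpt7", "lpt8", "lpt9"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload in~ ("SharePoint", "OneDrive")
| where Operation in~ ("FileUploaded", "FileSyncUploadedFull", "FileModified")
| extend FileNameLower = tolower(SourceFileName), Ext = tolower(SourceFileExtension)
| extend BaseName = tostring(split(FileNameLower, ".")[0])
| extend IsReservedName    = BaseName in (reserved),
         IsExecutable      = Ext in (exec_ext),
         // e.g. invoice.pdf.exe: an innocuous-looking extension in front of an executable one
         IsDoubleExtension = Ext in (exec_ext) and FileNameLower matches regex @"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$"
| where IsReservedName or IsExecutable or IsDoubleExtension
// heuristic: a OneDrive personal site URL normally embeds the owner's UPN, so an upload
// into a OneDrive whose URL lacks the uploader's alias is a cross-user staging event
| extend UploaderAlias = tostring(split(tolower(UserId), "@")[0])
| extend IntoOtherUsersSpace = OfficeWorkload =~ "OneDrive" and tolower(Site_Url) !contains UploaderAlias
| summarize Uploads = count(), Files = make_set(SourceRelativeUrl, 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            ClientIPs = make_set(ClientIP, 10)
  by UserId, Site_Url, IsReservedName, IsExecutable, IsDoubleExtension, IntoOtherUsersSpace
| order by IntoOtherUsersSpace desc, IsDoubleExtension desc, Uploads desc
```

Windows itself refuses to create files named CON, NUL, COM1 and so on, so their presence on SharePoint means they were produced outside the normal Windows file APIs, and syncing them down can break OneDrive clients and endpoint scanners; that is why the two hunting queries treat them as staging. The IntoOtherUsersSpace heuristic relies on a personal site URL containing the owner's alias and will misfire for accounts whose alias differs from their UPN prefix, so use it as a sort key rather than an alert condition.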
ExchangeOnline | Workbook | 📦 Solution | Microsoft 365 |
Office365 | Workbook | 📦 Solution | Microsoft 365 |
SharePointAndOneDrive | Workbook | 📦 Solution | Microsoft 365 |
Dataverse - Anomalous application user activity | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use.
Dataverse - Audit log data deletion | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies audit log data deletion activity in Dataverse.
Dataverse - Audit logging disabled | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies a change in system audit configuration whereby audit logging is turned off.
Dataverse - Bulk record ownership re-assignment or sharing | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies individual record ownership changes, including sharing of records with other users/teams or re-assignment of ownership, exceeding a pre-defined threshold.
Dataverse - Executable uploaded to SharePoint document management site | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.
Dataverse - Export activity from terminated or notified employee | Analytic Rule | 📦 Solution | Microsoft Business Applications | This query identifies Dataverse export activity triggered by terminated employees or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template.
Dataverse - Guest user exfiltration following Power Platform defense impairment | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration...
Dataverse - Hierarchy security manipulation | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies suspicious behaviors in hierarchy security, including: hierarchy security disabled; a user assigns themselves as a manager; a user assigns themselves to a monitored position.
Dataverse - Honeypot instance activity | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed. Note: Requir...
Dataverse - Login by a sensitive privileged user | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies Dataverse and Dynamics 365 logons by sensitive users.
Dataverse - Login from IP in the block list | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.
Dataverse - Login from IP not in the allow list | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template.
Dataverse - Malware found in SharePoint document management site | Analytic Rule | 📦 Solution | Microsoft Business Applications | This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint, impacting Dataverse-associated SharePoint sites.
Dataverse - Mass deletion of records | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies large-scale record delete operations based on a predefined threshold and also detects scheduled bulk deletion jobs.
Dataverse - Mass download from SharePoint document management | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to ide...
Dataverse - Mass export of records to Excel | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies users exporting a large number of records from Dynamics 365 to Excel, significantly more records than any other recent activity by that user. Large exports from users with no recen...
Dataverse - Mass record updates | Analytic Rule | 📦 Solution | Microsoft Business Applications | This query detects mass record update changes in Dataverse and Dynamics 365 exceeding a pre-defined threshold.
Dataverse - New Dataverse application user activity type | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies new or previously unseen activity types associated with a Dataverse application (non-interactive) user.
Dataverse - New non-interactive identity granted access | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies API-level access grants, either via the delegated permissions of a Microsoft Entra application or direct assignment within Dataverse as an application user.
Dataverse - New sign-in from an unauthorized domain | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Co...
Dataverse - New user agent type that was not used before | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies users accessing Dataverse from a user agent that has not been seen in any Dataverse instance in the last 14 days.
Dataverse - New user agent type that was not used with Office 365 | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies users accessing Dynamics with a user agent that has not been seen in any Office 365 workloads in the last 14 days.
Dataverse - Organization settings modified | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies changes made at organization level in the Dataverse environment.
Dataverse - Removal of blocked file extensions | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies modifications to an environment's blocked file extensions and extracts the removed extension.
Dataverse - SharePoint document management site added or updated | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-S...
Dataverse - Suspicious security role modifications | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies an unusual pattern of events whereby a new role is created, followed by the creator adding members to the role and subsequently removing the member or deleting the role after a short time pe...
Dataverse - Suspicious use of TDS endpoint | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies Dataverse TDS (Tabular Data Stream) protocol-based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target env...
Dataverse - Suspicious use of Web API | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies sign-ins across multiple Dataverse environments, breaching a predefined threshold, originating from a user whose IP address was used to sign in to the well-known Microsoft Entra app regis...
Dataverse - Terminated employee exfiltration over email | Analytic Rule | 📦 Solution | Microsoft Business Applications | This query identifies Dataverse exfiltration via email by terminated employees.
Dataverse - Terminated employee exfiltration to USB drive | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB-mounted drives.
Dataverse - TI map IP to DataverseActivity | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies a match in DataverseActivity from any IP IOC from Microsoft Sentinel Threat Intelligence.
Dataverse - TI map URL to DataverseActivity | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.
Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies previously unseen IPs and user agents in a Dataverse instance following the disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack
Dataverse - User bulk retrieval outside normal activity | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies users retrieving significantly more records from Dataverse than they have previously in the past 2 weeks.
F&O - Bank account change following network alias reassignment | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies changes to user accounts where the network alias was modified to a new value and, shortly afterwards, the updated alias is used to update a bank account number.
F&O - Mass update or deletion of user records | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds.
F&O - Non-interactive account mapped to self or sensitive privileged user | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies changes to Microsoft Entra client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a us...
F&O - Reverted bank account number modifications | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies changes to bank account numbers in Finance & Operations whereby a bank account number is modified but then subsequently reverted a short time later.
F&O - Unusual sign-in activity using single factor authentication | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single-factor (password) authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra...
Power Apps - App activity from unauthorized geo | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies Power Apps activity from countries in a predefined list of unauthorized countries.
Power Apps - Bulk sharing of Power Apps to newly created guest users | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies unusual bulk sharing, based on a predefined threshold in the query, of Power Apps to newly created Microsoft Entra guest users.
Power Apps - Multiple apps deleted | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments.
Power Apps - Multiple users access a malicious link after launching new app | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies a chain of events where a new Power App is created, followed by multiple users launching the app within the detection window and clicking on the same malicious URL.
Power Automate - Departing employee flow activity | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow.
Power Automate - Unusual bulk deletion of flow resources | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies bulk deletion of Power Automate flows that exceeds a predefined threshold defined in the query and deviates from activity patterns observed in the last 14 days.
Power Platform - Account added to privileged Microsoft Entra roles | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies changes to the privileged directory roles impacting Power Platform: Dynamics 365 Admins, Power Platform Admins and Fabric Admins.
Power Platform - Connector added to a sensitive environment | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments.
Power Platform - DLP policy updated or removed | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies changes to DLP policy, specifically policies which are updated or removed.
Power Platform - Possibly compromised user accesses Power Platform services | Analytic Rule | 📦 Solution | Microsoft Business Applications | Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platf...
Dataverse - Activity after failed logons | Hunting Query | 📦 Solution | Microsoft Business Applications | This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post-brute-force activity. Adjust the threshold fi...
Dataverse - Activity after Microsoft Entra alerts | Hunting Query | 📦 Solution | Microsoft Business Applications | This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a Microsoft Entra Identity Protection alert for that user. The query only looks for users not seen before or...
Dataverse - Cross-environment data export activity | Hunting Query | 📦 Solution | Microsoft Business Applications | This query searches for data export activity across a predetermined number of Dataverse instances. Data export activity across multiple environments could indicate suspicious activity, as users typical...
Dataverse - Dataverse export copied to USB devices | Hunting Query | 📦 Solution | Microsoft Business Applications | This query uses XDR data from M365 Defender to detect files downloaded from a Dataverse instance and copied to a USB drive.
Dataverse - Generic client app used to access production environments | Hunting Query | 📦 Solution | Microsoft Business Applications | This query detects the use of the built-in "Dynamics 365 Example Application" to access production environments. This generic app cannot be restricted by Azure AD authorization controls and could be ...
Dataverse - Identity management activity outside of privileged directory role membership | Hunting Query | 📦 Solution | Microsoft Business Applications | This query detects identity administration events in Dataverse/Dynamics 365 made by accounts which are not members of the privileged directory roles 'Dynamics 365 Admins', 'Power Platform Admins' or 'Glob...
Dataverse - Identity management changes without MFA | Hunting Query | 📦 Solution | Microsoft Business Applications | This query shows privileged identity administration operations in Dataverse made by accounts that signed in without using MFA.
Power Apps - Anomalous bulk sharing of Power App to newly created guest users | Hunting Query | 📦 Solution | Microsoft Business Applications | The query detects anomalous attempts to perform bulk sharing of Power Apps to newly created guest users.
Dynamics365Activity | Workbook | 📦 Solution | Microsoft Business Applications |
Dataverse: Add SharePoint sites to watchlist | Playbook | 📦 Solution | Microsoft Business Applications | This playbook is used to add new or updated SharePoint document management sites into the configuration watchlist. When combined with a scheduled analytics rule monitoring the Dataverse activity log, ...
Dataverse: Add user to blocklist (incident trigger) | Playbook | 📦 Solution | Microsoft Business Applications | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entities to a pre-defined Microsoft Entra group, resulting in blocked access. The ...
Dataverse: Add user to blocklist (alert trigger) | Playbook | 📦 Solution | Microsoft Business Applications | This playbook can be triggered on demand when a Microsoft Sentinel alert is raised, allowing the analyst to add affected user entities to a pre-defined Microsoft Entra group, resulting in blocked acc...
Dataverse: Add user to blocklist using Outlook approval workflow | Playbook | 📦 Solution | Microsoft Business Applications | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entities to a pre-defined Microsoft Entra group, using an Outlook-based approval w...
Dataverse: Add user to blocklist using Teams approval workflow | Playbook | 📦 Solution | Microsoft Business Applications | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entities to a pre-defined Microsoft Entra group, using a Teams adaptive card appro...
Dataverse: Remove user from blocklist | Playbook | 📦 Solution | Microsoft Business Applications | This playbook can be triggered on demand when a Microsoft Sentinel alert is raised, allowing the analyst to remove affected user entities from a pre-defined Microsoft Entra group used to block access...
Dataverse: Send notification to manager | Playbook | 📦 Solution | Microsoft Business Applications | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically send an email notification to the manager of the affected user entities. The playbook can be config...
Security workflow: alert verification with workload owners | Playbook | 📦 Solution | Microsoft Business Applications | This playbook can reduce the burden on the SOC by offloading alert verification to IT admins for specific analytics rules. It is triggered when a Microsoft Sentinel alert is generated, creates a message (...
DataverseSharePointSites | Parser | 📦 Solution | Microsoft Business Applications |
MSBizAppsNetworkAddresses | Parser | 📦 Solution | Microsoft Business Applications |
MSBizAppsOrgSettings | Parser | 📦 Solution | Microsoft Business Applications |
MSBizAppsTerminatedEmployees | Parser | 📦 Solution | Microsoft Business Applications |
MSBizAppsVIPUsers | Parser | 📦 Solution | Microsoft Business Applications |
MSBizApps-Configuration | Watchlist | 📦 Solution | Microsoft Business Applications |
Copilot - File Uploads Disabled | Analytic Rule | 📦 Solution | Microsoft Copilot | Detects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks. This rule identifies potential data ...
Copilot - Jailbreak Attempt Detected | Analytic Rule | 📦 Solution | Microsoft Copilot | Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls. This rule identifies prompt injection and LLM abuse scenarios that could l...
Copilot - Plugin Created by Non-Admin User | Analytic Rule | 📦 Solution | Microsoft Copilot | Detects when a normal user creates a Copilot plugin. This can be used to inject malicious prompts, tools, or data exfiltration paths. This rule identifies potential persistence or privilege misuse sce...
Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes) | Analytic Rule | 📦 Solution | Microsoft Copilot | Detects when a user enables and disables Copilot plugins within a 5-minute window. This behavior often indicates probing for security controls or living-off-Copilot techniques. This rule identifies di...
Copilot - Access From External IP Address | Hunting Query | 📦 Solution | Microsoft Copilot | Detects when Copilot is accessed from an external IP address outside the corporate network. This is very dangerous if an attacker is using Copilot to enumerate data. This rule identifies potential acc...
Copilot - Plugin Enabled After Being Disabled | Hunting Query | 📦 Solution | Microsoft Copilot | Detects when a Copilot plugin is re-enabled after being previously disabled. This could indicate an attacker restoring their backdoor. This rule identifies security control bypass scenarios wh...
MicrosoftCopilotActivityMonitoring | Workbook | 📦 Solution | Microsoft Copilot |
Detect CoreBackUp Deletion Activity from related Security Alerts | Analytic Rule | 📦 Solution | Microsoft Defender for Cloud | The query identifies any efforts by an attacker to delete backup containers, while also searching for any security alerts that may be linked to the same activity, in order to uncover additional inform...
Linked Malicious Storage Artifacts | Analytic Rule | 📦 Solution | Microsoft Defender for Cloud Apps | This query identifies the additional files uploaded by the same IP address which triggered a malware alert for malicious content upload on an Azure Blob or File Storage container.
MicrosoftCloudAppSecurity | Workbook | 📦 Solution | Microsoft Defender for Cloud Apps |
MicrosoftDefenderForOffice365 | Workbook | 📦 Solution | Microsoft Defender for Office 365 |
O365 - Block Malware file extensions | Playbook | 📦 Solution | Microsoft Defender for Office 365 | This playbook automates blocking suspicious or malicious file attachments in mail.
O365 - Block Suspicious Sender | Playbook | 📦 Solution | Microsoft Defender for Office 365 | This playbook automates blocking suspicious or malicious senders.
O365 - Block Sender Entity Trigger | Playbook | 📦 Solution | Microsoft Defender for Office 365 | This playbook automates blocking a suspicious or malicious sender.
O365 - Block Spam Domain | Playbook | 📦 Solution | Microsoft Defender for Office 365 | This playbook automates blocking suspicious or malicious attacker domains.
O365 - Delete All Malicious Inbox Rule | Playbook | 📦 Solution | Microsoft Defender for Office 365 | This playbook automates deleting all suspicious or malicious inbox rules from the provided mailbox.
MicrosoftThreatIntelligence | Workbook | 📦 Solution | Microsoft Defender Threat Intelligence |
MDTI-Automated-Triage | Playbook | 📦 Solution | Microsoft Defender Threat Intelligence | This playbook uses MDTI reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated against MDTI reputation data. If any indicator...
MDTI-Data-Cookies | Playbook | 📦 Solution | Microsoft Defender Threat Intelligence | This playbook uses MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Cookies](https://learn.mic...
MDTI-Data-WebComponents | Playbook | 📦 Solution | Microsoft Defender Threat Intelligence | This playbook uses MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Webcomponents](https://lea...
MDTI-Intel-Reputation | Playbook | 📦 Solution | Microsoft Defender Threat Intelligence | This playbook uses the MDTI API to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides the analyst with a decision as to whether an indicator is considered beni...
MDTI-Data-PassiveDns | Playbook | 📦 Solution | Microsoft Defender Threat Intelligence | This playbook enriches Microsoft Sentinel incidents by querying Microsoft Defender Threat Intelligence Passive DNS data for related host and IP entities.
MDTI-Data-ReverseDnS | Playbook | 📦 Solution | Microsoft Defender Threat Intelligence | This logic app automatically retrieves and enriches incident indicators generated by Microsoft Sentinel by leveraging data from the MDTI Passive DNS Reverse endpoint.
MDTI-Data-Trackers | Playbook | 📦 Solution | Microsoft Defender Threat Intelligence | This logic app automatically retrieves and enriches incident indicators generated by Microsoft Sentinel by leveraging data from the MDTI tracker endpoint.
AV detections related to Ukraine threats | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine. Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity...
AV detections related to SpringShell Vulnerability | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query looks for Microsoft Defender AV detections related to the SpringShell vulnerability. In Microsoft Sentinel, the SecurityAlert table includes only the device name of the affected device. ...
AV detections related to Tarrask malware | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlert table includes only the device name of the affected device, so this query joins...
Possible Phishing with CSL and Network Sessions | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query looks for malicious URL clicks in phishing emails recognized by MDO, in correlation with CommonSecurityLog (CSL) and NetworkSession events. If your workspace doesn't have one of the many data s...
Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query looks at device, process, and network events from Defender for Endpoint that may be vulnerable to the buffer overflow defined in CVE-2023-4863. Results are not an indicator of malicious activit...
Potential Build Process Compromise - MDE | Analytic Rule | 📦 Solution | Microsoft Defender XDR | The query looks for source code files being modified immediately after a build process is started. The purpose is to look for malicious code injection during the build process. This query uses...
SUNBURST and SUPERNOVA backdoor hashes | Analytic Rule | 📦 Solution | Microsoft Defender XDR | Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents. References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply...
SUNBURST network beacons | Analytic Rule | 📦 Solution | Microsoft Defender XDR | Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents. References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromis...
TEARDROP memory-only dropper | Analytic Rule | 📦 Solution | Microsoft Defender XDR | Identifies SolarWinds TEARDROP memory-only dropper IOCs in Windows Defender Exploit Guard activity. References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarw...
SUNSPOT malware hashes | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by CrowdStrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-tec...
C2-NamedPipe | Analytic Rule | 📦 Solution | Microsoft Defender XDR | Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
DopplePaymer Procdump | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query was originally published in the threat analytics report "Doppelpaymer: More human-operated ransomware". There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu...
LSASS Credential Dumping with Procdump | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query was originally published in the threat analytics report "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulne...
Doppelpaymer Stop Services | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query was originally published in the threat analytics report "Doppelpaymer: More human-operated ransomware". There is also a related blog. DoppelPaymer is ransomware that is spread manually by hu...
Qakbot Campaign Self Deletion | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query was originally published in the threat analytics report "Qakbot blight lingers, seeds ransomware". Qakbot is malware that steals login credentials from banking and financial services. It has ...
Regsvr32 Rundll32 Image Loads Abnormal Extension | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This query looks for regsvr32.exe or rundll32.exe loading DLL images with extensions other than .dll, and joins the data to public network events. References: https://threathunt.blog/running-live-mal...
Regsvr32 Rundll32 with Anomalous Parent Process | Analytic Rule | 📦 Solution | Microsoft Defender XDR | This analytics rule looks for rundll32.exe or regsvr32.exe being spawned by abnormal parent processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. Blog: https://threathunt.blog/running-live...
Detect Suspicious Commands Initiated by Webserver ProcessesAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers through...
Bitsadmin ActivityAnalytic Rule📦 SolutionMicrosoft Defender XDRBackground Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. This service is commonly used for legitimate purposes, but can also be used as part ...
Office Apps Launching WsciptAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Origina...
Detect Potential Kerberoast ActivitiesAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query aim to detect if someone requests service tickets (where count => maxcount) The query requires trimming to set a baseline level for MaxCount Mitre Technique: Kerberoasting (T1558.003) @Ma...
Files Copied to USB DrivesAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Adv...
MosaicLoaderAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection.
Unusual Volume of file deletion by usersAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here. This applies to SharePoint and OneDrive users. Audit even...
Remote File Creation with PsExecAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread ...
Service Accounts Performing Remote PSAnalytic Rule📦 SolutionMicrosoft Defender XDRService Accounts Performing Remote PowerShell. The purpose behind this detection is for finding service accounts that are performing remote powershell sessions. There are two phases to the detection: ...
Account CreationAnalytic Rule📦 SolutionMicrosoft Defender XDRUser accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136. Tags: #CreateAccount. Query #1: Query for users being created using "ne...
Local Admin Group ChangesAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query searches for changes to the local administrators group. Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.
Rare Process as a ServiceAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query is looking for rarely seen processes which are launched as a service. Whiltelisted process list need to be updated based on the environment. Author: Jouni Mikkola More info: https://threath...
Deletion of data on multiple drives using cipher exeAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
LaZagne Credential TheftAnalytic Rule📦 SolutionMicrosoft Defender XDRLaZagne is a popular open-source tool used to recover passwords stored on a local computer. It has been used in ransomware attacks to steal credentials and escalate privileges. This query looks for th...
Clearing of forensic evidence from event logs using wevtutilAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query checks for attempts to clear at least 10 log entries from event logs using wevtutil. Clearing event logs can be a sign of ransomware activity, as ransomware often attempts to cover its trac...
Stopping multiple processes using taskkillAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. This is a common technique used by ransomware to stop security products and other processes.
Potential Ransomware activity related to Cobalt StrikeAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity...
Qakbot Discovery ActiviesAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.e...
Shadow Copy DeletionsAnalytic Rule📦 SolutionMicrosoft Defender XDRThis rule detects when Shadow Copies are being deleted. This is a know actions that is performed by threat actors. This query detects know commands that have been used by the ransomware actors. Some i...
Disabling Security Services via RegistryAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query checks for processes modifying the registry to disable security features. This is a common technique used by threat actors for defence evasion.
Deimos Component ExecutionAnalytic Rule📦 SolutionMicrosoft Defender XDRJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization...
Imminent RansomwareAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization.
Java Executing cmd to run PowershellAnalytic Rule📦 SolutionMicrosoft Defender XDRThis query was originally published in the threat analytics report, Sysrv botnet evolution. Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptoc...
Appspot Phishing Abuse (Hunting Query, Microsoft Defender XDR solution): This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that use the recipient's own email address as a unique identifier in the UR...
Spoofing attempts from Specific Domains (Hunting Query, Microsoft Defender XDR solution): This query identifies potential phishing or spoofing attempts originating from specific domains with authentication failures.
Determine Successfully Delivered Phishing Emails by top IP Addresses (Hunting Query, Microsoft Defender XDR solution): This query identifies successfully delivered phishing emails by top sender IP addresses. The cutoff default value is 5; adjust it as needed.
Determine Successfully Delivered Phishing Emails to Inbox/Junk folder. (Hunting Query, Microsoft Defender XDR solution): This query identifies threats that were successfully delivered to the Inbox or Junk folder.
Judgement Panda Exfil Activity (Hunting Query, Microsoft Defender XDR solution): Original Sigma rule: https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml. Questions via Twitter: @janvonkirchheim.
Robbinhood Driver (Hunting Query, Microsoft Defender XDR solution): This query detects the presence of the Robbinhood ransomware driver.
Snip3 Malicious Network Connectivity (Hunting Query, Microsoft Defender XDR solution): This hunting query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware.
C2-NamedPipe (Hunting Query, Microsoft Defender XDR solution): Detects the creation of a named pipe used by known APT malware. Reference: https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c
Recon with Rundll (Hunting Query, Microsoft Defender XDR solution): This query detects suspicious rundll.exe activity associated with Trickbot campaigns.
DopplePaymer Procdump (Hunting Query, Microsoft Defender XDR solution): Detects the use of ProcDump to dump credentials from LSASS memory by DoppelPaymer ransomware operators.
Credential Harvesting Using LaZagne (Hunting Query, Microsoft Defender XDR solution): Detects the use of LaZagne to steal credentials from the SAM database by Ryuk ransomware operators.
LSASS Credential Dumping with Procdump (Hunting Query, Microsoft Defender XDR solution): Detects the use of ProcDump to dump credentials from LSASS memory.
Clear System Logs (Hunting Query, Microsoft Defender XDR solution): This hunting query searches for attempts to use fsutil.exe to clear system logs and delete forensic artifacts.
Doppelpaymer Stop Services (Hunting Query, Microsoft Defender XDR solution): This query searches for attempts to stop security services, a common tactic used by DoppelPaymer ransomware operators.
Qakbot Campaign Self Deletion (Hunting Query, Microsoft Defender XDR solution): This query detects whether an instance of Qakbot has attempted to overwrite its original binary.
Regsvr32 Rundll32 Image Loads Abnormal Extension (Hunting Query, Microsoft Defender XDR solution): This query looks for regsvr32.exe or rundll32.exe loading DLL images whose extension is not .dll.
Regsvr32 Rundll32 with Anomalous Parent Process (Hunting Query, Microsoft Defender XDR solution): This query searches for rundll32.exe or regsvr32.exe being spawned by abnormal parent processes such as wscript.exe, powershell.exe, cmd.exe, pwsh.exe and cscript.exe.
Detect Suspicious Commands Initiated by Webserver Processes (Hunting Query, Microsoft Defender XDR solution): Detects suspicious commands initiated by web server processes and used for network discovery and user/owner discovery.
Enumeration of Users & Groups for Lateral Movement (Hunting Query, Microsoft Defender XDR solution): This query hunts for attempts to list users or groups using net commands, which are commonly used in preparation for lateral movement.
Anomalous Payload Delivered from ISO files (Hunting Query, Microsoft Defender XDR solution): This query searches for LNK file executions from drives other than C:, which can indicate mounted ISO files.
Bitsadmin Activity (Hunting Query, Microsoft Defender XDR solution): This query searches for use of bitsadmin.exe for file transfer, which can be legitimate or part of a malware downloader.
Detect Malicious use of MSIExec (Hunting Query, Microsoft Defender XDR solution): This query detects possible download and execution using msiexec.
Detect Malicious use of Msiexec Mimikatz (Hunting Query, Microsoft Defender XDR solution): This query searches for malicious use of msiexec.exe, particularly alongside Mimikatz, a common credential dumper and privilege escalation tool.
Office Apps Launching Wscipt (Hunting Query, Microsoft Defender XDR solution): The query searches for Office applications launching wscript.exe to run a JSE file.
Detect Potential kerberoast Activities (Hunting Query, Microsoft Defender XDR solution): This query aims to detect whether someone requests service tickets in volume (where count >= MaxCount). The query requires tuning to set a baseline level for MaxCount.
PowerShell Downloads (Hunting Query, Microsoft Defender XDR solution): The query searches for PowerShell execution events that could involve a download.
Webserver Executing Suspicious Applications (Hunting Query, Microsoft Defender XDR solution): This query looks for common web server process names and identifies any child processes launched using a scripting language (cmd, powershell, wscript, cscript).
Detect Suspicious Mshta Usage (Hunting Query, Microsoft Defender XDR solution): This query detects when mshta.exe has been run, which may include illegitimate usage by attackers.
Files Copied to USB Drives (Hunting Query, Microsoft Defender XDR solution): This query lists files copied to external USB drives, with USB drive information, based on FileCreated events associated with the most recent USBDriveMount events before the file creations.
Suspicious Tomcat Confluence Process Launch (Hunting Query, Microsoft Defender XDR solution): The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence (CVE-2022-26134).
MosaicLoader (Hunting Query, Microsoft Defender XDR solution): This hunting query looks for MosaicLoader, malware that hides itself among Windows Defender exclusions to evade detection.
PrintNightmare CVE-2021-1675 usage Detection (Hunting Query, Microsoft Defender XDR solution): This query looks for any file creations in the print spooler drivers folder.
Windows Print Spooler Service Suspicious File Creation (Hunting Query, Microsoft Defender XDR solution): The query inspects the Windows print spooler drivers folder for any file creations. This behaviour is used by PoC exploits for CVE-2021-34527, CVE-2021-1675 and CVE-2022-21999.
MITRE - Suspicious Events (Hunting Query, Microsoft Defender XDR solution): This hunting query looks for several different MITRE techniques, grouped by risk level. A weighting is applied to each risk level and a total score is calculated per machine. Techniques can be added/remo...
Unusual Volume of file deletion by users (Hunting Query, Microsoft Defender XDR solution): This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here.
Detect MaiSniper (Hunting Query, Microsoft Defender XDR solution): This query searches for usage of the MailSniper Exchange attack tool.
Account Brute Force (Hunting Query, Microsoft Defender XDR solution): This hunting query searches for public IP addresses that failed to log on to a computer multiple times, using multiple accounts, and eventually succeeded.
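The "Account Brute Force" entry describes a three-part pattern: many failed logons from one public IP, spread across several accounts, followed by a success from that same IP. The KQL below is an added example written for this page, not the Defender XDR solution's own query. The failure and account thresholds, the one-hour success window, and the device names and IP addresses are assumptions; the sample rows are constructed and shadow the real DeviceLogonEvents table so the logic can be checked in any Kusto sandbox.

```kql
// Added example (not the solution's own "Account Brute Force" query).
// Pattern: a public IP fails many logons across several accounts, then one
// logon from that IP succeeds within success_window of the failure burst.
let base = now() - 3h;
// Constructed sample rows shadowing DeviceLogonEvents; delete this `let` to run live.
let DeviceLogonEvents = union
    // 24 failures from one public IP cycling through 4 accounts (constructed)
    (range i from 1 to 24 step 1
     | project Timestamp = base + i * 30s, DeviceId = "dev-a", DeviceName = "rdp-gw01",
               ActionType = "LogonFailed", LogonType = "RemoteInteractive",
               AccountName = strcat("user", i % 4),
               RemoteIP = "198.51.100.23", RemoteIPType = "Public"),
    // one success from that IP ten minutes after the last failure, plus an
    // unrelated single failure from another IP that must not be flagged (constructed)
    (datatable(Offset:timespan, DeviceId:string, DeviceName:string, ActionType:string,
               LogonType:string, AccountName:string, RemoteIP:string, RemoteIPType:string)
     [ 22m, "dev-a", "rdp-gw01", "LogonSuccess", "RemoteInteractive", "user3", "198.51.100.23", "Public",
       5m,  "dev-b", "ws07",     "LogonFailed",  "Network",           "alice", "203.0.113.9",   "Public" ]
     | extend Timestamp = base + Offset | project-away Offset);
// Tunables (assumptions, not values taken from the catalog entry).
let lookback = 7d;
let min_failures = 20;
let min_accounts = 3;
let success_window = 1h;
// Phase 1: failure bursts per (device, public source IP).
let bursts = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed" and RemoteIPType == "Public"
    | summarize FailureCount = count(), AccountsTried = dcount(AccountName),
                FirstFail = min(Timestamp), LastFail = max(Timestamp)
        by DeviceId, DeviceName, RemoteIP
    | where FailureCount >= min_failures and AccountsTried >= min_accounts;
// Phase 2: a success from the same IP to the same device, during or shortly after the burst.
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess" and RemoteIPType == "Public"
| join kind=inner bursts on DeviceId, RemoteIP
| where Timestamp between (FirstFail .. (LastFail + success_window))
| project SuccessTime = Timestamp, DeviceName, RemoteIP, LogonType,
          CompromisedAccount = AccountName, FailureCount, AccountsTried, FirstFail, LastFail
| order by SuccessTime desc
```

With the constructed rows the query returns one line (rdp-gw01, 198.51.100.23, user3, 24 failures over 4 accounts); the lone failure from 203.0.113.9 never reaches the join. The join key is (DeviceId, RemoteIP) rather than the account name on purpose: the account that finally succeeds is usually not the one that was tried first.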
Remote File Creation with PsExec (Hunting Query, Microsoft Defender XDR solution): This query detects remote file creation events that might indicate an active attack using PsExec.
Service Accounts Performing Remote PS (Hunting Query, Microsoft Defender XDR solution): This query searches for any service accounts performing remote PowerShell.
Account Creation (Hunting Query, Microsoft Defender XDR solution): This query looks for the creation of user accounts on a machine using the "net user" command.
Local Admin Group Changes (Hunting Query, Microsoft Defender XDR solution): This hunting query searches for changes to the local administrators group.
Rare Process as a Service (Hunting Query, Microsoft Defender XDR solution): This query looks for rarely seen processes which are launched as a service.
Scheduled Task Creation (Hunting Query, Microsoft Defender XDR solution): This query searches for any scheduled task creation event.
SAM Name Change CVE-2021-42278 (Hunting Query, Microsoft Defender XDR solution): The following query detects possible CVE-2021-42278 (sAMAccountName spoofing) exploitation by finding changes to computer account names in the network, using Microsoft Defender for Identity data.
Deletion of data on multiple drives using cipher exe (Hunting Query, Microsoft Defender XDR solution): This query checks for attempts to wipe data on multiple drives using cipher.exe (cipher /w overwrites free space so that previously deleted files cannot be recovered). Ransomware typically does this to prevent recovery of data after encryption.
Check for multiple signs of Ransomware Activity (Hunting Query, Microsoft Defender XDR solution): This query checks for multiple signs of ransomware activity to identify affected devices.
Suspicious Image Load related to IcedId (Hunting Query, Microsoft Defender XDR solution): This query searches for suspicious image load events by rundll32.exe or regsvr32.exe, a behaviour associated with IcedID, a loader that frequently precedes ransomware deployment.
LaZagne Credential Theft (Hunting Query, Microsoft Defender XDR solution): This query can be used to locate processes executing credential theft activity, often LaZagne, in ransomware compromises.
Clearing of forensic evidence from event logs using wevtutil (Hunting Query, Microsoft Defender XDR solution): This query checks for attempts to clear at least 10 event logs using wevtutil.
Stopping multiple processes using taskkill (Hunting Query, Microsoft Defender XDR solution): This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility.
Potential Ransomware activity related to Cobalt Strike (Hunting Query, Microsoft Defender XDR solution): This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns.
Qakbot Discovery Activies (Hunting Query, Microsoft Defender XDR solution): This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances.
Shadow Copy Deletions (Hunting Query, Microsoft Defender XDR solution): This rule detects when shadow copies are being deleted, a known action performed by threat actors.
Turning off services using sc exe (Hunting Query, Microsoft Defender XDR solution): This query checks for attempts to turn off at least 10 existing services using sc.exe.
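The cipher.exe, wevtutil, taskkill, shadow copy deletion and sc.exe entries above (and their analytic-rule twins earlier in the list) are all the same shape: a living-off-the-land binary used in volume inside a short window on one device. The query below is an added example for this page, not the solution's own queries; it folds those five checks into one threshold hunt over DeviceProcessEvents. The 10-minute window and the "at least 10" bar are assumptions chosen to match the entries, the classification keywords are the common command-line forms of each tool, and the sample rows are constructed and shadow the real table so the logic can be checked in any Kusto sandbox.

```kql
// Added example (not the solution's own queries): one threshold hunt over
// DeviceProcessEvents covering taskkill bursts, wevtutil log clearing, sc.exe
// service stops, cipher.exe free-space wiping across drives, and shadow copy deletion.
let base = bin(now(), 1h) - 1h;   // aligned so the constructed rows share one 10m bin
// Constructed sample rows shadowing DeviceProcessEvents; delete this `let` to run live.
let DeviceProcessEvents = union
    // 12 taskkill calls within two minutes on ws01 (constructed)
    (range i from 1 to 12 step 1
     | project Timestamp = base + i * 10s, DeviceId = "dev-a", DeviceName = "ws01",
               AccountName = "svc_backup", FileName = "taskkill.exe",
               ProcessCommandLine = strcat("taskkill.exe /f /im app", i, ".exe")),
    // cipher wiping two drives on ws01, one vssadmin delete on fs02, a benign sc query on ws03 (constructed)
    (datatable(Offset:timespan, DeviceId:string, DeviceName:string, AccountName:string,
               FileName:string, ProcessCommandLine:string)
     [ 3m, "dev-a", "ws01", "svc_backup", "cipher.exe",   @"cipher.exe /w:C:\",
       4m, "dev-a", "ws01", "svc_backup", "cipher.exe",   @"cipher.exe /w:D:\",
       2m, "dev-b", "fs02", "admin",      "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
       1m, "dev-c", "ws03", "helpdesk",   "sc.exe",       "sc.exe query wuauserv" ]
     | extend Timestamp = base + Offset | project-away Offset);
// Tunables (assumptions matching the "at least 10" wording of the catalog entries).
let lookback = 7d;
let bin_size = 10m;
let threshold = 10;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("taskkill.exe", "wevtutil.exe", "sc.exe", "cipher.exe", "vssadmin.exe", "wmic.exe")
| extend Cmd = tolower(ProcessCommandLine)
| extend Technique = case(
    FileName =~ "taskkill.exe" and (Cmd contains "/im" or Cmd contains "/pid" or Cmd contains "/f"), "ProcessKill",
    FileName =~ "wevtutil.exe" and (Cmd has "cl" or Cmd contains "clear-log"),                    "EventLogClear",
    FileName =~ "sc.exe" and Cmd has_any ("stop", "delete", "disabled"),                         "ServiceStop",
    FileName =~ "cipher.exe" and Cmd contains "/w:",                                               "FreeSpaceWipe",
    FileName =~ "vssadmin.exe" and Cmd has "delete" and Cmd has "shadows",                        "ShadowCopyDelete",
    FileName =~ "wmic.exe" and Cmd has "shadowcopy" and Cmd has "delete",                         "ShadowCopyDelete",
    "")
| where isnotempty(Technique)
// Drive letter targeted by cipher /w:<drive>: so wipes can be counted per drive.
| extend Drive = extract(@"/w:([a-z]):", 1, Cmd)
| summarize Count = count(), Drives = dcount(Drive),
            Examples = make_set(ProcessCommandLine, 5),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceId, DeviceName, AccountName, Technique, Window = bin(Timestamp, bin_size)
// Volume techniques need the threshold; wiping more than one drive or any
// shadow copy deletion is rare enough to surface on its own.
| where (Technique in ("ProcessKill", "EventLogClear", "ServiceStop") and Count >= threshold)
     or (Technique == "FreeSpaceWipe" and Drives >= 2)
     or  Technique == "ShadowCopyDelete"
| order by LastSeen desc
```

Against the constructed rows this yields three hits: ws01/ProcessKill (12 in one bin), ws01/FreeSpaceWipe (drives c and d), and fs02/ShadowCopyDelete; the single `sc.exe query` on ws03 is classified as nothing and dropped. Binning by `bin(Timestamp, bin_size)` is cheap but can split a burst across two bins; if that matters, re-run with a shifted window or use a sliding count.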
Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities (Hunting Query, Microsoft Defender XDR solution): This advanced hunting query detects the vulnerabilities listed in CISA Alert AA22-117A, 2021 Top Routinely Exploited Vulnerabilities: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
Disabling Services via Registry (Hunting Query, Microsoft Defender XDR solution): Searches for processes modifying the registry to disable security features.
DLLHost.exe WMIC domain discovery (Hunting Query, Microsoft Defender XDR solution): This query checks for dllhost.exe calling WMIC to discover additional hosts and the associated domain.
PowerShell adding exclusion path for Microsoft Defender of ProgramData (Hunting Query, Microsoft Defender XDR solution): Identifies PowerShell creating a Microsoft Defender exclusion path for the ProgramData directory so that Defender no longer monitors it.
Spoolsv Spawning Rundll32 (Hunting Query, Microsoft Defender XDR solution): Looks for spoolsv.exe launching rundll32.exe with an empty command line.
Suspicious DLLs in spool Folder (Hunting Query, Microsoft Defender XDR solution): Looks for the creation of suspicious DLL files in the \spool\ folder, along with DLLs that were recently loaded afterwards from \Old.
Suspicious Files in spool Folder (Hunting Query, Microsoft Defender XDR solution): Monitors for the creation of suspicious files in the /spools/driver/ folder. This is a broad search that will surface any creation or modification of files in the folder targeted by this exploit.
Suspicious Spoolsv Child Process (Hunting Query, Microsoft Defender XDR solution): Surfaces suspicious spoolsv.exe behaviour likely related to CVE-2021-1675.
ATP policy status check (Hunting Query, Microsoft Defender XDR solution): This query displays the configuration audit for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
JNLP-File-Attachment (Hunting Query, Microsoft Defender XDR solution): JNLP file attachments are an uncommon file type often used to deliver malware.
Safe Attachments detections (Hunting Query, Microsoft Defender XDR solution): This query provides insights on the detections made by Safe Attachments.
Authentication failures by time and authentication type (Hunting Query, Microsoft Defender XDR solution): This query helps review authentication failure counts by authentication type. Update the authentication type in the query to DMARC, DKIM, SPF or CompAuth.
CompAuth Failure Trend (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with spoof (composite authentication) failures, summarised daily.
DKIM Failure Trend (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with spoof (DKIM) failures, summarised daily.
DMARC Failure Trend (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with spoof (DMARC) failures, summarised daily.
SPF Failure Trend (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with spoof (SPF) failures, summarised daily.
Spoof attempts with auth failure (Hunting Query, Microsoft Defender XDR solution): This query helps check for spoofing attempts on the domain with authentication failures.
Top Spoof external domain detections by Sender domain (P1/P2) (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with Phish-Spoof external domain detections, summarised by the top 10 email sender P2 domains (SenderFromDomain) and P1 domains (SenderMailFromDomain).
Top Spoof DMARC detections by Sender domain (P1/P2) (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with Spoof-DMARC fail detections, summarised by the top email sender P2 domains (SenderFromDomain) and P1 domains (SenderMailFromDomain).
Top Spoof intra-org detections by Sender domain (P1/P2) (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with Phish-Spoof internal domain detections, summarised by the top 10 email sender P2 domains (SenderFromDomain) and P1 domains (SenderMailFromDomain).
Message from an Accepted Domain with DMARC TempError (Hunting Query, Microsoft Defender XDR solution): This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email appears to come from an accepted domain but DMARC returned a (transient) TempError result.
Message with URL listed on OpenPhish delivered into Inbox (Hunting Query, Microsoft Defender XDR solution): This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email with a URL listed on OpenPhish was delivered to the Inbox.
Potential OAuth phishing email delivered into Inbox (Hunting Query, Microsoft Defender XDR solution): This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious OAuth app URL has been delivered into an Inbox.
Potentially malicious svg file delivered to Inbox (Hunting Query, Microsoft Defender XDR solution): This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious .SVG file has been delivered into an Inbox.
Audit Email Preview-Download action (Hunting Query, Microsoft Defender XDR solution): This query helps report on who previewed or downloaded email messages using the Email entity page in Defender for Office 365.
Bad email percentage of Inbound emails (Hunting Query, Microsoft Defender XDR solution): This query visualises bad traffic (the percentage of emails with threats) compared to total inbound emails over time, summarised daily.
Calculate overall MDO efficacy (Hunting Query, Microsoft Defender XDR solution): This query helps calculate the overall efficacy of MDO based on threats blocked pre-delivery, cleaned up post-delivery, or uncaught.
Email sender IP address Geo location information (Hunting Query, Microsoft Defender XDR solution): This query helps get GeoIP information for email SenderIPv4 addresses.
Hunt for Admin email access (Hunting Query, Microsoft Defender XDR solution): This query helps report on email access by administrators.
Hunt for TABL changes (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for Tenant Allow/Block List (TABL) changes in Defender for Office 365.
Local time to UTC time conversion (Hunting Query, Microsoft Defender XDR solution): Advanced Hunting uses UTC as its default time zone. Filters in Advanced Hunting also work in UTC by default, whereas query results are shown in local time if the user has selected a local time zone in the securit...
Mail item accessed (Hunting Query, Microsoft Defender XDR solution): This query helps review emails accessed by end users, using cloud app events data.
Malicious email senders (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for emails from any sender with at least one email in quarantine.
MDO daily detection summary report (Hunting Query, Microsoft Defender XDR solution): This query helps report daily on the total number of emails and the total number of emails detected by Defender for Office 365.
New TABL Items (Hunting Query, Microsoft Defender XDR solution): This query helps identify new items added to the Tenant Allow/Block List (TABL) in Defender for Office 365.
Top 10 Domains sending Malicious Emails (Malware+Phish+Spam) (Hunting Query, Microsoft Defender XDR solution): Identifies the top 10 sender domains delivering inbound emails classified as malware, phishing, or spam. Based on the Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftde...
Top 10 External Senders (Malware) (Hunting Query, Microsoft Defender XDR solution): Identifies the top 10 external sender addresses delivering inbound emails classified as malware. If you want to exclude your own organization's domains (including subdomains), add a filter after the m...
Top 10 External Senders (Phish) (Hunting Query, Microsoft Defender XDR solution): Identifies the top 10 external sender addresses delivering inbound emails classified as phishing. If you want to exclude your own organization's domains (including subdomains), add a filter after the ...
Top 10 External Senders (Spam) (Hunting Query, Microsoft Defender XDR solution): Identifies the top 10 external sender addresses delivering inbound emails classified as spam. If you want to exclude your own organization's domains (including subdomains), add a filter after the spam...
Top 10 External Senders (Spam) (Hunting Query, Microsoft Defender XDR solution): Identifies the top 10 external sender addresses delivering inbound emails classified as spam. To exclude your own organization's domains (including subdomains), add a filter after the spam filter, e.g...
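Several of the entries above share two building blocks: reading the SPF/DKIM/DMARC/CompAuth verdicts out of EmailEvents ("Authentication failures by time and authentication type", "Spoof attempts with auth failure", the "Top Spoof ... by Sender domain (P1/P2)" queries) and excluding the organisation's own domains, subdomains included, from a top-10 sender ranking (the "Top 10 External Senders" entries, whose own filter is truncated in this listing). The query below is an added example for this page, not the solution's own; it combines both. It assumes that AuthenticationDetails is the JSON string Defender for Office 365 writes into EmailEvents, that the tenant's accepted domains are two-label names listed in own_domains (contoso.com is a placeholder), and it uses constructed sample rows that shadow the real table.

```kql
// Added example, not the solution's own query. Inbound mail from external senders
// that failed DMARC or composite authentication (CompAuth), with the organisation's
// own domains and their subdomains excluded, summarised by P1 (MailFrom) and
// P2 (From) sender domain and by where the message ended up.
let own_domains = dynamic(["contoso.com"]);   // assumption: replace with your accepted domains
// Constructed sample rows shadowing EmailEvents; delete this `let` to run against the live table.
let EmailEvents = datatable(Offset:timespan, NetworkMessageId:string, SenderFromDomain:string,
        SenderMailFromDomain:string, RecipientEmailAddress:string, EmailDirection:string,
        DeliveryLocation:string, AuthenticationDetails:string)
    [ 1m, "m1", "contoso.com",     "bulk-mailer.example", "cfo@contoso.com", "Inbound",   "Inbox/folder", '{"SPF":"pass","DKIM":"none","DMARC":"fail","CompAuth":"fail"}',
      2m, "m2", "contoso.com",     "bulk-mailer.example", "ap@contoso.com",  "Inbound",   "Junk folder",  '{"SPF":"pass","DKIM":"none","DMARC":"fail","CompAuth":"fail"}',
      3m, "m3", "hr.contoso.com",  "hr.contoso.com",      "bob@contoso.com", "Inbound",   "Inbox/folder", '{"SPF":"none","DKIM":"none","DMARC":"fail","CompAuth":"fail"}',
      4m, "m4", "partner.example", "partner.example",     "bob@contoso.com", "Inbound",   "Inbox/folder", '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}',
      5m, "m5", "paypa1.example",  "paypa1.example",      "cfo@contoso.com", "Inbound",   "Quarantine",   '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}',
      6m, "m6", "contoso.com",     "contoso.com",         "ann@contoso.com", "Intra-org", "Inbox/folder", '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}' ]
    | extend Timestamp = now() - 1h + Offset | project-away Offset;
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
// AuthenticationDetails is a JSON string: {"SPF":..,"DKIM":..,"DMARC":..,"CompAuth":..}
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM),
         DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
| where DMARC =~ "fail" or CompAuth =~ "fail"
// Exclude our own P1 domains including subdomains by comparing the last two labels,
// not by substring, so "contoso.com.evil.example" still counts as external.
| extend P1Root = extract(@"([^.]+\.[^.]+)$", 1, SenderMailFromDomain)
| where P1Root !in~ (own_domains)
| summarize Messages = dcount(NetworkMessageId), Recipients = dcount(RecipientEmailAddress),
            DmarcFails = countif(DMARC =~ "fail"), CompAuthFails = countif(CompAuth =~ "fail"),
            ToInbox = countif(DeliveryLocation startswith "Inbox"),
            ToJunk = countif(DeliveryLocation startswith "Junk"),
            Quarantined = countif(DeliveryLocation == "Quarantine"),
            Latest = max(Timestamp)
    by P2Domain = SenderFromDomain, P1Domain = SenderMailFromDomain
// A P2 (From) domain that is ours behind an external P1 is the classic display-name spoof.
| extend P2SpoofsOwnDomain = P2Domain in~ (own_domains)
| top 10 by Messages desc
```

On the constructed rows the result has two lines: contoso.com / bulk-mailer.example (2 messages, 1 to Inbox, 1 to Junk, P2SpoofsOwnDomain true) and paypa1.example / paypa1.example (1 message, quarantined). The hr.contoso.com row is removed by the subdomain check, m4 by the authentication filter, and m6 by the direction filter. The "Top 10 External Senders" entries rank by sender address rather than domain; swap `SenderFromAddress` into the `by` clause and drop the authentication filter to get that view.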
Top 10 Targeted Users (Malware+Phish+Spam) (Hunting Query, Microsoft Defender XDR solution): Identifies the top 10 users receiving inbound emails classified as malware, phishing, or spam. Based on concepts from the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft....
Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam) (Hunting Query, Microsoft Defender XDR solution): Visualises the top 10 users with click attempts on URLs in emails detected as malware, phishing, or spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Of...
MDO Threat Protection Detections trend over time (Hunting Query, Microsoft Defender XDR solution): Graph of MDO detections trended over time.
Total number of detections by MDO (Hunting Query, Microsoft Defender XDR solution): Provides a summary of the total number of detections.
Automated email notifications and suspicious sign-in activity (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for automated email notifications combined with suspicious sign-in activity.
BEC - File sharing tactics - Dropbox (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for BEC file-sharing tactics that use Dropbox.
BEC - File sharing tactics - OneDrive or SharePoint (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for BEC file-sharing tactics that use OneDrive or SharePoint.
Email bombing attacks (Hunting Query, Microsoft Defender XDR solution): This query helps review recipients who are potentially victims of email bombing attacks.
Emails containing links to IP addresses (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for emails containing links to raw IP addresses.
Files share contents and suspicious sign-in activity (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for file share contents combined with suspicious sign-in activity.
Good emails from senders with bad patterns (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for good emails from senders with bad patterns.
Hunt for email bombing attacks (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for possible email bombing attacks in Microsoft Defender for Office 365.
Hunt for email conversation take over attempts (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for email conversation takeover attempts.
Hunt for malicious attachments using external IOC source (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for emails with malicious attachments, based on SHA256 hashes from an external IOC source.
Hunt for malicious URLs using external IOC source (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for emails with malicious URLs, based on an external IOC source.
Inbox rule changes which forward-redirect email (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for inbox rule changes which forward or redirect email.
MDO_CountOfRecipientsEmailaddressbySubject (Hunting Query, Microsoft Defender XDR solution): Count of recipient email addresses by subject.
MDO_Countofrecipientsemailaddressesbysubject (Hunting Query, Microsoft Defender XDR solution): Count of recipient email addresses by subject.
MDO_CountOfSendersEmailaddressbySubject (Hunting Query, Microsoft Defender XDR solution): Count of sender email addresses by subject.
MDO_SummaryOfSenders (Hunting Query, Microsoft Defender XDR solution): Count of all senders and where their messages were delivered.
MDO_URLClickedinEmail (Hunting Query, Microsoft Defender XDR solution): URLs clicked in email.
Top outbound recipient domains sending inbound emails with threats (Hunting Query, Microsoft Defender XDR solution): This query helps hunt for the top outbound recipient domains that are also sending inbound emails with threats.
Detections by detection methods (Hunting Query, Microsoft Defender XDR solution): This query helps review malicious email detections by detection method.
Mail reply to new domain (Hunting Query, Microsoft Defender XDR solution): This query helps review mail that looks like a reply although there is no history of correspondence between the parties and the sender domain is new.
Mailflow by directionality (Hunting Query, Microsoft Defender XDR solution): This query helps review inbound, outbound and intra-org emails by domain per day.
Malicious emails detected per day (Hunting Query, Microsoft Defender XDR solution): This query helps review malware, phishing and spam emails caught per day.
Sender recipient contact establishment (Hunting Query, Microsoft Defender XDR solution): This query helps check the sender-recipient contact establishment status.
Spam Detections (High) by delivery location (Hunting Query, Microsoft Defender XDR solution): This query visualises emails with high-confidence spam detections, summarised by delivery location.
Spam Detections (Normal) by delivery location (Hunting Query, Microsoft Defender XDR solution): This query visualises emails with normal-confidence spam detections, summarised by delivery location.
Top 100 malicious email senders (Hunting Query, Microsoft Defender XDR solution): This query helps review the top 100 malicious senders.
Top 100 senders (Hunting Query, Microsoft Defender XDR solution): This query helps review the top 100 senders in your organization over the last 30 days.
Zero day threats (Hunting Query, Microsoft Defender XDR solution): This query helps review zero-day threats found via URL and file detonation.
Email containing malware accessed on a unmanaged device (Hunting Query, Microsoft Defender XDR solution): Looks for emails containing malware that were accessed on an unmanaged device.
Email containing malware sent by an internal sender (Hunting Query, Microsoft Defender XDR solution): Looks for emails containing a malware attachment sent by an internal sender.
Email malware detection report (Hunting Query, Microsoft Defender XDR solution): This query helps review email malware detection cases.
File Malware Detection Trend (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of files located on SharePoint, OneDrive and Teams with malware detections over time, summarised daily.
File Malware by Top Malware Families (Anti Virus) (Hunting Query, Microsoft Defender XDR solution): This query visualises total malware detections for files located on SharePoint, OneDrive and Teams over time, summarised by the malware families detected, focusing on built-in SharePoin...
File Malware by Top Malware Families (Safe Attachments) (Hunting Query, Microsoft Defender XDR solution): This query visualises total malware detections for files located on SharePoint, OneDrive and Teams over time, summarised by the malware families detected, focusing on Defender for Offic...
Malware Detections Trend (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with malware detections over time, summarised daily.
Malware Detections by delivery location (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with malware detections over time, summarised daily by delivery location.
Malware Detections by Detection technology Trend (Hunting Query, Microsoft Defender XDR solution): This query visualises the total number of emails with malware detections over time, summarised daily by the malware detection technologies/controls involved.
Malware Detections by Detection technologyHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Malware detections summarizing the data by various Malware detection technologies/controls.
Malware detections by Workload LocationsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the locations they are stored
Malware detections by Workload TypeHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the workload in which they are stored
Email Top Domains sending MalwareHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails with Malware detections summarizing the data by the top email sender P2 domain (SenderFromDomain)
Top Malware FamiliesHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Malware detections summarizing the data by ThreatNames of the malware detected.
Top Users receiving MalwareHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails with Malware detections summarizing the data by the top recipient email address (RecipientEmailAddress)
Zero-day Malware Detections TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Malware detections over time summarizing the data daily by Malware detection technologies/controls used for detecting unknown-unique malware.
Teams communication from suspicious external usersHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for communication from suspicious external users.
Teams communication to suspicious external usersHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for communication with suspicious external users.
Expanding recipients into separate rowsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for recipients of Teams messages.
External malicious Teams messages sent from internal sendersHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for external malicious Teams messages sent from internal senders
Hunt for malicious messages using External Threat IntelligenceHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams messages with malicious URLs based on external Threat Intelligence source
Inbound Teams messages by sender domainsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing volume of inbound external Teams message by sender domains
Malicious Teams messages by URL detection methodsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing malicious Teams message detections by URL detection methods
Malicious Teams messages received from external sendersHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for malicious Teams messages received from external senders.
Microsoft Teams chat initiated by a suspicious external userHunting Query📦 SolutionMicrosoft Defender XDRUse AlertInfo and AlertEvidence to collect general information and clickable links to more IOCs about suspicious external Teams messages.
Number of unique accounts performing Teams message Admin submissionsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises number of unqiue accounts performing Teams message admin submissions as false negatives or false positives
Number of unique accounts performing Teams message User submissionsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises number of unqiue accounts performing Teams message user submissions as false negatives or false positives
Possible partner impersonation in external Team messagesHunting Query📦 SolutionMicrosoft Defender XDRThis query can be used as a Custom Detection Rule (CDR) to trigger when a partner email domain or email address is used in a Sender display name part of an inbound external Teams message
Possible Teams phishing activityHunting Query📦 SolutionMicrosoft Defender XDRThis query looks for possible Teams phishing activity.
Potentially malicious URL click in TeamsHunting Query📦 SolutionMicrosoft Defender XDRThis query provides insights on a potentially malicious URL click in Teams
Rare Domains in External Teams MessagesHunting Query📦 SolutionMicrosoft Defender XDRDetects rare domains (seen in fewer than 3 Teams messages) appearing in external Microsoft Teams threads within the last 24 hours.
Suspicious Teams Display NameHunting Query📦 SolutionMicrosoft Defender XDRThis query looks for Teams messages from an external user with a suspicious display name.
Teams Admin submission of Malware and Phish daily trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of admin false negative Teams message submissions by submission type of Phish or Malware
Teams Admin submission of No Threats daily trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of admin false positive Teams message submissions
Teams Admin-User Submissions Grading VerdictsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualizes Teams messages submitted by users or admins then graded in the submission process.
Teams blocked URL clicks daily trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualizes the daily amount of blocked Url clicks performed by users on Urls in Teams messages.
Teams Malware ZAPHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams messages with Malware threats that have been ZAPed.
Teams Message with URL listed on OpenPhishHunting Query📦 SolutionMicrosoft Defender XDRThis query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious Teams message with a URL from OpenPhish was delivered.
Teams message ZAPed with the same URL in EmailHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams messages that have been ZAPed with the same URL in Email.
Teams messages from a specific sender by ThreadTypeHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams messages from a specific sender by ThreadType.
Teams messages with suspicious URL domainsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams messages with suspicious URL domains.
Teams Phish ZAPHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams messages with Phish threats that have been ZAPed.
Teams post delivery events daily trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualizes the daily amount of post delivery events on Teams messages.
Teams Spam ZAPHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams messages with Spam threats that have been ZAPed.
Teams URL clicks actions summarized by URLs clicked onHunting Query📦 SolutionMicrosoft Defender XDRThis query visualizes user clicks in Teams summarizing the data by the various URLs and Click actions on them.
Teams URL clicks through actions on Phish or Malware URLs summarized by URLsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualizes clicks through actions on Phish or Malware URLs in Teams, summarizing the data by Urls.
Teams User submissions daily trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of user false negative and false postive Teams message submissions
Teams users clicking on suspicious URL domainsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for Teams users clicking on suspicious URL domains.
Top 10 Attacked user by Phish messagesHunting Query📦 SolutionMicrosoft Defender XDRTop 10 attacked users by Phish messages from external senders using Teams
Top 10 external senders sending Teams messagesHunting Query📦 SolutionMicrosoft Defender XDRThis query visulises all up Top 10 external senders sending Teams messages
Top 10 External senders sending Teams phishing messsagesHunting Query📦 SolutionMicrosoft Defender XDRThis query looking for top 10 External senders sending Team phishing messsages.
Top 10 sender domains - Admin Teams message submissions FNHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises Teams messages submitted by admins as false negatives, summarizing the data by top 10 sender domains of those messages
Top 10 sender domains - Teams user submissions FN or FPHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises Teams messages submitted by users as false negatives or false positives, summarizing the data by top 10 sender domains of those messages
Top 10 senders - Teams users submissions FN or FPHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises Teams messages submitted by user as false negatives or false positives, summarizing the data by top 10 indidvidual senders of those messages
Top 10 senders of Admin Teams message submissions FNHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises Teams messages submitted by admins as false negatives, summarizing the data by top 10 indidvidual senders of those messages
Top 10 senders of Admin Teams message submissions FPHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises Teams messages submitted by admins as false positives, summarizing the data by top 10 indidvidual senders of those messages
Top 10 Users clicking on malicious URLs in TeamsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualizes Top 10 Users clicking on malicious Phish or Malware URLs in Teams.
Top accounts performing Teams admin submissions FN or FPHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the top admins performing false negative or false positive admin submissions of Teams messages
Top accounts performing Teams user submissions FN or FPHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the top users performing false negative or false positive user submissions of Teams messages
Top domains outbound sending Malicious Teams messages inboundHunting Query📦 SolutionMicrosoft Defender XDRThis query looking for potential partner compromise via comparing outbound Teams message traffic per target domain and looking for malicious Teams messages from the same domains as inbound.
Top External malicious SendersHunting Query📦 SolutionMicrosoft Defender XDRTop external senders sending malicious inbound Teams messages Spam, Phish, Malware
Top External Sender domains - MalwareHunting Query📦 SolutionMicrosoft Defender XDRTop External Sender domains sending Teams message with Malware threats
Top External Sender domains - PhishHunting Query📦 SolutionMicrosoft Defender XDRTop External Sender domains sending Teams message with Phish threats
Top External Sender domains - SpamHunting Query📦 SolutionMicrosoft Defender XDRTop External Sender domains sending Teams message with Spam threats
Top malicious URLs clicked by users in TeamsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunt for top malicious URLs clicked by users in Teams
Total number of MDO Teams protection detections dailyHunting Query📦 SolutionMicrosoft Defender XDRThis query visulises Total number of MDO Teams protection detections daily
URL click on URLs in ZAP-d Teams messagesHunting Query📦 SolutionMicrosoft Defender XDRThis query visualizes URL clicks on URLs in Teams messages which were acted by ZAP.
Spam and Phish allowed to inbox by Admin OverridesHunting Query📦 SolutionMicrosoft Defender XDRThis query helps in reviewing malicious emails allowed due to admin overrides
Spam and Phish allowed to inbox by User OverridesHunting Query📦 SolutionMicrosoft Defender XDRThis query helps in reviewing malicious emails allowed due to user overrides
Top policies performing admin overridesHunting Query📦 SolutionMicrosoft Defender XDRThis query helps in reviewing top policies for admin overrides (Allow/Block)
Top policies performing user overridesHunting Query📦 SolutionMicrosoft Defender XDRThis query helps in reviewing top policies for user overrides (Allow/Block)
Total Emails with Admin Overrides (Allow)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of emails subject to an admin policy with action of allow, independent of action taken, summarizing the data by type of override
Total Emails with Admin Overrides (Block)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of emails subject to an admin policy with action of block, summarizing the data daily
Total Emails with User Overrides (Allow)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of emails subject to a user type policy with action of allow, summarizing the data by type of override and threats type found
Total Emails with User Overrides (Block)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of emails subject to a user type policy with action of block, summarizing the data daily
Appspot Phishing AbuseHunting Query📦 SolutionMicrosoft Defender XDRThis query helps surface phishing campaigns associated with Appspot abuse.
Phish Detections TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish detections over time summarizing the data daily.
Phish Detections (High) by delivery locationHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails with Phish detections (High confidence) summarizing the data by Delivery Location.
Phish Detections (Normal) by delivery locationHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails with Phish detections (Normal confidence) summarizing the data by Delivery Location.
Phish Detections by delivery location trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish detections over time summarizing the data daily by Delivery Location.
Phish Detections by Detection technology TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish detections over time summarizing the data daily by various Phish Detection technologies/controls
Phish Detections by Detection technologyHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish detections summarizing the data by various Phish detection technologies/controls
Possible device code phishing attemptsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps hunting for possible device code Phishing attempts
Punycode lookalikesHunting Query📦 SolutionMicrosoft Defender XDRPunycode lookalike domains in Emails and Teams messages
Email Top Domains sending PhishHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails with Phish detections summarizing the data by the top email sender P2 domain (SenderFromDomain).
Top Users receiving PhishHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails with Phish detections summarizing the data by the top recipient email address (RecipientEmailAddress)
Zero-day Phish Detections TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish detections over time summarizing the data daily by Phish detection technologies/controls used for detecting unknown-unique phish
Campaign with randomly named attachmentsHunting Query📦 SolutionMicrosoft Defender XDRIn this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
Campaign with suspicious keywordsHunting Query📦 SolutionMicrosoft Defender XDRIn this detection, we track emails with suspicious keywords in subjects.
Custom detection-Emails with QR from non-prevalent sendersHunting Query📦 SolutionMicrosoft Defender XDRIn this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
Emails delivered having URLs from QR codesHunting Query📦 SolutionMicrosoft Defender XDRIn this query, we hunt for inbound emails delivered having URLs from QR codes
Emails with QR codes and suspicious keywords in subjectHunting Query📦 SolutionMicrosoft Defender XDRIn this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
Emails with QR codes from non-prevalent senderHunting Query📦 SolutionMicrosoft Defender XDRIn this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
Hunting for sender patternsHunting Query📦 SolutionMicrosoft Defender XDRIn this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
Hunting for user signals-clustersHunting Query📦 SolutionMicrosoft Defender XDRIn this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
Inbound emails with QR code URLsHunting Query📦 SolutionMicrosoft Defender XDRIn this query, we summarize volume of inbound emails with QR code URLs in last 30 days
Personalized campaigns based on the first few keywordsHunting Query📦 SolutionMicrosoft Defender XDRIn this detection, we track emails with personalized subjects.
Personalized campaigns based on the last few keywordsHunting Query📦 SolutionMicrosoft Defender XDRIn this detection, we track emails with personalized subjects.
Risky sign-in attempt from a non-managed deviceHunting Query📦 SolutionMicrosoft Defender XDRIn this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
Suspicious sign-in attempts from QR code phishing campaignsHunting Query📦 SolutionMicrosoft Defender XDRThis detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
Group quarantine releaseHunting Query📦 SolutionMicrosoft Defender XDRThis query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
High Confidence Phish ReleasedHunting Query📦 SolutionMicrosoft Defender XDRThis query shows information about high confidence phish email that has been released from the Quarantine.
Quarantine Phish Reason trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of phish emails that are quarantined, summarized daily by the detection method
Quarantine Phish ReasonHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of phish emails that are quarantined, summarized by the detection method
Quarantine Release Email DetailsHunting Query📦 SolutionMicrosoft Defender XDRThis query shows information about email that has been released from the Quarantine in Defender for Office 365.
Quarantine release trendHunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing quarantine release trend in Defender for Office 365
Quarantine releases by Detection TypesHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails released from quarantine and summarizing the result by the original filter verdict
Quarantine Spam Reason trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of spam emails that are quarantined, summarized daily by the detection method
Quarantine Spam ReasonHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of spam emails that are quarantined, summarized by the detection method
AIR investigation actions insightHunting Query📦 SolutionMicrosoft Defender XDRThis query provides insights into AIR investigation actions in Microsoft Defender for Office 365.
Listing Email Remediation Actions via ExplorerHunting Query📦 SolutionMicrosoft Defender XDRListing Email Remediation Actions performed via Explorer in Defender for Office 365
Top 10 domains sending Bulk emailHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails which has any Bulk complaint level.
Spam detection by delivery locationHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Spam detections over time summarizing the data daily by Delivery Location.
Spam detection by IP and its locationHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Spam detections summarizing the data by email sender IP address (SenderIPv4, SenderIPv6).
Bulk Emails by Sender Bulk Complaint levelHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails which has any Bulk complaint level.
Spam detection technologiesHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Spam detections summarizing the data by various Spam detection technologies/controls.
Email Top 10 Domains sending SpamHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails with Spam detections.
Email Top 10 Targeted Users (Spam)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises top 10 users targeted with Spam.
Email Top 15 Domains sending Spam with Additional DetailsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total inbound emails with Spam detections summarizing the data by the top 15 email sender P2 domain (SenderFromDomain).
Email Top 15 Targeted Users (Spam) with Additional DetailsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises top 15 users targeted with Spam with summarized spam detections.
Spam detection trendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Spam detections over time summarizing the data daily
Spam Detections by Detection technologyHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Spam detections over time by various Spam Detection technologies/controls.
Display Name - Spoof and ImpersonationHunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name
Impersonation Detections by Detection Technology TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology over time
Impersonation Detections by Detection TechnologyHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology
Impersonation Detections TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish (BEC) - Impersonation detections over time.
referral-phish-emailsHunting Query📦 SolutionMicrosoft Defender XDRHunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
Spoof and impersonation detections by sender IPHunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing count of spoof and impersonation detections done per sender IP
Spoof and impersonation phish detectionsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing count of phish detections done by spoof detection methods
Spoof Detections by Detection Technology TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish (BEC) Spoof detections by Detection Technology over time
Spoof Detections by Detection TechnologyHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails with Phish (BEC) Spoof detections by Detection Technology
Spoof Detections TrendHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises total emails Business Email Compromise (BEC) Spoofing detections over time summarizing the data daily.
Top Domains Outbound with Emails with Threats Inbound (Partner BEC)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders)
User not covered under display name impersonationHunting Query📦 SolutionMicrosoft Defender XDRThis query helps to find threats using display name impersonation for users not already protected with User Impersonation
Admin Submission Trend (FN)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of admin false negative submission by submission type.
Admin Submission Trend (FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of admin false positive submission by submission type.
Admin Submissions by DetectionMethod (Phish FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the original detection technology of emails submitted as phish false positive by admins
Admin Submissions by DetectionMethod (Spam FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the original detection technology of emails submitted as spam false positive by admins
Admin Submissions by Detection TypeHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises all emails submitted as false positive by admins summarizing by the original filter verdict threat type
Admin Submissions by Grading verdict (FN-FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of admin false negative or false positive submissions by the verdict of the submission grading.
Admin Submissions by Submission State (FN)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of admin false negative submissions by the state of the submission.
Admin Submissions by Submission State (FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of admin false positive submissions by the state of the submission.
Admin Submissions by Submission Type (FN)Hunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing admin reported email submissions
Admin Submissions by Submission Type (FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of admin false positive submission by submission type.
Top accounts performing admin submissions (FN)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the top admins performing false negative submissions
Top accounts performing admin submissions (FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the top admins performing false positive submissions
Top accounts performing user submissionsHunting Query📦 SolutionMicrosoft Defender XDRThis query graphs top accounts performing user submissions
Top 10 Detection Overrides - Admin Email Submissions (FN)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails submitted as false negatives by admins where emails where already detected by MDO but there was an admin policy override
Top 10 sender domains - Admin email submissions (FN)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails submitted by admins as false negatives, summarizing the data by top 10 sender domains of those emails
Top 10 sender domains - Admin email submissions (FP)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails submitted by admins as false positives, summarizing the data by top 10 sender domains of those emails
Total Submissions by Submission TypeHunting Query📦 SolutionMicrosoft Defender XDRTotal Submissions by Submission Status
Total Submissions by Submission TypeHunting Query📦 SolutionMicrosoft Defender XDRTotal Submissions by Submission Type
User reported submissionsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps reviewing user reported email submissions
User Email Submissions accuracy vs Admin review verdictHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises user submissions type compared to admin review verdict
User Email Submissions (FN) - Top Detection Overrides by AdminsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails submitted as false negatives by users where emails were already detected by MDO but there was an admin definded policy override
User Email Submissions (FN) - Top Detection Overrides by UsersHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises emails submitted as false negatives by users where emails were already detected by MDO but there was a policy override.
User Email Submissions (FN) - Top Inbound P2 Senders domainsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises top sender domains of inbound emails submitted as false negatives by users.
User Email Submissions (FN) - Top Inbound P2 SendersHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises top sender email addresses of inbound emails submitted as false negatives by users.
User Email Submissions (FN) - Top Intra-Org P2 SendersHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises top sender email addresses of intra-org emails submitted as false negatives by users.
User Email Submissions (FN) - Top Intra-Org SubjectsHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises top 10 subjects of intra-org emails submitted as false negatives by users.
User Email Submissions by Admin review status (Mark and Notify)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises user submissions where an admin also performed the 'mark and notify' action on the submission.
User Email Submissions (FN-FP) by Grading verdictHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of user false negative or false positive submissions by the verdict of the submission grading.
User Email Submissions (FN) by Submission TypeHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of user false negative submissions by submission type, including reported phishing-simulation emails.
User email submissions (FN) from Junk FolderHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the total amount of user false negative submissions from the junk folder.
User Email Submission Trend (FN)Hunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of users' false negative submissions by submission type, including phishing simulations reported by users.
Attacked more than x times averageHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review the count of users attacked more than x times the average.
Malicious mails by sender IPsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review sender IPs that send malicious email of type Malware or Phish.
Top 10% of most attacked usersHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review the list of the top 10% of most attacked users.
Top 10 URL domains attacking organizationHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review the list of the top 10 URL domains attacking the organization.
Top external malicious sendersHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review the top external senders of malware or phishing emails in an organization in the last 30 days.
Top targeted usersHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review the top users targeted with malware or phishing emails in an organization in the last 30 days.
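The "top targeted users", "attacked more than x times average", "top 10% of most attacked users", "malicious mails by sender IPs" and "top external malicious senders" queries above are all one aggregation over Defender for Office 365 EmailEvents: keep Malware/Phish detections in a lookback window, then count per recipient, sender or sender IP. The Python below is an added example, not the solution's own KQL, that runs that aggregation over a constructed set of EmailEvents-style records. The column names mirror EmailEvents (RecipientEmailAddress, SenderFromAddress, SenderIPv4, ThreatTypes, EmailDirection); the sample rows, addresses and IPs are made up, and the 30-day window and the x = 2 factor are assumed defaults.

```python
"""Email-threat statistics over constructed EmailEvents-style records.

Added example: the rows below are made up, not Defender telemetry, and the
functions reproduce the aggregations the hunting queries describe.
"""
from collections import Counter
from datetime import datetime, timedelta
import math

MALICIOUS_TYPES = {"Malware", "Phish"}   # Spam is not counted as an attack
NOW = datetime(2025, 1, 31)              # fixed "now" so the sample is reproducible


def _event(days_ago, recipient, sender, sender_ip, threat_types, direction="Inbound"):
    """One constructed EmailEvents-style record (column names mirror the real table)."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "RecipientEmailAddress": recipient,
        "SenderFromAddress": sender,
        "SenderIPv4": sender_ip,
        "ThreatTypes": threat_types,      # comma-separated list, as in EmailEvents
        "EmailDirection": direction,      # Inbound / Outbound / Intra-org
    }


# Constructed sample: alice is hit 6 times, bob 3 times, carol/dave/eve once each
SAMPLE_EVENTS = [
    _event(1, "alice@contoso.com", "evil@badcorp.example", "203.0.113.10", "Phish"),
    _event(2, "alice@contoso.com", "evil@badcorp.example", "203.0.113.10", "Phish"),
    _event(3, "alice@contoso.com", "mal@other.example", "198.51.100.7", "Malware"),
    _event(4, "alice@contoso.com", "mal@other.example", "198.51.100.7", "Malware"),
    _event(5, "alice@contoso.com", "evil@badcorp.example", "203.0.113.10", "Phish, Malware"),
    _event(6, "alice@contoso.com", "bob@contoso.com", "10.0.0.5", "Phish", "Intra-org"),
    _event(1, "bob@contoso.com", "evil@badcorp.example", "203.0.113.10", "Phish"),
    _event(2, "bob@contoso.com", "mal@other.example", "198.51.100.7", "Malware"),
    _event(3, "bob@contoso.com", "evil@badcorp.example", "203.0.113.10", "Phish"),
    _event(7, "carol@contoso.com", "spam@list.example", "192.0.2.9", "Spam"),      # spam only: ignored
    _event(7, "carol@contoso.com", "mal@other.example", "198.51.100.7", "Malware"),
    _event(8, "dave@contoso.com", "evil@badcorp.example", "203.0.113.10", "Phish"),
    _event(9, "eve@contoso.com", "mal@other.example", "198.51.100.7", "Malware"),
    _event(45, "eve@contoso.com", "evil@badcorp.example", "203.0.113.10", "Phish"),  # outside 30 days
]


def malicious_events(events, days=30):
    """Keep Malware/Phish detections from the last `days` days; Spam-only rows drop out."""
    cutoff = NOW - timedelta(days=days)
    kept = []
    for ev in events:
        types = {t.strip() for t in ev["ThreatTypes"].split(",")}
        if ev["Timestamp"] >= cutoff and types & MALICIOUS_TYPES:
            kept.append(ev)
    return kept


def _ranked(counter):
    """Sort (key, count) pairs by count descending, then key, for stable output."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def top_targeted_users(events, n=10, days=30):
    """'Top targeted users': recipients with the most malware/phish emails."""
    return _ranked(Counter(ev["RecipientEmailAddress"] for ev in malicious_events(events, days)))[:n]


def top_external_malicious_senders(events, n=10, days=30):
    """'Top external malicious senders': inbound only, so intra-org senders are excluded."""
    return _ranked(Counter(ev["SenderFromAddress"] for ev in malicious_events(events, days)
                           if ev["EmailDirection"] == "Inbound"))[:n]


def malicious_sender_ips(events, days=30):
    """'Malicious mails by sender IPs': count of malware/phish emails per source IP."""
    return _ranked(Counter(ev["SenderIPv4"] for ev in malicious_events(events, days)))


def users_attacked_over_average(events, x=2.0, days=30):
    """'Attacked more than x times average': users whose count exceeds x * mean per attacked user."""
    ranked = top_targeted_users(events, n=None, days=days)
    if not ranked:
        return []
    mean = sum(count for _, count in ranked) / len(ranked)
    return [(user, count) for user, count in ranked if count > x * mean]


def top_percent_attacked_users(events, percent=10, days=30):
    """'Top 10% of most attacked users': the highest ceil(percent%) of attacked recipients."""
    ranked = top_targeted_users(events, n=None, days=days)
    return ranked[: math.ceil(len(ranked) * percent / 100)]


if __name__ == "__main__":
    print(top_targeted_users(SAMPLE_EVENTS))
    print(users_attacked_over_average(SAMPLE_EVENTS))
    print(top_external_malicious_senders(SAMPLE_EVENTS))
```

Over the constructed sample, alice is the only user above twice the mean (6 of 12 attacks over 5 attacked users) and the only member of the top 10%; the intra-org row counts toward her as a target but not toward external senders.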
Malicious Clicks allowed (click-through)Hunting Query📦 SolutionMicrosoft Defender XDRVisualises malicious URL clicks that were allowed through Safe Links over time, helping analysts identify when users bypass security controls and click on malicious content. Based on Defender for Offi...
Malicious Emails with QR code UrlsHunting Query📦 SolutionMicrosoft Defender XDRVisualises emails containing QR code URLs that have been detected as malicious, helping analysts identify QR code-based attack campaigns. Based on Defender for Office 365 workbook: https://techcommuni...
PhishingEmailUrlRedirector (1)Hunting Query📦 SolutionMicrosoft Defender XDRThe query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.
SafeLinks URL detectionsHunting Query📦 SolutionMicrosoft Defender XDRThis query provides insights on the detections done by SafeLinks protection in Defender for Office 365
Top 10 Users clicking on Malicious URLs (Malware)Hunting Query📦 SolutionMicrosoft Defender XDRVisualises the top 10 users with click attempts on URLs in emails detected as malware, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook: ...
Top 10 Users clicking on Malicious URLs (Phish)Hunting Query📦 SolutionMicrosoft Defender XDRVisualises the top 10 users with click attempts on URLs in emails detected as phishing, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook:...
Top 10 Users clicking on Malicious URLs (Spam)Hunting Query📦 SolutionMicrosoft Defender XDRVisualises the top 10 users with click attempts on URLs in emails detected as spam, helping analysts identify risky user behaviour and potential targets. Based on Defender for Office 365 workbook: htt...
URL Click attempts by threat typeHunting Query📦 SolutionMicrosoft Defender XDRVisualises the total amount of click attempts on URLs with detections, split by the different threat types identified. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/bl...
URL Clicks by ActionHunting Query📦 SolutionMicrosoft Defender XDRSummarizes URL click events by action type to help analysts understand user click behavior and policy effectiveness. Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog...
URLs by locationHunting Query📦 SolutionMicrosoft Defender XDRVisualises where URLs have been identified in emails, summarizing by location (for example: Attachment, header, body) to help analysts understand distribution and risk. Based on Defender for Office 36...
End user malicious clicksHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review the list of top users who clicked on phishing URLs.
URL click count by click actionHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review URL click counts by ClickAction.
URL click on ZAP emailHunting Query📦 SolutionMicrosoft Defender XDRThis query looks for URL clicks on emails that were actioned by zero-hour auto purge (ZAP).
URL clicks actions by URLHunting Query📦 SolutionMicrosoft Defender XDRThis query looks at URL click actions by URL in the last 7 days.
URLClick details based on malicious URL click alertHunting Query📦 SolutionMicrosoft Defender XDRThis query looks for URL clicks on emails that generated the alert 'A potentially malicious URL click was detected'.
User clicked through eventsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps review malicious clicks where the user was allowed to proceed to the malicious URL.
User clicks on malicious inbound emailsHunting Query📦 SolutionMicrosoft Defender XDRThis query provides insights on users who clicked on a suspicious URL.
User clicks on phishing URLs in emailsHunting Query📦 SolutionMicrosoft Defender XDRThis query helps determine click-throughs on emails that were delivered because of detection overrides.
Post Delivery Events by AdminHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of emails that had an admin post delivery action, summarizing the data by action type
Post Delivery Events by LocationHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the amount of emails that had a post delivery action, summarizing the data daily by the final location as a result of the action
Post Delivery Events by ZAP typeHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of emails that had a post delivery action from zero-hour auto purge, summarizing by phish, spam or malware detection action.
Post Delivery Events over timeHunting Query📦 SolutionMicrosoft Defender XDRThis query visualises the daily amount of emails that had a post delivery action from zero-hour auto purge.
Dropping Payload via certutilHunting Query📦 SolutionMicrosoft Defender XDRBazaCall campaign tricks users into calling a fake customer support center, and download a malicious Excel file which contains a macro to infect users' device with BazaLoader. This query searches for ...
Deimos Component ExecutionHunting Query📦 SolutionMicrosoft Defender XDRJupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization...
LemonDuck Registration FunctionHunting Query📦 SolutionMicrosoft Defender XDRLemonDuck is a malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operatio...
Devices with Log4j vulnerability alerts and additional other alert related contextHunting Query📦 SolutionMicrosoft Defender XDRMicrosoft has observed threat actors exploiting vulnerabilities associated with Log4J.
Alerts Related to Log4j VulnerabilityHunting Query📦 SolutionMicrosoft Defender XDRMicrosoft has observed attackers exploiting vulnerabilities associated with Log4J.
Imminent RansomwareHunting Query📦 SolutionMicrosoft Defender XDRBefore deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.
Malicious Use of MSBuild as LOLBinHunting Query📦 SolutionMicrosoft Defender XDRPrior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.
Qakbot Reconnaissance ActivitiesHunting Query📦 SolutionMicrosoft Defender XDRThis query searches for reconnaissance and beaconing activities after code injection occurs in Qakbot infections.
Java Executing cmd to run PowershellHunting Query📦 SolutionMicrosoft Defender XDRThis query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.
Blocked Clicks Trend 🔍Hunting Query📦 SolutionMicrosoft Defender XDRVisualises the trend of malicious URL clicks that were blocked by Safe Links over the past 30 days, helping analysts monitor the effectiveness of click protection policies. Based on Defender for Offic...
Malicious URL Clicks by workload 🔍Hunting Query📦 SolutionMicrosoft Defender XDRVisualises click attempts on malicious URLs, grouped by workload (such as Exchange, Teams, SharePoint, Copilot etc.), to help analysts understand which workloads are most targeted. Based on Defender f...
MicrosoftDefenderForEndPointWorkbook📦 SolutionMicrosoft Defender XDR
MicrosoftDefenderForIdentityWorkbook📦 SolutionMicrosoft Defender XDR
MicrosoftDefenderForOffice365detectionsandinsightsWorkbook📦 SolutionMicrosoft Defender XDR
Create an Attack Simulator training simulation for users who did not report a phishing attempt 🔍Playbook📦 SolutionMicrosoft Defender XDRThis playbook creates an educational Attack Simulator 'How-To Guide' simulation for end-users who failed to report a message as phishing (e.g. reported as junk, deleted the email, etc.) to the SOC.
Account Created and Deleted in Short TimeframeAnalytic Rule📦 SolutionMicrosoft Entra IDSearch for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer nee...
Account created or deleted by non-approved userAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results. Ref : https://docs.microsoft.co...
Modified domain federation trust settingsAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated. For example, this alert will trigger when a new Act...
Password spray attack against ADFSSignInLogsAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window. Reference: ...
Admin promotion after Role Management Application Permission GrantAnalytic Rule📦 SolutionMicrosoft Entra IDThis rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add a Microsoft Entra ID object or user acco...
Anomalous sign-in location by user account and authenticating applicationAnalytic Rule📦 SolutionMicrosoft Entra IDThis query over Microsoft Entra ID sign-in logs considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individu...
Authentication Methods Changed for Privileged AccountAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access. Ref : https...
Microsoft Entra ID PowerShell accessing non-Entra ID resourcesAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized be...
Microsoft Entra ID Role Management Permission GrantAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage...
Azure Portal sign in from another Azure TenantAnalytic Rule📦 SolutionMicrosoft Entra IDThis query looks for successful sign-in attempts to the Azure Portal where the user is signing in from another Azure tenant and the IP address the login attempt comes from is an Azure IP. A threat a...
Azure RBAC (Elevate Access)Analytic Rule📦 SolutionMicrosoft Entra IDDetects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator ...
Brute Force Attack against GitHub AccountAnalytic Rule📦 SolutionMicrosoft Entra IDDetects attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be gener...
Brute force attack against a Cloud PCAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures followed by a successful authentication within a given time window.
Bulk Changes to Privileged Account PermissionsAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when the permissions of multiple users are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your ...
Attempt to bypass conditional access rule in Microsoft Entra IDAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Condit...
Conditional Access - A Conditional Access app exclusion has changedAnalytic Rule📦 SolutionMicrosoft Entra IDA Conditional Access app exclusion has changed in Entra ID.
Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)Analytic Rule📦 SolutionMicrosoft Entra IDA Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) in Entra ID.
Conditional Access - A Conditional Access policy was deletedAnalytic Rule📦 SolutionMicrosoft Entra IDA Conditional Access policy was deleted from Entra ID.
Conditional Access - A Conditional Access policy was disabledAnalytic Rule📦 SolutionMicrosoft Entra IDA Conditional Access policy was disabled in Entra ID.
Conditional Access - A Conditional Access policy was put into report-only modeAnalytic Rule📦 SolutionMicrosoft Entra IDA Conditional Access policy was put into report-only mode in Entra ID.
Conditional Access - A Conditional Access policy was updatedAnalytic Rule📦 SolutionMicrosoft Entra IDA Conditional Access policy was updated in Entra ID.
Conditional Access - A Conditional Access user/group/role exclusion has changedAnalytic Rule📦 SolutionMicrosoft Entra IDA Conditional Access user/group/role exclusion has changed in Entra ID.
Conditional Access - A new Conditional Access policy was createdAnalytic Rule📦 SolutionMicrosoft Entra IDA new Conditional Access policy was created in Entra ID.
Conditional Access - Dynamic Group Exclusion ChangesAnalytic Rule📦 SolutionMicrosoft Entra IDDetects changes to Dynamic Membership Rules for specified groups (often used in CA exclusions).
Credential added after admin consented to ApplicationAnalytic Rule📦 SolutionMicrosoft Entra IDThis query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user. If a threat act...
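"Account Created and Deleted in Short Timeframe" and "Credential added after admin consented to Application" are both two-event correlations over Entra ID audit logs: a second operation on the same target within a window after a first one, in the second case by a different actor. The Python below is an added example, not the rules' own KQL, that runs one generic correlation over constructed AuditLogs-style rows and expresses both rules as instances of it. The OperationName values mirror the Entra audit log names such rules match on; the Target and InitiatedBy fields are flattened here (real AuditLogs rows carry them nested in TargetResources and InitiatedBy), the sample rows and accounts are made up, and the 24-hour and 1-hour windows are assumed defaults.

```python
"""Two-event sequence correlation over constructed AuditLogs-style records.

Added example: the rows below are made up, not Entra ID telemetry.
"""
from datetime import datetime, timedelta


def _audit(ts, operation, target, actor):
    """One constructed AuditLogs-style row, flattened: real rows carry the target
    and initiator inside nested TargetResources / InitiatedBy columns."""
    return {"TimeGenerated": datetime.fromisoformat(ts), "OperationName": operation,
            "Target": target, "InitiatedBy": actor}


SAMPLE_AUDIT = [
    # account created and deleted within a working day (suspicious)
    _audit("2025-01-10T09:00", "Add user", "svc-temp@contoso.com", "mallory@contoso.com"),
    _audit("2025-01-10T15:30", "Delete user", "svc-temp@contoso.com", "mallory@contoso.com"),
    # account that lived for weeks (normal joiner/leaver)
    _audit("2025-01-01T08:00", "Add user", "newhire@contoso.com", "hr-admin@contoso.com"),
    _audit("2025-01-20T08:00", "Delete user", "newhire@contoso.com", "hr-admin@contoso.com"),
    # admin consents, then a different user adds a credential minutes later (suspicious)
    _audit("2025-01-12T10:00", "Consent to application", "Mail Sync Helper", "admin@contoso.com"),
    _audit("2025-01-12T10:07", "Add service principal credentials", "Mail Sync Helper", "mallory@contoso.com"),
    # same admin consents and adds the credential (ordinary app onboarding)
    _audit("2025-01-13T11:00", "Consent to application", "HR Portal", "admin@contoso.com"),
    _audit("2025-01-13T11:05", "Add service principal credentials", "HR Portal", "admin@contoso.com"),
    # credential added with no preceding consent in the data
    _audit("2025-01-14T09:00", "Add service principal credentials", "Orphan App", "mallory@contoso.com"),
]


def correlate(events, first_op, second_op, window, different_actor=False):
    """Pair each `second_op` event with the most recent `first_op` event on the
    same target that happened no more than `window` before it. With
    `different_actor` set, pairs made by the same initiator are dropped."""
    ordered = sorted(events, key=lambda e: e["TimeGenerated"])
    last_first = {}          # target -> most recent first_op event seen so far
    hits = []
    for ev in ordered:
        if ev["OperationName"] == first_op:
            last_first[ev["Target"]] = ev
        elif ev["OperationName"] == second_op:
            first = last_first.get(ev["Target"])
            if first is None:
                continue
            delta = ev["TimeGenerated"] - first["TimeGenerated"]
            if delta > window:
                continue
            if different_actor and first["InitiatedBy"] == ev["InitiatedBy"]:
                continue
            hits.append({"target": ev["Target"], "first_actor": first["InitiatedBy"],
                         "second_actor": ev["InitiatedBy"], "delta": delta,
                         "first_time": first["TimeGenerated"], "second_time": ev["TimeGenerated"]})
    return hits


def created_then_deleted(events, max_age=timedelta(hours=24)):
    """'Account Created and Deleted in Short Timeframe': Add user -> Delete user within max_age."""
    return correlate(events, "Add user", "Delete user", max_age)


def credential_after_consent(events, window=timedelta(hours=1)):
    """'Credential added after admin consented to Application': consent by one
    user, then a service principal credential added by another user."""
    return correlate(events, "Consent to application", "Add service principal credentials",
                     window, different_actor=True)


if __name__ == "__main__":
    for hit in created_then_deleted(SAMPLE_AUDIT) + credential_after_consent(SAMPLE_AUDIT):
        print(hit)
```

Only the svc-temp account and the Mail Sync Helper credential come out as hits; the 19-day-old account, the same-actor onboarding and the credential with no consent in view are filtered by the window, the actor check and the missing first event respectively.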
Cross-tenant Access Settings Organization AddedAnalytic Rule📦 SolutionMicrosoft Entra IDOrganizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than th...
Cross-tenant Access Settings Organization DeletedAnalytic Rule📦 SolutionMicrosoft Entra IDOrganizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Mi...
Cross-tenant Access Settings Organization Inbound Collaboration Settings ChangedAnalytic Rule📦 SolutionMicrosoft Entra IDOrganizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Set...
Cross-tenant Access Settings Organization Inbound Direct Settings ChangedAnalytic Rule📦 SolutionMicrosoft Entra IDOrganizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings a...
Cross-tenant Access Settings Organization Outbound Collaboration Settings ChangedAnalytic Rule📦 SolutionMicrosoft Entra IDOrganizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Se...
Cross-tenant Access Settings Organization Outbound Direct Settings ChangedAnalytic Rule📦 SolutionMicrosoft Entra IDOrganizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings ...
Attempts to sign in to disabled accountsAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies failed attempts to sign in to disabled accounts across multiple Azure Applications. Default threshold for Azure Applications attempted to sign in to is 3. References: https://docs.microsoft...
Distributed Password cracking attempts in Microsoft Entra IDAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs. The query looks for unusually high number of failed password attempts coming from multiple locations for a use...
full_access_as_app Granted To ApplicationAnalytic Rule📦 SolutionMicrosoft Entra IDThis detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent. This permission provides access to all Exchange mailboxes via the EWS API and could ...
[Deprecated] Explicit MFA DenyAnalytic Rule📦 SolutionMicrosoft Entra IDUser explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised. This rule is deprecated as of July-2024. Alternative rule with similar logic and ...
Failed login attempts to Azure PortalAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute ...
First access credential added to Application or Service Principal where no credential was presentAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when an admin or app owner account adds a new credential to an Application or Service Principal where no verified KeyCredential was previously associated. If a threat actor obtains a...
Guest accounts added in Entra ID Groups other than the ones specifiedAnalytic Rule📦 SolutionMicrosoft Entra IDGuest accounts are added in the organization's tenants to perform various tasks, e.g. project execution, support, etc. This detection notifies when guest users are added to Microsoft Entra ID Groups othe...
Mail.Read Permissions Granted to ApplicationAnalytic Rule📦 SolutionMicrosoft Entra IDThis query looks for applications that have been granted (Delegated or App/Role) permissions to read mail (the Permissions field contains Mail.Read) and that have subsequently been consented to. This can help identif...
Suspicious application consent similar to O365 Attack ToolkitAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-...
Suspicious application consent similar to PwnAuthAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The def...
MFA Rejected by UserAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and ...
MFA Spamming followed by Successful loginAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies MFA spamming followed by a successful authentication within a given time window. The default failure count is 10 with 1 successful login, and the default time window is 5 mi...
Multiple admin membership removals from newly created admin.Analytic Rule📦 SolutionMicrosoft Entra IDThis query detects when a newly created Global admin removes multiple existing global admins, which can be an attempt by adversaries to lock down the organization and retain sole access. Investigate reason...
New access credential added to Application or Service PrincipalAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verified KeyCredential was already present for the app. If a threat actor obtains ...
New onmicrosoft domain added to tenantAnalytic Rule📦 SolutionMicrosoft Entra IDThis detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for l...
NRT Modified domain federation trust settingsAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated. For example, this alert will trigger when a new Act...
NRT Authentication Methods Changed for VIP UsersAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.
NRT First access credential added to Application or Service Principal where no credential was presentAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when an admin or app owner account adds a new credential to an Application or Service Principal where no verified KeyCredential was previously associated. If a threat actor obtains a...
NRT New access credential added to Application or Service PrincipalAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verified KeyCredential was already present for the app. If a threat actor obtains ...
NRT PIM Elevation Request RejectedAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/a...
NRT Privileged Role Assigned Outside PIMAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies a privileged role being assigned to a user outside of PIM. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1
NRT User added to Microsoft Entra ID Privileged GroupsAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-aud...
PIM Elevation Request RejectedAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/a...
Possible SignIn from Azure BackdoorAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user in the newly added domain. Threat actors may add custom domains to create a backdoor to you...
Privileged Accounts - Sign in Failure SpikesAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies spikes in failed sign-ins from privileged accounts. The privileged accounts list can be based on the IdentityInfo UEBA table. The spike is determined by a time series anomaly that looks at his...
Privileged Role Assigned Outside PIMAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies a privileged role being assigned to a user outside of PIM. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1
Rare application consentAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azur...
Password spray attack against Microsoft Entra ID Seamless SSOAnalytic Rule📦 SolutionMicrosoft Entra IDThis query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated. Micros...
GitHub Signin Burst from Multiple LocationsAnalytic Rule📦 SolutionMicrosoft Entra IDThis detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO). This detection is based on configurable threshold which can be prone to false positives. To view...
Sign-ins from IPs that attempt sign-ins to disabled accountsAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened. This could indicate an attacker who obt...
Brute force attack against Azure PortalAnalytic Rule📦 SolutionMicrosoft Entra IDDetects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations. Ref: https:/...
Password spray attack against Microsoft Entra ID applicationAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of ac...
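The password-spray and brute-force rules above (Connect Health for AD FS, Cloud PC, Azure Portal, Entra ID applications) reduce to two counts over SigninLogs: distinct accounts failing from one source IP inside a window, and failures for one account followed by a success inside a window. The Python below is an added example, not the rules' own KQL, that runs both checks over constructed SigninLogs-style rows. The field names mirror SigninLogs (TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName); the sample rows, accounts and IPs are made up; the brute-force threshold follows the default the Azure Portal rule's description states (10 failures, 20-minute window) and the spray threshold (5 accounts in 1 hour) is an assumption.

```python
"""Password-spray and brute-force checks over constructed SigninLogs-style records.

Added example: the rows below are made up, not Entra ID telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 1, 31, 9, 0)   # fixed start time so the sample is reproducible


def _signin(minutes, user, ip, result="0", app="Azure Portal"):
    """One constructed SigninLogs-style row. ResultType "0" is a success; any
    other value is an Entra error code ("50126" = invalid username or password)."""
    return {"TimeGenerated": BASE + timedelta(minutes=minutes),
            "UserPrincipalName": user, "IPAddress": ip,
            "ResultType": result, "AppDisplayName": app}


SAMPLE_SIGNINS = (
    # alice: three typos then success from her usual IP (benign)
    [_signin(m, "alice@contoso.com", "198.51.100.20", "50126") for m in (0, 2, 4)]
    + [_signin(5, "alice@contoso.com", "198.51.100.20")]
    # spray: one IP, six different accounts, one failure each, inside 30 minutes
    + [_signin(60 + 5 * i, f"user{i}@contoso.com", "203.0.113.50", "50126") for i in range(6)]
    # bob: two failures then success (benign)
    + [_signin(70, "bob@contoso.com", "198.51.100.20", "50126"),
       _signin(71, "bob@contoso.com", "198.51.100.20", "50126"),
       _signin(72, "bob@contoso.com", "198.51.100.20")]
    # brute force on carol: ten failures in ten minutes, then a success from the same IP
    + [_signin(120 + i, "carol@contoso.com", "203.0.113.77", "50126") for i in range(10)]
    + [_signin(132, "carol@contoso.com", "203.0.113.77")]
)


def password_spray(signins, window=timedelta(hours=1), min_accounts=5):
    """Password spray: one source IP failing against at least `min_accounts`
    distinct accounts inside any `window`. Returns {ip: max distinct accounts}."""
    failures = defaultdict(list)
    for ev in signins:
        if ev["ResultType"] != "0":
            failures[ev["IPAddress"]].append((ev["TimeGenerated"], ev["UserPrincipalName"]))
    hits = {}
    for ip, evs in failures.items():
        evs.sort()
        best = 0
        for i, (t_end, _) in enumerate(evs):
            # distinct accounts in the window that ends at this failure
            accounts = {user for t, user in evs[: i + 1] if t >= t_end - window}
            best = max(best, len(accounts))
        if best >= min_accounts:
            hits[ip] = best
    return hits


def brute_force_then_success(signins, window=timedelta(minutes=20), min_failures=10):
    """Brute force: at least `min_failures` failed sign-ins for one account inside
    `window`, followed by a success. Returns one hit per qualifying success."""
    by_user = defaultdict(list)
    for ev in signins:
        by_user[ev["UserPrincipalName"]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        for ev in evs:
            if ev["ResultType"] != "0":
                continue
            t = ev["TimeGenerated"]
            prior = [e for e in evs
                     if e["ResultType"] != "0" and t - window <= e["TimeGenerated"] < t]
            if len(prior) >= min_failures:
                hits.append({"user": user, "success_time": t, "success_ip": ev["IPAddress"],
                             "failures": len(prior),
                             "failure_ips": sorted({e["IPAddress"] for e in prior})})
    return hits


if __name__ == "__main__":
    print(password_spray(SAMPLE_SIGNINS))
    print(brute_force_then_success(SAMPLE_SIGNINS))
```

With the defaults only the spraying IP and carol's account are flagged; lowering min_failures to 3 also flags alice's three typos, which is the false-positive trade-off the descriptions above warn about when thresholds are tuned down.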
Successful logon from IP and failure from a different IPAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guess...
Suspicious Entra ID Joined Device UpdateAnalytic Rule📦 SolutionMicrosoft Entra IDThis query looks for suspicious updates to a Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance. This could occur when a threat actor updates the...
Suspicious application consent for offline accessAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access will provide the Azure App with access to the listed resources with...
Suspicious Service Principal creation activityAnalytic Rule📦 SolutionMicrosoft Entra IDThis alert detects creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN within a time frame (default 10 minutes).
Suspicious Sign In Followed by MFA ModificationAnalytic Rule📦 SolutionMicrosoft Entra IDThis query uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
External guest invitation followed by Microsoft Entra ID PowerShell signinAnalytic Rule📦 SolutionMicrosoft Entra IDBy default, guests have the capability to invite more external guest users, and guests can also perform suspicious Microsoft Entra ID enumeration. This detection looks at guest users who have been invited or have i...
User Accounts - Sign in Failure due to CA SpikesAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies spikes in failed sign-ins from user accounts due to conditional access policies. The spike is determined by a time series anomaly that looks at historical baseline values. Ref : https:...
User added to Microsoft Entra ID Privileged GroupsAnalytic Rule📦 SolutionMicrosoft Entra IDThis will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-aud...
User Assigned New Privileged RoleAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when a new eligible or active privileged role is assigned to a user. Does not alert on PIM activations. Any account eligible for a role is now being given privileged access. If the assignme...
New User Assigned to Privileged RoleAnalytic Rule📦 SolutionMicrosoft Entra IDIdentifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the respons...
AzureActiveDirectoryAuditLogsWorkbook📦 SolutionMicrosoft Entra ID
AzureActiveDirectorySigninsWorkbook📦 SolutionMicrosoft Entra ID
ConditionalAccessSISMWorkbook📦 SolutionMicrosoft Entra ID
Revoke-Entra ID SignInSessions alert triggerPlaybook📦 SolutionMicrosoft Entra IDThis playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.
| Name | Type | Solution | Description |
|---|---|---|---|
| Revoke Entra ID Sign-in session using entity trigger | Playbook | Microsoft Entra ID | This playbook will revoke the user's sign-in sessions, and the user will have to authenticate again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookie... |
| Revoke Entra ID SignIn Sessions - incident trigger | Playbook | Microsoft Entra ID | This playbook will revoke all sign-in sessions for the user using the Graph API. It will send an email to the user's manager. |
| Reset Microsoft Entra ID User Password - Alert Trigger | Playbook | Microsoft Entra ID | This playbook will reset the user password using the Graph API. It will send the password (a random GUID substring) to the user's manager. The user will have to reset the password upon login. |
| Reset Microsoft Entra ID User Password - Entity trigger | Playbook | Microsoft Entra ID | This playbook will reset the user password using the Graph API. It will send the password (a random GUID substring) to the user's manager. The user will have to reset the password upon login. |
| Reset Microsoft Entra ID User Password - Incident Trigger | Playbook | Microsoft Entra ID | This playbook will reset the user password using the Graph API. It will send the password (a random GUID substring) to the user's manager. The user will have to reset the password upon login. |
| Prompt User - Alert | Playbook | Microsoft Entra ID | This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to Teams for the ... |
| Prompt User - Incident | Playbook | Microsoft Entra ID | This playbook will ask the user if they completed the action from the incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to Teams for t... |
| Block Microsoft Entra ID user - Alert | Playbook | Microsoft Entra ID | For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert, and notify the manager if available. Note: ... |
| Block Microsoft Entra ID user - Entity trigger | Playbook | Microsoft Entra ID | This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook is triggered from an incident context, it will add a comment to the incident. This playbook will notify t... |
| Block Entra ID user - Incident | Playbook | Microsoft Entra ID | For each account entity included in the incident, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert, and notify the manager if available. Not... |
| ConditionalAccessBenignStatusCodes | Watchlist | Microsoft Entra ID | |
| Correlate Unfamiliar sign-in properties & atypical travel alerts | Analytic Rule | Microsoft Entra ID Protection | The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high-severity incident. |
| Identity Protection response from Teams | Playbook | Microsoft Entra ID Protection | Run this playbook on incidents that contain suspicious Microsoft Entra ID identities. For each account, this playbook posts an adaptive card in the SOC Microsoft Teams channel, including the potenti... |
| Dismiss Microsoft Entra ID Risky User - Alert Triggered | Playbook | Microsoft Entra ID Protection | This playbook will dismiss the Risky User property in Microsoft Entra ID using the Microsoft Entra ID connectors. |
| Dismiss Microsoft Entra ID Risky User – Incident Triggered | Playbook | Microsoft Entra ID Protection | This playbook will dismiss the Risky User property in Microsoft Entra ID using the Microsoft Entra ID connectors. |
| Confirm Microsoft Entra ID Risky User - Alert Triggered | Playbook | Microsoft Entra ID Protection | This playbook will set the Risky User property in Microsoft Entra ID using the Graph API. |
| Confirm Microsoft Entra ID Risky User - Incident Triggered | Playbook | Microsoft Entra ID Protection | For each account entity included in the incident, this playbook will set the Risky User property in Microsoft Entra ID using the Graph beta API. |
| VIP Mailbox manipulation | Analytic Rule | Microsoft Exchange Security - Exchange On-Premises | Alerts if a cmdlet that can be interpreted as data exfiltration or mailbox access is executed on a VIP mailbox. |
| Server Oriented Cmdlet And User Oriented Cmdlet used | Analytic Rule | Microsoft Exchange Security - Exchange On-Premises | Detects when a monitored server-oriented cmdlet and a monitored user-oriented cmdlet are launched by the same user on the same server within a 10-minute timeframe. |
| Microsoft Exchange Admin Activity | Workbook | Microsoft Exchange Security - Exchange On-Premises | |
| Microsoft Exchange Least Privilege with RBAC | Workbook | Microsoft Exchange Security - Exchange On-Premises | |
| Microsoft Exchange Search AdminAuditLog | Workbook | Microsoft Exchange Security - Exchange On-Premises | |
| Microsoft Exchange Security Review | Workbook | Microsoft Exchange Security - Exchange On-Premises | |
| ExchangeAdminAuditLogs | Parser | Microsoft Exchange Security - Exchange On-Premises | |
| ExchangeConfiguration | Parser | Microsoft Exchange Security - Exchange On-Premises | |
| ExchangeEnvironmentList | Parser | Microsoft Exchange Security - Exchange On-Premises | |
| MESCheckVIP | Parser | Microsoft Exchange Security - Exchange On-Premises | |
| MESCompareDataOnPMRA | Parser | Microsoft Exchange Security - Exchange On-Premises | |
| ExchangeServicesMonitoring | Watchlist | Microsoft Exchange Security - Exchange On-Premises | |
| ExchangeVIP | Watchlist | Microsoft Exchange Security - Exchange On-Premises | |
| Microsoft Exchange Admin Activity - Online | Workbook | Microsoft Exchange Security - Exchange Online | |
| Microsoft Exchange Least Privilege with RBAC - Online | Workbook | Microsoft Exchange Security - Exchange Online | |
| Microsoft Exchange Search AdminAuditLog - Online | Workbook | Microsoft Exchange Security - Exchange Online | |
| Microsoft Exchange Security Review - Online | Workbook | Microsoft Exchange Security - Exchange Online | |
| ExchangeConfiguration | Parser | Microsoft Exchange Security - Exchange Online | |
| ExchangeEnvironmentList | Parser | Microsoft Exchange Security - Exchange Online | |
| MESCheckOnlineVIP | Parser | Microsoft Exchange Security - Exchange Online | |
| MESCompareDataMRA | Parser | Microsoft Exchange Security - Exchange Online | |
| MESOfficeActivityLogs | Parser | Microsoft Exchange Security - Exchange Online | |
| ExchOnlineVIP | Watchlist | Microsoft Exchange Security - Exchange Online | |
| MicrosoftPowerBIActivityWorkbook | Workbook | Microsoft PowerBI | |
| Sensitive Data Discovered in the Last 24 Hours | Analytic Rule | Microsoft Purview | Identifies all classifications that have been detected on assets during a scan by Microsoft Purview within the last 24 hours. |
| Sensitive Data Discovered in the Last 24 Hours - Customized | Analytic Rule | Microsoft Purview | Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Securit... |
| MicrosoftPurview | Workbook | Microsoft Purview | |
| Failed Logon Attempts on SQL Server | Hunting Query | Microsoft Windows SQL Server Database Audit | This query detects failed logons on SQL Server using the SQLEvent KQL Parser function. |
| Failed Logon on SQL Server from Same IPAddress in Short time Span | Hunting Query | Microsoft Windows SQL Server Database Audit | This query detects multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. |
| Multiple Failed Logon on SQL Server in Short time Span | Hunting Query | Microsoft Windows SQL Server Database Audit | This query looks for multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. |
| New User created on SQL Server | Hunting Query | Microsoft Windows SQL Server Database Audit | This query detects new user creation on SQL Server using the SQLEvent KQL Parser function. |
| User added to SQL Server SecurityAdmin Group | Hunting Query | Microsoft Windows SQL Server Database Audit | This hunting query identifies a user added to the SecurityAdmin group of SQL Server. |
| SQL User deleted from Database | Hunting Query | Microsoft Windows SQL Server Database Audit | This hunting query identifies deletion of a user from a SQL database. It relies on the SQLEvent KQL Parser function. |
| User removed from SQL Server SecurityAdmin Group | Hunting Query | Microsoft Windows SQL Server Database Audit | This hunting query identifies a user removed from the SecurityAdmin group of SQL Server. It relies on the SQLEvent KQL Parser function. |
| User removed from SQL Server Roles | Hunting Query | Microsoft Windows SQL Server Database Audit | This hunting query identifies a user removed from a SQL Server role. It relies on the SQLEvent KQL Parser function. |
| User Role altered on SQL Server | Hunting Query | Microsoft Windows SQL Server Database Audit | This hunting query identifies a user role altered on SQL Server. It relies on the SQLEvent KQL Parser function. |
| Aqua Blizzard AV hits - Feb 2022 | Analytic Rule | MicrosoftDefenderForEndpoint | Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor. |
| SUNBURST suspicious SolarWinds child processes | Hunting Query | MicrosoftDefenderForEndpoint | Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. |
| Probable AdFind Recon Tool Usage | Hunting Query | MicrosoftDefenderForEndpoint | Identifies the host and account that executed AdFind by hash and filename, in addition to common and unique flags that are used by many threat actors in discovery. |
| Unisolate MDE Machine using entity trigger | Playbook | MicrosoftDefenderForEndpoint | This playbook will unisolate a Microsoft Defender for Endpoint (MDE) device using the entity trigger. |
| Unisolate MDE Machine - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will release a machine from isolation in Microsoft Defender for Endpoint. It is triggered by an alert in Microsoft Sentinel. |
| Unisolate MDE Machine - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will release a machine from isolation in Microsoft Defender for Endpoint. It is triggered by an incident creation in Microsoft Sentinel. The playbook will search for the host entity in t... |
| Run MDE Antivirus - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will run an antivirus (full) scan on the machine in Microsoft Defender for Endpoint. It is triggered by an alert in Microsoft Sentinel. |
| Run MDE Antivirus - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will run an antivirus (full) scan on the machine in Microsoft Defender for Endpoint. It is triggered by an incident creation in Microsoft Sentinel. The playbook will look for the host ent... |
| Restrict MDE Url - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take Url entities and generate alert and block threat indicators for each IP in MDE for 90 days. |
| Restrict MDE URL - Entity Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take the triggering entity and generate an alert and block threat indicator for the URL in MDE for 90 days. |
| Restrict MDE Url - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take Url entities and generate alert and block threat indicators for each IP in MDE for 90 days. |
| Restrict MDE Ip Address - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take IP entities and generate alert and block threat indicators for each IP in MDE for 90 days. |
| Restrict MDE Ip Address - Entity Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will generate an alert and block threat indicator for the IP entity in MDE for 90 days. |
| Restrict MDE Ip Address - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take IP entities and generate alert and block threat indicators for each IP in MDE for 90 days. |
| Restrict MDE FileHash - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days. It will also add a comment to the incident with the file hash and action... |
| Restrict MDE FileHash - Entity Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take the triggering FileHash entity and generate an alert and block threat indicator for the file hash in MDE for 90 days. It will also add a comment to the incident with the file h... |
| Restrict MDE FileHash - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days. |
| Restrict MDE Domain - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take DNS entities and generate alert and block threat indicators for each domain in Microsoft Defender for Endpoint for 90 days. |
| Restrict MDE Domain - Entity Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take the triggering entity and generate an alert and block threat indicator for the domain in MDE for 90 days. |
| Restrict MDE Domain - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will take DNS entities and generate alert and block threat indicators for each domain in Microsoft Defender for Endpoint for 90 days. |
| Restrict MDE App Execution - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will restrict app execution on the machine in Microsoft Defender for Endpoint. |
| Restrict MDE App Execution - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will restrict app execution on the machine in Microsoft Defender for Endpoint. |
| Isolate MDE Machine using entity trigger | Playbook | MicrosoftDefenderForEndpoint | This playbook will isolate a Microsoft Defender for Endpoint (MDE) device using the entity trigger. It will be triggered by Microsoft Sentinel when an entity of type 'Host' is detected in an incident. The pla... |
| Isolate MDE Machine - Alert Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will isolate (full) the machine in Microsoft Defender for Endpoint. It is triggered by an alert in Microsoft Sentinel. The playbook will add a comment to the incident with the result of ... |
| Isolate endpoint - MDE - Incident Triggered | Playbook | MicrosoftDefenderForEndpoint | This playbook will isolate (full) the machine in Microsoft Defender for Endpoint. It is triggered by an incident in Microsoft Sentinel. |
| AssignedIPAddress | Parser | MicrosoftDefenderForEndpoint | |
| Devicefromip | Parser | MicrosoftDefenderForEndpoint | |
| Insider Risk_High User Security Alert Correlations | Analytic Rule | MicrosoftPurviewInsiderRiskManagement | This alert joins SecurityAlerts from Microsoft products with SecurityIncidents from Microsoft Sentinel and Microsoft Defender XDR. This join allows for identifying patterns in user principal names ass... |
| Insider Risk_High User Security Incidents Correlation | Analytic Rule | MicrosoftPurviewInsiderRiskManagement | This alert joins SecurityAlerts to SecurityIncidents to associate security alerts and incidents with user accounts. This aligns all Microsoft alerting products with Microsoft incident-generating produ... |
| Insider Risk_Microsoft Purview Insider Risk Management Alert Observed | Analytic Rule | MicrosoftPurviewInsiderRiskManagement | This alert is triggered when a Microsoft Purview Insider Risk Management alert is received in Microsoft Sentinel via the Microsoft Purview Insider Risk Management connector. The alert extracts usernam... |
| Insider Risk_Sensitive Data Access Outside Organizational Geo-location | Analytic Rule | MicrosoftPurviewInsiderRiskManagement | This alert joins Azure Information Protection logs (InformationProtectionLogs_CL) with Microsoft Entra ID sign-in logs (SigninLogs) to provide a correlation of sensitive data access by geo-location. R... |
| Insider Risk_Risky User Access By Application | Analytic Rule | MicrosoftPurviewInsiderRiskManagement | This alert evaluates Microsoft Entra ID sign-in risk via machine learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional c... |
| Insider Risk_Entity Anomaly Followed by IRM Alert | Hunting Query | MicrosoftPurviewInsiderRiskManagement | This query joins Microsoft Sentinel Entity Insights with Microsoft Purview Insider Risk Management alerts. There is also an option for configuration of correlations against watchlists. For more inform... |
| Insider Risk_ISP Anomaly to Exfil | Hunting Query | MicrosoftPurviewInsiderRiskManagement | This query joins UEBA to security alerts from Microsoft products for a correlation of Internet Service Provider anomalies to data exfiltration (watchlist options). For more information, see https://do... |
| Insider Risk_Multiple Entity-Based Anomalies | Hunting Query | MicrosoftPurviewInsiderRiskManagement | This query returns entity counts by anomaly and user principal name, including ranges for start/end time observed (watchlists configurable). For more information, see https://docs.microsoft.com/azure/s... |
| Insider Risk_Possible Sabotage | Hunting Query | MicrosoftPurviewInsiderRiskManagement | This query correlates users with entity anomalies, security alerts, and delete/remove actions for identification of possible sabotage activities (watchlists configurable). For more information, see ht... |
| Insider Risk_Sign In Risk Followed By Sensitive Data Access | Hunting Query | MicrosoftPurviewInsiderRiskManagement | This query correlates risky user sign-ins with access to sensitive data classified by data loss prevention capabilities (watchlist configurable). For more information, see https://docs.microsoft.com... |
| InsiderRiskManagement | Workbook | MicrosoftPurviewInsiderRiskManagement | |
| Notify-InsiderRiskTeam | Playbook | MicrosoftPurviewInsiderRiskManagement | This playbook should be configured as an automation action with the Insider Risk Management analytics rules. Upon triggering an analytic rule, this playbook captures the respective details and both emails... |
| Mimecast Audit - Logon Authentication Failed | Analytic Rule | Mimecast | Detects a threat when a logon authentication failure is found in the audit log. |
| Mimecast Secure Email Gateway - Attachment Protect | Analytic Rule | Mimecast | Detects a threat for a mail attachment under targeted threat protection. |
| Mimecast Secure Email Gateway - AV | Analytic Rule | Mimecast | Detects threats from the email antivirus scan. |
| Mimecast Secure Email Gateway - Impersonation Protect | Analytic Rule | Mimecast | Detects threats from impersonation mail under targeted threat protection. |
| Mimecast Secure Email Gateway - Internal Email Protect | Analytic Rule | Mimecast | Detects threats from internal email threat protection. |
| Mimecast Secure Email Gateway - Spam Event Thread | Analytic Rule | Mimecast | Detects threats from spam event thread protection logs. |
| Mimecast Secure Email Gateway - URL Protect | Analytic Rule | Mimecast | Detects a threat when a potentially malicious URL is found. |
| Mimecast Secure Email Gateway - Virus | Analytic Rule | Mimecast | Detects a virus threat from a mail receipt virus event. |
| Mimecast Data Leak Prevention - Hold | Analytic Rule | Mimecast | Detects a data leak threat when the action is hold. |
| Mimecast Data Leak Prevention - Notifications | Analytic Rule | Mimecast | Detects a data leak threat when the action is notification. |
| Mimecast Targeted Threat Protection - Attachment Protect | Analytic Rule | Mimecast | Detects a threat for an unsafe attachment in an email. |
| Mimecast Targeted Threat Protection - Impersonation Protect | Analytic Rule | Mimecast | Detects a maliciously tagged impersonation. |
| Mimecast Targeted Threat Protection - URL Protect | Analytic Rule | Mimecast | Detects malicious scan results and actions which are not allowed. |
| Mimecast_Audit_Workbook | Workbook | Mimecast | |
| Mimecast_Awareness_Training_Workbook | Workbook | Mimecast | |
| Mimecast_Cloud_Integrated_Workbook | Workbook | Mimecast | |
| Mimecast_SEG_Workbook | Workbook | Mimecast | |
| Mimecast_TTP_Workbook | Workbook | Mimecast | |
| Mimecast-Data-Connector-Trigger-Sync | Playbook | Mimecast | Playbook to sync the timer trigger of all Mimecast data connectors. |
| Mimecast_AT_Performane_Detail | Parser | Mimecast | |
| Mimecast_AT_Safe_Score | Parser | Mimecast | |
| Mimecast_AT_User_Data | Parser | Mimecast | |
| Mimecast_AT_Watchlist | Parser | Mimecast | |
| Mimecast_Audit | Parser | Mimecast | |
| Mimecast_Cloud_Integrated | Parser | Mimecast | |
| Mimecast_SEG_CG | Parser | Mimecast | |
| Mimecast_SEG_DLP | Parser | Mimecast | |
| Mimecast_TTP_Attachment | Parser | Mimecast | |
| Mimecast_TTP_Impersonation | Parser | Mimecast | |
| Mimecast_TTP_Url | Parser | Mimecast | |
| Mimecast Audit - Logon Authentication Failed | Analytic Rule | MimecastAudit | Detects a threat when a logon authentication failure is found in the audit log. |
| MimecastAudit | Workbook | MimecastAudit | |
| Mimecast Data Leak Prevention - Notifications | Analytic Rule | MimecastSEG | Detects a data leak threat when the action is notification. |
| Mimecast Data Leak Prevention - Hold | Analytic Rule | MimecastSEG | Detects a data leak threat when the action is hold. |
| Mimecast Secure Email Gateway - Attachment Protect | Analytic Rule | MimecastSEG | Detects a threat for a mail attachment under targeted threat protection. |
| Mimecast Secure Email Gateway - AV | Analytic Rule | MimecastSEG | Detects threats from the email antivirus scan. |
| Mimecast Secure Email Gateway - Impersonation Protect | Analytic Rule | MimecastSEG | Detects threats from impersonation mail under targeted threat protection. |
| Mimecast Secure Email Gateway - Internal Email Protect | Analytic Rule | MimecastSEG | Detects threats from internal email threat protection. |
| Mimecast Secure Email Gateway - Spam Event Thread | Analytic Rule | MimecastSEG | Detects threats from spam event thread protection logs. |
| Mimecast Secure Email Gateway - URL Protect | Analytic Rule | MimecastSEG | Detects a threat when a potentially malicious URL is found. |
| Mimecast Secure Email Gateway - Virus | Analytic Rule | MimecastSEG | Detects a virus threat from a mail receipt virus event. |
| MimecastSEGworkbook | Workbook | MimecastSEG | |
| MimecastTIRegional | Workbook | MimecastTIRegional | |
| Mimecast Targeted Threat Protection - Attachment Protect | Analytic Rule | MimecastTTP | Detects a threat for an unsafe attachment in an email. |
| Mimecast Targeted Threat Protection - Impersonation Protect | Analytic Rule | MimecastTTP | Detects a maliciously tagged impersonation. |
| Mimecast Targeted Threat Protection - URL Protect | Analytic Rule | MimecastTTP | Detects malicious scan results and actions which are not allowed. |
| MimecastTTPWorkbook | Workbook | MimecastTTP | |
| Create Indicator - Minemeld | Playbook | Minemeld | This playbook searches for indicators in Minemeld related to the entities (IP, file hash, URL) gathered from the Sentinel incident. If the search result is positive, a comment stating the indicator is already ... |
| Entity (IP, URL, FileHash) Enrichment - Minemeld | Playbook | Minemeld | This playbook searches for indicators in Minemeld related to the entities (IP, file hash, URL) gathered from the Sentinel incident. If the search result is positive, a comment will be added to enrich the incid... |
| MongoDBAudit | Parser | MongoDBAudit | |
| Critical Severity Incident | Analytic Rule | Morphisec | Triggers an incident for every Morphisec alert whose attack severity is critical. |
| Device Alert Surge | Analytic Rule | Morphisec | Triggers an incident when a device generates 5 or more Medium or High severity alerts, indicating potential compromise. |
| Process-Level Anomaly | Analytic Rule | Morphisec | Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity. |
| Morphisec | Parser | Morphisec | |
| MuleSoftCloudhub | Parser | Mulesoft | |
| Cross-Cloud Password Spray detection | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This detection focuses on identifying potential cross-cloud brute force / password spray attempts involving the Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS Cons... |
| Cross-Cloud Suspicious Compute resource creation in GCP | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This detection identifies potentially suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized a... |
| Cross-Cloud Suspicious user activity observed in GCP Environment | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This c... |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed ... |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This query aims to detect instances of successful AWS console login events followed by multiple failed app logon alerts generated by Microsoft Cloud App Security or password spray alerts generated by... |
| Suspicious AWS console logins by credential access alerts | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This query aims to detect instances of successful AWS console logins that align with high-severity Credential Access or Initial Access alerts generated by Defender products. Specifically, it focuses ... |
| Unauthorized user access across AWS and Azure | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized u... |
| User impersonation by Identity Protection alerts | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated... |
| High-Risk Cross-Cloud User Impersonation | Analytic Rule | Multi Cloud Attack Coverage Essentials - Resource Abuse | This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID sign-in logs ... |
| Ransomware Attack Detected | Analytic Rule | Nasuni | Identifies ransomware attacks detected by the Ransomware Protection service running on a Nasuni Edge Appliance. |
| Ransomware Client Blocked | Analytic Rule | Nasuni | Identifies malicious clients blocked by the Ransomware Protection service running on a Nasuni Edge Appliance. |
| Nasuni File Delete Activity | Hunting Query | Nasuni | This query looks for file delete audit events generated by a Nasuni Edge Appliance. |
| NucleusCyber_NCProtect_Workbook | Workbook | NC Protect Data Connector | |
| NCSCNLShareSTIXBundle | Playbook | NCSC-NL NDN Cyber Threat Intelligence Sharing | This playbook is triggered every hour and performs the following actions: 1. Get all the threat intelligence indicators from the Microsoft Sentinel workspace with the given tag. 2. Filter all the indicators ... |
| NetApp Ransomware Resilience Authentication Playbook | Playbook | NetApp Ransomware Resilience | This playbook creates a shared Key Vault for NetApp Ransomware Resilience credentials and provides authentication services to all NetApp Ransomware Resilience playbooks in the solution. |
| NetApp RRS Manual IP to Volume Offline | Playbook | NetApp Ransomware Resilience | Manually triggered playbook that takes a volume offline based on IP address enrichment. |
| NetApp Ransomware Resilience Async Poll Playbook | Playbook | NetApp Ransomware Resilience | This playbook polls NetApp Ransomware Resilience job status asynchronously until completion or timeout using the updated job status API endpoint. |
| NetApp Ransomware Resilience Enrich IP Playbook | Playbook | NetApp Ransomware Resilience | This playbook enriches IP data by calling the updated NetApp Ransomware Resilience enrich IP address API endpoint and asynchronously polls multiple job results. |
| NetApp Ransomware Resilience Enrich StorageVM Playbook | Playbook | NetApp Ransomware Resilience | This playbook enriches storage data by calling the updated NetApp Ransomware Resilience enrich storage API endpoint. |
| NetApp Ransomware Resilience Volume Offline Playbook | Playbook | NetApp Ransomware Resilience | This playbook takes a NetApp volume offline using the updated NetApp Ransomware Resilience take-volume-offline API endpoint and optionally polls for completion. |
| NetApp Ransomware Resilience Volume Snapshot Playbook | Playbook | NetApp Ransomware Resilience | This playbook creates a NetApp volume snapshot using the updated NetApp Ransomware Resilience take-snapshot API endpoint and optionally polls for completion. |
| NetClean ProActive Incidents | Analytic Rule | NetClean ProActive | NetClean Incident |
| NetCleanProActiveWorkbook | Workbook | NetClean ProActive | |
| NetskopeEvents | Workbook | Netskope | |
| Netskope 🔍 | Parser | Netskope | |
| Netskope - WebTransaction Error Detection | Analytic Rule | Netskopev2 | This rule helps track errors that occur in the Netskope WebTransaction data connector. |
| NetskopeCCFWebtxDashboard | Workbook | Netskopev2 | |
| NetskopeCCPDashboard | Workbook | Netskopev2 | |
| NetskopeCEDashboard | Workbook | Netskopev2 | |
| NetskopeDashboard | Workbook | Netskopev2 | |
| NetskopeDataConnectorsTriggerSync | Playbook | Netskopev2 | Playbook to sync the timer trigger of all Netskope data connectors. |
| NetskopeWebTxErrorEmail | Playbook | Netskopev2 | This playbook sends an email when a Netskope Web Transaction data connector error is detected. |
AlertsCompromisedCredentialParser📦 SolutionNetskopev2
AlertsCtepParser📦 SolutionNetskopev2
AlertsDLPParser📦 SolutionNetskopev2
AlertsMalsiteParser📦 SolutionNetskopev2
AlertsMalwareParser📦 SolutionNetskopev2
AlertsPolicyParser📦 SolutionNetskopev2
AlertsQuarantineParser📦 SolutionNetskopev2
AlertsRemediationParser📦 SolutionNetskopev2
AlertsSecurityAssessmentParser📦 SolutionNetskopev2
AlertsUbaParser📦 SolutionNetskopev2
EventIncidentParser📦 SolutionNetskopev2
EventsApplicationParser📦 SolutionNetskopev2
EventsAuditParser📦 SolutionNetskopev2
EventsConnectionParser📦 SolutionNetskopev2
EventsNetworkParser📦 SolutionNetskopev2
EventsPageParser📦 SolutionNetskopev2
NetskopeAlertsParser📦 SolutionNetskopev2
NetskopeCCFWebTransactionsParser📦 SolutionNetskopev2
NetskopeCEAlertsParser📦 SolutionNetskopev2
NetskopeCEEventsApplicationParser📦 SolutionNetskopev2
NetskopeCEWebTransactionsParser📦 SolutionNetskopev2
NetskopeEventsApplicationParser📦 SolutionNetskopev2
NetskopeEventsAuditParser📦 SolutionNetskopev2
NetskopeEventsConnectionParser📦 SolutionNetskopev2
NetskopeEventsDLPParser📦 SolutionNetskopev2
NetskopeEventsEndpointParser📦 SolutionNetskopev2
NetskopeEventsInfrastructureParser📦 SolutionNetskopev2
NetskopeEventsNetworkParser📦 SolutionNetskopev2
NetskopeEventsPageParser📦 SolutionNetskopev2
NetskopeWebTransactionsParser📦 SolutionNetskopev2
Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)Analytic Rule📦 SolutionNetskopeWebTxDetects anomalous user behavior including high data volume transfers from unmanaged devices, unusual access patterns, and suspicious application usage.
Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT)Analytic Rule📦 SolutionNetskopeWebTxAlerts when users access unsanctioned or risky cloud applications based on Cloud Confidence Level (CCL) and app tags. Detects Shadow IT usage.
Netskope - Data Movement Tracking (Upload/Download Monitoring)Analytic Rule📦 SolutionNetskopeWebTxTracks file uploads and downloads, monitoring data movement direction, size, and destination. Provides visibility into data flow patterns.
Netskope - Excessive Downloads Detection (Spike vs Baseline)Analytic Rule📦 SolutionNetskopeWebTxDetects users with excessive download activity compared to their 7-day baseline. Triggers when current download volume exceeds 3x the average.
Netskope - Heavy Personal Cloud Storage Usage (Shadow IT)Analytic Rule📦 SolutionNetskopeWebTxDetects heavy usage of personal cloud storage applications like personal Dropbox, Google Drive, OneDrive personal, etc. Indicates potential Shadow IT or data leakage risk.
Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour)Analytic Rule📦 SolutionNetskopeWebTxDetects when a user accesses resources from two distinct countries within less than 1 hour, indicating potential credential compromise or VPN abuse.
Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP)Analytic Rule📦 SolutionNetskopeWebTxDetects large outbound data transfers and sensitive file uploads. Monitors for potential data exfiltration via cloud applications.
Netskope - New Risky App Access vs 7-Day BaselineAnalytic Rule📦 SolutionNetskopeWebTxCompares today's accessed applications against a 7-day baseline and triggers alerts when users access new risky applications not seen before.
Netskope - Repeated or Critical Policy ViolationsAnalytic Rule📦 SolutionNetskopeWebTxDetects users with repeated policy violations or critical policy blocks. Monitors policy enforcement effectiveness and compliance.
Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports)Analytic Rule📦 SolutionNetskopeWebTxDetects suspicious network activity based on unusual source/destination IPs, geographic anomalies, uncommon ports, and high traffic volumes.
NetskopeWebTx_WorkbookWorkbook📦 SolutionNetskopeWebTx
NetskopeWebtxParser📦 SolutionNetskopeWebTx
Anomaly in SMB Traffic(ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis detection identifies abnormal SMB (file-sharing protocol) traffic by calculating the average deviation of SMB connections over the last 14 days and flagging sources that exceed 50 average deviations.
Anomaly found in Network Session Traffic (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThe rule identifies anomalous patterns in network session traffic based on previously seen data: a different Device Action, Network Protocol, Network Direction or overall volume. The rule utilizes [ASIM](...
Detect port misuse by anomaly based detection (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis rule detects anomalous patterns in port usage. The rule utilizes [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema. To tune...
Detect port misuse by static threshold (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis detection rule detects port usage above the configured threshold. The rule utilizes [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Ses...
Excessive number of failed connections from a single source (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive ...
Network Port Sweep from External Network (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis detection rule detects scenarios in which a particular port is being scanned by multiple external sources. The rule utilizes [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any sourc...
Port scan detected (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis rule identifies a possible port scan, in which a single source tries to access a large number of different ports in a short time frame. This may indicate that a [port scanner](https://en.wikipedi...
Potential beaconing activity (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing patterns to untrusted public networks should be investigated...
Remote Desktop Network Brute force (ASIM Network Session schema)Analytic Rule📦 SolutionNetwork Session EssentialsThis detection identifies RDP application network traffic and filters for any source/destination pair generating more than 25 events (a hard threshold).
Detect Outbound LDAP Traffic(ASIM Network Session schema)Hunting Query📦 SolutionNetwork Session EssentialsMalicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall...
Detect port misuse by anomaly (ASIM Network Session schema)Hunting Query📦 SolutionNetwork Session EssentialsThis hunting query detects anomalous patterns in port usage with ASIM normalization. To tune the query to your environment, configure it using the 'NetworkSession_Monitor_Configuration' watchlist.
Detect port misuse by static threshold (ASIM Network Session schema)Hunting Query📦 SolutionNetwork Session EssentialsThere is a normal amount of traffic on any particular port in an organization. This hunting query identifies port usage higher than the threshold defined in 'NetworkSession_Monitor_Configuration...
Detects several users with the same MAC address (ASIM Network Session schema)Hunting Query📦 SolutionNetwork Session EssentialsIdeally, one user should be associated with one MAC ID. This hunting query identifies cases where the same MAC ID is associated with more than one user, which can indicate a MAC spoofing attack.
Mismatch between Destination App name and Destination Port (ASIM Network Session schema)Hunting Query📦 SolutionNetwork Session EssentialsEvery standard app has a port associated with it. This query identifies cases where the destination port associated with the destination app is not the standard one, which can indicate a network spoofing attack.
Protocols passing authentication in cleartext (ASIM Network Session schema)Hunting Query📦 SolutionNetwork Session EssentialsThis hunting query identifies cleartext protocols like telnet, POP3, IMAP, and non-anonymous FTP that could leak sensitive information. These protocols may use SSL, but usually on different ports.
Remote Desktop Network Traffic(ASIM Network Session schema)Hunting Query📦 SolutionNetwork Session EssentialsThis hunting query looks for unusual remote desktop activity by monitoring TCP/3389 traffic. While RDP is common, focus on atypical connections to identify potential threats.
NetworkSessionEssentialsWorkbook📦 SolutionNetwork Session Essentials
NetworkSessionEssentialsV2Workbook📦 SolutionNetwork Session Essentials
Summarize Data for Network Session EssentialsPlaybook📦 SolutionNetwork Session EssentialsThis playbook summarizes data for Network Session Essentials and lands it into custom tables.
NetworkSession_Monitor_ConfigurationWatchlist📦 SolutionNetwork Session Essentials
NetworkSummary_CountrySummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSession function. It creates 20-minute summaries of traffic between source and destination countries, grou...
NetworkSummary_IPSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates network session data using the ASIM normalized _Im_NetworkSession function. It creates hourly summaries of traffic between source and destination IP addresses, grouped by ...
NetworkSummary_ProtocolSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSession function. It generates 20-minute summaries of traffic grouped by network protocol, destination por...
NetworkSummary_ResultSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSession function. It creates 20-minute summaries grouped by event result, network direction, device action...
NetworkSummary_RuleSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSession function. It creates 20-minute summaries grouped by rule name, network direction, and device actio...
NetworkSummary_SourceInfoSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSession function. It creates 20-minute summaries grouped by product name (vendor-product combination) and ...
NetworkSummary_Source_PortSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates network session data using the ASIM normalized _Im_NetworkSession function. It creates hourly summaries of traffic grouped by source port, network direction, and device ac...
NetworkSummary_ThreatSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSession function. It creates 20-minute summaries grouped by threat identifier or name, threat category, ev...
NetworkSummary_Threat_IOCSummary Rule📦 SolutionNetwork Session EssentialsThis summary rule aggregates recent network session data using the ASIM normalized _Im_NetworkSession function. It creates 20-minute summaries of sessions involving threat-related activity, grouped by...
Network endpoint to host executable correlationAnalytic Rule📦 SolutionNetwork Threat Protection EssentialsCorrelates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.
New UserAgent observed in last 24 hoursAnalytic Rule📦 SolutionNetwork Threat Protection EssentialsIdentifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rarity rather than perform a di...
Base64 encoded IPv4 address in request urlHunting Query📦 SolutionNetwork Threat Protection EssentialsThis query detects Base64-encoded IPv4 addresses in outbound request URLs. It uses pre-computed base64 offsets for IPv4 sequences, eliminating the need for decoding. After identifying a candidate, the ...
Risky base64 encoded command in URLHunting Query📦 SolutionNetwork Threat Protection EssentialsThis query detects risky Base64-encoded commands in web requests. It identifies potential C2 server communication and illuminates injected webshells. Note that base64 is case-sensitive, requiring mult...
Exploit and Pentest Framework User AgentHunting Query📦 SolutionNetwork Threat Protection EssentialsThis query detects suspicious user agent strings used by exploit and pen test frameworks. There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to c...
NetwrixAuditorParser📦 SolutionNetwrix Auditor
EnrichIP-GeoInfo-NeustarPlaybook📦 SolutionNeustar IP GeoPointWhen a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets IP Addresses from the incident. 2. Gets Geographical location information from Neustar IP...
NGINX - Command in URIAnalytic Rule📦 SolutionNGINX HTTP ServerDetects commands in the URI.
NGINX - Core DumpAnalytic Rule📦 SolutionNGINX HTTP ServerDetects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
NGINX - Multiple user agents for single sourceAnalytic Rule📦 SolutionNGINX HTTP ServerDetects requests with different user agents from one source in a short timeframe.
NGINX - Known malicious user agentAnalytic Rule📦 SolutionNGINX HTTP ServerDetects known malicious user agents.
NGINX - Multiple client errors from single IP addressAnalytic Rule📦 SolutionNGINX HTTP ServerDetects multiple client errors from one source in a short timeframe.
NGINX - Multiple server errors from single IP addressAnalytic Rule📦 SolutionNGINX HTTP ServerDetects multiple server errors from one source in a short timeframe.
NGINX - Private IP address in URLAnalytic Rule📦 SolutionNGINX HTTP ServerDetects requests to unusual URLs.
NGINX - Put file and get file from same IP addressAnalytic Rule📦 SolutionNGINX HTTP ServerDetects PUT and GET of files from one source in a short timeframe.
NGINX - Request to sensitive filesAnalytic Rule📦 SolutionNGINX HTTP ServerDetects requests to sensitive files.
NGINX - Sql injection patternsAnalytic Rule📦 SolutionNGINX HTTP ServerDetects possible SQL injection patterns.
NGINX - Abnormal request sizeHunting Query📦 SolutionNGINX HTTP ServerQuery shows abnormal request size.
NGINX - Rare files requestedHunting Query📦 SolutionNGINX HTTP ServerQuery shows rare files requested.
NGINX - Rare URLs requestedHunting Query📦 SolutionNGINX HTTP ServerQuery shows rare URLs requested.
NGINX - Requests from bots and crawlersHunting Query📦 SolutionNGINX HTTP ServerQuery searches requests from bots and crawlers.
NGINX - Requests to unexisting filesHunting Query📦 SolutionNGINX HTTP ServerQuery shows a list of requests to nonexistent files.
NGINX - Top files requestedHunting Query📦 SolutionNGINX HTTP ServerQuery shows a list of files requested.
NGINX - Top files with error requestsHunting Query📦 SolutionNGINX HTTP ServerQuery shows list of files with error requests.
NGINX - Top URLs client errorsHunting Query📦 SolutionNGINX HTTP ServerQuery shows URLs list with client errors.
NGINX - Top URLs server errorsHunting Query📦 SolutionNGINX HTTP ServerQuery shows URLs list with server errors.
NGINX - Uncommon user agent stringsHunting Query📦 SolutionNGINX HTTP ServerQuery searches uncommon user agent strings.
NGINXWorkbook📦 SolutionNGINX HTTP Server
NGINXHTTPServerParser📦 SolutionNGINX HTTP Server
NIST SP 800-53 Posture ChangedAnalytic Rule📦 SolutionNISTSP80053This alert is designed to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.
NISTSP80053Workbook📦 SolutionNISTSP80053
Create-AzureDevOpsTaskPlaybook📦 SolutionNISTSP80053This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.
Create Jira IssuePlaybook📦 SolutionNISTSP80053This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.
Notify_GovernanceComplianceTeamPlaybook📦 SolutionNISTSP80053This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.
NordPass - Domain data detected in breachAnalytic Rule📦 SolutionNordPassThis will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web. !This rule should be enabled only by the organizations that have set up Data Breach...
NordPass - Declined invitationAnalytic Rule📦 SolutionNordPassThis will alert you when the user declines the invite to the NordPass organization.
NordPass - User deletes items in bulkAnalytic Rule📦 SolutionNordPassThis will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes. If a mix of bulk and one-off deletions were performed, this will group all actions and re...
NordPass - Deleting items of deleted memberAnalytic Rule📦 SolutionNordPassThis will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
NordPass - Manual invitation, suspension, or deletionAnalytic Rule📦 SolutionNordPassThis will alert you when the user is manually invited, suspended, or deleted. !This rule should be enabled only by organizations that have User and Group Provisioning enabled.
NordPass - Activity token revocationAnalytic Rule📦 SolutionNordPassThis will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
NordPass - User data detected in breachAnalytic Rule📦 SolutionNordPassThis will alert you when Data Breach Scanner discovers data related to a member of your organization on the dark web.
NordPass - User fails authenticationAnalytic Rule📦 SolutionNordPassThis will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.
NordPass - Vault exportAnalytic Rule📦 SolutionNordPassThis will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks. NOTE: The organization can control whether it allows its members to ex...
NordPassWorkbook📦 SolutionNordPass
NozomiNetworksEventsParser📦 SolutionNozomiNetworks
NXLog_parsed_AIX_Audit_view 🔍Parser📦 SolutionNXLogAixAudit
ASimDnsMicrosoftNXLogParser📦 SolutionNXLogDNSLogs
Device Registration from Malicious IPAnalytic Rule📦 SolutionOkta Single Sign-OnThis query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.
Failed Logins from Unknown or Invalid UserAnalytic Rule📦 SolutionOkta Single Sign-OnThis query searches for numerous login attempts to the management console with an unknown or invalid user name.
High-Risk Admin ActivityAnalytic Rule📦 SolutionOkta Single Sign-OnThe Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.
User Login from Different Countries within 3 hoursAnalytic Rule📦 SolutionOkta Single Sign-OnThis query searches for successful user logins to the Okta Console from different countries within 3 hours.
MFA Fatigue (OKTA)Analytic Rule📦 SolutionOkta Single Sign-OnMFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own...
New Device/Location sign-in along with critical operationAnalytic Rule📦 SolutionOkta Single Sign-OnThis query identifies users seen login from new geo location/country as well as a new device and performing critical operations.
Potential Password Spray AttackAnalytic Rule📦 SolutionOkta Single Sign-OnThis query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spra...
Okta Fast Pass phishing DetectionAnalytic Rule📦 SolutionOkta Single Sign-OnThis query detects cases in which Okta FastPass effectively prevented access to a known phishing website.
User Session Impersonation(Okta)Analytic Rule📦 SolutionOkta Single Sign-OnA user has started a session impersonation, gaining access with the impersonated user's permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.
Admin privilege granted (Okta)Hunting Query📦 SolutionOkta Single Sign-OnQuery checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation.
Create API Token (Okta)Hunting Query📦 SolutionOkta Single Sign-OnOkta API tokens are used to authenticate requests to Okta APIs. This query searches for attempts to create a new API Token. Reference: https://developer.okta.com/docs/reference/api/event-types/
Initiate impersonation session (Okta)Hunting Query📦 SolutionOkta Single Sign-OnUser.session.impersonation events, usually triggered by Okta Support, are rare. This query checks for the impersonation events used in the LAPSUS$ breach.
Okta login attempts using Legacy AuthHunting Query📦 SolutionOkta Single Sign-OnThis query identifies use of legacy authentication protocol in the Okta Logs.
Okta Login from multiple locationsHunting Query📦 SolutionOkta Single Sign-OnThis query identifies accounts associated with multiple authentications from different geographical locations in a short period of time.
Sign-ins from Nord VPN ProvidersHunting Query📦 SolutionOkta Single Sign-OnThis query searches for sign-in activity from Nord VPN providers. The purpose is to identify any unfamiliar sign-in attempts from VPN providers, that are not typically observed among users in the orga...
Logins originating from VPS ProvidersHunting Query📦 SolutionOkta Single Sign-OnThis query searches for successful logons from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed.
New device registration from unfamiliar locationHunting Query📦 SolutionOkta Single Sign-OnThis query identifies a new device being registered from a location where the user does not normally log in from.
Rare MFA Operations (Okta)Hunting Query📦 SolutionOkta Single Sign-OnMFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts.
User password reset(Okta)Hunting Query📦 SolutionOkta Single Sign-OnAdversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs.
OktaSingleSignOnWorkbook📦 SolutionOkta Single Sign-On
User enrichment - OktaPlaybook📦 SolutionOkta Single Sign-OnThis playbook will collect user information from Okta and post a report on the incident.
Prompt Okta userPlaybook📦 SolutionOkta Single Sign-OnThis playbook uses the OKTA connector to prompt the risky user on Teams. The user is asked whether the action was taken by them. Based on the user's confirmation, the SOC admin is notified to investigate the user accou...
Response on Okta user from TeamsPlaybook📦 SolutionOkta Single Sign-OnThis playbook sends an adaptive card to the SOC Teams channel with information about the Okta user and incident details. The SOC is allowed to take actions such as suspend, reset password, expire passwor...
OktaSSOParser📦 SolutionOkta Single Sign-On
OnapsisAlarmsOverviewWorkbook📦 SolutionOnapsis Platform
OnapsisLookupParser📦 SolutionOnapsis Platform
OneIdentityWorkbook📦 SolutionOneIdentity
OneIdentity_Safeguard 🔍Parser📦 SolutionOneIdentity
OneLoginParser📦 SolutionOneLoginIAM
AuthASIMParser 🔍Parser📦 SolutionOpen Systems
FirewallASIMParser 🔍Parser📦 SolutionOpen Systems
FirewallASIMParserFilter 🔍Parser📦 SolutionOpen Systems
ProxyASIMParser 🔍Parser📦 SolutionOpen Systems
ProxyASIMParserFilter 🔍Parser📦 SolutionOpen Systems
Create Indicator - OpenCTIPlaybook📦 SolutionOpenCTIThis playbook adds a new indicator in OpenCTI based on the entity info present in the Sentinel incident. This playbook searches in OpenCTI for indicators based on the entities (Account, Host, IP, FileHash, ...
Entity (IP, URL, FileHash, Account, Host) Enrichment - OpenCTIPlaybook📦 SolutionOpenCTIThis playbook searches in OpenCTI for indicators based on the entities (Account, Host, IP, FileHash, URL) present in the Microsoft Sentinel incident. If it is present in OpenCTI, information will be added to i...
Read Stream- OpenCTI IndicatorsPlaybook📦 SolutionOpenCTIThis playbook fetches indicators from OpenCTI and sends them to Sentinel. Supported types are Domain, File, IPv4, IPv6, Account, Url. This runs every 10 minutes.
Send to Security Graph API - Batch Import (OpenCTI)Playbook📦 SolutionOpenCTIThis playbook sends messages to the Security Graph API in batches.
OpenVpnEventParser📦 SolutionOpenVPN
OCI - Discovery activityAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects possible discovery activity.
OCI - Event rule deletedAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects when an event rule was deleted.
OCI - Inbound SSH connectionAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects inbound SSH connection.
OCI - Insecure metadata endpointAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects insecure metadata endpoint.
OCI - Instance metadata accessAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects instance metadata access.
OCI - Multiple instances launchedAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects when multiple instances were launched.
OCI - Multiple instances terminatedAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects when multiple instances were terminated.
OCI - Multiple rejects on rare portsAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects multiple rejects on rare ports.
OCI - SSH scannerAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects possible SSH scanning activity.
OCI - Unexpected user agentAnalytic Rule📦 SolutionOracle Cloud InfrastructureDetects unexpected user agent strings.
OCI - Destination ports (inbound traffic)Hunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for destination ports of inbound traffic.
OCI - Destination ports (outbound traffic)Hunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for destination ports of outbound traffic.
OCI - Launched instancesHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for newly launched instances.
OCI - Update activitiesHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for update activities performed by users.
OCI - Delete operationsHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for delete operations performed by users.
OCI - Deleted usersHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for users being deleted.
OCI - New usersHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for new users created.
OCI - User source IP addressesHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for user source IP addresses.
OCI - Terminated instancesHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for terminated instances.
OCI - Updated instancesHunting Query📦 SolutionOracle Cloud InfrastructureQuery searches for updated instances.
OracleCloudInfrastructureOCIWorkbook📦 SolutionOracle Cloud Infrastructure
OCILogsParser📦 SolutionOracle Cloud Infrastructure
OracleDBAudit - Connection to database from external IPAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when a connection to the database comes from an external IP address.
OracleDBAudit - Multiple tables dropped in short timeAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when a user drops many tables in a short period of time.
OracleDBAudit - Connection to database from unknown IPAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when a user connects to a database from an IP address that is not present in the AllowList.
OracleDBAudit - User connected to database from new IPAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when a user connects to a database from a new IP address.
OracleDBAudit - New user accountAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when an action was made by a new user.
OracleDBAudit - Query on Sensitive TableAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when a user queries sensitive tables.
OracleDBAudit - User activity after long inactivity timeAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when an action was made by a user whose last activity was observed more than 30 days ago.
OracleDBAudit - Unusual user activity on multiple tablesAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when a user queries many tables in a short period of time.
OracleDBAudit - Shutdown ServerAnalytic Rule📦 SolutionOracleDatabaseAuditDetects when "SHUTDOWN" command was sent to server.
OracleDBAudit - SQL injection patternsAnalytic Rule📦 SolutionOracleDatabaseAuditDetects common known SQL injection patterns used in automated scripts.
OracleDBAudit - Action by IpHunting Query📦 SolutionOracleDatabaseAuditQuery searches sources from which DbActions were made.
OracleDBAudit - Action by userHunting Query📦 SolutionOracleDatabaseAuditQuery searches actions made by users.
OracleDBAudit - Active UsersHunting Query📦 SolutionOracleDatabaseAuditQuery for searching active database user accounts.
OracleDBAudit - Users connected to databases during non-operational hours.Hunting Query📦 SolutionOracleDatabaseAuditQuery searches for users who have connected to databases during non-operational hours.
OracleDBAudit - Dropped TablesHunting Query📦 SolutionOracleDatabaseAuditQuery searches for dropped tables.
OracleDBAudit - Inactive UsersHunting Query📦 SolutionOracleDatabaseAuditQuery for searching user accounts whose last activity was more than 30 days ago.
OracleDBAudit - Audit large queriesHunting Query📦 SolutionOracleDatabaseAuditQuery for auditing large queries.
OracleDBAudit - Top tables queriesHunting Query📦 SolutionOracleDatabaseAuditQuery lists the most queried tables.
OracleDBAudit - Users with new privilegesHunting Query📦 SolutionOracleDatabaseAuditQuery for searching user accounts with new privileges.
OracleDBAudit - Users Privileges ReviewHunting Query📦 SolutionOracleDatabaseAuditQuery searches for user accounts and their privileges.
OracleDatabaseAuditWorkbook📦 SolutionOracleDatabaseAudit
OracleDatabaseAuditEventParser📦 SolutionOracleDatabaseAudit
Oracle - Command in URIAnalytic Rule📦 SolutionOracleWebLogicServerDetects commands in the URI.
Oracle - Multiple user agents for single sourceAnalytic Rule📦 SolutionOracleWebLogicServerDetects requests with different user agents from one source in a short timeframe.
Oracle - Oracle WebLogic Exploit CVE-2021-2109Analytic Rule📦 SolutionOracleWebLogicServerDetects exploitation of Oracle WebLogic vulnerability CVE-2021-2109.
Oracle - Malicious user agentAnalytic Rule📦 SolutionOracleWebLogicServerDetects known malicious user agent strings.
Oracle - Multiple client errors from single IPAnalytic Rule📦 SolutionOracleWebLogicServerDetects multiple client errors from one source in a short timeframe.
Oracle - Multiple server errors from single IPAnalytic Rule📦 SolutionOracleWebLogicServerDetects multiple server errors from one source in a short timeframe.
Oracle - Private IP in URLAnalytic Rule📦 SolutionOracleWebLogicServerDetects requests to unusual URLs.
Oracle - Put file and get file from same IP addressAnalytic Rule📦 SolutionOracleWebLogicServerDetects PUT and GET of files from one source in a short timeframe.
Oracle - Put suspicious fileAnalytic Rule📦 SolutionOracleWebLogicServerDetects PUT or POST of a suspicious file.
Oracle - Request to sensitive filesAnalytic Rule📦 SolutionOracleWebLogicServerDetects request to sensitive files.
Oracle - Request to forbidden filesHunting Query📦 SolutionOracleWebLogicServerQuery shows request to forbidden files.
Oracle - Abnormal request sizeHunting Query📦 SolutionOracleWebLogicServerQuery shows abnormal request size.
Oracle - Critical event severityHunting Query📦 SolutionOracleWebLogicServerQuery shows critical event severity.
Oracle - Error messagesHunting Query📦 SolutionOracleWebLogicServerQuery shows error messages.
Oracle - Top files requested by users with errorHunting Query📦 SolutionOracleWebLogicServerQuery shows list of files with error requests.
Oracle - Rare user agents with client errorsHunting Query📦 SolutionOracleWebLogicServerQuery shows rare user agent strings with client errors.
Oracle - Rare URLs requestedHunting Query📦 SolutionOracleWebLogicServerQuery shows rare URLs requested.
Oracle - Rare user agentsHunting Query📦 SolutionOracleWebLogicServerQuery shows rare user agents.
Oracle - Top URLs client errorsHunting Query📦 SolutionOracleWebLogicServerQuery shows URLs list with client errors.
Oracle - Top URLs server errorsHunting Query📦 SolutionOracleWebLogicServerQuery shows URLs list with server errors.
OracleWorkbookWorkbook📦 SolutionOracleWebLogicServer
OracleWebLogicServerEventParser📦 SolutionOracleWebLogicServer
OrcaAlertsWorkbook📦 SolutionOrca Security Alerts
OSSECEventParser📦 SolutionOSSEC
PaloAltoXDR 🔍Workbook📦 SolutionPalo Alto - XDR (Cortex)
PaloAltoXDR 🔍Playbook📦 SolutionPalo Alto - XDR (Cortex)1. Overview 1. Prerequisites 1. Deploy Palo Alto XDR playbook 1. Deployment Instructions 1. Post-Deployment Instructions 1. References
Microsoft COVID-19 file hash indicator matchesAnalytic Rule📦 SolutionPaloAlto-PAN-OSIdentifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sou...
Palo Alto - potential beaconing detectedAnalytic Rule📦 SolutionPaloAlto-PAN-OSIdentifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with to...
Palo Alto - possible internal to external port scanningAnalytic Rule📦 SolutionPaloAlto-PAN-OSIdentifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an "ApplicationProtocol = inco...
Palo Alto - possible nmap scan on with top 100 optionAnalytic Rule📦 SolutionPaloAlto-PAN-OSDetect possible execution of Nmap top 100 option. This detection will detect scanning of 90% of Top 100 port of NMAP in less than 2 minutes. Unusual port only access through a scan are present in this...
Palo Alto Threat signatures from Unusual IP addressesAnalytic Rule📦 SolutionPaloAlto-PAN-OSIdentifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft....
Palo Alto - potential beaconing detectedHunting Query📦 SolutionPaloAlto-PAN-OSIdentifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns. Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-i...
Palo Alto - high-risk portsHunting Query📦 SolutionPaloAlto-PAN-OSIdentifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks. Consider updating the firewall policies to block ...
PaloAltoNetworkThreatWorkbook📦 SolutionPaloAlto-PAN-OS
PaloAltoOverviewWorkbook📦 SolutionPaloAlto-PAN-OS
PaloAlto-PAN-OS-BlockIPPlaybook📦 SolutionPaloAlto-PAN-OSThis playbook allows blocking/unblocking IPs in PaloAlto, using **Address Object Groups**. This allows making changes on a predefined address group, which is attached to a predefined security policy rule...
Block IP - Palo Alto PAN-OS - Entity triggerPlaybook📦 SolutionPaloAlto-PAN-OSThis playbook interacts with relevant stakeholders, such as the incident response team, to approve blocking/allowing IPs in Palo Alto PAN-OS, using **Address Object Groups**. This allows to make changes on p...
PaloAlto-PAN-OS-BlockURLPlaybook📦 SolutionPaloAlto-PAN-OSThis playbook allows blocking/unblocking URLs in PaloAlto, using a **predefined address group**. This allows making changes on a predefined address group, which is attached to a security policy rule.
PaloAlto-PAN-OS-BlockURL-EntityTriggerPlaybook📦 SolutionPaloAlto-PAN-OSThis playbook allows blocking/unblocking URLs in PaloAlto, using a **predefined address group**. This allows making changes on a predefined address group, which is attached to a security policy rule.
Get System Info - Palo Alto PAN-OS XML APIPlaybook📦 SolutionPaloAlto-PAN-OSThis playbook allows us to get System Info of a Palo Alto device for a Microsoft Sentinel alert.
Get Threat PCAP - Palo Alto PAN-OS XML APIPlaybook📦 SolutionPaloAlto-PAN-OSThis playbook allows us to get a threat PCAP for a given PCAP ID.
PaloAlto-PAN-OS-GetURLCategoryInfoPlaybook📦 SolutionPaloAlto-PAN-OSWhen a new Sentinel incident is created, this playbook gets triggered and performs the following actions:
PaloAlto - MAC address conflictAnalytic Rule📦 SolutionPaloAltoCDLDetects several users with the same MAC address.
PaloAlto - Dropping or denying session with trafficAnalytic Rule📦 SolutionPaloAltoCDLDetects dropping or denying session with traffic.
PaloAlto - File type changedAnalytic Rule📦 SolutionPaloAltoCDLDetects when file type changed.
PaloAlto - Inbound connection to high risk portsAnalytic Rule📦 SolutionPaloAltoCDLDetects inbound connection to high risk ports.
PaloAlto - Possible attack without responseAnalytic Rule📦 SolutionPaloAltoCDLDetects possible attack without response.
PaloAlto - Possible floodingAnalytic Rule📦 SolutionPaloAltoCDLDetects possible flooding.
PaloAlto - Possible port scanAnalytic Rule📦 SolutionPaloAltoCDLDetects possible port scan.
PaloAlto - User privileges were changedAnalytic Rule📦 SolutionPaloAltoCDLDetects changes to user privileges.
PaloAlto - Put and post method request in high risk file typeAnalytic Rule📦 SolutionPaloAltoCDLDetects put and post method request in high risk file type.
PaloAlto - Forbidden countriesAnalytic Rule📦 SolutionPaloAltoCDLDetects suspicious connections from forbidden countries.
PaloAlto - Critical event resultHunting Query📦 SolutionPaloAltoCDLQuery shows critical event result
PaloAlto - File permission with PUT or POST requestHunting Query📦 SolutionPaloAltoCDLQuery shows file permission with PUT or POST request
PaloAlto - Incomplete application protocolHunting Query📦 SolutionPaloAltoCDLQuery shows incomplete application protocol
PaloAlto - Destination ports by IPsHunting Query📦 SolutionPaloAltoCDLQuery shows destination ports by IP address.
PaloAlto - Multiple Deny result by userHunting Query📦 SolutionPaloAltoCDLQuery shows multiple Deny results by user
PaloAlto - Agent versionsHunting Query📦 SolutionPaloAltoCDLQuery shows agents which are not updated to the latest version
PaloAlto - Outdated config versionsHunting Query📦 SolutionPaloAltoCDLQuery shows outdated config versions
PaloAlto - Rare application layer protocolsHunting Query📦 SolutionPaloAltoCDLQuery shows Rare application layer protocols
PaloAlto - Rare files observedHunting Query📦 SolutionPaloAltoCDLQuery shows rare files observed
PaloAlto - Rare ports by userHunting Query📦 SolutionPaloAltoCDLQuery shows rare ports by user.
PaloAltoCDLWorkbook📦 SolutionPaloAltoCDL
PaloAltoCDLEventParser📦 SolutionPaloAltoCDL
Palo Alto Prisma Cloud - Access keys are not rotated for 90 daysAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects access keys which were not rotated for 90 days.
Palo Alto Prisma Cloud - Network ACL allow all outbound trafficAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects network ACLs with outbound rule to allow all traffic.
Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration portsAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects Network ACLs allow ingress traffic to server administration ports.
Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All TrafficAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects Network ACLs with Inbound rule to allow All Traffic.
Palo Alto Prisma Cloud - Anomalous access key usageAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects anomalous API key usage activity.
Palo Alto Prisma Cloud - High risk score alertAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects alerts with high risk score value.
Palo Alto Prisma Cloud - High severity alert opened for several daysAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects high severity alert which is opened for several days.
Palo Alto Prisma Cloud - IAM Group with Administrator Access PermissionsAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects IAM Groups with Administrator Access Permissions.
Palo Alto Prisma Cloud - Inactive userAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects users inactive for 30 days.
Palo Alto Prisma Cloud - Maximum risk score alertAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects alerts with maximum risk score value.
Palo Alto Prisma Cloud - Multiple failed logins for userAnalytic Rule📦 SolutionPaloAltoPrismaCloudDetects multiple failed logins for the same user account.
Palo Alto Prisma Cloud - Access keys usedHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches for access keys used for programmatic access.
Palo Alto Prisma Cloud - Top sources of failed loginsHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches for top source IP addresses of failed logins.
Palo Alto Prisma Cloud - Top users by failed loginsHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches for users who have large number of failed logins.
Palo Alto Prisma Cloud - High risk score opened alertsHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches for alerts with high risk score value.
Palo Alto Prisma Cloud - High severity alertsHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches for high severity alerts.
Palo Alto Prisma Cloud - New usersHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches for new users.
Palo Alto Prisma Cloud - Opened alertsHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches opened alerts.
Palo Alto Prisma Cloud - Top resources with alertsHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches for resources which appeared in different alerts.
Palo Alto Prisma Cloud - Updated resourcesHunting Query📦 SolutionPaloAltoPrismaCloudQuery searches recently updated resources.
PaloAltoPrismaCloudOverviewWorkbook📦 SolutionPaloAltoPrismaCloud
Fetch Security Posture from Prisma CloudPlaybook📦 SolutionPaloAltoPrismaCloudThis playbook provides/updates the compliance security posture details of asset in comments section of triggered incident so that SOC analysts can directly take corrective measure to prevent the attac...
Remediate assets on prisma cloudPlaybook📦 SolutionPaloAltoPrismaCloudThis playbook provides/updates the compliance security posture details of asset in comments section of triggered incident so that SOC analysts can directly take corrective measure to prevent the attac...
PaloAltoPrismaCloudParser📦 SolutionPaloAltoPrismaCloud
PCIDSSComplianceWorkbook📦 SolutionPCI DSS Compliance
Perimeter81OverviewWorkbookWorkbook📦 SolutionPerimeter 81
Ping Federate - Abnormal password reset attemptsAnalytic Rule📦 SolutionPingFederateDetects abnormal password reset attempts for user in short period of time.
Ping Federate - Authentication from new IP.Analytic Rule📦 SolutionPingFederateDetects authentication requests from new IP address.
Ping Federate - Forbidden countryAnalytic Rule📦 SolutionPingFederateDetects requests from forbidden countries.
Ping Federate - Abnormal password resets for userAnalytic Rule📦 SolutionPingFederateDetects multiple password reset for user.
Ping Federate - New user SSO success loginAnalytic Rule📦 SolutionPingFederateDetects new user SSO success login.
Ping Federate - OAuth old versionAnalytic Rule📦 SolutionPingFederateDetects requests that do not use the latest version of the OAuth protocol.
Ping Federate - Password reset request from unexpected source IP address.Analytic Rule📦 SolutionPingFederateDetects password reset requests from an unexpected source IP address.
Ping Federate - SAML old versionAnalytic Rule📦 SolutionPingFederateDetects requests that do not use the latest version of the SAML protocol.
Ping Federate - Unexpected authentication URL.Analytic Rule📦 SolutionPingFederateDetects unexpected authentication URL.
Ping Federate - Unexpected country for userAnalytic Rule📦 SolutionPingFederateDetects requests from different countries for a user in a short term.
Ping Federate - Unusual mail domain.Analytic Rule📦 SolutionPingFederateDetects unusual mail domain in authentication requests.
Ping Federate - Authentication URLsHunting Query📦 SolutionPingFederateQuery searches for authentication URLs used.
Ping Federate - Failed AuthenticationHunting Query📦 SolutionPingFederateQuery searches for failed authentication events
Ping Federate - New usersHunting Query📦 SolutionPingFederateQuery searches for new users.
Ping Federate - Password reset requestsHunting Query📦 SolutionPingFederateQuery searches for password reset requests events.
Ping Federate - Rare source IP addressesHunting Query📦 SolutionPingFederateQuery searches for rare source IP addresses of requests
Ping Federate - SAML subjectsHunting Query📦 SolutionPingFederateQuery searches for SAML subjects used in requests
Ping Federate - Top source IP addressesHunting Query📦 SolutionPingFederateQuery searches for source IP addresses with the most requests
Ping Federate - Requests from unusual countriesHunting Query📦 SolutionPingFederateQuery searches for requests from unusual countries.
Ping Federate - Authentication from unusual sourcesHunting Query📦 SolutionPingFederateQuery searches for unusual sources of authentication.
Ping Federate - Users recently reset passwordHunting Query📦 SolutionPingFederateQuery searches for users who recently reset their passwords.
PingFederateWorkbook📦 SolutionPingFederate
PingFederateEventParser📦 SolutionPingFederate
PostgreSQLEventParser📦 SolutionPostgreSQL
Disks Alerts From Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity disk alerts found by Prancer.
Flow Logs Alerts for Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity flow Log alerts found by Prancer.
NetworkSecurityGroups Alert From Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity network security groups alerts found by Prancer.
PAC high severity 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity alerts found by Prancer.
Registries Alerts for Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity registry alerts found by Prancer.
Sites Alerts for Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity sites alerts found by Prancer.
Storage Accounts Alerts From Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity storage account alerts found by Prancer.
Subnets Alerts for Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity subnet alerts found by Prancer.
Vaults Alerts for Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity vault alerts found by Prancer.
VirtualNetworkPeerings Alerts From Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity virtual network peerings alerts found by Prancer.
Virtual Machines Alerts for Prancer 🔍Analytic Rule📦 SolutionPrancer PenSuiteAI IntegrationHigh severity virtual machine alerts found by Prancer.
Hunting Query for Failed CSPM Scan Items 🔍Hunting Query📦 SolutionPrancer PenSuiteAI IntegrationThis query pulls in all the failed scan results from the CSPM scans
Hunting Query for High Severity PAC findings 🔍Hunting Query📦 SolutionPrancer PenSuiteAI IntegrationThis query pulls in all the high severity Pensuite AI pentest findings into one location
PrancerSentinelAnalytics 🔍Workbook📦 SolutionPrancer PenSuiteAI Integration
ProofpointPOD - Binary file in attachmentAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when email received with binary file as attachment.
ProofpointPOD - Possible data exfiltration to private emailAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.
ProofpointPOD - Email sender in TI listAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityEmail sender in TI list.
ProofpointPOD - Email sender IP in TI listAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityEmail sender IP in TI list.
ProofpointPOD - High risk message not discardedAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when email with high risk score was not rejected or discarded by filters.
ProofpointPOD - Multiple archived attachments to the same recipientAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when multiple emails were sent to the same recipient with large archived attachments.
ProofpointPOD - Multiple large emails to the same recipientAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when multiple emails with large size were sent to the same recipient.
ProofpointPOD - Multiple protected emails to unknown recipientAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when multiple protected messages were sent to a previously unseen recipient.
ProofpointPOD - Suspicious attachmentAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when email contains suspicious attachment (file type).
ProofpointPOD - Weak ciphersAnalytic Rule📦 SolutionProofpoint On demand(POD) Email SecurityDetects when weak TLS ciphers are used.
ProofpointPOD - Emails with high score of 'adult' filter classifier valueHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for emails with high score of 'adult' filter classifier value.
ProofpointPOD - Emails with high score of 'malware' filter classifier valueHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for emails with high score of 'malware' filter classifier value.
ProofpointPOD - Emails with high score of 'phish' filter classifier valueHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for emails with high score of 'phish' filter classifier value.
ProofpointPOD - Emails with high score of 'spam' filter classifier valueHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for emails with high score of 'spam' filter classifier value.
ProofpointPOD - Emails with high score of 'suspect' filter classifier valueHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for emails with high score of 'suspect' filter classifier value.
ProofpointPOD - Large size outbound emailsHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for emails whose size is 2 times greater than the average size of outbound email for the user.
ProofpointPOD - Recipients with high number of discarded or rejected emailsHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for recipients with high number of discarded or rejected emails.
ProofpointPOD - Recipients with large number of corrupted emailsHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for recipients with large number of corrupted emails.
ProofpointPOD - Senders with large number of corrupted messagesHunting Query📦 SolutionProofpoint On demand(POD) Email SecuritySearch for senders with large number of corrupted messages.
ProofpointPOD - Suspicious file types in attachmentsHunting Query📦 SolutionProofpoint On demand(POD) Email SecurityHunting for suspicious file types in attachments.
ProofpointPODWorkbook📦 SolutionProofpoint On demand(POD) Email Security
ProofpointPODParser📦 SolutionProofpoint On demand(POD) Email Security
Malware attachment deliveredAnalytic Rule📦 SolutionProofPointTapThis query identifies a message containing a malware attachment that was delivered.
Malware Link ClickedAnalytic Rule📦 SolutionProofPointTapThis query identifies a user clicking on an email link whose threat category is classified as a malware
ProofpointTAPWorkbook📦 SolutionProofPointTap
ProofpointTAP-AddForensicsInfoToIncidentPlaybook📦 SolutionProofPointTapOnce a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. [Gets Forensics](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/For...
ProofpointTAP-CheckAccountInVAPPlaybook📦 SolutionProofPointTapOnce a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets [Very Attacked People](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Docume...
ProofpointTAPEventParser📦 SolutionProofPointTap
PulseConnectSecure - Potential Brute Force AttemptsAnalytic Rule📦 SolutionPulse Connect SecureThis query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
PulseConnectSecure - Large Number of Distinct Failed User LoginsAnalytic Rule📦 SolutionPulse Connect SecureThis query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server
PulseConnectSecureWorkbook📦 SolutionPulse Connect Secure
PulseConnectSecureParser📦 SolutionPulse Connect Secure
External Fabric Module XFM1 is unhealthyAnalytic Rule📦 SolutionPure StorageExternal Fabric Module XFM1 is unhealthy
Pure Controller FailedAnalytic Rule📦 SolutionPure StorageDetect controller failure and take appropriate response action.
Pure Failed LoginAnalytic Rule📦 SolutionPure StorageDetect failed login attacks and delete user
Pure Storage FlashBlade File System SnapshotPlaybook📦 SolutionPure StorageThis playbook gets triggered when a Microsoft Sentinel Incident is created for suspicious activity and it takes a file system snapshot of specific file systems listed in key vault
Pure Storage Protection Group SnapshotPlaybook📦 SolutionPure StorageThis playbook gets triggered when a Microsoft Sentinel Incident is created for suspicious activity and it takes a protection group snapshot of specific protection groups listed in key vault.
Pure Storage User DeletionPlaybook📦 SolutionPure StorageThis playbook gets triggered when a Microsoft Sentinel Incident is created for suspicious user activity and it deletes the respective user from the storage array
Pure Storage Volume SnapshotPlaybook📦 SolutionPure StorageThis playbook gets triggered when a Microsoft Sentinel Incident is created for suspicious activity and it takes a snapshot of specific volumes mentioned in key vault.
PureStorageFlashArrayParserParser📦 SolutionPure Storage
PureStorageFlashBladeParserParser📦 SolutionPure Storage
QualysKBParser📦 SolutionQualys VM Knowledgebase
High Number of Urgent Vulnerabilities DetectedAnalytic Rule📦 SolutionQualysVMThis creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.
New High Severity Vulnerability Detected Across Multiple HostsAnalytic Rule📦 SolutionQualysVMThis creates an incident when a new high severity vulnerability is detected across multiple hosts
QualysVMv2Workbook📦 SolutionQualysVM
QualysVM-GetAssetDetailsPlaybook📦 SolutionQualysVMWhen a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Get IP Addresses from incident. 2. Get Asset Details for all IP Addresses. 3. Add asset det...
QualysVM-GetAssets-ByCVEIDPlaybook📦 SolutionQualysVMWhen a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Get CVE IDs from incident. 2. Create a Dynamic Search List with CVE IDs as filter criteria....
QualysVM-GetAssets-ByOpenPortPlaybook📦 SolutionQualysVMWhen a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Port from incident. (Only one port) 2. Search the Qualys platform and get the asset co...
QualysVM-LaunchVMScan-GenerateReportPlaybook📦 SolutionQualysVMWhen a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Get IP Addresses from incident. 2. Scan IP Addresses with Qualys Scanner. 3. Generate the S...
QualysHostDetectionParser📦 SolutionQualysVM
Quokka - Malicious Results DetectedAnalytic Rule📦 SolutionQuokkaDetects if there are any malicious results in the app events coming from organization devices.
QscoutDashboardsWorkbook📦 SolutionQuokka
Radiflow - Exploit DetectedAnalytic Rule📦 SolutionRadiflowGenerates an incident when the use of an exploit is detected by Radiflow's iSID.
Radiflow - Network Scanning DetectedAnalytic Rule📦 SolutionRadiflowGenerates an incident when a network scan is detected by Radiflow's iSID.
Radiflow - New Activity DetectedAnalytic Rule📦 SolutionRadiflowGenerates an incident when a new asset or MAC is detected by Radiflow's iSID.
Radiflow - Platform AlertAnalytic Rule📦 SolutionRadiflowGenerates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
Radiflow - Policy Violation DetectedAnalytic Rule📦 SolutionRadiflowGenerates an incident when an unauthorized session or action is detected by Radiflow's iSID.
Radiflow - Suspicious Malicious Activity DetectedAnalytic Rule📦 SolutionRadiflowGenerates an incident when malware is detected by Radiflow's iSID.
Radiflow - Unauthorized Command in Operational DeviceAnalytic Rule📦 SolutionRadiflowGenerates an incident when an unauthorized command is detected in the network by Radiflow's iSID.
Radiflow - Unauthorized Internet AccessAnalytic Rule📦 SolutionRadiflowGenerates an incident when an unauthorized link between the network and the Internet is detected by Radiflow's iSID.
RadiflowEventParser📦 SolutionRadiflow
Rapid7 Insight VM - Enrich incident with asset infoPlaybook📦 SolutionRapid7InsightVMOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset ids by the IPs. 3. Gets assets i...
Rapid7 Insight VM - Enrich vulnerability infoPlaybook📦 SolutionRapid7InsightVMOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset ids by the IPs. 3. Gets vulnerab...
Rapid7 Insight VM - Run scanPlaybook📦 SolutionRapid7InsightVMOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset ids by the IPs. 3. Obtains a lis...
InsightVMAssetsParser📦 SolutionRapid7InsightVM
InsightVMVulnerabilitiesParser📦 SolutionRapid7InsightVM
RecordedFuture Threat Hunting Domain All ActorsAnalytic Rule📦 SolutionRecorded FutureRecorded Future Threat Hunting domain correlation for all actors.
RecordedFuture Threat Hunting Hash All ActorsAnalytic Rule📦 SolutionRecorded FutureRecorded Future Threat Hunting hash correlation for all actors.
RecordedFuture Threat Hunting IP All ActorsAnalytic Rule📦 SolutionRecorded FutureRecorded Future Threat Hunting IP correlation for all actors.
RecordedFuture Threat Hunting Url All ActorsAnalytic Rule📦 SolutionRecorded FutureRecorded Future Threat Hunting Url correlation for all actors.
RecordedFuture Threat Hunting Domain All Actors 🔍Hunting Query📦 SolutionRecorded FutureRecorded Future Threat Hunting domain correlation for all actors.
RecordedFuture Threat Hunting Hash All Actors 🔍Hunting Query📦 SolutionRecorded FutureRecorded Future Threat Hunting hash correlation for all actors.
RecordedFuture Threat Hunting IP All Actors 🔍Hunting Query📦 SolutionRecorded FutureRecorded Future Threat Hunting IP correlation for all actors.
RecordedFuture Threat Hunting URL All Actors 🔍Hunting Query📦 SolutionRecorded FutureRecorded Future URL Threat Actor Hunt.
RecordedFutureAlertOverviewWorkbook📦 SolutionRecorded Future
RecordedFutureDomainCorrelationWorkbook📦 SolutionRecorded Future
RecordedFutureHashCorrelationWorkbook📦 SolutionRecorded Future
RecordedFutureIPCorrelationWorkbook📦 SolutionRecorded Future
RecordedFutureMalwareThreatHuntingWorkbook📦 SolutionRecorded Future
RecordedFuturePlaybookAlertOverviewWorkbook📦 SolutionRecorded Future
RecordedFutureThreatActorHuntingWorkbook📦 SolutionRecorded Future
RecordedFutureURLCorrelationWorkbook📦 SolutionRecorded Future
RecordedFuture-ActorThreatHunt-IndicatorImportPlaybook📦 SolutionRecorded FutureThis playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.
RecordedFuture-MalwareThreatHunt-IndicatorImportPlaybook📦 SolutionRecorded FutureThis playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.
RecordedFuture-ThreatMap-ImporterPlaybook📦 SolutionRecorded FutureThis playbook will import Threat Map data from Recorded Future and store it in a custom log.
RecordedFuture-ThreatMapMalware-ImporterPlaybook📦 SolutionRecorded FutureThis playbook will import Threat Map data from Recorded Future and store it in a custom log.
RecordedFuture-Sandbox_Enrichment-UrlPlaybook📦 SolutionRecorded FutureThis playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. The result will be written as an incident comment.
RecordedFuture-Sandbox_Outlook_AttachmentPlaybook📦 SolutionRecorded FutureThis playbook will trigger on emails with attachments and send them to Recorded Future Sandbox. The result will be written as a reply and a Sentinel Incident will be created if the file attachment has ...
RecordedFuture-Sandbox_StorageAccountPlaybook📦 SolutionRecorded FutureThis playbook will trigger on files in a Storage Account and send them to Recorded Future Sandbox. The result will be written as a reply and a Sentinel Incident will be created if the file attachment ...
RecordedFuture-Domain-IndicatorImportPlaybook📦 SolutionRecorded FutureThis playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes. This playbook depends on RecordedFuture-Th...
RecordedFuture-Hash-IndicatorImportPlaybook📦 SolutionRecorded FutureThis playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes. This playbook depends on RecordedFuture-Thre...
RecordedFuture-IP-IndicatorImportPlaybook📦 SolutionRecorded FutureThis playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes. This playbook depends on RecordedFuture-Threat...
RecordedFuture-ThreatIntelligenceImportPlaybook📦 SolutionRecorded FutureThis playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table.
RecordedFuture-URL-IndicatorImportPlaybook📦 SolutionRecorded FutureThis playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes. This playbook depends on RecordedFuture-Threa...
RecordedFuture-IOC_EnrichmentPlaybook📦 SolutionRecorded FutureThis playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intel...
RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessorPlaybook📦 SolutionRecorded Future**[Deprecated]** Deprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that are provided in this Solution. This playbook leverages the Recorded Future API...
RecordedFuture-HASH-Obs_in_Underground-TIProcessorPlaybook📦 SolutionRecorded Future**[Deprecated]** Deprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that are provided in this Solution. This playbook leverages the Recorded Future API...
RecordedFuture-ImportToSentinelPlaybook📦 SolutionRecorded Future**[Deprecated]** Deprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that are provided in this Solution. This playbook is purposed to listen (via batchi...
RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessorPlaybook📦 SolutionRecorded Future**[Deprecated]** Deprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that are provided in this Solution. This playbook leverages the Recorded Future API...
RecordedFuture-Ukraine-IndicatorProcessorPlaybook📦 SolutionRecorded Future**[Deprecated]** Deprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that are provided in this Solution. This playbook leverages the Recorded Future API...
RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessorPlaybook📦 SolutionRecorded Future**[Deprecated]** Deprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that are provided in this Solution. This playbook leverages the Recorded Future API...
RecordedFuture-Alert-ImporterPlaybook📦 SolutionRecorded FutureThis playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident.
RecordedFuture-Playbook-Alert-ImporterPlaybook📦 SolutionRecorded FutureThis playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.
Recorded Future Identity - Credential Exposure DetectedAnalytic Rule📦 SolutionRecorded Future IdentityCreates incidents when Recorded Future Identity detects compromised credentials for users in your organization
RFI-Playbook-Alert-ImporterPlaybook📦 SolutionRecorded Future IdentityThis playbook fetches identity compromises from Recorded Future, places users in a security group and confirms them as 'risky users' in Entra ID.
RFI-Playbook-Alert-Importer-LAWPlaybook📦 SolutionRecorded Future IdentityThis playbook fetches identity compromises from Recorded Future, places users in a security group and confirms them as 'risky users' in Entra ID.
RFI-Playbook-Alert-Importer-LAW-Sentinel (DEPRECATED)Playbook📦 SolutionRecorded Future IdentityDEPRECATED: This playbook creates incidents via the Azure Microsoft Sentinel Logic Apps connector, which do not appear in the unified Microsoft Defender portal. Use RFI-Playbook-Alert-Importer-LAW ins...
RFI-add-EntraID-security-group-userPlaybook📦 SolutionRecorded Future IdentityThis playbook adds a compromised user to an EntraID security group. Triage and remediation should be handled in follow up playbooks or actions.
RFI-confirm-EntraID-risky-userPlaybook📦 SolutionRecorded Future IdentityThis playbook confirms compromise of users deemed 'high risk' by EntraID.
RFI-lookup-and-save-userPlaybook📦 SolutionRecorded Future IdentityThis playbook gets compromise identity details from Recorded Future Identity Intelligence and saves the data for further review and analysis.
RFI-search-external-userPlaybook📦 SolutionRecorded Future IdentityThis playbook searches the Recorded Future Identity Intelligence Module for compromised external (customer) users. This playbook depends on: - RFI-add-EntraID-security-group-user - RFI-confirm-EntraID...
RFI-search-workforce-userPlaybook📦 SolutionRecorded Future IdentityThis playbook searches the Recorded Future Identity Intelligence Module for compromised workforce users. This playbook depends on: - RFI-add-EntraID-security-group-user - RFI-confirm-EntraID-risky-use...
Red Canary Threat Detection 🔍Analytic Rule📦 SolutionRed CanaryTriggers Incidents using detection data assembled by Red Canary.
ReversingLabs-CapabilitiesOverviewWorkbook📦 SolutionReversingLabs
ReversingLabs-CheckQuotaPlaybook📦 SolutionReversingLabsThis playbook will check your ReversingLabs TitaniumCloud API quota and provide usage details. To be used in conjunction with the ReversingLabs-CapabilitiesOverview workbook.
SpectraAnalyze-EnrichFileHashPlaybook📦 SolutionReversingLabsThis playbook will enrich a Microsoft Sentinel incident with file hash information from a Spectra Analyze appliance. A comment will be added to the incident with details about the file.
SpectraAnalyze-EnrichNetworkEntitiesPlaybook📦 SolutionReversingLabsThis playbook will enrich a network entities (IP addresses, URLs, and domain names) with information from a Spectra Analyze appliance. A comment will be added to the incident with details about the en...
SpectraIntelligence-EnrichFileHashPlaybook📦 SolutionReversingLabsThis playbook will enrich a Microsoft Sentinel Incident with file hash information from ReversingLabs Spectra Intelligence (formerly TitaniumCloud). A comment will be added to the incident with detail...
SpectraIntelligence-EnrichNetworkEntitiesPlaybook📦 SolutionReversingLabsThis playbook will enrich a Microsoft Sentinel Incident with information about network entities (IP addresses, URLs, and domain names) from ReversingLabs Spectra Intelligence (formerly TitaniumCloud)....
Critical RisksAnalytic Rule📦 SolutionRidgeSecurityThis query searches for all the exploited risks that RidgeBot identified
VulerabilitiesAnalytic Rule📦 SolutionRidgeSecurityThis query searches for all the vulerabilities that RidgeBot identified
RiskIQ-BasePlaybook📦 SolutionRiskIQThis playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playboo...
RiskIQ-Data-PassiveDnsPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner....
RiskIQ-Data-PassiveDns-DomainPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner....
RiskIQ-Data-PassiveDns-IpPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner....
RiskIQ-Data-WhoisPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind dom...
RiskIQ-Data-Whois-DomainPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind dom...
RiskIQ-Data-Whois-IpPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind dom...
RiskIQ-Intel-Summary-Ip-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities,...
RiskIQ-Intel-Summary-Ip-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities,...
RiskIQ-Intel-Summary-Domain-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities,...
RiskIQ-Intel-Summary-Domain-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities,...
RiskIQ-Intel-Summary-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities,...
RiskIQ-Intel-Summary-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analyst with deeper context around vulnerabilities,...
RiskIQ-Intel-Reputation-Ip-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicat...
RiskIQ-Intel-Reputation-Ip-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicat...
RiskIQ-Intel-Reputation-Domain-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicat...
RiskIQ-Intel-Reputation-Domain-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicat...
RiskIQ-Intel-Reputation-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicat...
RiskIQ-Intel-Reputation-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicat...
RiskIQ-Data-Summary-Ip-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what Risk...
RiskIQ-Data-Summary-Ip-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what Risk...
RiskIQ-Data-Summary-Domain-alertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what Risk...
RiskIQ-Data-Summary-Domain-incidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what Risk...
RiskIQ Data Summary AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what Risk...
RiskIQ Data Summary IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what Risk...
RiskIQ-Automated-Triage-AlertPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If an...
RiskIQ-Automated-Triage-IncidentPlaybook📦 SolutionRiskIQThis playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If an...
RSASecurIDAMEventParser📦 SolutionRSA SecurID
RSA ID Plus - Locked Administrator Account DetectedAnalytic Rule📦 SolutionRSAIDPlus_AdminLogs_ConnectorRaises an alert when an admin account is locked out of the Admin console (RSAIDPlus Admin Events).
SendEmailonRSAIDPlusAlertPlaybook📦 SolutionRSAIDPlus_AdminLogs_ConnectorSends an email notification when an RSA ID Plus analytic rule triggers. This playbook can be linked via automation rules.
Rubrik Critical AnomalyAnalytic Rule📦 SolutionRubrikSecurityCloudRubrik Critical Anomaly rule matches Severity and if Critical severity found then generate the incident for each object.
Rubrik Threat MonitoringAnalytic Rule📦 SolutionRubrikSecurityCloudRubrik Threat Monitoring matches Event Name and if match found then generate the incident for each object.
Rubrik Advanced Threat HuntPlaybook📦 SolutionRubrikSecurityCloudThis playbook fetches the object mapped with incident and starts advance threat hunt.
Rubrik Anomaly AnalysisPlaybook📦 SolutionRubrikSecurityCloudThis playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information regarding the Ransomware analysis, results from sensitive data scans, (to aid in incident prioritiza...
Rubrik Anomaly Generate Downloadable LinkPlaybook📦 SolutionRubrikSecurityCloudThis playbook will generate downloadable links according to objectType (VMware, Fileset or VolumeGroup) and add suspiciousFiles and downloadable links as an incident comment to enrich the anomaly.
Rubrik Anomaly Incident ResponsePlaybook📦 SolutionRubrikSecurityCloudThis playbook provides an end to end example of the collection of Ransomware Anomaly information from Rubrik, its enrichment with Data Classification insights (to aid in incident prioritization), and ...
Rubrik Data Object DiscoveryPlaybook📦 SolutionRubrikSecurityCloudThis playbook queries Rubrik Security Cloud to enrich the incoming event with additional information from Rubrik about the object and it's snapshots that the event refers to.
Rubrik File Object Context AnalysisPlaybook📦 SolutionRubrikSecurityCloudThis playbook will retrieve policy hits from Rubrik Security Cloud for a given object, for a particular file, folder, or file share.
Rubrik Fileset Ransomware DiscoveryPlaybook📦 SolutionRubrikSecurityCloudThis playbook queries Rubrik Security Cloud to enrich the incoming event with additional information from Rubrik about the fileset object and perform an IOC scan against the fileset.
Rubrik IOC ScanPlaybook📦 SolutionRubrikSecurityCloudThis playbook interacts with Rubrik Security Cloud to scan backups for specified IOCs. This playbook is used by other playbooks that leverage this capability.
Rubrik Poll Async ResultPlaybook📦 SolutionRubrikSecurityCloudThis playbook is used by other playbooks to poll for results from some of the asynchronous API calls that are invoked by other playbooks.
Rubrik Ransomware Discovery and File RecoveryPlaybook📦 SolutionRubrikSecurityCloudThis playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for ...
Rubrik Ransomware Discovery and VM RecoveryPlaybook📦 SolutionRubrikSecurityCloudThis playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for ...
Rubrik Retrieve User Intelligence InformationPlaybook📦 SolutionRubrikSecurityCloudThis playbook queries Rubrik Security Cloud to get risk detail and policy hits details for a username or email address, and enriches the incident by adding incident comment
Rubrik Turbo Threat HuntPlaybook📦 SolutionRubrikSecurityCloudThis playbook fetches the object mapped with incident and starts turbo threat hunt.
Rubrik Update Anomaly StatusPlaybook📦 SolutionRubrikSecurityCloudThis playbook will resolve or report false positive to unresolved anomaly and update status as resolved.
Rubrik Update Anomaly Status Via IncidentPlaybook📦 SolutionRubrikSecurityCloudThis playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information and internally calls RubrikUpdateAnomalyStatus playbook with additional anomaly information to resol...
Rubrik User Intelligence AnalysisPlaybook📦 SolutionRubrikSecurityCloudThis playbook queries Rubrik Security Cloud to get user sensitive data and update severity of incident accordingly. This playbook calls the RubrikRetrieveUserIntelligenceInformation playbook internall...
RubrikWorkloadAnalysisPlaybook📦 SolutionRubrikSecurityCloudThis playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.
SailPointIdentityNowAlertForTriggersAnalytic Rule📦 SolutionSailPointIdentityNowCreate alerts for SailPoint IdentityNow Event Trigger Service.
SailPointIdentityNowEventTypeAnalytic Rule📦 SolutionSailPointIdentityNowCreated to detect failed events of particular type from SailPointIDN_Events.
SailPointIdentityNowEventTypeTechnicalNameAnalytic Rule📦 SolutionSailPointIdentityNowCreated to detect new threat events from the data in SailPointIDN_Events.
SailPointIdentityNowFailedEventsAnalytic Rule📦 SolutionSailPointIdentityNowDetects all events with status failed.
SailPointIdentityNowFailedEventsBasedOnTimeAnalytic Rule📦 SolutionSailPointIdentityNowDetects failed events based on created time.
SailPointIdentityNowUserWithFailedEventAnalytic Rule📦 SolutionSailPointIdentityNowDetects any failed event for a particular user.
SalemDashboardWorkbook📦 SolutionSalemCyber
Send-Sentinel-Alerts-to-SalemPlaybook📦 SolutionSalemCyberUse this playbook to send Microsoft Sentinel alerts to Salem Virtual Cyber Analyst
Brute force attack against user credentialsAnalytic Rule📦 SolutionSalesforce Service CloudIdentifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresse...
Potential Password Spray AttackAnalytic Rule📦 SolutionSalesforce Service CloudThis query searches for failed attempts to log in from more than 15 various users within a 5 minutes timeframe from the same source. This is a potential indication of a password spray attack.
User Sign in from different countriesAnalytic Rule📦 SolutionSalesforce Service CloudThis query searches for successful user logins from different countries within 30 mins.
SalesforceServiceCloudWorkbook📦 SolutionSalesforce Service Cloud
SalesforceServiceCloudParser📦 SolutionSalesforce Service Cloud
Samsung Knox - Application Privilege Escalation or Change EventsAnalytic Rule📦 SolutionSamsung Knox Asset IntelligenceWhen a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
Samsung Knox - Mobile Device Boot Compromise EventsAnalytic Rule📦 SolutionSamsung Knox Asset IntelligenceWhen a Knox device boot binary is at risk of compromise.
Samsung Knox - Password Lockout EventsAnalytic Rule📦 SolutionSamsung Knox Asset IntelligenceWhen maximum password attempts have been reached, and the Knox device is locked out. This is based on a threshold set in the MDM device policy
Samsung Knox - Peripheral Access Detection with Camera EventsAnalytic Rule📦 SolutionSamsung Knox Asset IntelligenceWhen camera access has been detected on a Knox device, even though such access is disabled through an MDM device policy.
Samsung Knox - Peripheral Access Detection with Mic EventsAnalytic Rule📦 SolutionSamsung Knox Asset IntelligenceWhen microphone access has been detected on a Knox device, even though such access is disabled through an MDM device policy.
Samsung Knox - Security Log Full EventsAnalytic Rule📦 SolutionSamsung Knox Asset IntelligenceWhen the Knox Security Log is full on a device.
Samsung Knox - Suspicious URL Accessed EventsAnalytic Rule📦 SolutionSamsung Knox Asset IntelligenceWhen a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.
SamsungKnoxAssetIntelligenceWorkbook📦 SolutionSamsung Knox Asset Intelligence
SAP - Lock User (Agentless Basic) 🔍Playbook📦 SolutionSAPThis playbook locks an SAP user when triggered by a Microsoft Sentinel incident. It dynamically finds SAP-specific alert details across all alerts in the incident, supporting complex multi-alert incid...
workflow 🔍Playbook📦 SolutionSAP< 🏡home
workflow 🔍Playbook📦 SolutionSAP< 🏡home
BTP - Audit log service unavailableAnalytic Rule📦 SolutionSAP BTPIdentifies SAP BTP subaccounts that have not reported audit logs for an unusual period. This could indicate that the audit log service has been disabled or tampered with, potentially by an attacker at...
BTP - Build Work Zone unauthorized access and role tamperingAnalytic Rule📦 SolutionSAP BTPIdentifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone Standard Edition. These events may indicate an attacker accessing restricted resources or removing a...
BTP - Cloud Identity Service application configuration monitorAnalytic Rule📦 SolutionSAP BTPIdentifies CRUD operations on Application (SSO Domain/Service Provider) configurations within SAP Cloud Identity Service. This includes both SAML 2.0 and OpenID Connect applications. Unauthorized appl...
BTP - Cloud Integration access policy tamperingAnalytic Rule📦 SolutionSAP BTPIdentifies changes to access policies in SAP Cloud Integration. Access policies control authorization for integration artifacts, defining which users and roles can access specific integration flows an...
BTP - Cloud Integration artifact deploymentAnalytic Rule📦 SolutionSAP BTPIdentifies deployment and undeployment of integration artifacts in SAP Cloud Integration. Integration flows are executable code that can process, transform, and route data between systems. Unauthoriz...
BTP - Cloud Integration JDBC data source changesAnalytic Rule📦 SolutionSAP BTPIdentifies deployment and undeployment of JDBC data source configurations in SAP Cloud Integration. JDBC data sources contain database connection credentials and configuration that enable integration ...
BTP - Cloud Integration package import or transportAnalytic Rule📦 SolutionSAP BTPIdentifies import and transport operations for integration packages and artifacts in SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other artifacts that can be impor...
BTP - Cloud Integration tampering with security materialAnalytic Rule📦 SolutionSAP BTPIdentifies operations on security material (credentials, certificates, and keys) within SAP Cloud Integration. This includes credentials (passwords/secrets), X.509 certificates and key pairs, and PGP ...
BTP - Failed access attempts across multiple BAS subaccountsAnalytic Rule📦 SolutionSAP BTPIdentifies failed Business Application Studio access attempts over a predefined number of subaccounts.
BTP - Malware detected in BAS dev spaceAnalytic Rule📦 SolutionSAP BTPIdentifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.
BTP - Mass user deletion in a sub accountAnalytic Rule📦 SolutionSAP BTPIdentifies user account deletion activity where the amount of deleted users exceeds a predefined threshold.
BTP - Mass user deletion in SAP Cloud Identity ServiceAnalytic Rule📦 SolutionSAP BTPIdentifies mass user deletion activity in SAP Cloud Identity Service where the amount of deleted users exceeds a predefined threshold.
BTP - Trust and authorization Identity Provider monitorAnalytic Rule📦 SolutionSAP BTPIdentifies CRUD operations on Identity Provider settings within a sub account.
BTP - User added to Cloud Identity Service privileged Administrators listAnalytic Rule📦 SolutionSAP BTPIdentifies when a user is granted privileged administrator permissions in SAP Cloud Identity Service. These permissions include managing Identity Providers, Service Providers, Users, Groups, and Acces...
BTP - User added to sensitive privileged role collectionAnalytic Rule📦 SolutionSAP BTPIdentifies identity management actions whereby a user is added to a set of monitored privileged role collections.
SAPBTPActivityWorkbook📦 SolutionSAP BTP
SAP ETD - Execution of Sensitive Function ModuleAnalytic Rule📦 SolutionSAP ETD CloudIdentifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP Source Action: Execute a sensitive function module directly using SE3...
SAP ETD - Login from unexpected networkAnalytic Rule📦 SolutionSAP ETD CloudIdentifies logons from an unexpected network. Source Action: Logon to the backend system from an IP address which is not assigned to one of the networks. networks can be maintained in the "SAP - Netwo...
SAP ETD - Synch alertsAnalytic Rule📦 SolutionSAP ETD CloudSynch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
SAP ETD - Synch investigationsAnalytic Rule📦 SolutionSAP ETD CloudSynch investigations coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
SAP LogServ - HANA DB - Assign Admin AuthorizationsAnalytic Rule📦 SolutionSAP LogServIdentifies admin privileges/roles assignment. Source Action: Assign a user with any Admin role / privileges. *Data Sources: SAP LogServ - HANA DB (Syslog)*
SAP LogServ - HANA DB - Audit Trail Policy ChangesAnalytic Rule📦 SolutionSAP LogServIdentifies changes for HANA DB audit trail policies. Source Action: Create / update existing audit policy in security definitions. *Data Sources: SAP LogServ - HANA DB (Syslog)*
SAP LogServ - HANA DB - Deactivation of Audit TrailAnalytic Rule📦 SolutionSAP LogServIdentifies deactivation of HANA DB audit log. Source Action: Deactivate Audit Log in HANA DB security defnitions. *Data Sources: SAP LogServ - HANA DB (Syslog)*
SAP LogServ - HANA DB - User Admin actionsAnalytic Rule📦 SolutionSAP LogServIdentifies user administration actions. Souirce Action: Create/Update/Delete a DB User. *Data Sources: SAP LogServ - HANA DB (Syslog)*
SAPLogServObserveWorkbook📦 SolutionSAP LogServ
SecurityBridge: A critical event occuredAnalytic Rule📦 SolutionSecurityBridge AppThis rule alerts if there is any critical event occured in the SAP system
SecurityBridgeThreatDetectionforSAPWorkbook📦 SolutionSecurityBridge App
SecurityScorecardWorkbookWorkbook📦 SolutionSecurityScorecard Cybersecurity Ratings
Possible AiTM Phishing Attempt Against Microsoft Entra IDAnalytic Rule📦 SolutionSecurityThreatEssentialSolutionThreat actors may attempt to phish users in order to hijack a users sign-in session, and skip the authentication process even if the user had enabled multifactor authentication (MFA) by stealing and r...
Threat Essentials - Mail redirect via ExO transport ruleAnalytic Rule📦 SolutionSecurityThreatEssentialSolutionIdentifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.
Threat Essentials - Multiple admin membership removals from newly created admin.Analytic Rule📦 SolutionSecurityThreatEssentialSolutionThis query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. Investigate reason...
Threat Essentials - NRT User added to Microsoft Entra ID Privileged GroupsAnalytic Rule📦 SolutionSecurityThreatEssentialSolutionThis will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-aud...
Threat Essentials - Time series anomaly for data size transferred to public internetAnalytic Rule📦 SolutionSecurityThreatEssentialSolutionIdentifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data tr...
Threat Essentials - Mass Cloud resource deletions Time Series AnomalyAnalytic Rule📦 SolutionSecurityThreatEssentialSolutionThis query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indi...
Threat Essentials - User Assigned Privileged RoleAnalytic Rule📦 SolutionSecurityThreatEssentialSolutionIdentifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the respon...
Threat Essentials - Signins from Nord VPN ProvidersHunting Query📦 SolutionSecurityThreatEssentialSolutionThis query looks for sign-in activity from NordVPN providers using the public feed leveraging the NordVPN API. Investigation of any unknown sign-in attempts from VPN providers such as Nord VPN unless ...
Threat Essentials - Signins From VPS ProvidersHunting Query📦 SolutionSecurityThreatEssentialSolutionLook for successful logons from known VPS provider network ranges with suspicious token-based logon patterns. This is not an exhaustive list of VPS provider ranges, but it covers some of the most prev...
Semperis DSP Mimikatz's DCShadow AlertAnalytic Rule📦 SolutionSemperis Directory Services ProtectorMimikatz's DCShadow switch allows a user who has compromised an AD domain, to inject arbitrary changes into AD using a "fake" domain controller. These changes bypass the security event log and can't b...
Semperis DSP Kerberos krbtgt account with old passwordAnalytic Rule📦 SolutionSemperis Directory Services ProtectorThe krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket att...
Semperis DSP Recent sIDHistory changes on AD objectsAnalytic Rule📦 SolutionSemperis Directory Services ProtectorThis indicator detects any recent changes to sIDHistory on AD objects, including changes to non-privileged accounts where privileged SIDs are added.
Semperis DSP Well-known privileged SIDs in sIDHistoryAnalytic Rule📦 SolutionSemperis Directory Services ProtectorThis indicator looks for security principals that contain specific SIDs of accounts from built-in privileged groups within their sIDHistory attribute. This would allow those security principals to hav...
Semperis DSP Zerologon vulnerabilityAnalytic Rule📦 SolutionSemperis Directory Services ProtectorThis indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate th...
Semperis DSP Failed LogonsAnalytic Rule📦 SolutionSemperis Directory Services ProtectorAlerts when there are failed logons in the DSP system.
Semperis DSP Operations Critical NotificationsAnalytic Rule📦 SolutionSemperis Directory Services ProtectorAlerts when there are critical notifications fired in the DSP system.
Semperis DSP RBAC ChangesAnalytic Rule📦 SolutionSemperis Directory Services ProtectorAlerts when there are RBAC changes in the DSP system.
SemperisDSPADChangesWorkbook📦 SolutionSemperis Directory Services Protector
SemperisDSPNotificationsWorkbook📦 SolutionSemperis Directory Services Protector
SemperisDSPQuickviewDashboardWorkbook📦 SolutionSemperis Directory Services Protector
SemperisDSPSecurityIndicatorsWorkbook📦 SolutionSemperis Directory Services Protector
SemperisDSPWorkbook 🔍Workbook📦 SolutionSemperis Directory Services Protector
workbooksMetadata 🔍Workbook📦 SolutionSemperis Directory Services Protector
dsp_parserParser📦 SolutionSemperis Directory Services Protector
Azure secure score admin MFAAnalytic Rule📦 SolutionSenservaProThis query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typ...
SenservaPro AD Applications Not Using Client CredentialsAnalytic Rule📦 SolutionSenservaProSearches for logs of AD Applications without Client Credentials (Key or Secret)
Azure secure score block legacy authenticationAnalytic Rule📦 SolutionSenservaProThis query searches for most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 do not support modern authentication and use legacy protocols suc...
Azure secure score role overlapAnalytic Rule📦 SolutionSenservaProThis query searches for accounts that have been assigned Global Administrator, which do not need other roles assigned. Global Administrators have access to all aspects of Azure
Azure secure score MFA registration V2Analytic Rule📦 SolutionSenservaProThis query searches for multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app...
Non-admin guestAnalytic Rule📦 SolutionSenservaProThis query searches for a guest that is not an admin in Azure
Service principal not using client credentialsAnalytic Rule📦 SolutionSenservaProThis query searches for a service principal that is not using a client certificate or secret, which is not secure. It is recommended that you review your needs and use an authentication method for sign-in.
Azure secure score one adminAnalytic Rule📦 SolutionSenservaProThis query searches for having 1 Global Administrator reduces the surface area of attack for your Azure tenant, but sets up a single point of failure for the whole tenant. Global Administrators have a...
Azure secure score PW age policy newAnalytic Rule📦 SolutionSenservaProThis query searches for having found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a use...
Stale last password changeAnalytic Rule📦 SolutionSenservaProThis query searches for stale last password change
Azure Secure Score Self Service Password ResetAnalytic Rule📦 SolutionSenservaProThis query searches for requires you to set up Microsoft Entra ID Connect. Microsoft Entra ID Connect is free with all Azure Subscriptions
Azure secure score sign in risk policyAnalytic Rule📦 SolutionSenservaProThis query searches for an active Azure Premium P2 license is required to use and edit this policy. You will be required to have set up the MFA Policy before activating this policy
Third party integrated appsAnalytic Rule📦 SolutionSenservaProThis query searches for your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications a...
UserAccountDisabledAnalytic Rule📦 SolutionSenservaProThis query searches for a disabled account. Does not affect the score as it is easily enabled.
Azure secure score user risk policyAnalytic Rule📦 SolutionSenservaProThis query searches for an active Azure Premium P2 license is required to use and edit this policy. You will be required to have set up the MFA Policy before activating this policy
Application not using client credentialsHunting Query📦 SolutionSenservaProThis query searches for an application not using a client certificate or secret, which is not secure.
Azure secure score admin MFA V2Hunting Query📦 SolutionSenservaProThis query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than ty...
Azure secure score block legacy authenticationHunting Query📦 SolutionSenservaProThis query searches for most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 do not support modern authentication and use legacy protocols s...
Azure secure score integrated appsHunting Query📦 SolutionSenservaProThis query searches for your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls.
Azure secure score MFA registration V2Hunting Query📦 SolutionSenservaProThis query searches for multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, increases the level of protection i...
Azure secure score one adminHunting Query📦 SolutionSenservaProThis query searches for having 1 Global Administrator reduces the surface area of attack for your Azure tenant, but sets up a single point of failure for the whole tenant. Global Administrators have...
Azure secure score PW age policy newHunting Query📦 SolutionSenservaProThis query searches for having found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset.
Azure secure score role overlapHunting Query📦 SolutionSenservaProThis query searches for accounts that have been assigned Global Administrator, which do not need other roles assigned. Global Administrators have access to all aspects of Azure
Azure Secure Score Self Service Password ResetHunting Query📦 SolutionSenservaProThis query searches for requires you to set up Microsoft Entra ID Connect. Microsoft Entra ID Connect is free with all Azure Subscriptions
Azure secure score sign in risk policyHunting Query📦 SolutionSenservaProThis query searches for an active Azure Premium P2 license is required to use and edit this policy. You will be required to have set up the MFA Policy before activating this policy
Azure secure score user risk policyHunting Query📦 SolutionSenservaProThis query searches for an active Azure Premium P2 license is required to use and edit this policy. You will be required to have set up the MFA Policy before activating this policy
Non-admin guestHunting Query📦 SolutionSenservaProThis query searches for a guest that is not an admin in Azure
Service principal not using client credentialsHunting Query📦 SolutionSenservaProThis query searches for a service principal that is not using a client certificate or secret, which is not secure. It is recommended that you review your needs and use an authentication method for sign-in.
Stale last password changeHunting Query📦 SolutionSenservaProThis query searches for stale last password change
UserAccountDisabledHunting Query📦 SolutionSenservaProThis query searches for a disabled account. Does not affect the score as it is easily enabled.
SenservaProAnalyticsWorkbookWorkbook📦 SolutionSenservaPro
SenservaProMultipleWorkspaceWorkbookWorkbook📦 SolutionSenservaPro
SenservaProSecureScoreMultiTenantWorkbookWorkbook📦 SolutionSenservaPro
Sentinel One - Admin login from new locationAnalytic Rule📦 SolutionSentinelOneDetects an admin user login from a new location (IP address).
Sentinel One - Agent uninstalled from multiple hostsAnalytic Rule📦 SolutionSentinelOneDetects when an agent was uninstalled from multiple hosts.
Sentinel One - Alert from custom ruleAnalytic Rule📦 SolutionSentinelOneDetects when an alert from a custom rule is received.
Sentinel One - Blacklist hash deletedAnalytic Rule📦 SolutionSentinelOneDetects when a blacklist hash was deleted.
Sentinel One - Exclusion addedAnalytic Rule📦 SolutionSentinelOneDetects when a new exclusion is added.
Sentinel One - Multiple alerts on hostAnalytic Rule📦 SolutionSentinelOneDetects when multiple alerts are received from the same host.
Sentinel One - New admin createdAnalytic Rule📦 SolutionSentinelOneDetects when a new admin user is created.
Sentinel One - Rule deletedAnalytic Rule📦 SolutionSentinelOneDetects when a rule was deleted.
Sentinel One - Rule disabledAnalytic Rule📦 SolutionSentinelOneDetects when a rule was disabled.
Sentinel One - Same custom rule triggered on different hostsAnalytic Rule📦 SolutionSentinelOneDetects when the same custom rule was triggered on different hosts.
Sentinel One - User viewed agent's passphraseAnalytic Rule📦 SolutionSentinelOneDetects when a user viewed an agent's passphrase.
Sentinel One - Agent not updatedHunting Query📦 SolutionSentinelOneQuery shows agents which are not updated to the latest version.
Sentinel One - Agent statusHunting Query📦 SolutionSentinelOneQuery shows agent properties.
Sentinel One - Alert triggers (files, processes, strings)Hunting Query📦 SolutionSentinelOneQuery shows alert triggers (e.g. files, processes, etc.).
Sentinel One - Hosts not scanned recentlyHunting Query📦 SolutionSentinelOneQuery searches for hosts which were not scanned recently.
Sentinel One - New rulesHunting Query📦 SolutionSentinelOneQuery shows new rules.
Sentinel One - Deleted rulesHunting Query📦 SolutionSentinelOneQuery shows deleted rules.
Sentinel One - Scanned hostsHunting Query📦 SolutionSentinelOneQuery searches for hosts with completed full scan.
Sentinel One - Sources by alert countHunting Query📦 SolutionSentinelOneQuery shows sources (hosts) by alert count.
Sentinel One - Uninstalled agentsHunting Query📦 SolutionSentinelOneQuery shows uninstalled agents.
Sentinel One - Users by alert countHunting Query📦 SolutionSentinelOneQuery shows users by alert count.
SentinelOneWorkbook📦 SolutionSentinelOne
SentinelOneParser📦 SolutionSentinelOne
AutomationHealthWorkbook📦 SolutionSentinelSOARessentials
IncidentOverview 🔍Workbook📦 SolutionSentinelSOARessentials
IncidentTasksWorkbookWorkbook📦 SolutionSentinelSOARessentials
SecurityOperationsEfficiencyWorkbook📦 SolutionSentinelSOARessentials
Create Incident From Microsoft Forms ResponsePlaybook📦 SolutionSentinelSOARessentialsThis playbook will create a new Microsoft Sentinel incident when a Microsoft Forms response is submitted.
Create Incident From Shared MailboxPlaybook📦 SolutionSentinelSOARessentialsThis playbook will create a new Microsoft Sentinel incident when a new email arrives in a shared mailbox with the 'incident' keyword in the subject.
Incident tasks - Microsoft Defender XDR BEC Playbook for SecOpsPlaybook📦 SolutionSentinelSOARessentialsThis playbook adds Incident Tasks based on the Microsoft Defender XDR BEC Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a BEC incident: containment, investig...
Incident tasks - Microsoft Defender XDR Phishing Playbook for SecOpsPlaybook📦 SolutionSentinelSOARessentialsThis playbook adds Incident Tasks based on the Microsoft Defender XDR Phishing Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a phishing incident: containment...
Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOpsPlaybook📦 SolutionSentinelSOARessentialsThis playbook adds Incident Tasks based on the Microsoft Defender XDR Ransomware Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a ransomware incident: contain...
HTTP Trigger Entity AnalyzerPlaybook📦 SolutionSentinelSOARessentialsThis playbook is triggered by HTTP POST requests with entity information and performs automated investigation and enrichment of URL and User entities with asynchronous processing.
Incident Assignment ShiftsPlaybook📦 SolutionSentinelSOARessentialsThis playbook will assign an Incident to an owner based on the Shifts schedule in Microsoft Teams. When an incident is assigned, the incident owner will be notified via email. Incidents are assigned t...
Incident Trigger Entity AnalyzerPlaybook📦 SolutionSentinelSOARessentialsThis playbook is triggered by Microsoft Sentinel incidents and performs automated investigation and enrichment of URL and User entities associated with the incident. It includes intelligent user ident...
Notify When Incident Is ClosedPlaybook📦 SolutionSentinelSOARessentialsThis playbook uses the new update trigger to notify a person or group on Microsoft Teams/Outlook when an incident is closed.
Notify When Incident Is ReopenedPlaybook📦 SolutionSentinelSOARessentialsThis playbook uses the new update trigger to notify a person or group on Microsoft Teams/Outlook when an incident is reopened.
Notify When Incident Severity ChangedPlaybook📦 SolutionSentinelSOARessentialsThis playbook uses the new update trigger to notify a person or group on Microsoft Teams/Outlook when the incident severity changes.
Notify Incident Owner in Microsoft TeamsPlaybook📦 SolutionSentinelSOARessentialsThis playbook sends a Teams message to the new incident owner.
Post-Message-SlackPlaybook📦 SolutionSentinelSOARessentialsAuthor: Yaniv Shasha
Post-Message-TeamsPlaybook📦 SolutionSentinelSOARessentialsAuthor: Yaniv Shasha
Relate alerts to incident by IPPlaybook📦 SolutionSentinelSOARessentialsThis playbook looks for other alerts with the same IP as the triggered incident. When such an alert is found, this playbook will add the alert to the incident (only if it isn't related to another inci...
Send basic emailPlaybook📦 SolutionSentinelSOARessentialsThis playbook sends an email with basic incident details (Incident title, severity, tactics, link,…) when an incident is created in Microsoft Sentinel.
Send email with formatted incident reportPlaybook📦 SolutionSentinelSOARessentialsThis playbook sends an email with a formatted incident report (Incident title, severity, tactics, link,…) when an incident is created in Microsoft Sentinel. The email notification is made in HTML.
Send incident email with XDR Portal linksPlaybook📦 SolutionSentinelSOARessentialsThis playbook will send an email with incident and entity information with all links pointing to the security.microsoft.com portal
Send incident Teams Adaptive Card with XDR Portal linksPlaybook📦 SolutionSentinelSOARessentialsThis playbook will send a Teams adaptive card with incident and entity information with all links pointing to the security.microsoft.com portal
Send Teams Adaptive Card on incident creationPlaybook📦 SolutionSentinelSOARessentialsThis playbook will send Microsoft Teams Adaptive Card on incident creation, with the option to change the incident's severity and/or status.
URL Trigger Entity AnalyzerPlaybook📦 SolutionSentinelSOARessentialsThis playbook is triggered manually when a URL entity is selected in a Microsoft Sentinel incident and provides detailed security insights including classification, analysis results, and recommendatio...
Post Message TeamsPlaybook📦 SolutionSentinelSOARessentialsThis playbook will post a message in a Microsoft Teams channel when an Alert is created in Microsoft Sentinel.
Post Message TeamsPlaybook📦 SolutionSentinelSOARessentialsThis playbook will post a message in a Microsoft Teams channel when an Incident is created in Microsoft Sentinel.
Post Message SlackPlaybook📦 SolutionSentinelSOARessentialsThis playbook will post a message in a Slack channel when an alert is created in Microsoft Sentinel
Post Message SlackPlaybook📦 SolutionSentinelSOARessentialsThis playbook will post a message in a Slack channel when an Incident is created in Microsoft Sentinel
Create And Update ServiceNow RecordPlaybook📦 SolutionServicenowThis playbook will create or update an incident in ServiceNow. When an incident is created, the playbook will run and create an incident in ServiceNow. When an incident is updated, the playbook will run and add an update to...
Create ServiceNow record - Alert triggerPlaybook📦 SolutionServicenowThis playbook will open a ServiceNow incident when a new incident is opened in Microsoft Sentinel.
Create ServiceNow record - Incident triggerPlaybook📦 SolutionServicenowThis playbook will open a ServiceNow incident when a new incident is opened in Microsoft Sentinel.
ServiceNow TISC Batch Indicator UploaderPlaybook📦 SolutionServiceNow TISCThis playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table. This playbook referenced by **ServiceNowTISC-Import_Observables_Batch** playbook -- which calls the Ser...
ServiceNow TISC Import Observables from TISCPlaybook📦 SolutionServiceNow TISCThis playbook leverages the ServiceNow TISC API to import IP, Domain, URL, and Hash observables from TISC Workspace to Microsoft ThreatIntelligenceIndicator log analytics table. The imported observabl...
Export Domain Entity to TISCPlaybook📦 SolutionServiceNow TISCThis playbook leverages the ServiceNow TISC API to export Domain indicators found in Microsoft Sentinel incidents to TISC Workspace.
Export Hash Entity to TISCPlaybook📦 SolutionServiceNow TISCThis playbook leverages the ServiceNow TISC API to export Hash indicators found in Microsoft Sentinel incidents to TISC Workspace.
Export all Incident Entities to TISCPlaybook📦 SolutionServiceNow TISCThis playbook leverages the ServiceNow TISC API to export IP, Domain, URL, and Hash indicators found in Microsoft Sentinel incidents to TISC Workspace.
Export IP Entity to TISCPlaybook📦 SolutionServiceNow TISCThis playbook leverages the ServiceNow TISC API to export IP indicators found in Microsoft Sentinel incidents to TISC Workspace.
Export URL Entity to TISCPlaybook📦 SolutionServiceNow TISCThis playbook leverages the ServiceNow TISC API to export URL indicators found in Microsoft Sentinel incidents to TISC Workspace
ServiceNow TISC Incident EnrichmentPlaybook📦 SolutionServiceNow TISCThis playbook leverages the ServiceNow TISC API to enrich IP, Domain, URL, and Hash indicators found in Microsoft Sentinel incidents. The enrichment content will be posted as a comment in the Microsof...
Enrich Incidents - ShadowByte AriaPlaybook📦 SolutionShadowByte AriaThis playbook updates the Incident with the breach details if an account has been compromised.
Search for Breaches - ShadowByte AriaPlaybook📦 SolutionShadowByte AriaThis playbook updates the Incident with the breach details if an account has been compromised.
Shodan - Enrich Domain NamePlaybook📦 SolutionShodanThis playbook can be triggered manually from a Domain Entity context to fetch geo location and running services details from Shodan.io.
Shodan - Enrich IP AddressPlaybook📦 SolutionShodanThis playbook can be triggered manually from an IP Address Entity context to fetch geo location and running services details from Shodan.io.
Shodan - Enrich Incident IPs and Domain NamesPlaybook📦 SolutionShodanWhen a new Sentinel incident is created, this playbook is triggered and fetches geo location and running services details for IP addresses and domain names from Shodan.io.
SIGNL4 Alerting and ResponsePlaybook📦 SolutionSIGNL4This playbook sends alerts with basic incident details to SIGNL4 teams when an incident is created in Microsoft Sentinel.
Silverfort - Certifried IncidentAnalytic Rule📦 SolutionSilverfortAn Active Directory domain privilege escalation vulnerability that enables a privileged user to access the Domain Controller by abusing Active Directory Certificate Service
Silverfort - Log4Shell IncidentAnalytic Rule📦 SolutionSilverfortVulnerability allows attackers to execute arbitrary code on affected systems by exploiting a flaw in the way Log4j handles log messages containing specially crafted strings
Silverfort - NoPacBreach IncidentAnalytic Rule📦 SolutionSilverfortThe NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain
Silverfort - UserBruteForce IncidentAnalytic Rule📦 SolutionSilverfortA security weakness that allows attackers to gain unauthorized access to user accounts by systematically guessing the username and password combinations.
SilverfortWorkbookWorkbook📦 SolutionSilverfort
SSG_Security_IncidentsAnalytic Rule📦 SolutionSINEC Security GuardThe security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where eit...
SlackAudit - Empty User AgentAnalytic Rule📦 SolutionSlackAuditThis query shows connections to the Slack Workspace with empty User Agent.
SlackAudit - Multiple archived files uploaded in short period of timeAnalytic Rule📦 SolutionSlackAuditThis query helps to detect when a user uploads multiple archived files in a short period of time.
SlackAudit - Multiple failed logins for userAnalytic Rule📦 SolutionSlackAuditThis query helps to detect brute force of a user account.
SlackAudit - Public link created for file which can contain sensitive information.Analytic Rule📦 SolutionSlackAuditDetects public links for files which potentially may contain sensitive data such as passwords, authentication tokens, secret keys.
SlackAudit - Suspicious file downloaded.Analytic Rule📦 SolutionSlackAuditDetects potentially suspicious downloads.
SlackAudit - Unknown User AgentAnalytic Rule📦 SolutionSlackAuditThis query helps to detect who is trying to connect to the Slack Workspace with an unknown User Agent.
SlackAudit - User role changed to admin or ownerAnalytic Rule📦 SolutionSlackAuditThis query helps to detect a change in the user's role to admin or owner.
SlackAudit - User email linked to account changed.Analytic Rule📦 SolutionSlackAuditDetects when user email linked to account changes.
SlackAudit - User login after deactivated.Analytic Rule📦 SolutionSlackAuditDetects when user email linked to account changes.
SlackAudit - Applications installedHunting Query📦 SolutionSlackAuditThis query searches for application installation events.
SlackAudit - Deactivated usersHunting Query📦 SolutionSlackAuditThis query searches for deactivated user accounts.
SlackAudit - Downloaded files statsHunting Query📦 SolutionSlackAuditThis query shows top users by downloads over time.
SlackAudit - Failed logins with unknown usernameHunting Query📦 SolutionSlackAuditThis query shows failed login attempts where username is unknown.
SlackAudit - New User createdHunting Query📦 SolutionSlackAuditThis query shows new users created.
SlackAudit - Suspicious files downloadedHunting Query📦 SolutionSlackAuditThis query searches for potentially suspicious file downloads.
SlackAudit - Uploaded files statsHunting Query📦 SolutionSlackAuditThis query shows top users by uploads over time.
SlackAudit - User logins by IPHunting Query📦 SolutionSlackAuditThis query shows user IP table statistics for login events.
SlackAudit - User Permission ChangedHunting Query📦 SolutionSlackAuditQuery searches for user permissions changes events.
SlackAudit - Users joined channels without invitesHunting Query📦 SolutionSlackAuditQuery searches for users which joined channels without invites.
SlackAuditWorkbook📦 SolutionSlackAudit
SlackAuditParser📦 SolutionSlackAudit
SlashNext Phishing Incident Investigation PlaybookPlaybook📦 SolutionSlashNextEnhance your security with threat hunting and incident investigation using this playbook. Scan with the world's largest, real-time phishing intelligence database for accurate, definitive binary verdicts o...
SlashNext Web Access Log AssessmentPlaybook📦 SolutionSlashNextDesigned to analyze Web Access logs from Web Gateways and Firewalls. Scan your logs for continuous detection of phishing and malicious threat URLs clicked by end users. Identify threats missed by curr...
SlashNext Security Events for Microsoft Sentinel - Get customer incidents and logPlaybook📦 SolutionSlashNext SIEMThe playbook will run every 3 minutes to get the list of events that occurred for a customer in that time and log them in the Log Analytics Workspace.
Snowflake - Possible discovery activityAnalytic Rule📦 SolutionSnowflakeDetects possible discovery activity.
Snowflake - Abnormal query process timeAnalytic Rule📦 SolutionSnowflakeDetects queries with abnormal process time.
Snowflake - Multiple failed queriesAnalytic Rule📦 SolutionSnowflakeDetects multiple failed queries in a short timeframe.
Snowflake - Multiple login failures by userAnalytic Rule📦 SolutionSnowflakeDetects multiple login failures by user.
Snowflake - Multiple login failures from single IPAnalytic Rule📦 SolutionSnowflakeDetects multiple login failures from a single IP.
Snowflake - Possible data destructionAnalytic Rule📦 SolutionSnowflakeDetects possible data destruction.
Snowflake - Possible privileges discovery activityAnalytic Rule📦 SolutionSnowflakeDetects possible privileges discovery activity.
Snowflake - Query on sensitive or restricted tableAnalytic Rule📦 SolutionSnowflakeDetects query on sensitive or restricted table.
Snowflake - Unusual queryAnalytic Rule📦 SolutionSnowflakeDetects unusual query.
Snowflake - User granted admin privilegesAnalytic Rule📦 SolutionSnowflakeDetects when a user is assigned admin privileges.
Snowflake - Privileged users' source IP addressesHunting Query📦 SolutionSnowflakeQuery searches for privileged users' source IP addresses.
Snowflake - Deleted databasesHunting Query📦 SolutionSnowflakeQuery searches for deleted databases.
Snowflake - Deleted tablesHunting Query📦 SolutionSnowflakeQuery searches for deleted tables.
Snowflake - Rarely used accountHunting Query📦 SolutionSnowflakeQuery searches for rarely used accounts.
Snowflake - Failed loginsHunting Query📦 SolutionSnowflakeQuery searches for failed logins.
Snowflake - Credit consuming queriesHunting Query📦 SolutionSnowflakeQuery searches for queries which consume an abnormal amount of credits.
Snowflake - Time consuming queriesHunting Query📦 SolutionSnowflakeQuery searches for time consuming queries.
Snowflake - Unknown query typeHunting Query📦 SolutionSnowflakeQuery searches for queries of type UNKNOWN.
Snowflake - Rarely used privileged usersHunting Query📦 SolutionSnowflakeQuery searches for rarely used privileged users.
Snowflake - Users' source IP addressesHunting Query📦 SolutionSnowflakeQuery searches for users' source IP addresses.
SnowflakeWorkbook📦 SolutionSnowflake
SnowflakeParser📦 SolutionSnowflake
AnalyticsEfficiencyWorkbook📦 SolutionSOC Handbook
AnomaliesVisualizationWorkbook📦 SolutionSOC Handbook
AnomalyDataWorkbook📦 SolutionSOC Handbook
AttackSurfaceReductionWorkbook📦 SolutionSOC Handbook
AzureSentinelCostWorkbook📦 SolutionSOC Handbook
AzureSentinelSecurityAlertsWorkbook📦 SolutionSOC Handbook
IncidentOverviewWorkbook📦 SolutionSOC Handbook
IntsightsIOCWorkbookWorkbook📦 SolutionSOC Handbook
InvestigationInsightsWorkbook📦 SolutionSOC Handbook
MITREAttackWorkbook📦 SolutionSOC Handbook
SecurityOperationsEfficiencyWorkbook📦 SolutionSOC Handbook
SecurityStatusWorkbook📦 SolutionSOC Handbook
SentinelCentralWorkbook📦 SolutionSOC Handbook
Deleted a Custom Field Mapping profileAnalytic Rule📦 SolutionSOC Prime CCFDeleted a Custom Field Mapping profile from SOC Prime platform
Deleted a TenantAnalytic Rule📦 SolutionSOC Prime CCFDeleted a Tenant from SOC Prime platform
Successful logins to SOC Prime platform from bad IP addressesAnalytic Rule📦 SolutionSOC Prime CCFThis rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)
Building_a_SOCLargeStaffWorkbook📦 SolutionSOC-Process-Framework
Building_a_SOCMediumStaffWorkbook📦 SolutionSOC-Process-Framework
Building_a_SOCPartTimeStaffWorkbook📦 SolutionSOC-Process-Framework
Building_a_SOCSmallStaffWorkbook📦 SolutionSOC-Process-Framework
SOCIRPlanningWorkbook📦 SolutionSOC-Process-Framework
SOCProcessFrameworkWorkbook📦 SolutionSOC-Process-Framework
UpdateSOCMaturityScoreWorkbook📦 SolutionSOC-Process-Framework
Get-SOC-ActionsPlaybook📦 SolutionSOC-Process-FrameworkThis playbook uses the SOC Recommended Actions Watchlist to automatically enrich incidents generated by Microsoft Sentinel with Actions to review and take. Actions will be evaluated per Customer Organ...
SOCcontactsWatchlist📦 SolutionSOC-Process-Framework
SOCDepartmentalWatchlist📦 SolutionSOC-Process-Framework
SOCEmailDistributionWatchlist📦 SolutionSOC-Process-Framework
SOCExternalContactsWatchlist📦 SolutionSOC-Process-Framework
SOCgeneralITWatchlist📦 SolutionSOC-Process-Framework
SOCIRPWatchlist📦 SolutionSOC-Process-Framework
SOCInternalContactsWatchlist📦 SolutionSOC-Process-Framework
SOCMAWatchlist📦 SolutionSOC-Process-Framework
SOCPagerWatchlist📦 SolutionSOC-Process-Framework
SocRAWatchlist📦 SolutionSOC-Process-Framework
SOCUseCaseWatchlist📦 SolutionSOC-Process-Framework
SOCworkstationsWatchlist📦 SolutionSOC-Process-Framework
SOCRadar Alarm Volume SpikeAnalytic Rule📦 SolutionSOCRadarDetects unusual spikes in SOCRadar alarm volume that may indicate an active campaign, coordinated attack, or data breach. Triggers when alarm count in the last hour exceeds the 7-day hourly average by...
SOCRadar High or Critical Severity AlarmAnalytic Rule📦 SolutionSOCRadarDetects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targ...
SOCRadar Unsynced Closed IncidentAnalytic Rule📦 SolutionSOCRadarDetects Microsoft Sentinel incidents tagged as SOCRadar that were closed more than 30 minutes ago but do not have the Synced tag. This may indicate the SOCRadar-Alarm-Sync playbook has failed to updat...
SOCRadar Alarm OverviewHunting Query📦 SolutionSOCRadarOverview of SOCRadar alarms imported into Microsoft Sentinel, grouped by type and severity.
SOCRadar Alarm TrendsHunting Query📦 SolutionSOCRadarAnalyze SOCRadar alarm trends over the past 7 days to identify patterns and spikes.
SOCRadar Audit AnalysisHunting Query📦 SolutionSOCRadarAnalyze SOCRadar audit logs to monitor import and sync operations.
SOCRadar Critical AlarmsHunting Query📦 SolutionSOCRadarHunt for high and critical severity SOCRadar alarms that may require immediate attention.
SOCRadar Incident CorrelationHunting Query📦 SolutionSOCRadarCorrelate SOCRadar alarms with Microsoft Sentinel incidents to track import status and identify gaps.
SOCRadar-DashboardWorkbook📦 SolutionSOCRadar
SOCRadar-Alarm-ImportPlaybook📦 SolutionSOCRadarImports alarms from SOCRadar with optional audit logging and custom table storage. Supports all statuses or OPEN only.
SOCRadar-Alarm-SyncPlaybook📦 SolutionSOCRadarSyncs closed incidents from Microsoft Sentinel back to SOCRadar platform. Uses Synced tag to prevent duplicate syncs. Filters by: SOCRadar tag + Closed status + lastModified. Now with pagination for 1...
SonicWall - Allowed SSH, Telnet, and RDP ConnectionsAnalytic Rule📦 SolutionSonicWall FirewallThis rule identifies allowed inbound SSH, Telnet, and RDP connections. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).
SonicWall - Capture ATP Malicious File DetectionAnalytic Rule📦 SolutionSonicWall FirewallThis rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewal...
Outbound SSH/SCP ConnectionsHunting Query📦 SolutionSonicWall FirewallThis query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Netw...
SonicWallFirewallWorkbook📦 SolutionSonicWall Firewall
New Sonrai TicketAnalytic Rule📦 SolutionSonraiSecurityChecks for new Sonrai tickets. It uses the action type to check if a ticket has been created
Sonrai Ticket AssignedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have been assigned. It uses the action type to check if a ticket has been assigned
Sonrai Ticket ClosedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have been closed. It uses the action type to check if a ticket has been closed
Sonrai Ticket Escalation ExecutedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have had a comment added. It uses the action type to check if a ticket has had a comment added
Sonrai Ticket Escalation ExecutedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have had an escalation executed. It uses the action type to check if a ticket has had an escalation executed
Sonrai Ticket ReopenedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have been reopened. It uses the action type to check if a ticket has been reopened
Sonrai Ticket Risk AcceptedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have had their risk accepted. It uses the action type to check if a ticket has had its risk accepted
Sonrai Ticket SnoozedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have been snoozed. It uses the action type to check if a ticket has been snoozed
Sonrai Ticket UpdatedAnalytic Rule📦 SolutionSonraiSecurityChecks if Sonrai tickets have been updated. It uses the action type to check if a ticket has been updated
SonraiWorkbook📦 SolutionSonraiSecurity
SophosEPEventParser📦 SolutionSophos Endpoint Protection
Excessive Amount of Denied Connections from a Single SourceAnalytic Rule📦 SolutionSophos XG FirewallThis creates an incident in the event that a single source IP address generates an excessive amount of denied connections.
Port Scan DetectedAnalytic Rule📦 SolutionSophos XG FirewallThis alert creates an incident when a source IP address attempts to communicate with a large number of distinct ports within a short period.
SophosXGFirewallWorkbook📦 SolutionSophos XG Firewall
SophosXGFirewallParser📦 SolutionSophos XG Firewall
SOXITComplianceWorkbook📦 SolutionSOX IT Compliance
SpyCloud Enterprise Breach DetectionAnalytic Rule📦 SolutionSpyCloud Enterprise ProtectionThis alert creates an incident when a breach record is detected in the SpyCloud watchlist data
SpyCloud Enterprise Malware DetectionAnalytic Rule📦 SolutionSpyCloud Enterprise ProtectionThis alert creates an incident when a malware record is detected in the SpyCloud watchlist data
SpyCloud Breach Information - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThis Playbook will be triggered when a SpyCloud breach incident is created.
Domain Breach Data - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThe SpyCloud Enterprise API is able to provide breach data for a domain or set of domains associated with an incident.
Email Address Breach Data - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThe SpyCloud Enterprise API is able to provide breach data for an email address or set of email addresses associated with an incident.
IP Address Breach Data - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThe SpyCloud Enterprise API is able to provide breach data for an IP address or set of IP addresses associated with an incident.
Password Breach Data - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThe SpyCloud Enterprise API is able to provide breach data for a provided password.
Username Breach Data - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThe SpyCloud Enterprise API is able to provide breach data for a username or set of usernames associated with an incident.
SpyCloud Malware Information - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThis Playbook will be triggered when a SpyCloud malware incident is created.
SpyCloud Watchlist data - SpyCloud EnterprisePlaybook📦 SolutionSpyCloud Enterprise ProtectionThis Playbook runs daily, gets the watchlist data from the SpyCloud API and saves it into custom logs.
Removable storage ONLINE event from secRMMAnalytic Rule📦 SolutionSquadra Technologies SecRmmDetect when a removable storage device is plugged in by the end-user.
AzureSentinelWorkbookForRemovableStorageSecurityEventsWorkbook📦 SolutionSquadra Technologies SecRmm
SquidProxyParser📦 SolutionSquidProxy
Anomaly Sign In Event from an IPAnalytic Rule📄 StandaloneStandalone ContentIdentifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts
Brute force attack against user credentials (Uses Authentication Normalization)Analytic Rule📄 StandaloneStandalone ContentIdentifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. Note that the query does not...
Potential Password Spray Attack (Uses Authentication Normalization)Analytic Rule📄 StandaloneStandalone ContentThis query searches for failed login attempts against more than 15 distinct users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack. To use th...
User login from different countries within 3 hours (Uses Authentication Normalization)Analytic Rule📄 StandaloneStandalone ContentThis query searches for successful user logins from different countries within 3 hours. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAut...
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)Analytic Rule📄 StandaloneStandalone ContentIdentifies IPs that, after failed attempts to sign in to one or more disabled accounts, signed in successfully to another account. To use this analytics rule, make sure you have deployed the [ASIM normalizati...
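The three authentication rules above share one shape: group ASIM Authentication events by source (and target user), then look for a failure pattern followed by a success. The Python below is an added example written for this page, not the rules' own KQL, that runs the same three checks over a constructed event sample. Field names (TimeGenerated, SrcIpAddr, TargetUsername, EventResult) follow the ASIM Authentication schema; TargetUserStatus, the thresholds and the sample events are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ASIM Authentication-style events (not real telemetry).
BASE = datetime(2024, 1, 1, 12, 0, 0)


def ev(sec, ip, user, result, status="Enabled"):
    # TargetUserStatus is an assumed field; the real rule derives "disabled" from
    # provider-specific result details.
    return {"TimeGenerated": BASE + timedelta(seconds=sec), "SrcIpAddr": ip,
            "TargetUsername": user, "EventResult": result, "TargetUserStatus": status}


EVENTS = (
    [ev(60 * i, "10.0.0.5", "alice", "Failure") for i in range(6)]      # 6 failures over 5 min ...
    + [ev(360, "10.0.0.5", "alice", "Success")]                          # ... then a success: brute force
    + [ev(10 * i, "203.0.113.9", f"user{i:02d}", "Failure") for i in range(20)]  # 20 users in ~3 min: spray
    + [ev(0, "198.51.100.7", "svc-old", "Failure", status="Disabled"),
       ev(60, "198.51.100.7", "bob", "Success")]                         # disabled-account pivot
    + [ev(0, "10.0.0.8", "carol", "Failure"), ev(30, "10.0.0.8", "carol", "Success")]  # benign typo
)


def brute_force(events, min_failures=5, window=timedelta(minutes=20)):
    """(source, user) pairs with >= min_failures failures followed by a success inside `window`."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["SrcIpAddr"], e["TargetUsername"])].append(e)
    hits = []
    for (ip, user), evs in by_pair.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        for i, s in enumerate(evs):
            if s["EventResult"] != "Success":
                continue
            recent_fails = [f for f in evs[:i] if f["EventResult"] == "Failure"
                            and s["TimeGenerated"] - f["TimeGenerated"] <= window]
            if len(recent_fails) >= min_failures:
                hits.append({"SrcIpAddr": ip, "TargetUsername": user,
                             "FailureCount": len(recent_fails), "SuccessTime": s["TimeGenerated"]})
                break
    return hits


def password_spray(events, min_distinct_users=15, window=timedelta(minutes=5)):
    """Sources whose failures touch more than min_distinct_users accounts in any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventResult"] == "Failure":
            by_ip[e["SrcIpAddr"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["TimeGenerated"] - evs[start]["TimeGenerated"] > window:
                start += 1
            best = max(best, len({e["TargetUsername"] for e in evs[start:end + 1]}))
        if best > min_distinct_users:
            hits.append({"SrcIpAddr": ip, "DistinctUsers": best})
    return hits


def disabled_account_pivot(events):
    """Sources that failed against a disabled account and later succeeded as a different account."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["SrcIpAddr"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        disabled_targets = set()
        for e in evs:
            if e["EventResult"] == "Failure" and e["TargetUserStatus"] == "Disabled":
                disabled_targets.add(e["TargetUsername"])
            elif (e["EventResult"] == "Success" and disabled_targets
                  and e["TargetUsername"] not in disabled_targets):
                hits.append({"SrcIpAddr": ip, "DisabledAccounts": sorted(disabled_targets),
                             "SuccessfulAccount": e["TargetUsername"]})
                break
    return hits


if __name__ == "__main__":
    for name, fn in (("brute force", brute_force), ("password spray", password_spray),
                     ("disabled-account pivot", disabled_account_pivot)):
        print(name, fn(EVENTS))
```

The sliding window in password_spray matters: a fixed bin() would miss a spray that straddles two five-minute buckets, which is why the count is taken over every window that ends on a failure.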
Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)Analytic Rule📄 StandaloneStandalone ContentThis creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in ...
Potential DGA detected (ASIM DNS Schema)Analytic Rule📄 StandaloneStandalone ContentIdentifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (ba...
DNS events related to mining pools (ASIM DNS Schema)Analytic Rule📄 StandaloneStandalone ContentIdentifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom so...
DNS events related to ToR proxies (ASIM DNS Schema)Analytic Rule📄 StandaloneStandalone ContentIdentifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the...
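The NXDOMAIN and DGA rules above both bin ASIM DNS events per client and count failed resolutions; the DGA variant additionally requires the client to be new and the failures to spread across many distinct names. The block below is an added Python rendering of that logic, not the rules' own KQL; the ASIM field names are real, while the thresholds, the 10-day baseline set and the sample queries are constructed for the demo.

```python
import random
import string
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 9, 0, 0)
BIN = timedelta(minutes=10)


def ev(sec, src, query, result="NXDOMAIN"):
    # Field names follow the ASIM DNS schema; EventResultDetails carries the response code name.
    return {"TimeGenerated": BASE + timedelta(seconds=sec), "SrcIpAddr": src,
            "DnsQuery": query, "EventResultDetails": result}


_rng = random.Random(7)  # seeded so the constructed sample is reproducible


def fake_dga_domain(i):
    label = "".join(_rng.choice(string.ascii_lowercase) for _ in range(12))
    return f"{label}{i}.com"  # the index guarantees uniqueness


EVENTS = (
    [ev(i, "10.1.1.20", fake_dga_domain(i)) for i in range(120)]             # DGA-like, new client
    + [ev(i, "10.1.1.30", "printer.corp.local") for i in range(150)]          # one missing name, retried
    + [ev(i, "10.1.1.40", "www.example.com", "NOERROR") for i in range(5)]    # normal client
)
BASELINE_IPS = {"10.1.1.30", "10.1.1.40"}  # clients seen in the prior 10 days (constructed)


def bin_start(ts, size=BIN):
    """Floor a timestamp to its bin, like KQL bin()."""
    return ts - (ts - datetime.min) % size


def excessive_nxdomain(events, threshold=100, size=BIN):
    """Per client and time bin, count NXDOMAIN answers; return bins at or above threshold."""
    counts = defaultdict(int)
    domains = defaultdict(set)
    for e in events:
        if e["EventResultDetails"] != "NXDOMAIN":
            continue
        key = (e["SrcIpAddr"], bin_start(e["TimeGenerated"], size))
        counts[key] += 1
        domains[key].add(e["DnsQuery"].lower())
    return [{"SrcIpAddr": ip, "BinStart": b, "NxDomainCount": n,
             "DistinctDomains": len(domains[(ip, b)])}
            for (ip, b), n in sorted(counts.items()) if n >= threshold]


def potential_dga(events, baseline_ips, threshold=100, min_distinct=50):
    """Excessive-NXDOMAIN clients absent from the baseline whose failures span many distinct names."""
    return [h for h in excessive_nxdomain(events, threshold)
            if h["SrcIpAddr"] not in baseline_ips and h["DistinctDomains"] >= min_distinct]


if __name__ == "__main__":
    print(excessive_nxdomain(EVENTS))
    print(potential_dga(EVENTS, BASELINE_IPS))
```

The DistinctDomains column is what separates a misconfigured host hammering one dead name (10.1.1.30) from a DGA cycling through candidates (10.1.1.20); both trip the volume rule, only the latter trips the DGA rule.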
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)Analytic Rule📄 StandaloneStandalone ContentIdentifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEven...
Dev-0228 File Path Hashes November 2021 (ASIM Version)Analytic Rule📄 StandaloneStandalone ContentThis hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom versions of popular tools like PsExec and Procdump to carry out its activity. The...
Probable AdFind Recon Tool Usage (Normalized Process Events)Analytic Rule📄 StandaloneStandalone ContentIdentifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery. To use this analytics rule, make sure...
Base64 encoded Windows process command-lines (Normalized Process Events)Analytic Rule📄 StandaloneStandalone ContentIdentifies instances of a base64 encoded PE file header seen in the process command line parameter. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka...
Malware in the recycle bin (Normalized Process Events)Analytic Rule📄 StandaloneStandalone ContentIdentifies malware that has been hidden in the recycle bin. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)
Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)Analytic Rule📄 StandaloneStandalone ContentThis query identifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-ma...
SUNBURST suspicious SolarWinds child processes (Normalized Process Events)Analytic Rule📄 StandaloneStandalone ContentIdentifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasiv...
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)Analytic Rule📄 StandaloneStandalone ContentThis detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice i...
Potential re-named sdelete usage (ASIM Version)Analytic Rule📄 StandaloneStandalone ContentThis detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C driv...
Sdelete deployed via GPO and run recursively (ASIM Version)Analytic Rule📄 StandaloneStandalone ContentThis query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them. ...
Discord CDN Risky File Download (ASIM Web Session Schema)Analytic Rule📄 StandaloneStandalone ContentIdentifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your env...
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)Analytic Rule📄 StandaloneStandalone ContentThis rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [c...
Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)Analytic Rule📄 StandaloneStandalone ContentThis rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that...
A client made a web request to a potentially harmful file (ASIM Web Session schema)Analytic Rule📄 StandaloneStandalone ContentThis rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and...
A host is potentially running a crypto miner (ASIM Web Session schema)Analytic Rule📄 StandaloneStandalone ContentThis rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.<br>You can add custom crypto mining i...
A host is potentially running a hacking tool (ASIM Web Session schema)Analytic Rule📄 StandaloneStandalone ContentThis rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Age...
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)Analytic Rule📄 StandaloneStandalone ContentThis rule identifies a web request with a user agent header known to belong to PowerShell. <br>You can add custom PowerShell indicating User-Agent headers using a watchlist, for more information refer to...
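The four Web Session rules above reduce to two checks on each request: classify the User-Agent against indicator lists (crypto miner, hacking tool, PowerShell) and test the requested path's extension against a risky-file list. This added Python example, not the rules' own code, runs both over constructed ASIM Web Session events. The indicator strings are assumptions standing in for the watchlists the rules read; the PowerShell User-Agent formats and the four extensions are the ones the rules name.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed indicator lists (assumptions for the demo; the rules take theirs from watchlists).
MINER_UA = ("xmrig", "cpuminer", "ccminer", "minerd")
HACKTOOL_UA = ("sqlmap", "nikto", "nmap", "masscan", "gobuster", "dirbuster", "hydra", "wfuzz")
# Windows PowerShell sends ".. WindowsPowerShell/5.1..", PowerShell 7 sends ".. PowerShell/7.x".
POWERSHELL_UA = re.compile(r"\b(Windows)?PowerShell/\d", re.I)
RISKY_EXT = {".ps1", ".bat", ".vbs", ".scr"}  # the extensions the rule names; extend as needed

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

EVENTS = [  # constructed; fields follow the ASIM Web Session schema
    {"SrcIpAddr": "10.2.0.11", "Url": "http://pool.example-mining.net:3333/",
     "HttpUserAgent": "XMRig/6.18.0"},
    {"SrcIpAddr": "10.2.0.12", "Url": "https://shop.example.com/item?id=1'",
     "HttpUserAgent": "sqlmap/1.6#stable (https://sqlmap.org)"},
    {"SrcIpAddr": "10.2.0.13", "Url": "http://203.0.113.10/update.ps1",
     "HttpUserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"},
    {"SrcIpAddr": "10.2.0.14", "Url": "https://www.example.com/index.html", "HttpUserAgent": CHROME},
    {"SrcIpAddr": "10.2.0.14", "Url": "https://cdn.example.net/files/installer.SCR?dl=1",
     "HttpUserAgent": CHROME},
]


def classify_user_agent(ua):
    """Return the category the User-Agent indicates, or None for an unremarkable UA."""
    low = (ua or "").lower()
    if any(tok in low for tok in MINER_UA):
        return "CryptoMiner"
    if any(tok in low for tok in HACKTOOL_UA):
        return "HackingTool"
    if POWERSHELL_UA.search(ua or ""):
        return "PowerShell"
    return None


def risky_file_extension(url):
    """Extension of the requested path if it is in RISKY_EXT (query string ignored, case-folded)."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    return ext if ext in RISKY_EXT else None


def triage(events):
    """Attach verdicts to each event; events with no verdict are dropped."""
    findings = []
    for e in events:
        verdicts = []
        ua_class = classify_user_agent(e.get("HttpUserAgent"))
        if ua_class:
            verdicts.append(ua_class)
        ext = risky_file_extension(e["Url"])
        if ext:
            verdicts.append(f"RiskyFile:{ext}")
        if verdicts:
            findings.append({"SrcIpAddr": e["SrcIpAddr"], "Url": e["Url"], "Verdicts": verdicts})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

Matching on the path rather than the whole URL is deliberate: a query string such as ?next=report.ps1 should not trigger the file rule, and case folding catches installer.SCR, which a naive endswith(".scr") would miss.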
Addition of a Temporary Access Pass to a Privileged AccountAnalytic Rule📄 StandaloneStandalone ContentDetects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirement...
Application ID URI ChangedAnalytic Rule📄 StandaloneStandalone ContentDetects changes to an Application ID URI. Monitor these changes to make sure that they were authorized. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-appl...
Application Redirect URL UpdateAnalytic Rule📄 StandaloneStandalone ContentDetects the redirect URL of an app being changed. Applications associated with URLs not controlled by the organization can pose a security risk. Ref: https://docs.microsoft.com/azure/active-direct...
Changes to Application Logout URLAnalytic Rule📄 StandaloneStandalone ContentDetects changes to an application's sign-out URL. Look for any modifications to a sign-out URL. Blank entries or entries pointing to non-existent locations would stop a user from terminating a session. Ref:...
Changes to Application OwnershipAnalytic Rule📄 StandaloneStandalone ContentDetects changes to the ownership of an application. Monitor these changes to make sure that they were authorized. Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-app...
Changes to PIM SettingsAnalytic Rule📄 StandaloneStandalone ContentPIM provides a key mechanism for assigning privileges to accounts; this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer ...
Conditional Access Policy Modified by New UserAnalytic Rule📄 StandaloneStandalone ContentDetects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days. A threat actor may try to modify policies to weaken the security controls in place. ...
End-user consent stopped due to risk-based consentAnalytic Rule📄 StandaloneStandalone ContentDetects a user's consent to an OAuth application being blocked due to it being too risky. These events should be investigated to understand why the user attempted to consent to the application and w...
Guest Users Invited to Tenant by New InvitersAnalytic Rule📄 StandaloneStandalone ContentDetects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect ...
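The "new user" rules above (Conditional Access policy modified by a user with no such change in 14 days, guests invited by an inviter not seen in 14 days) are one pattern: split the audit log into a detection window and a baseline window, and flag actors present in the former but absent from the latter. This added Python example, not the rules' own KQL, implements that split over constructed AuditLogs-style events; the operation names, actor UPNs and window lengths are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 15, 12, 0, 0)


def ev(days_ago, operation, actor):
    # Mirrors AuditLogs: OperationName plus the initiating user's UPN (constructed sample).
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "OperationName": operation,
            "InitiatedBy": actor}


EVENTS = [
    ev(10, "Update conditional access policy", "admin-ops@contoso.example"),
    ev(3, "Update conditional access policy", "admin-ops@contoso.example"),
    ev(0.2, "Update conditional access policy", "admin-ops@contoso.example"),
    ev(0.1, "Update conditional access policy", "contractor-jo@contoso.example"),  # never seen before
    ev(20, "Invite external user", "hr-user@contoso.example"),      # outside a 14-day baseline
    ev(0.3, "Invite external user", "hr-user@contoso.example"),
    ev(5, "Invite external user", "it-helpdesk@contoso.example"),
    ev(0.4, "Invite external user", "it-helpdesk@contoso.example"),
]


def first_time_actors(events, operation, now=NOW, detect_days=1, lookback_days=14):
    """Actors performing `operation` in the last detect_days with no such event in the
    preceding lookback_days (the same split the 14-day rules use)."""
    detect_start = now - timedelta(days=detect_days)
    baseline_start = detect_start - timedelta(days=lookback_days)
    seen_before = set()
    recent = defaultdict(list)
    for e in events:
        if e["OperationName"] != operation:
            continue
        ts = e["TimeGenerated"]
        if baseline_start <= ts < detect_start:
            seen_before.add(e["InitiatedBy"])
        elif detect_start <= ts <= now:
            recent[e["InitiatedBy"]].append(ts)
    return [{"InitiatedBy": actor, "OperationName": operation,
             "FirstSeen": min(times), "Count": len(times)}
            for actor, times in sorted(recent.items()) if actor not in seen_before]


if __name__ == "__main__":
    for op in ("Update conditional access policy", "Invite external user"):
        print(op, first_time_actors(EVENTS, op))
```

Note the hr-user case: one invitation 20 days ago is outside the 14-day baseline, so the account is reported as new. Whether that is a false positive or exactly the infrequent-actor signal you want is a tuning decision; widening lookback_days to 30 makes it disappear.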
Service Principal Assigned App Role With Sensitive AccessAnalytic Rule📄 StandaloneStandalone ContentDetects a Service Principal being assigned an app role that has sensitive access such as Mail.Read. A threat actor who compromises a Service Principal may assign it an app role to allow it to access...
Service Principal Assigned Privileged RoleAnalytic Rule📄 StandaloneStandalone ContentDetects a privileged role being added to a Service Principal. Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly pr...
Suspicious linking of existing user to external UserAnalytic Rule📄 StandaloneStandalone ContentThis query will detect when an attempt is made to update an existing user and link it to a guest or external identity. These activities are unusual and such linking of external identities should be...
URL Added to Application from Unknown DomainAnalytic Rule📄 StandaloneStandalone ContentDetects a URL being added to an application where the domain is not one that is associated with the tenant. The query uses domains seen in sign in logs to determine if the domain is associated with ...
User Account Created Using Incorrect Naming FormatAnalytic Rule📄 StandaloneStandalone ContentThis query looks for accounts being created where the name does not match a defined pattern. Attackers may attempt to add accounts as a means of establishing persistent access to an environment, loo...
User account created without expected attributes definedAnalytic Rule📄 StandaloneStandalone ContentThis query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant. Attackers may attempt to add accounts as a means of establishing persiste...
User State changed from Guest to MemberAnalytic Rule📄 StandaloneStandalone ContentDetects when a guest account in a tenant is converted to a member of the tenant. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Accounts...
Azure Diagnostic settings removed from a resourceAnalytic Rule📄 StandaloneStandalone ContentThis query looks for diagnostic settings that are removed from a resource. This could indicate an attacker or malicious insider trying to evade detection before a malicious act is performed. If the dia...
Azure VM Run Command operations executing a unique PowerShell scriptAnalytic Rule📄 StandaloneStandalone ContentIdentifies when Azure Run command is used to execute a PowerShell script on a VM that is unique. The uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it impor...
AppServices AV Scan FailureAnalytic Rule📄 StandaloneStandalone ContentIdentifies if an AV scan fails in Azure App Services.
AppServices AV Scan with Infected FilesAnalytic Rule📄 StandaloneStandalone ContentIdentifies if an AV scan finds infected files in Azure App Services.
Application Gateway WAF - SQLi DetectionAnalytic Rule📄 StandaloneStandalone ContentIdentifies a match for SQL Injection attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.or...
Application Gateway WAF - XSS DetectionAnalytic Rule📄 StandaloneStandalone ContentIdentifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement. References: https://owasp.org/www-proj...
Suspicious Sign In by Entra ID Connect Sync AccountAnalytic Rule📄 StandaloneStandalone ContentThis query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous. This query uses Microsoft Sentinel's UEBA features to detect these...
CreepyDrive request URL sequenceAnalytic Rule📄 StandaloneStandalone ContentCreepyDrive uses OneDrive for command and control; however, it makes regular requests to predictable paths. This detection will alert when over 20 sequences are observed in a single day.
CreepyDrive URLsAnalytic Rule📄 StandaloneStandalone ContentCreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.
RunningRAT request parametersAnalytic Rule📄 StandaloneStandalone ContentThis detection will alert when RunningRAT URI parameters or paths are detected in an HTTP request. If the device blocked this communication, the presence of this alert means the RunningRAT implant is likely ...
Fortinet - Beacon pattern detectedAnalytic Rule📄 StandaloneStandalone ContentIdentifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such...
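Beacon detection on time deltas works per (source, destination) pair: sort the contacts, take the inter-contact intervals, and ask how tightly they cluster around their median, with a tolerance band that absorbs jitter. This added Python example, not the Fortinet rule's own KQL, implements that test over constructed contacts; the field names mirror the CEF SourceIP/DestinationIP columns, and the contact counts, jitter tolerance and regularity threshold are assumptions chosen for the demo.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 0, 0, 0)
_rng = random.Random(3)  # seeded: the constructed sample is reproducible


def contacts(src, dst, times):
    # Mirrors the CommonSecurityLog fields the rule reads for Fortinet data.
    return [{"TimeGenerated": BASE + timedelta(seconds=t), "SourceIP": src, "DestinationIP": dst}
            for t in times]


def beacon_times(n, interval, jitter):
    """n contact times spaced `interval` seconds apart with uniform jitter of +/- `jitter`."""
    t, out = 0.0, []
    for _ in range(n):
        out.append(t)
        t += interval + _rng.uniform(-jitter, jitter)
    return out


EVENTS = (
    contacts("10.0.0.12", "203.0.113.50", beacon_times(40, 60, 4))                    # 60 s beacon
    + contacts("10.0.0.13", "198.51.100.20", sorted(_rng.uniform(0, 7200) for _ in range(40)))  # browsing
    + contacts("10.0.0.14", "198.51.100.21", [0, 30, 60])                              # too few to judge
)


def detect_beacons(events, min_contacts=10, jitter=0.15, min_interval=30.0, regularity=0.8):
    """Flag (src, dst) pairs whose inter-contact deltas cluster within +/- jitter*median."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["SourceIP"], e["DestinationIP"])].append(e["TimeGenerated"])
    hits = []
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_contacts:
            continue   # not enough samples for a stable median
        ts.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = statistics.median(deltas)
        if med < min_interval:
            continue   # very chatty traffic is a job for volume rules, not this one
        tol = jitter * med
        regular = sum(1 for d in deltas if abs(d - med) <= tol) / len(deltas)
        if regular >= regularity:
            hits.append({"SourceIP": src, "DestinationIP": dst, "Contacts": len(ts),
                         "MedianIntervalSec": round(med, 1), "Regularity": round(regular, 2)})
    return hits


if __name__ == "__main__":
    print(detect_beacons(EVENTS))
```

The median rather than the mean anchors the band because a single long sleep (the implant's host suspended overnight) would drag a mean far off the true interval while leaving the median intact. Seasonality handling, which the rule mentions, would go on top of this by excluding business-hours traffic patterns before scoring.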
Possible contact with a domain generated by a DGAAnalytic Rule📄 StandaloneStandalone ContentIdentifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are di...
Time series anomaly detection for total volume of trafficAnalytic Rule📄 StandaloneStandalone ContentIdentifies anomalous spikes in network traffic logs as compared to baseline or normal historical patterns. The query leverages a KQL built-in anomaly detection algorithm to find large deviations from ...
Wazuh - Large Number of Web errors from an IPAnalytic Rule📄 StandaloneStandalone ContentIdentifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://documentation.wazuh.com/current/cloud-security/azure/ind...
PE file dropped in Color Profile FolderAnalytic Rule📄 StandaloneStandalone ContentThis query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the fo...
SUNBURST suspicious SolarWinds child processesAnalytic Rule📄 StandaloneStandalone ContentIdentifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasiv...
Trust Monitor EventAnalytic Rule📄 StandaloneStandalone ContentThis query identifies when a new trust monitor event is detected.
Missing Domain Controller HeartbeatAnalytic Rule📄 StandaloneStandalone ContentThis detection goes over the heartbeats received from the agents on Domain Controllers over the last hour and creates an alert if the last heartbeat was received more than an hour ago.
OMI Vulnerability ExploitationAnalytic Rule📄 StandaloneStandalone ContentFollowing the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vu...
Exchange Server Suspicious File Downloads.Analytic Rule📄 StandaloneStandalone ContentThis query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. This query uses the Exchange HttpProxy A...
Silk Typhoon Suspicious File Downloads.Analytic Rule📄 StandaloneStandalone ContentThis query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the ta...
Users searching for VIP user activityAnalytic Rule📄 StandaloneStandalone ContentThis query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template. Use this detection to alert for users specif...
Failed AzureAD logons but success logon to AWS ConsoleAnalytic Rule📄 StandaloneStandalone ContentIdentifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful AWS Console logons from these IPs withi...
Failed AzureAD logons but success logon to hostAnalytic Rule📄 StandaloneStandalone ContentIdentifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful remote logons to hosts from these IPs w...
IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPNAnalytic Rule📄 StandaloneStandalone ContentThis query creates a list of IP addresses with the number of failed login attempts to Entra ID above a set threshold (default of 5). It then looks for any successful Palo Alto VPN logins from any ...
Account created from non-approved sourcesAnalytic Rule📄 StandaloneStandalone ContentThis query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistent acc...
ADFS DKM Master Key ExportAnalytic Rule📄 StandaloneStandalone ContentIdentifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.goo...
Anomalous login followed by Teams actionAnalytic Rule📄 StandaloneStandalone ContentDetects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. Query calculates IP usage Delta for each user account and selects accounts where a...
Audit policy manipulation using auditpol utilityAnalytic Rule📄 StandaloneStandalone ContentThis detects attempts to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in di...
Failed AWS Console logons but success logon to AzureADAnalytic Rule📄 StandaloneStandalone ContentIdentifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Microsoft Entra ID logons from these IPs withi...
IP address of Windows host encoded in web requestAnalytic Rule📄 StandaloneStandalone ContentThis detection will identify network requests in HTTP proxy data that contain Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to identify any machin...
Windows host username encoded in base64 web requestAnalytic Rule📄 StandaloneStandalone ContentThis detection will identify network requests in HTTP proxy data that contain Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen used by POLONIUM in their Runni...
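The two rules above and the earlier "Base64 encoded Windows process command-lines" rule share one mechanic: pull base64-looking runs out of a string, decode them, and test the plaintext, either for an MZ/PE header (command lines) or for an IP or username that belongs to one of your own hosts (proxy URLs). This added Python example, not the rules' own KQL, implements that shared extractor once and both checks on top of it. The minimum token lengths, the PE stub and the sample command line and URL are constructed for the demo; the host IP and username sets stand in for the DeviceNetworkEvents/DeviceEvents join the real rules perform.

```python
import base64
import binascii
import re
import struct


def decode_tokens(text, min_len):
    """Yield (token, decoded_bytes) for every base64-looking run of at least min_len chars."""
    pattern = re.compile(rf"[A-Za-z0-9+/]{{{min_len},}}={{0,2}}")
    for m in pattern.finditer(text):
        token = m.group(0)
        padded = token + "=" * (-len(token) % 4)
        try:
            yield token, base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue   # not valid base64 (e.g. an ordinary long word such as "quarterly")


def looks_like_pe(blob):
    """True for an MZ header; the PE signature is also checked when enough bytes decoded."""
    if len(blob) < 2 or blob[:2] != b"MZ":
        return False
    if len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if len(blob) >= e_lfanew + 4:
            return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return True   # only the DOS header survived the base64 run; still worth flagging


def pe_header_in_commandline(cmdline, min_len=24):
    """Base64 tokens in a process command line that decode to a PE/MZ header."""
    return [tok for tok, blob in decode_tokens(cmdline, min_len) if looks_like_pe(blob)]


def encoded_host_identifiers(url, host_ips, usernames, min_len=8):
    """(token, value) pairs where a base64 token in the URL decodes to a known host IP or username."""
    known = set(host_ips) | set(usernames)
    found = []
    for tok, blob in decode_tokens(url, min_len):
        try:
            text = blob.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text in known:
            found.append((tok, text))
    return found


# --- constructed samples (no real malware, no real hosts) ---
def build_pe_stub():
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature right after the DOS header
    return bytes(hdr) + b"PE\0\0" + bytes(20)


SAMPLE_PE_B64 = base64.b64encode(build_pe_stub()).decode()
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -c \"$b=[Convert]::FromBase64String('"
                  + SAMPLE_PE_B64 + "');[IO.File]::WriteAllBytes('u.exe',$b)\"")
BENIGN_CMDLINE = "powershell.exe -nop -c Get-Process | Sort-Object CPU"
HOST_IPS, USERNAMES = {"10.0.0.5"}, {"jsmith"}
SAMPLE_URL = ("http://203.0.113.77/gate.php?c=" + base64.b64encode(b"10.0.0.5").decode()
              + "&u=" + base64.b64encode(b"jsmith").decode())
BENIGN_URL = "https://www.example.com/search?q=quarterly+report&page=2"

if __name__ == "__main__":
    print(pe_header_in_commandline(SAMPLE_CMDLINE))
    print(encoded_host_identifiers(SAMPLE_URL, HOST_IPS, USERNAMES))
```

Two limits worth knowing: the extractor only handles standard base64 (URL-safe "-_" alphabets need a second pattern), and a run whose length is one more than a multiple of four cannot be padded into valid base64 and is dropped, so an attacker who splits the blob across parameters defeats the naive form of this check.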
COM Registry Key Modified to Point to File in Color Profile FolderAnalytic Rule📄 StandaloneStandalone ContentThis query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\. This can be used to enable COM hijacking for persistence. Ref: https://www.microsof...
Dev-0228 File Path Hashes November 2021Analytic Rule📄 StandaloneStandalone ContentThis hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom versions of popular tools like PsExec and Procdump to carry out its activity. The...
Dev-0530 File Extension RenameAnalytic Rule📄 StandaloneStandalone ContentDev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ranso...
High risk Office operation conducted by IP Address that recently attempted to log into a disabled accountAnalytic Rule📄 StandaloneStandalone ContentIt is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user. The query filters the SigninLogs for en...
Email access via active syncAnalytic Rule📄 StandaloneStandalone ContentThis query detects attempts to add attacker devices as allowed IDs for ActiveSync using the Set-CASMailbox command. This technique was seen in relation to Solorigate attack but the results can indica...
Europium - Hash and IP IOCs - September 2022Analytic Rule📄 StandaloneStandalone ContentIdentifies a match across various data feeds for hashes and IP IOC related to Europium Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-th...
Unusual identity creation using exchange powershellAnalytic Rule📄 StandaloneStandalone ContentThe query below identifies the creation of an unusual identity by the Europium actor to mimic the Microsoft Exchange Health Manager Service account using Exchange PowerShell commands Reference: https://www.mi...
Exchange Worker Process Making Remote CallAnalytic Rule📄 StandaloneStandalone ContentThis query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour...
Known Forest Blizzard group domains - July 2019Analytic Rule📄 StandaloneStandalone ContentMatches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issu...
Gain Code Execution on ADFS Server via Remote WMI ExecutionAnalytic Rule📄 StandaloneStandalone ContentThis query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventI...
Failed host logons but success logon to AzureADAnalytic Rule📄 StandaloneStandalone ContentIdentifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Microsoft Entra ID from these IPs wi...
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attemptAnalytic Rule📄 StandaloneStandalone ContentThis hunting query alerts on impossible-travel activity correlated with mailbox permission tampering followed by an account being added to a PIM-managed privileged group. Ensure this impossib...
Malformed user agentAnalytic Rule📄 StandaloneStandalone ContentMalware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.
Mercury - Domain, Hash and IP IOCs - August 2022Analytic Rule📄 StandaloneStandalone ContentIdentifies a match across various data feeds for domains, hashes and IP IOC related to Mercury Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilitie...
Multiple Password Reset by userAnalytic Rule📄 StandaloneStandalone ContentThis query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and cert...
Phishing link click observed in Network TrafficAnalytic Rule📄 StandaloneStandalone ContentThe purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft net...
Potential Fodhelper UAC Bypass (ASIM Version)Analytic Rule📄 StandaloneStandalone ContentThis detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process w...
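The Fodhelper bypass is a two-step sequence: the attacker writes a payload under HKCU\Software\Classes\ms-settings\Shell\Open\command (and an empty DelegateExecute value), then launches fodhelper.exe, an auto-elevating binary that consults that key. The rule above correlates the registry writes with the process launch; the Python below is an added example of that correlation, not the rule's own KQL. Host names, the 10-minute window, the ASIM-style field names (DvcHostname, RegistryKey, Process) and the sample events are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The key fodhelper.exe consults when it auto-elevates; the bypass plants a payload under it.
MS_SETTINGS_CMD = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command$", re.I)
BASE = datetime(2024, 2, 1, 10, 0, 0)


def reg(host, sec, key, value_name, data):
    return {"TimeGenerated": BASE + timedelta(seconds=sec), "DvcHostname": host,
            "EventType": "RegistryValueSet", "RegistryKey": key,
            "RegistryValueName": value_name, "RegistryValueData": data}


def proc(host, sec, image, cmdline):
    return {"TimeGenerated": BASE + timedelta(seconds=sec), "DvcHostname": host,
            "EventType": "ProcessCreated", "Process": image, "CommandLine": cmdline}


KEY = r"HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command"
FODHELPER = r"C:\Windows\System32\fodhelper.exe"
EVENTS = [
    # WS01: the full bypass sequence (constructed)
    reg("WS01", 0, KEY, "(Default)", r"cmd.exe /c whoami > C:\Users\Public\out.txt"),
    reg("WS01", 1, KEY, "DelegateExecute", ""),
    proc("WS01", 5, FODHELPER, "fodhelper.exe"),
    # WS02: fodhelper launched by the Settings app, no registry tampering
    proc("WS02", 5, FODHELPER, "fodhelper.exe"),
    # WS03: key planted, but fodhelper only runs far outside the correlation window
    reg("WS03", 0, KEY, "(Default)", r"C:\Users\Public\stage.exe"),
    proc("WS03", 7200, FODHELPER, "fodhelper.exe"),
]


def detect_fodhelper_bypass(events, window=timedelta(minutes=10)):
    """Per host: a write under ms-settings\\shell\\open\\command followed by fodhelper.exe within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["DvcHostname"]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        writes = [e for e in evs if e["EventType"] == "RegistryValueSet"
                  and MS_SETTINGS_CMD.search(e["RegistryKey"])]
        launches = [e for e in evs if e["EventType"] == "ProcessCreated"
                    and e["Process"].lower().endswith("fodhelper.exe")]
        for p in launches:
            prior = [w for w in writes if timedelta(0) <= p["TimeGenerated"] - w["TimeGenerated"] <= window]
            if not prior:
                continue
            payload = next((w["RegistryValueData"] for w in reversed(prior)
                            if w["RegistryValueName"] == "(Default)"), "")
            hits.append({"DvcHostname": host, "RegistryWrites": len(prior), "Payload": payload,
                         "DelegateExecuteSet": any(w["RegistryValueName"] == "DelegateExecute"
                                                   for w in prior),
                         "LaunchTime": p["TimeGenerated"]})
            break
    return hits


if __name__ == "__main__":
    print(detect_fodhelper_bypass(EVENTS))
```

Requiring the registry write before the launch, on the same host, is what keeps WS02 (a user opening Optional Features) quiet; the window is the tunable part, and the rule description notes it can be widened to catch staged variants at the cost of more noise.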
Identify Mango Sandstorm powershell commandsAnalytic Rule📄 StandaloneStandalone ContentThe query below identifies powershell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-un...
Prestige ransomware IOCs Oct 2022Analytic Rule📄 StandaloneStandalone ContentThis query looks for file hashes and AV signatures associated with Prestige ransomware payload.
Risky user signin observed in non-Microsoft network deviceAnalytic Rule📄 StandaloneStandalone ContentThis content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.
Azure VM Run Command operation executed during suspicious login windowAnalytic Rule📄 StandaloneStandalone ContentIdentifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.
Security Service Registry ACL ModificationAnalytic Rule📄 StandaloneStandalone ContentIdentifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant reg...
Cisco - firewall block but success logon to Microsoft Entra IDAnalytic Rule📄 StandaloneStandalone ContentCorrelate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins. Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentia...
Star Blizzard C2 Domains August 2022Analytic Rule📄 StandaloneStandalone ContentIdentifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.
M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in ActivityAnalytic Rule📄 StandaloneStandalone ContentThis content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network dev...
Suspicious Login from deleted guest accountAnalytic Rule📄 StandaloneStandalone ContentThis query will detect logins from a guest account that was recently deleted. Any successful login from a deleted identity should be investigated further to see if any existing user accounts have been ...
Suspicious modification of Global Administrator user propertiesAnalytic Rule📄 StandaloneStandalone ContentThis query will detect when the user properties of a Global Administrator are updated by an existing user. Usually only a User Administrator or another Global Administrator can update such properties. Investigate...
Time series anomaly for data size transferred to public internetAnalytic Rule📄 StandaloneStandalone ContentIdentifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data tr...
NRT Malicious Inbox RuleAnalytic Rule📄 StandaloneStandalone ContentOftentimes after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit the ability to warn compromised users that they've be...
NRT Multiple users email forwarded to same destinationAnalytic Rule📄 StandaloneStandalone ContentIdentifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from mul...
PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability AttackAnalytic Rule📄 StandaloneStandalone ContentThis query identifies exploitation attempts using the Pulse Connect Secure (PCS) vulnerability (CVE-2021-22893) against the VPN server
Detect PIM Alert Disabling activityAnalytic Rule📄 StandaloneStandalone ContentPrivileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in a Microsoft Entra ID (Azure AD) organization. This query will help detect attackers' attempts to disa...
AV detections related to Dev-0530 actorsAnalytic Rule📄 StandaloneStandalone ContentThis query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device; this query joins...
AV detections related to Europium actorsAnalytic Rule📄 StandaloneStandalone ContentThis query looks for Microsoft Defender AV detections related to the Europium actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device; this query joins...
AV detections related to Hive RansomwareAnalytic Rule📄 StandaloneStandalone ContentThis query looks for Microsoft Defender AV detections related to Hive Ransomware. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device; this query joins ...
Mass Download & copy to USB device by single userAnalytic Rule📄 StandaloneStandalone ContentThis query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. Th...
Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data FactoryAnalytic Rule📄 StandaloneStandalone ContentThis query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. In Microsoft Sentinel, the SecurityAlerts table...
Solorigate Defender DetectionsAnalytic Rule📄 StandaloneStandalone ContentSurfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device; this query joins the DeviceInfo table to clearly...
Workspace deletion activity from an infected deviceAnalytic Rule📄 StandaloneStandalone ContentThis query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after...
Microsoft Entra ID Health Monitoring Agent Registry Keys AccessAnalytic Rule📄 StandaloneStandalone ContentThis detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent. This detection requires an access control entry (ACE...
Microsoft Entra ID Health Service Agents Registry Keys AccessAnalytic Rule📄 StandaloneStandalone ContentThis detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g. AD FS). Information from AD He...
Modification of Accessibility FeaturesAnalytic Rule📄 StandaloneStandalone ContentAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a ...
AD FS Abnormal EKU object identifier attributeAnalytic Rule📄 StandaloneStandalone ContentThis detection uses Security events from the "AD FS Auditing" provider to detect suspicious object identifiers (OIDs) as part of EventID 501 and specifically part of the Enhanced Key Usage attributes. Th...
AdminSDHolder ModificationsAnalytic Rule📄 StandaloneStandalone ContentThis query detects modifications to the AdminSDHolder object in Active Directory, which could indicate an attempt at persistence. AdminSDHolder Modification is a persistence technique in which an attack...
COM Event System Loading New DLLAnalytic Rule📄 StandaloneStandalone ContentThis query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.
DSRM Account AbuseAnalytic Rule📄 StandaloneStandalone ContentThis query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785
Fake computer account createdAnalytic Rule📄 StandaloneStandalone ContentThis query detects domain user account creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID ...
Group created then added to built in domain local or global groupAnalytic Rule📄 StandaloneStandalone ContentIdentifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is a...
Failed logon attempts by valid accounts within 10 minsAnalytic Rule📄 StandaloneStandalone ContentIdentifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.
Midnight Blizzard - suspicious rundll32.exe execution of vbscriptAnalytic Rule📄 StandaloneStandalone ContentThis query identifies when rundll32.exe executes a specific set of inline VBScript commands. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-m...
Midnight Blizzard - Script payload stored in RegistryAnalytic Rule📄 StandaloneStandalone ContentThis query identifies when a process execution command-line indicates that a registry value is written to allow for later execution of a malicious script. References: https://www.microsoft.com/security/b...
AD account with Don't Expire PasswordAnalytic Rule📄 StandaloneStandalone ContentIdentifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountC...
Possible Resource-Based Constrained Delegation AbuseAnalytic Rule📄 StandaloneStandalone ContentThis query identifies Active Directory computer object modifications that allow an adversary to abuse Resource-based constrained delegation. This query checks for event id 5136 that the Object C...
Potential Build Process CompromiseAnalytic Rule📄 StandaloneStandalone ContentThe query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. More details: h...
Potential KerberoastingAnalytic Rule📄 StandaloneStandalone ContentA service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service acco...
Multiple RDP connections from Single SystemAnalytic Rule📄 StandaloneStandalone ContentIdentifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day....
RDP NestingAnalytic Rule📄 StandaloneStandalone ContentQuery detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from ...
Rare RDP ConnectionsAnalytic Rule📄 StandaloneStandalone ContentIdentifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType...
Silk Typhoon New UM Service Child ProcessAnalytic Rule📄 StandaloneStandalone ContentThis query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed. Reference: https://www.microsoft.com/security/blog/2021/03/02/h...
Silk Typhoon Suspicious UM Service ErrorAnalytic Rule📄 StandaloneStandalone ContentThis query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting...
Solorigate Named PipeAnalytic Rule📄 StandaloneStandalone ContentIdentifies a match across various data feeds for named pipe IOCs related to the Solorigate incident. For the sysmon events required for this detection, logging for Named Pipe Events needs to be confi...
Account added and removed from privileged groupsAnalytic Rule📄 StandaloneStandalone ContentIdentifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.
User account added to built in domain local or global groupAnalytic Rule📄 StandaloneStandalone ContentIdentifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expe...
User account created and deleted within 10 minsAnalytic Rule📄 StandaloneStandalone ContentIdentifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.
User account enabled and disabled within 10 minsAnalytic Rule📄 StandaloneStandalone ContentIdentifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.
New user created and added to the built-in administrators groupAnalytic Rule📄 StandaloneStandalone ContentIdentifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.
Service Principal Name (SPN) Assigned to User AccountAnalytic Rule📄 StandaloneStandalone ContentThis query identifies whether an Active Directory user object was assigned a service principal name, which could indicate that an adversary is preparing to perform Kerberoasting. This query checks...
Vulnerable Machines related to OMIGOD CVE-2021-38647Analytic Rule📄 StandaloneStandalone ContentThis query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configur...
Anomalous Single Factor SigninAnalytic Rule📄 StandaloneStandalone ContentDetects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, inves...
Authentication Attempt from New CountryAnalytic Rule📄 StandaloneStandalone ContentDetects when there is a login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts ...
Authentications of Privileged Accounts Outside of Expected ControlsAnalytic Rule📄 StandaloneStandalone ContentDetects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days. Privileged accounts are a key target fo...
New country signIn with correct passwordAnalytic Rule📄 StandaloneStandalone ContentIdentifies an interrupted sign-in session from a country the user has not signed in from before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such ...
Privileged User Logon from new ASNAnalytic Rule📄 StandaloneStandalone ContentDetects a successful logon by a privileged account from an ASN not logged in from in the last 14 days. Monitor these logons to ensure they are legitimate and identify if there are any similar sign i...
Service Principal Authentication Attempt from New CountryAnalytic Rule📄 StandaloneStandalone ContentDetects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from c...
Anomalous User Agent connection attemptAnalytic Rule📄 StandaloneStandalone ContentIdentifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.
High count of failed attempts from same client IPAnalytic Rule📄 StandaloneStandalone ContentIdentifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server. This could be indicative of an attempted brute force. This could also simply indicate a misconfig...
High count of failed logons by a userAnalytic Rule📄 StandaloneStandalone ContentIdentifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server. This could be indicative of attempted brute force based on known account information. This could also...
High count of connections by client IP on many portsAnalytic Rule📄 StandaloneStandalone ContentIdentifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server. This could be indicative of attempted port scanning or exploit attempt at internet facing web...
Exchange SSRF Autodiscover ProxyShell - DetectionAnalytic Rule📄 StandaloneStandalone ContentThis query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eve...
Silk Typhoon Suspicious Exchange RequestAnalytic Rule📄 StandaloneStandalone ContentThis query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors. The same query can be run on HTTPProxy logs from on-premise hosted Exchange ser...
Zoom E2E Encryption DisabledAnalytic Rule📄 StandaloneStandalone ContentThis alerts when end-to-end encryption is disabled for Zoom meetings.
External User Access EnabledAnalytic Rule📄 StandaloneStandalone ContentThis alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.
User joining Zoom meeting from suspicious timezoneAnalytic Rule📄 StandaloneStandalone ContentThe alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in. You can also whitelist known good time zones in the tz_whitelist value using the tz datab...
Suspicious link sharing patternAnalytic Rule📄 StandaloneStandalone ContentAlerts on links that have been shared across multiple Zoom chat channels by the same user in a short space of time. Adjust the threshold figure to change the number of channels a message needs to be p...
Discord download invoked from cmd line (ASIM Version)Hunting Query📄 StandaloneStandalone ContentThis hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware del...
Crash dump disabled on host (ASIM Version)Hunting Query📄 StandaloneStandalone ContentThis detection looks for the prevention of crash dumps being created. This can be used to limit reporting by malware; look for suspicious processes setting this registry key.
Consent to Application discoveryHunting Query📄 StandaloneStandalone ContentThis query looks at the last 14 days for "Consent to application" operation by a user/app which could potentially mean unauthorized access. Additional context is added from AuditLogs based on Corrleat...
Rare Audit activity initiated by AppHunting Query📄 StandaloneStandalone ContentCompares the current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by Azure Apps and automated approva...
Rare Audit activity initiated by UserHunting Query📄 StandaloneStandalone ContentCompares current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by specific users.
User Granted Access and associated audit activityHunting Query📄 StandaloneStandalone ContentIdentifies when a new user is granted access and any subsequent audit related activity. This can help you identify rogue or malicious user behavior.
Azure CloudShell UsageHunting Query📄 StandaloneStandalone ContentThis query looks for users starting an Azure CloudShell session and summarizes the Azure Activity from that user account during that timeframe (by default 1 hour). This can be used to help identify abu...
Check critical ports opened to the entire internetHunting Query📄 StandaloneStandalone ContentDiscover all critical ports from a list having rules like 'Any' for sourceIp, which means that they are opened to everyone. Critical ports should not be opened to everyone, and should be filtered.
List all the VScode Extensions which are installed on a user systemHunting Query📄 StandaloneStandalone ContentDetects observed Visual Studio Code (VS Code) extension installation activity on a user's system within the query time range. Note: This query does not return a complete per-user inventory of install...
GitHub OAuth App Restrictions DisabledHunting Query📄 StandaloneStandalone ContentThis hunting query identifies a fork activity against a repository done by a user who is not the owner of the repo nor a contributor.
GitHub Repo Clone - Time Series AnomalyHunting Query📄 StandaloneStandalone ContentAttackers can exfiltrate data from your GitHub repository by cloning it. This hunting query tracks clone activities for each repository, allowing quick identification of anomalies/excessive clones to i...
Cross workspace query anomaliesHunting Query📄 StandaloneStandalone ContentThis hunting query looks for increases in the number of workspaces queried by a user.
Multiple large queries made by userHunting Query📄 StandaloneStandalone ContentThis hunting query looks for users who are running multiple queries that return either a very large amount of data or the maximum amount allowed by the query method.
New client running queriesHunting Query📄 StandaloneStandalone ContentThis hunting query looks for clients running queries that have not previously been seen running queries.
New ServicePrincipal running queriesHunting Query📄 StandaloneStandalone ContentThis hunting query looks for new Service Principals running queries that have not previously been seen running queries.
New users running queriesHunting Query📄 StandaloneStandalone ContentThis hunting query looks for users who have run queries that have not previously been seen running queries.
Query data volume anomaliesHunting Query📄 StandaloneStandalone ContentThis hunting query looks for anomalously large LA queries by users.
Query looking for secretsHunting Query📄 StandaloneStandalone ContentThis hunting query looks for queries that appear to be looking for secrets or passwords in tables.
User returning more data than daily averageHunting Query📄 StandaloneStandalone ContentThis hunting query looks for users whose total returned data is significantly above their average.
User running multiple queries that failHunting Query📄 StandaloneStandalone ContentThis hunting query looks for users who have multiple failed queries in a short space of time.
Anomalous Resource Creation and related Network ActivityHunting Query📄 StandaloneStandalone ContentIndicates when an anomalous number of resources are created in Azure via AzureActivity log. Resource creation could indicate malicious or spurious use of your Azure Resource allocation.
Failed service logon attempt by user account with available AuditDataHunting Query📄 StandaloneStandalone ContentUser account failed to logon in current period. Excludes Windows Sign in attempts and limits to only more than 10 failed logons or 3 different IPs used. Results may indicate a potential malicious use ...
Failed Login Attempt by Expired accountHunting Query📄 StandaloneStandalone ContentThis query looks at Account Logon events found through Windows Event IDs as well as SigninLogs to discover login attempts by accounts that have expired.
Permutations on logon attempts by UserPrincipalNames indicating potential brute forceHunting Query📄 StandaloneStandalone ContentThis identifies failed logon attempts using permutations based on known first and last names within 10m time windows. Iteration through separators or order changes in the logon name may indicate poten...
RareDNSLookupWithDataTransferHunting Query📄 StandaloneStandalone ContentThis query helps identify rare DNS connections and resulting data transfer to/from the associated domain. It can help identify unexpected large data transfers to or from internal systems which may ind...
Rare domains seen in Cloud LogsHunting Query📄 StandaloneStandalone ContentThis script identifies rare domain accounts accessing cloud resources by examining logs. You can lower the domainLimit value to see domains with fewer access attempts. For example, set domainLimit = 2...
Tracking Password ChangesHunting Query📄 StandaloneStandalone ContentThis script identifies password changes or resets across multiple host and cloud sources. Account manipulation, including password changes and resets, may help adversaries maintain access to credentia...
Tracking Privileged Account Rare ActivityHunting Query📄 StandaloneStandalone ContentThis query determines rare activity by a high-value account on a system or service. If any account with rare activity is found, the query retrieves related activity from that account on the same day a...
User Granted Access and created resourcesHunting Query📄 StandaloneStandalone ContentIdentifies when a new user is granted access and starts creating resources in Azure. This can help you identify rogue or malicious user behavior.
Alerts related to IPHunting Query📄 StandaloneStandalone ContentAny Alerts that fired related to a given IpAddress during the range of +6h and -3d
Alerts On HostHunting Query📄 StandaloneStandalone ContentAny Alerts that fired on a given host during the range of +6h and -3d
Alerts related to FileHunting Query📄 StandaloneStandalone ContentAny Alerts that fired related to a given File during the range of +6h and -3d
Web shell command alert enrichmentHunting Query📄 StandaloneStandalone ContentExtracts MDATP Alerts that indicate a command was executed by a web shell. Uses time window based querying to identify the potential web shell location on the server, then enriches with Attacker IP an...
Web shell file alert enrichmentHunting Query📄 StandaloneStandalone ContentExtracts MDATP Alert for a web shell being placed on the server and then enriches this event with information from W3CIISLog to identify the Attacker that placed the shell
External IP address in Command LineHunting Query📄 StandaloneStandalone ContentThis query looks for command lines that contain a public IP address. Attackers may use a hard coded IP for C2 or exfiltration. This query can be filtered to exclude network prefixes that are known t...
Anomalous sign-in location by user account and authenticating applicationHunting Query📄 StandaloneStandalone ContentThis query examines Microsoft Entra ID sign-ins for each application and identifies the most anomalous change in a user's location profile. The goal is to detect user account compromise, possibly via ...
Anomalous sign-in location by user account and authenticating application - with sign-in detailsHunting Query📄 StandaloneStandalone ContentThis query examines Microsoft Entra ID sign-ins and identifies anomalous changes in a user's location profile. A variation joins results back onto the original sign-in data to review the location set ...
Anomalous Microsoft Entra ID apps based on authentication locationHunting Query📄 StandaloneStandalone ContentThis query over Microsoft Entra ID sign-in activity highlights Microsoft Entra ID apps with an unusually high ratio of distinct geolocations versus total number of authentications
Inactive or new account signinsHunting Query📄 StandaloneStandalone ContentQuery for new sign-ins from stale/inactive accounts. UEBA filters based on ActivityInsights. Results for accounts created in the last 7 days are filtered out.
Login spike with increased failure rateHunting Query📄 StandaloneStandalone ContentQuery over SigninLogs summarizes login attempts per hour on weekdays. Kusto anomaly detection finds login spikes. Calculates percentage change between anomalous period and average logins. Determines s...
MFA SpammingHunting Query📄 StandaloneStandalone ContentIdentifies the list of users impacted by MFA spamming within a given time window. The default failure count is 10 and the default time window is 5 minutes.
Login attempt by Blocked MFA userHunting Query📄 StandaloneStandalone ContentAn account could be blocked if there are too many failed authentication attempts in a row. This hunting query identifies if a MFA user account that is set to blocked tries to login to Microsoft Entra ...
Microsoft Entra ID sign-in burst from multiple locationsHunting Query📄 StandaloneStandalone ContentHighlights accounts associated with multiple authentications from different geographical locations in a short period of time.
Signin Logs with expanded Conditional Access PoliciesHunting Query📄 StandaloneStandalone ContentExample query for SigninLogs showing how to break out packed fields. In this case extending conditional access Policies
Same User - Successful logon for a given App and failure on another App within 1m and low distributionHunting Query📄 StandaloneStandalone ContentThis identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for dis...
Failed attempt to access Azure PortalHunting Query📄 StandaloneStandalone ContentAccess attempts to Azure Portal from an unauthorized user. Either invalid password or the user account does not exist.
Disabled accounts using Squid proxyHunting Query📄 StandaloneStandalone ContentQuery finds accounts recorded as disabled by AD in previous time period but still using proxy in current time period. Presumes default squid log format is used. http://www.squid-cache.org/Doc/config/a...
Same IP address with multiple csUserAgentHunting Query📄 StandaloneStandalone ContentThis alerts when a client IP connects with 1-15 different useragents in less than 1 hour. Limited to 50 or less connections to avoid high traffic. May indicate malicious activity as a probing method.
Potential IIS brute forceHunting Query📄 StandaloneStandalone ContentQuery shows 1200+ failed attempts by cIP per hour on server, then successful logon. Only includes > 1 user agent string or port. Could indicate successful probing and brute force success on IIS server...
Potential IIS code injection attemptHunting Query📄 StandaloneStandalone ContentPotential code injection into web server roles via IIS logs scan. Represents attempt to gain initial access using drive-by compromise technique. Detection flags events for review and filtering of auth...
URI requests from single clientHunting Query📄 StandaloneStandalone ContentThis finds connections to server files requested by only one client. Effective when actor uses static operational IP addresses. Threshold can be modified. Larger execution window increases reliability...
Rare User Agent stringsHunting Query📄 StandaloneStandalone ContentThis will check for Rare User Agent strings over the last 3 days. This can indicate potential probing of your IIS servers.
Suspect Mailbox Export on IIS/OWAHunting Query📄 StandaloneStandalone ContentThe hunting query looks for suspicious files accessed on an IIS server that might indicate exfiltration hosting. This technique has been observed when exporting mailbox files from OWA servers.
Detect beacon like pattern based on repetitive time intervals in Wire Data TrafficHunting Query📄 StandaloneStandalone ContentQuery identifies beaconing patterns from Wire Data logs. Uses KQL functions to calculate time delta and find beaconing percentage. Results of beaconing to untrusted public networks can be investigated...
Zoom room high CPU alertsHunting Query📄 StandaloneStandalone ContentThis hunting query identifies Zoom room systems with high CPU alerts that may be a sign of device compromise.
User denied multiple registration events successfully registeringHunting Query📄 StandaloneStandalone ContentQuery identifies users denied registration for multiple webinars or recordings but successfully registered for at least one event. Threshold variable adjusts number of events user needs to be rejected...
New domain added to WhitelistHunting Query📄 StandaloneStandalone ContentThis hunting query identifies new domains added to the domain login whitelist in Zoom.
New time zone observedHunting Query📄 StandaloneStandalone ContentThis hunting query identifies users joining a meeting from a time zone that a user has not been observed from in the last 30 days.
Kerberos AS authenticationsHunting Query📄 StandaloneStandalone ContentThis query shows attempts to request a Kerberos service ticket using the AS service, to monitor Kerberos AS authentications.
MDE_Find_Out_of_date_clientsHunting Query📄 StandaloneStandalone ContentFind endpoints with out of date Defender clients
MDE_AVScanTimesAndTypeHunting Query📄 StandaloneStandalone ContentList all the scan types and device name of those scans
MDE_BlockingASRRulesHunting Query📄 StandaloneStandalone ContentFind endpoints ASR Rules blocking
MDE_BrowserExtensionInstalledHunting Query📄 StandaloneStandalone ContentEndpoints that downloaded browser extensions
MDE_DeviceHealthHunting Query📄 StandaloneStandalone ContentEndpoint Health with AV information
MDE_DeviceInventory-LastUserLoggedInHunting Query📄 StandaloneStandalone ContentEndpoint Inventory
MDE_EvidenceforasingledeviceHunting Query📄 StandaloneStandalone ContentFind all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM.
MDE_FindDefenderSettingsOnEndpointsHunting Query📄 StandaloneStandalone ContentFind Endpoints policies settings via compliance settings in the registry
MDE_FindLNKFilesOnEndpointsHunting Query📄 StandaloneStandalone ContentFind LNK files on certain devices
MDE_FindMountedISOandDriveLettersHunting Query📄 StandaloneStandalone ContentFind Mounted ISO files and drive letters
MDE_FindsPowerShellExecutionEventsHunting Query📄 StandaloneStandalone ContentFinds PowerShell execution events that could involve a download.
MDE_FindstatuschangefromExposurelevelHunting Query📄 StandaloneStandalone ContentFind status change from Exposurelevel
MDE_ListAllNotOnboardedEnpointsHunting Query📄 StandaloneStandalone ContentList all devices that are not onboarded
MDE_ListAlPnPDevicesAllowedorBlockedHunting Query📄 StandaloneStandalone ContentList all PnP Devices that have been allowed or blocked
MDE_Networktrafficgoingtoport-DNSHunting Query📄 StandaloneStandalone ContentFind web Traffic going to port 53
MDE_NetworktrafficgoingtoportHunting Query📄 StandaloneStandalone ContentFind web Traffic going to port 80 or 443
MDE_ProxyChangesViaRegistryHunting Query📄 StandaloneStandalone ContentCount of sender's email addresses by subject
MDE_ShowUSBMountedandfilescopiedHunting Query📄 StandaloneStandalone ContentShow usb mounted and files copied
MDE_ShowUSBMountedDevicesAndDriveLetterHunting Query📄 StandaloneStandalone ContentShow usb mounted devices and drive letters
MDE_SmartScreenCheckHunting Query📄 StandaloneStandalone ContentCheck to see if Smart screen is working. This can also be used to track users going to websites.
MDE_SoftwareInventorybyOSHunting Query📄 StandaloneStandalone ContentSoftware Inventory by OS
Find_deleted_accounts_and_by_whomHunting Query📄 StandaloneStandalone ContentFind accounts that have been deleted and by whom
MDI_Group_Memebership_ChangesHunting Query📄 StandaloneStandalone ContentFind accounts that have been added/removed from groups in AD.
MDI_Objects_Moving_OUsHunting Query📄 StandaloneStandalone ContentFind objects that have been added/removed to different OUs in AD.
Active Directory Account lockout and unlocksHunting Query📄 StandaloneStandalone ContentThis query lists Active Directory accounts lockout and unlock events
2S-MISP-ForwarderPlaybook📄 StandaloneStandalone ContentThis Playbook will forward selected Threat Intelligence from your Sentinel Workspace to an orchestrator playbook. By default it supports sending filehashes and filenames from Defender 365 'Malware was...
2S-MISP-OrchestratorPlaybook📄 StandaloneStandalone ContentThis Playbook is designed to ingest Threat Intelligence Indicators of Compromise (IOCs) from the MISP-Forwarder Playbooks and send it in the correct form to your MISP-server. It will create a new MISP...
Add IP Entity To Named LocationPlaybook📄 StandaloneStandalone ContentThis playbook will execute using an incident based trigger and add the IP entities to a Conditional Access Named Location
Add IP Entity To Network Security GroupPlaybook📄 StandaloneStandalone ContentThis playbook will execute using an incident based trigger and add the IP entities to a Network Security Group
Affected-Key-Credentials-ScannerPlaybook📄 StandaloneStandalone ContentThis Playbook scans all key credentials in all apps/serviceprincipals in the specified tenant for credentials with property hasExtendedValue == true by calling Microsoft Graph and adds to Azure Sentin...
aggregate-ServiceNow-ticketsPlaybook📄 StandaloneStandalone Content
AS-Add-Azure-AD-User-Job-Title-to-IncidentPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. It will pull the Azure AD user accounts associated with the entities from Microsoft Sentinel incidents and add the Azure AD job ...
AS-Add-Machine-Logon-Users-to-IncidentPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. It will match the hosts from a Microsoft Sentinel incident with Microsoft Defender machines and add the logon users for each mac...
AS-Azure-AD-Disable-UserPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. It will disable the Azure AD user accounts associated with the entities from Microsoft Sentinel incidents.
AS-Azure-AD-Enable-UserPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. It will enable the Azure AD user accounts associated with the entities from Microsoft Sentinel incidents.
AS-Azure-AD-GroupPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. It will add the users associated with the accounts from Microsoft Sentinel incidents to an Azure Active Directory Group of your ...
AS-Blob-Storage-Add-Domains-to-Zscaler-URL-CategoryPlaybook📄 StandaloneStandalone ContentThis playbook will use Azure blob storage to maintain a Zscaler custom URL category of your choice. If the Azure blob storage is modified, the Zscaler URL category values will be updated to match.
AS-Block-GitHub-UserPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will look up the GitHub users associated with the Incident Account Entities and block them from your GitHub organization. If ...
AS-Block-Hash-in-DefenderPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will take the File Hashes from the Incident entities list and block them in Defender. A comment noting the affected File Hash...
AS-Checkmarx-Audit-IngestionPlaybook📄 StandaloneStandalone ContentThis playbook ingests Checkmarx audit log events into a custom Microsoft Sentinel table on a daily schedule.
AS-Checkmarx-SAST-IngestionPlaybook📄 StandaloneStandalone ContentThis playbook ingests Checkmarx SAST scan findings into a custom Microsoft Sentinel table on a daily schedule.
AS-Clear-Okta-Network-Zone-ListPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run on a schedule. It will clear out all but one of the IPs from an Okta Network Zone list (leaving at least one entry is required by API). This will prevent the list f...
AS-Compromised-Machine-TaggingPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. It will match the hosts from an incident with machines in Microsoft Defender and tag those machines as compromised.
AS-Create-Opsgenie-IncidentPlaybook📄 StandaloneStandalone ContentThis playbook will create an incident in Opsgenie with the information from a Microsoft Sentinel incident.
AS-CrowdstrikeAlerts-IntegrationPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run on a timed trigger. It will poll Crowdstrike for new alerts and replicate them in Sentinel
AS-Datadog-Events-IntegrationPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run on a timed trigger. It will poll Datadog for new events and replicate them in Sentinel
AS-Delete-App-RegistrationPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. If any app registration entities are found (i.e., any entities where kind == CloudApplication), they will be deleted. This playb...
AS-Disable-Microsoft-Entra-ID-User-From-EntityPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel account entity. It will disable the Entra ID user account associated with the Microsoft Sentinel account entity.
AS-Edgescan-Integration-AssetsPlaybook📄 StandaloneStandalone ContentThis playbook will run daily and ingest asset records created in Edgescan in the last two days. If these records are not in the Microsoft Sentinel Edgescan_Assets_CL custom log, they will be added.
AS-Edgescan-Integration-HostsPlaybook📄 StandaloneStandalone ContentThis playbook will run daily and ingest host records created in Edgescan in the last two days. If these records are not in the Microsoft Sentinel Edgescan_Hosts_CL custom log, they will be added.
AS-Edgescan-Integration-VulnerabilitiesPlaybook📄 StandaloneStandalone ContentThis playbook will run daily and ingest vulnerability records created in Edgescan in the last two days. If these records are not in the Microsoft Sentinel Edgescan_Vulnerabilities_CL custom log, they ...
AS-Enable-Microsoft-Entra-ID-User-From-EntityPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel account entity. It will enable the Microsoft Entra ID user account associated with the Microsoft Sentinel account entity.
AS-IAM-Entra-ID-Master-PlaybookPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident with account and/or IP entities. It will run two playbooks, revoking the sessions of the related Microsoft Entra Id user account ...
AS-IP-Blocklist-HTTPPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be triggered from an Azure Logic App master playbook. It will add the IP address from Microsoft Sentinel Incidents to a Microsoft Azure Conditional Access Named Locations ...
AS-Microsoft-Entra-ID-Revoke-User-Sessions-HTTPPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will look up Microsoft Entra ID users associated with the incident account entities and revoke their sessions. A comment noti...
AS-IAM-Master-PlaybookPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident with account and/or IP entities. It will take the IP and account entities and run four separate playbooks to indicate compromise ...
AS-Okta-NetworkZoneUpdate-HTTPPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be triggered from an Azure Logic App master playbook. It will add the IP address from Microsoft Sentinel Incidents to an Okta Network Zone of your choosing.
AS-Okta-Terminate-User-Sessions-HTTPPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be triggered from an Azure Logic App master playbook. It will match Okta users against the account entities on the incident and then terminate all sessions of the matched ...
AS-Import-Azure-AD-Group-Users-to-MS-WatchlistPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run on a schedule. It will add the users from a specified Azure Active Directory group to a Microsoft Sentinel watchlist.
AS-Get-HostExposureLevel-From-MDEPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will match the Hosts from a Microsoft Sentinel Incident with Microsoft Defender Machines and add each Machine's exposure leve...
AS-Incident-IP-Matched-on-WatchlistPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. If any IP entities are found to match those in a specified watchlist containing a list of subnets, a comment noting this match w...
AS-Incident-Response-Approval-EmailPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel incident. It will facilitate incident response by sending an approval email to the manager(s) of the user(s) associated with the incident.
AS-Incident-Spiderfoot-ScanPlaybook📄 StandaloneStandalone ContentThis playbook will pull email addresses from the account entities in a Microsoft Sentinel incident and use them as targets in a Spiderfoot scan. By default, the scan is created using the HaveIBeenPwne...
AS-IP-BlocklistPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will add the IP address from Microsoft Sentinel Incidents to a Microsoft Azure Conditional Access Named Locations list, signi...
AS-IP-Blocklist-Remove-IPsPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will remove the IP address from Microsoft Sentinel Incidents from a Microsoft Azure Conditional Access Named Locations list.
AS-Make-GitHub-Repository-PrivatePlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will look up the GitHub repositories associated with the Incident Account Entities and make them private. A comment noting th...
AS-MDE-Isolate-MachinePlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will match Microsoft Defender for Endpoint machines with the host entities on the incident and then isolate them.
AS-MDE-Unisolate-MachinePlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will match Microsoft Defender for Endpoint isolated machines with the host entities on the incident and then release them fr...
AS-Microsoft-DCR-Log-IngestionPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run
AS-MuleSoft-IntegrationPlaybook📄 StandaloneStandalone ContentThis playbook is intended to run on a schedule and pull MuleSoft Audit Logs into Microsoft Sentinel custom logs where they can be tracked and queried.
AS-Okta-NetworkZoneUpdatePlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will add the IP address from Microsoft Sentinel Incidents to an Okta Network Zone of your choosing.
AS-PagerDuty-IntegrationPlaybook📄 StandaloneStandalone ContentAuthor: Accelerynt
AS-Recurring-Host-EntityPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will take the Hosts from the Incident entities list and search the Microsoft Sentinel SecurityAlert logs for other entities c...
AS-Remove-Domains-from-Zscaler-URL-CategoryPlaybook📄 StandaloneStandalone ContentThis playbook will extract domains from Microsoft Sentinel incidents and remove them from a Zscaler Custom URL Category of your choice.
AS-Revoke-Entra-ID-User-Session-From-EntityPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Entity. It will look up Entra ID users associated with the account entities and revoke their sessions.
AS-Revoke-Entra-ID-User-Session-From-IncidentPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will look up Entra ID users associated with the incident account entities and revoke their sessions. A comment noting the aff...
AS-Sign-Out-Google-UserPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Incident. It will look up the Google Users associated with the Incident Account Entities and sign them out of all Google web and device se...
AS-Slack-IntegrationPlaybook📄 StandaloneStandalone ContentAuthor: Accelerynt
AS-Terminate-Okta-User-Sessions-From-EntityPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Entity. It will match Okta users against the account entities on the entity and then terminate all sessions of the matched users in Okta.
AS-Update-Okta-Network-Zone-From-EntityPlaybook📄 StandaloneStandalone ContentThis playbook is intended to be run from a Microsoft Sentinel Entity. It will add the IP address from Microsoft Sentinel Entities to an Okta Network Zone of your choosing.
AutoConnect-ASCSubscriptionsPlaybook📄 StandaloneStandalone Contentauthor: Lior Tamir modifiedby: Nathan Swift
Query Azure Monitor with managed identityPlaybook📄 StandaloneStandalone ContentThis playbook will query Azure Monitor with managed identity. It is an alternative to the regular AzureMonitor block, which does not support managed identity.
Block AAD user or admin - AlertPlaybook📄 StandaloneStandalone ContentFor each account entity included in the alert, this playbook will disable the user in Azure Active Directory, add a comment to the incident that contains this alert and notify the manager if available. Not...
Block AAD user or admin - incidentPlaybook📄 StandaloneStandalone ContentFor each account entity included in the incident, this playbook will disable the user in Azure Active Directory, add a comment to the incident that contains this alert and notify the manager if available. ...
Block IP in Exchange On-PremPlaybook📄 StandaloneStandalone ContentThis Playbook will block the IP in on-premises Exchange Server.
Block_IPs_on_MDATP_Using_GraphSecurityPlaybook📄 StandaloneStandalone Contentauthor: Chi Nguyen
BlockADOnPremUserPlaybook📄 StandaloneStandalone ContentMany organizations have an on-premises Active Directory infrastructure that is synced to Azure AD in the cloud. However, given that the on-prem side is the authoritative source of truth, any changes, ...
Change-Incident-SeverityPlaybook📄 StandaloneStandalone Content
Change Incident SeverityPlaybook📄 StandaloneStandalone ContentThis playbook will change Incident Severity based on specific username that is part of the Incident user entity.
Block IP - Cisco ASAPlaybook📄 StandaloneStandalone ContentThis playbook allows blocking/allowing of IPs in Cisco ASA, using a Network Object Group. The Network Object Group itself should be part of an Access Control Entry.
Cisco ASA - Create or remove access rules on an interface for IP AddressesPlaybook📄 StandaloneStandalone ContentThis playbook allows blocking/unblocking of IPs in Cisco ASA, using **Access Control Entries** which will be created in an access control list.
Cisco ASA - Create or Inbound Access Rule On InterfacePlaybook📄 StandaloneStandalone ContentThis playbook allows blocking/unblocking of IPs in Cisco ASA, using **Access Rules** which will be created on an interface.
Close-Incident-MCASPlaybook📄 StandaloneStandalone ContentAuthor: Benjamin Kovacevic
Close-SentinelIncident-from-ServiceNowPlaybook📄 StandaloneStandalone ContentAuthor: Yaniv Shasha This Logic App acts as a listener for an incident close event in ServiceNow and will close the incident in Sentinel.
Generate-Incident-Logic-AppPlaybook📄 StandaloneStandalone ContentThis playbook will help to create an incident in Microsoft Sentinel when an email is sent to the configured email address.
Create-Incident-Logic-AppPlaybook📄 StandaloneStandalone ContentThis playbook will help to create an incident in Microsoft Sentinel when an email is sent to the configured email address.
Create-AzureDevOpsTask-alert-triggerPlaybook📄 StandaloneStandalone ContentThis playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.
Create-AzureDevOpsTask-incident-triggerPlaybook📄 StandaloneStandalone ContentThis playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.
IBMResilient-IncidentsPlaybook📄 StandaloneStandalone Content
Create-IBMResilientIncidentPlaybook📄 StandaloneStandalone ContentThis playbook will create an IBM Resilient incident from an Azure Sentinel incident. It will also add the Azure Sentinel Incident Entities as IBM Resilient Incident Artifacts.
Create-incident-on-missing-Data-SourcePlaybook📄 StandaloneStandalone ContentAuthor: John Joyner
Create Zendesk ticketPlaybook📄 StandaloneStandalone ContentThis playbook will create a Zendesk ticket when a new incident is created in Microsoft Sentinel.
Crowdstrike-ResponsefromTeamsPlaybook📄 StandaloneStandalone ContentWhen a new Azure Sentinel incident is created, this playbook gets triggered and performs the actions below: 1. Fetches the device information from Crowdstrike 1. Contains the device or runs a script based o...
Cyble-Threat-Intel-PlaybookPlaybook📄 StandaloneStandalone ContentThe Cyble Threat Intel Playbook facilitates the retrieval of logs from the Cyble Alerts API into Microsoft Sentinel.
CDC_Dismiss_Upstream_EventsPlaybook📄 StandaloneStandalone Contentauthor: Bridewell Consulting - Robert Kitching
Dynamic-Summaries-API-UpsertPlaybook📄 StandaloneStandalone ContentThis playbook shows how to query Log Analytics data and upload the query result to Sentinel Dynamic Summaries table through Dynamic Summaries REST API.
Query Azure Resource Graph with HTTP input and outputPlaybook📄 StandaloneStandalone ContentThis playbook queries Azure Resource Graph and returns azure information related to the resource like Subscription, Resourcegroups, Tags and Management groups.
Query Azure Resource Graph and enrich sentinel incidentPlaybook📄 StandaloneStandalone ContentThis playbook will enrich a Sentinel Incident with information from AzureResourceGraph.
Enrich MD5 and SHA1 entities - CIRCL hashlookupPlaybook📄 StandaloneStandalone ContentThis playbook will enrich a Sentinel Incident with hash information from CIRCL hashlookup.
Enrich file hash entities - Intezer AnalyzePlaybook📄 StandaloneStandalone ContentThis playbook will enrich a Sentinel Incident with hash information from Intezer Analyze.
Enrich file hashes entities - MalwareBazaarPlaybook📄 StandaloneStandalone ContentThis playbook will enrich a Sentinel Incident with hash information from MalwareBazaar.
Enrich multiple entities - AlienVault-OTXPlaybook📄 StandaloneStandalone ContentThis playbook will enrich a Sentinel Incident with pulse information from AlienVault OTX. If any pulses are found the Incident will also be tagged and the severity raised to High.
GreyNoise-IP-EnrichmentPlaybook📄 StandaloneStandalone Contentauthor: Nathan Swift
GreyNoise-IP-CommunityEnrichmentPlaybook📄 StandaloneStandalone Contentauthor: Nathan Swift
Enrich-SentinelIncident-MDATPTVMPlaybook📄 StandaloneStandalone Contentauthor: Yaniv Shasha
Export-Incidents-With-Comments-ReportPlaybook📄 StandaloneStandalone Contentauthor: Bridewell Consulting - Robert Kitching
Four Playbook templates - F5BigIPPlaybook📄 StandaloneStandalone ContentThis is a consolidated json file for deploying 4 playbooks.
Base playbook - F5 BIG-IPPlaybook📄 StandaloneStandalone ContentThis playbook generates access token for F5 BIG-IP Main playbooks.
Block IP - F5 BIG-IPPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious IP address is part of IP Address List of F5 BIG-IP firewall.
Block URL - F5 BIG-IPPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious URL is part of URL Blocklist Category of F5 BIG-IP firewall.
Enrichment IP - F5 BIG-IPPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious IP address is part of IP Address List of F5 BIG-IP firewall.
Logic Apps Custom Connectors and Playbook templates - ForcepointNGFWPlaybook📄 StandaloneStandalone ContentThis is a consolidated json file for deploying ForcepointSMC custom connector + ForcepointFUID custom connector + 6 playbooks.
Block IP addresses - ForcepointNGFWPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious IP address is blocked or unblocked by SMC firewall.
Block IP addresses by Username - ForcepointNGFWPlaybook📄 StandaloneStandalone ContentThis is forcepoint FUID playbook for blocking IP addresses by username ForcepointNGFW.
Block URLs - ForcepointNGFWPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious URL is blocked or unblocked by SMC firewall.
Enrichment IP - ForcepointPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious IP address is blocked or unblocked by SMC firewall.
Enrichment URL - ForcepointPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious URL is blocked or unblocked by SMC firewall.
Block or Unblock IP addresses - ForcepointNGFWPlaybook📄 StandaloneStandalone ContentThis playbook checks if malicious IP address is blocked or unblocked by SMC firewall.
Get-AD4IoTDeviceCVEs - AlertPlaybook📄 StandaloneStandalone ContentFor each IoT device entity included in the alert, this playbook will get CVEs from the Azure Defender for IoT Sensor.
Get-AD4IoTDeviceCVEs - IncidentPlaybook📄 StandaloneStandalone ContentFor each IoT device entity included in the alert, this playbook will get CVEs from the Azure Defender for IoT Sensor.
Get-ASCRecommendationsPlaybook📄 StandaloneStandalone Content
Get-ASCRecommendationsPlaybook📄 StandaloneStandalone ContentThis playbook will take each Host entity and, if it's an Azure Resource, query the ASC API to get any ASC recommendations. It will add a tag and comment if any unhealthy recommendations are found for the re...
Get-GeoFromIpAndTagIncidentPlaybook📄 StandaloneStandalone Content
Get-GeoFromIpAndTagIncidentPlaybook📄 StandaloneStandalone Content
Get-MDEInvestigationPackagePlaybook📄 StandaloneStandalone Content
Get-MDEInvestigationPackage-Entity-TriggerPlaybook📄 StandaloneStandalone ContentThis playbook will call the collect investigation package in MDE based on Host entity. It will then loop until that's complete; once complete it will add a comment to the incident (in case we invoke th...
Get-MDEInvestigationPackagePlaybook📄 StandaloneStandalone ContentThis playbook will call the collect investigation package in MDE. It will then loop until that's complete; once complete it will add a comment to the incident and post a message in Teams with the URL t...
Get-MDEStatisticsPlaybook📄 StandaloneStandalone Content
Get-MDEStatisticsPlaybook📄 StandaloneStandalone ContentThis playbook will get IP, File and Domain statistics from Microsoft Defender for Endpoint and add them to a comment on the Incident in Azure Sentinel.
Get-MerakiData-configurationChangesPlaybook📄 StandaloneStandalone Contentauthor: Rich Lilly
Get-MerakiData-OrgSecurityEventsPlaybook📄 StandaloneStandalone Contentauthor: Rich Lilly
Get-O365DataPlaybook📄 StandaloneStandalone ContentAuthor: Pete Bryan
Get-SentinelAlertsEvidencePlaybook📄 StandaloneStandalone Content
Get Sentinel Alerts Evidence - incident triggerPlaybook📄 StandaloneStandalone ContentThis playbook will automatically attach alert evidence from Azure Sentinel alerts and send them to an Event Hub that can be consumed by a 3rd party SIEM solution.
Get-SOCActionsPlaybook📄 StandaloneStandalone Contentauthor: Rin Ure
Get-SOCTasksPlaybook📄 StandaloneStandalone ContentThis playbook uses the SOCRA Watchlist to automatically enrich incidents generated by Microsoft Sentinel with Tasks to review and take. Tasks will be evaluated per Customer Organization and edited/mod...
Get-TenableVlunPlaybook📄 StandaloneStandalone ContentAuthor: Younes Khaldi
Guardicore-Import-AssetsPlaybook📄 StandaloneStandalone ContentAuthor: Accelerynt
Guardicore-Import-IncidentsPlaybook📄 StandaloneStandalone ContentAuthor: Accelerynt
Guardicore-ThreatIntelPlaybook📄 StandaloneStandalone ContentAuthor: Accelerynt
Logic Apps Custom Connector and Playbook templates - HaveIBeenPwnedPlaybook📄 StandaloneStandalone ContentThis is a consolidated json file for deploying Have I Been Pwned custom connector + 4 playbooks.
Get Account Breaches - HaveIBeenPwnedPlaybook📄 StandaloneStandalone ContentThis playbook updates the Incident if the user accounts are breached.
Get Site Breaches - HaveIBeenPwnedPlaybook📄 StandaloneStandalone ContentThis playbook updates the Incident if the sites are breached.
Response on Teams - HaveIBeenPwnedPlaybook📄 StandaloneStandalone ContentThis playbook checks if user accounts are breached, sends email to breached user account and closes incident based on action taken by SOC.
Send Email - HaveIBeenPwnedPlaybook📄 StandaloneStandalone ContentThis playbook checks if user accounts are breached and sends breach details to the user accounts that have been breached.
HaveIBeenPwnedEmailPlaybook📄 StandaloneStandalone ContentThis Playbook for Azure Sentinel uses the API for haveibeenpwned.com and checks to see if an email address entity in an Incident has been compromised online and returns a quick note to the Comments ta...
IdentityProtection-EmailResponsePlaybook📄 StandaloneStandalone Contentauthor: Lior Tamir
Identity Protection response from TeamsPlaybook📄 StandaloneStandalone ContentRun this playbook on incidents which contain suspicious AAD identities. For each account, this playbook posts an adaptive card in the SOC Microsoft Teams channel, including the potential risky user ...
new-inc-notificationPlaybook📄 StandaloneStandalone Contentauthor: Ali Yazdani
IncidentUpdate-GetSentinelAlertsEvidencePlaybook📄 StandaloneStandalone ContentThis playbook will run on a time schedule (every hour) and it will check for any incident that was updated (in the last hour) in your Sentinel workspace by Sentinel Alerts. It will then auto...
Put CanaryTokens webhook alerts to Custom Logs tablePlaybook📄 StandaloneStandalone ContentThis Logic App connector will act as a Webhook listener, CanaryTokens can then send data upon an incident when the canary token has been opened. This will send the data to Azure Sentinel - CanaryToken...
Ingest-PrismaPlaybook📄 StandaloneStandalone Contentauthor: Nathan Swift
Isolate-AzureStorageAccountPlaybook📄 StandaloneStandalone Contentauthor: Ryan Graham
Isolate-AzureVMtoNSGPlaybook📄 StandaloneStandalone Contentauthor: Nathan Swift
Isolate-AzVMPlaybook📄 StandaloneStandalone Content**Note:** Please refer to the following before installing the playbook: • ...
MTI Threat Actor LookupPlaybook📄 StandaloneStandalone ContentTo be deployed with the bundled function app to automate infrastructure chaining with the MTI API
Add URL - NetskopePlaybook📄 StandaloneStandalone ContentThis playbook adds URLs to a Netskope URL list to be used in policy definitions etc.
Notify-ASCAlertAzureResourcePlaybook📄 StandaloneStandalone Contentauthor: Nathan Swift
OktaEvents-to-SentinelPlaybook📄 StandaloneStandalone ContentAuthor: Yaniv Shasha
Open-ServiceDeskPlusOnDemand-TicketPlaybook📄 StandaloneStandalone Contentauthor: Robert Kitching
Block IP - Palo Alto PAN-OSPlaybook📄 StandaloneStandalone ContentThis playbook allows blocking/allowing of IPs in PAN-OS, using an address object group. The address object group itself should be attached to a pre-defined security policy rule.
Block URL - Palo Alto PAN-OSPlaybook📄 StandaloneStandalone ContentThis playbook allows blocking/allowing of URLs in PAN-OS, using an address object group. The address object group itself should be attached to a pre-defined security policy rule.
Get System Info - Palo Alto PAN-OS XML APIPlaybook📄 StandaloneStandalone ContentThis playbook gets a threat PCAP from the Panorama machine for a particular threat.
Get Threat PCAP - Palo Alto PAN-OS XML APIPlaybook📄 StandaloneStandalone ContentThis playbook gets a threat PCAP from the Panorama machine for a particular threat.
PaloAlto-PAN-OS-GetURLCategoryInfoPlaybook📄 StandaloneStandalone ContentWhen a new Sentinel incident is created, this playbook gets triggered and performs the actions below: 1. Fetches the address group details and URL filtering category information from PAN-OS 2. Updates all...
Logic Apps Custom Connector and Playbook templates - Palo Alto Wildfire and PAN-OSPlaybook📄 StandaloneStandalone ContentThis is a consolidated json file for deploying WildFire custom connector + 3 Playbooks
Block URL - Palo Alto Wildfire and PAN-OSPlaybook📄 StandaloneStandalone ContentThis playbook is used to add verdict URL security policy rules
Block URL From Teams - Palo Alto Wildfire and PAN-OSPlaybook📄 StandaloneStandalone ContentThis playbook is used to add Malicious URL to security policy rules of PAN-OS VM on teams response
FileHash Enrichment - Palo Alto WildfirePlaybook📄 StandaloneStandalone ContentThis playbook is used to enrich a Sentinel incident with file hash information
Post-Tags-And-Comments-To-Your-IntSights-AccountPlaybook📄 StandaloneStandalone Contentauthor: Shir Sabag - IntSights
Put Defender for Endpoint Alert as Hunting ARM Template in GitHub RepPlaybook📄 StandaloneStandalone ContentThis Playbook Provides the automation to Push Defender for Endpoint Alerts including Alert Names, MITRE Tactics, Techniques and Sub-Techniques as Hunting ARM Templates into a Sentinel Github Repositor...
Alert trigger empty playbookPlaybook📄 StandaloneStandalone ContentUse this template to quickly create a new playbook which starts with an Azure Sentinel alert. The playbook is deployed with Managed Identity enabled.
Incident trigger empty playbookPlaybook📄 StandaloneStandalone ContentUse this template to quickly create a new playbook which starts with an Azure Sentinel incident. The playbook is deployed with Managed Identity enabled.
RecordedFuture-ImportToDefenderEndpoint (DEPRECATED)Playbook📄 StandaloneStandalone ContentDEPRECATED: This playbook is no longer functional. Microsoft has deprecated the Graph Security tiIndicators API that this playbook relies on. Do not deploy this playbook. This playbook previously leve...
RecordedFuture-TIforDefenderEndpoint (DEPRECATED)Playbook📄 StandaloneStandalone ContentDEPRECATED: This playbook is no longer functional. Microsoft has deprecated the Graph Security tiIndicators API that this playbook relies on. Do not deploy this playbook. This playbook previously leve...
RecordedFuture_IP_SCF_ImportToDefenderEndpoint (DEPRECATED)Playbook📄 StandaloneStandalone ContentDEPRECATED: This playbook is no longer functional. Microsoft has deprecated the Graph Security tiIndicators API that this playbook relies on. Do not deploy this playbook. This playbook previously leve...
RecordedFuture_IP_SCF_IndicatorProcessor (DEPRECATED)Playbook📄 StandaloneStandalone ContentDEPRECATED: This playbook is no longer functional. Microsoft has deprecated the Graph Security tiIndicators API that this playbook relies on. Do not deploy this playbook. This playbook previously leve...
Remove-MDEAppExecution | Playbook | 📄 Standalone | Standalone Content | This playbook will remove the "restrict app execution" action on the machine in Microsoft Defender for Endpoint.
Reopen-Incident-With-Incomplete-Tasks | Playbook | 📄 Standalone | Standalone Content | This playbook will reopen a closed Sentinel incident if there are any incident tasks attached which have not been completed. In addition, a tag and comment will be added to the incident to call attent...
Run-AzureVMPacketCapture | Playbook | 📄 Standalone | Standalone Content | author: Nathan Swift
Run-Notebook-After-Incident-Creation | Playbook | 📄 Standalone | Standalone Content | This playbook will trigger a Microsoft Sentinel notebook to process a newly created incident. It will pass the incident ID and entities, if any, to the notebook.
Send-AnalyticalRulesHealthNotifications | Playbook | 📄 Standalone | Standalone Content | Sends notifications about Azure Sentinel analytics rules that have been auto-disabled.
Send-AzCommunicationsSMSMessage | Playbook | 📄 Standalone | Standalone Content | This playbook will send an SMS message using Azure Communication Services to alert on new incidents.
Ingestion Cost Alert Playbook | Playbook | 📄 Standalone | Standalone Content | This playbook sends you an e-mail or Microsoft Teams message alert if a user-defined budget threshold is exceeded.
Send Ingestion Cost Anomaly Alert | Playbook | 📄 Standalone | Standalone Content | This playbook sends you an alert should there be an ingestion spike into your workspace. The playbook uses the series_decompose_anomalies KQL function to determine anomalous ingestion.
Post Message Slack Via Webhook | Playbook | 📄 Standalone | Standalone Content | This playbook sends a Slack message with basic incident details (incident title, severity, tactics, link, ...) when an incident is created in Microsoft Sentinel. The playbook includes functionality to: ...
Send Unhealthy Azure Arc Resource Alert | Playbook | 📄 Standalone | Standalone Content | A Sentinel logic app designed to send an email alert when an unhealthy Azure Arc resource is detected. The logic app is implemented using Azure Logic Apps and utilizes Azure Monitor Logs and Office 365 ...
Send-UrlReport | Playbook | 📄 Standalone | Standalone Content | authors: Yaniv Shasha and Yehuda Tognder
spur_alert | Playbook | 📄 Standalone | Standalone Content
Start-MDEAutomatedInvestigation | Playbook | 📄 Standalone | Standalone Content | This playbook will call the start automated investigation action in MDE. It will then add a comment to the incident and post a message in Teams.
Sync - Incident Comment To M365D On Update | Playbook | 📄 Standalone | Standalone Content | This playbook will sync incident comments from Microsoft Sentinel to Microsoft 365 Defender when a comment is added.
Thinkst Canary Microsoft Sentinel Alert Integration | Playbook | 📄 Standalone | Standalone Content | This playbook integrates Thinkst Canary cloud console alerts with Microsoft Sentinel.
Update-BulkIncidents | Playbook | 📄 Standalone | Standalone Content | authors: Priscila Viana, Nathan Swift
Update Watchlist - CVE IPs by GreyNoise | Playbook | 📄 Standalone | Standalone Content | This playbook uses the GreyNoise API to search for interesting IPs discovered in the last day, tagged for each CVE found in the mode you set up.
Update-VIPUsers-Watchlist-from-AzureAD-Group | Playbook | 📄 Standalone | Standalone Content | author: Benjamin Kovacevic
Watchlist-SendSQLData-Watchlist | Playbook | 📄 Standalone | Standalone Content | author: Yaniv Shasha
Block IP - Zscaler | Playbook | 📄 Standalone | Standalone Content | This playbook blocks IPs in Zscaler by adding them to categories.
Zscaler URL category lookup | Playbook | 📄 Standalone | Standalone Content | This playbook posts Zscaler category information for the URL included in the incident.
AS-Add-Domains-to-Zscaler-URL-Category | Playbook | 📄 Standalone | Standalone Content | This playbook will extract domains from Microsoft Sentinel incidents and add them to a Zscaler custom URL category of your choice.
ZscalarDNSEventsIPSummary | Summary Rule | 📄 Standalone | Standalone Content | This summary rule aggregates DNS events from Zscaler Internet Access devices, providing hourly insights into event count by event result details, DNS query, source username, source and destination IP ...
FortinetFortigateNetworkSessionIPSummary | Summary Rule | 📄 Standalone | Standalone Content | This summary rule aggregates network session logs from Fortinet Fortigate devices, providing hourly insights into session count, data sent and data received by device actions, destination port, protoc...
PaloAltoPANOSNetworkSessionIPSummary | Summary Rule | 📄 Standalone | Standalone Content | This summary rule aggregates network session logs from Palo Alto PAN-OS devices, providing hourly insights into session count, data sent, data received by device actions, destination port, source and ...
ZscalarNetworkSessionIPSummary | Summary Rule | 📄 Standalone | Standalone Content | This summary rule aggregates network session logs from Zscaler Internet Access devices, providing hourly insights into session count, data sent, data received by device actions, destination port, prot...
FortinetFortigateWebSessionIPSummary | Summary Rule | 📄 Standalone | Standalone Content | This summary rule aggregates web session logs from Fortinet Fortigate devices, providing hourly insights into session count, data sent and data received by device actions, destination hostname, source...
PaloAltoPANOSWebSessionIPSummary | Summary Rule | 📄 Standalone | Standalone Content | This summary rule aggregates web session logs from Palo Alto PAN-OS devices, providing hourly insights into session count, data sent, data received by device actions, sourceUserName, destination hostn...
ZscalarWebSessionIPSummary | Summary Rule | 📄 Standalone | Standalone Content | This summary rule aggregates web session logs from Zscaler Internet Access devices, providing hourly insights into session count, data sent and data received by device action, destination hostname, so...
Excessive Blocked Traffic Events Generated by User | Analytic Rule | 📦 Solution | Symantec Endpoint Protection | Creates an incident when a Symantec Endpoint Protection agent detects excessive amounts of blocked traffic generated by a single user.
Malware Detected | Analytic Rule | 📦 Solution | Symantec Endpoint Protection | Creates an incident when a Symantec Endpoint Protection agent detects malware and the malware was not cleaned.
SymantecEndpointProtection | Workbook | 📦 Solution | Symantec Endpoint Protection
SymantecEndpointProtection | Parser | 📦 Solution | Symantec Endpoint Protection
ClientDeniedAccess | Analytic Rule | 📦 Solution | Symantec VIP | Creates an incident in the event a client has an excessive amount of denied access requests.
Excessive Failed Authentication from Invalid Inputs | Analytic Rule | 📦 Solution | Symantec VIP | Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, an indication of a potential brute force.
SymantecVIP | Workbook | 📦 Solution | Symantec VIP
SymantecVIP | Parser | 📦 Solution | Symantec VIP
Excessive Denied Proxy Traffic | Analytic Rule | 📦 Solution | SymantecProxySG | This alert creates an incident when a client generates an excessive amount of denied proxy traffic.
User Accessed Suspicious URL Categories | Analytic Rule | 📦 Solution | SymantecProxySG | Creates an incident in the event the URL requested by the user has been identified as Suspicious, Phishing, or Hacking.
SymantecProxySG | Workbook | 📦 Solution | SymantecProxySG
SymantecProxySG | Parser | 📦 Solution | SymantecProxySG
Failed logon attempts in authpriv | Analytic Rule | 📦 Solution | Syslog | Identifies failed logon attempts from unknown users in Syslog authpriv logs. An unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone...
NRT Squid proxy events related to mining pools | Analytic Rule | 📦 Solution | Syslog | Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/
SFTP File transfer above threshold | Analytic Rule | 📦 Solution | Syslog | Identifies SFTP file transfers above a certain threshold in a 15-minute time period. It requires the SFTP VERBOSE log level to be enabled. Please note that entity mapping for arrays is not supported, so when th...
SFTP File transfer folder count above threshold | Analytic Rule | 📦 Solution | Syslog | Identifies SFTP file transfers with a distinct folder count above a certain threshold in a 15-minute time period. It requires the SFTP VERBOSE log level to be enabled. Please note that entity mapping for arrays ...
Squid proxy events related to mining pools | Analytic Rule | 📦 Solution | Syslog | Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/
Squid proxy events for ToR proxies | Analytic Rule | 📦 Solution | Syslog | Checks for Squid proxy events associated with common Tor proxies. This query presumes the default Squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/
SSH - Potential Brute Force | Analytic Rule | 📦 Solution | Syslog | Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4-hour block during a 24-hour time period. Please note that entity mapping for arrays is not supported, so when there is a...
Crypto currency miners EXECVE | Hunting Query | 📦 Solution | Syslog | This query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded. It returns a table of suspicious command lines.
Suspicious crytocurrency mining related threat activity detected | Hunting Query | 📦 Solution | Syslog | This query detects terminated suspicious crypto mining payloads/processes. Attackers often halt other mining processes to gain more resources on compromised systems for their payload.
Rare process running on a Linux host | Hunting Query | 📦 Solution | Syslog | Looks for rare processes that are running on Linux hosts: processes seen fewer than 14 times in the last 7 days, or whose observed rate is less than 1% of the average for the environment and fewer th...
Linux scheduled task Aggregation | Hunting Query | 📦 Solution | Syslog | This query aggregates and charts cron job data based on unique user-command pairs. It shows the frequency of commands, the number of computers they've run on, and their percentage of total tenant comp...
Editing Linux scheduled tasks through Crontab | Hunting Query | 📦 Solution | Syslog | This query displays user edits to scheduled tasks via crontab, bucketed into 10-minute intervals. It collects all actions by a user over seven days.
SCX Execute RunAs Providers | Hunting Query | 📦 Solution | Syslog | This query uses AUOMS security events to examine SCX Execute RunAs providers. These providers execute UNIX/Linux commands/scripts from /var/opt/microsoft/scx/tmp. SCXcore is used in various Microsoft ...
Squid commonly abused TLDs | Hunting Query | 📦 Solution | Syslog | Some TLDs, often linked to malware because they are easy to obtain, may be undesirable for enterprises. The 'clientCount' column shows domain usage across the estate. Assumes the default Squid log format.
Squid malformed requests | Hunting Query | 📦 Solution | Syslog | Malformed web requests are sometimes used for reconnaissance to detect the presence of network security devices. A large number of requests from a single source may indicate compromised hosts. Assumes...
Squid data volume timeseries anomalies | Hunting Query | 📦 Solution | Syslog | Malware or data exfiltration can cause network data volume anomalies. This query detects such anomalies in the volume of bytes traversing a Squid proxy. Anomalies require further investigation. Assumes de...
LinuxMachines | Workbook | 📦 Solution | Syslog
SyslogConnectorsOverviewWorkbook | Workbook | 📦 Solution | Syslog
TacitRed to Defender TI | Playbook | 📦 Solution | TacitRed-Defender-ThreatIntelligence | This playbook ingests TacitRed threat intelligence into Microsoft Defender Threat Intelligence via an Azure Function. It runs on a recurring schedule, retrieves compromised credentials from TacitRed, ...
TacitRed to CrowdStrike IOC Automation | Playbook | 📦 Solution | TacitRed-IOC-CrowdStrike | This playbook fetches compromised credential findings from TacitRed threat intelligence and creates corresponding IOC indicators in CrowdStrike Falcon for automated threat response.
TacitRed to SentinelOne IOC Automation | Playbook | 📦 Solution | TacitRed-SentinelOne | This playbook fetches compromised credential findings from TacitRed threat intelligence and creates corresponding IOC indicators in SentinelOne for automated threat response.
TacitRed - High Confidence Compromise | Analytic Rule | 📦 Solution | TacitRedThreatIntelligence | Detects compromised credentials with high confidence scores. High confidence findings indicate verified credential compromises that require immediate attention. Ref: https://data443.com/tacitred-atta...
TacitRed - Repeat Compromise Detection | Analytic Rule | 📦 Solution | TacitRedThreatIntelligence | Detects users who have been compromised multiple times within a 7-day window. This may indicate a persistent threat or inadequate remediation. Ref: https://data443.com/tacitred-attack-surface-intelli...
TacitRedSecOpsWorkbook | Workbook | 📦 Solution | TacitRedThreatIntelligence
TalonInsights | Workbook | 📦 Solution | Talon
Tanium Threat Response Alerts | Analytic Rule | 📦 Solution | Tanium | Alerts from Tanium Threat Response (THR) that can be acted upon by a Microsoft Sentinel playbook.
TaniumWorkbook | Workbook | 📦 Solution | Tanium
Tanium-ComplyFindings | Playbook | 📦 Solution | Tanium | Tanium's real-time data can speed up investigations by providing important context for analysts, such as whether or not there are compliance findings on the endpoints in question. This playbook starts...
Tanium-GeneralHostInfo | Playbook | 📦 Solution | Tanium | Tanium's real-time data can speed up investigations by providing important context for analysts, such as basic information about the computer's name, IP, and storage information. This playbook starts ...
Tanium-MSDefenderHealth | Playbook | 📦 Solution | Tanium | Tanium's real-time data can speed up investigations by providing important context for analysts, such as whether or not Defender is healthy on the endpoint. This playbook starts with a Microsoft Senti...
Tanium-QuarantineHosts | Playbook | 📦 Solution | Tanium | During an investigation, it may be critical to isolate endpoints quickly if a compromise is detected. It's also important to track quarantine actions for auditing purposes. This playbook starts with a...
Tanium-ResolveThreatResponseAlert | Playbook | 📦 Solution | Tanium | Maintaining alert hygiene in multiple consoles can be overwhelming. This playbook helps teams keep Tanium Threat Response up to date when using Microsoft Sentinel to centrally manage alerts. This play...
Tanium-SCCMClientHealth | Playbook | 📦 Solution | Tanium | Tanium's real-time data can speed up investigations by providing important context for analysts, such as pulling back Microsoft Configuration Manager (formerly SCCM) health. This playbook starts with ...
Tanium-ListSecurityPatches | Playbook | 📦 Solution | Tanium | Tanium's real-time data can speed up investigations by providing important context for analysts, such as which security patches are missing on the endpoints in question. This playbook starts with a Mi...
Tanium-UnquarantineHosts | Playbook | 📦 Solution | Tanium | This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, then directs Tanium to un-quarantine those hosts. The status of the un-quarantine operation is co...
TeamCymruScout | Workbook | 📦 Solution | Team Cymru Scout
Team Cymru Scout Create Incident And Notify | Playbook | 📦 Solution | Team Cymru Scout | This playbook will create an incident for a suspicious or malicious IP and notify a predefined or user-customizable email ID.
Team Cymru Scout Enrich Incident | Playbook | 📦 Solution | Team Cymru Scout | This playbook will fetch and ingest IP or domain indicator data based on the entity mapped in the Microsoft Sentinel incident and notify a predefined or user-customizable email ID.
Team Cymru Scout Live Investigation | Playbook | 📦 Solution | Team Cymru Scout | This playbook will fetch and ingest IP or domain indicator data based on input parameters given in the live investigation dashboard.
CymruScoutAccountUsage | Parser | 📦 Solution | Team Cymru Scout
CymruScoutCommunicationsData | Parser | 📦 Solution | Team Cymru Scout
CymruScoutCorrelate | Parser | 📦 Solution | Team Cymru Scout
CymruScoutDomain | Parser | 📦 Solution | Team Cymru Scout
CymruScoutDomainData | Parser | 📦 Solution | Team Cymru Scout
CymruScoutFingerprintsData | Parser | 📦 Solution | Team Cymru Scout
CymruScoutIdentity | Parser | 📦 Solution | Team Cymru Scout
CymruScoutIP | Parser | 📦 Solution | Team Cymru Scout
CymruScoutOpenPortsData | Parser | 📦 Solution | Team Cymru Scout
CymruScoutPdnsData | Parser | 📦 Solution | Team Cymru Scout
CymruScoutProtoByIP | Parser | 📦 Solution | Team Cymru Scout
CymruScoutSummary | Parser | 📦 Solution | Team Cymru Scout
CymruScoutSummaryTopCerts | Parser | 📦 Solution | Team Cymru Scout
CymruScoutSummaryTopFingerprints | Parser | 📦 Solution | Team Cymru Scout
CymruScoutSummaryTopOpenPorts | Parser | 📦 Solution | Team Cymru Scout
CymruScoutSummaryTopPdns | Parser | 📦 Solution | Team Cymru Scout
CymruScoutTopAsnsByIP | Parser | 📦 Solution | Team Cymru Scout
CymruScoutTopCountryCodesByIP | Parser | 📦 Solution | Team Cymru Scout
CymruScoutTopServicesByIP | Parser | 📦 Solution | Team Cymru Scout
CymruScoutTopTagsByIP | Parser | 📦 Solution | Team Cymru Scout
CymruScoutWhois | Parser | 📦 Solution | Team Cymru Scout
CymruScoutX509Data | Parser | 📦 Solution | Team Cymru Scout
TeamCymruScoutDomainData | Watchlist | 📦 Solution | Team Cymru Scout
TeamCymruScoutIPData | Watchlist | 📦 Solution | Team Cymru Scout
MicrosoftTeams | Workbook | 📦 Solution | Teams
Advanced ServiceNow Teams Integration Playbook | Playbook | 📦 Solution | Teams | This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within ServiceNow. Additionally, the playbook will also list playbooks that can be ...
Send Teams Adaptive Card on incident creation | Playbook | 📦 Solution | Teams | This playbook will send a Microsoft Teams Adaptive Card on incident creation, with the option to change the incident's severity and/or status.
TIE Active Directory attacks pathways | Analytic Rule | 📦 Solution | Tenable App | Searches for triggered Indicators of Exposure related to Active Directory attack pathways.
TIE DCShadow | Analytic Rule | 📦 Solution | Tenable App | Searches for DCShadow attacks.
TIE DCSync | Analytic Rule | 📦 Solution | Tenable App | Searches for DCSync attacks.
TIE Golden Ticket | Analytic Rule | 📦 Solution | Tenable App | Searches for Golden Ticket attacks.
TIE Indicators of Attack | Analytic Rule | 📦 Solution | Tenable App | Searches for triggered Indicators of Attack.
TIE Indicators of Exposures | Analytic Rule | 📦 Solution | Tenable App | Searches for triggered Indicators of Exposure.
TIE LSASS Memory | Analytic Rule | 📦 Solution | Tenable App | Searches for OS credential dumping attacks.
TIE Password Guessing | Analytic Rule | 📦 Solution | Tenable App | Searches for brute-force password guessing attacks.
TIE Password issues | Analytic Rule | 📦 Solution | Tenable App | Searches for triggered Indicators of Exposure related to password issues.
TIE Password Spraying | Analytic Rule | 📦 Solution | Tenable App | Searches for password spraying attacks.
TIE privileged accounts issues | Analytic Rule | 📦 Solution | Tenable App | Searches for triggered Indicators of Exposure related to privileged account issues.
TIE user accounts issues | Analytic Rule | 📦 Solution | Tenable App | Searches for triggered Indicators of Exposure related to user account issues.
TenableIEIoA | Workbook | 📦 Solution | Tenable App
TenableIEIoE | Workbook | 📦 Solution | Tenable App
Tenable VM - Enrich incident with asset info | Playbook | 📦 Solution | Tenable App | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset information by the IPs in Micros...
Tenable VM - Enrich incident with vulnerability info | Playbook | 📦 Solution | Tenable App | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset IDs by the IPs in Microsoft Sent...
Tenable VM - Launch Scan | Playbook | 📦 Solution | Tenable App | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Launches scan by scan id provided during the playbook deployment. 2. Adds informa...
afad_parser | Parser | 📦 Solution | Tenable App
TenableVMAssets | Parser | 📦 Solution | Tenable App
TenableVMVulnerabilities | Parser | 📦 Solution | Tenable App
Tenable.ad Active Directory attacks pathways 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for triggered Indicators of Exposure related to Active Directory attack pathways.
Tenable.ad DCShadow 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for DCShadow attacks.
Tenable.ad DCSync 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for DCSync attacks.
Tenable.ad Golden Ticket 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for Golden Ticket attacks.
Tenable.ad Indicators of Attack 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for triggered Indicators of Attack.
Tenable.ad Indicators of Exposures 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for triggered Indicators of Exposure.
Tenable.ad LSASS Memory 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for OS credential dumping attacks.
Tenable.ad Password Guessing 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for brute-force password guessing attacks.
Tenable.ad Password issues 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for triggered Indicators of Exposure related to password issues.
Tenable.ad Password Spraying 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for password spraying attacks.
Tenable.ad privileged accounts issues 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for triggered Indicators of Exposure related to privileged account issues.
Tenable.ad user accounts issues 🔍 | Analytic Rule | 📦 Solution | TenableAD | Searches for triggered Indicators of Exposure related to user account issues.
TenableAdIoA 🔍 | Workbook | 📦 Solution | TenableAD
TenableAdIoE 🔍 | Workbook | 📦 Solution | TenableAD
afad_parser 🔍 | Parser | 📦 Solution | TenableAD
Tenable.io - Enrich incident with asset info | Playbook | 📦 Solution | TenableIO | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset information by the IPs in Micros...
Tenable.io - Enrich incident with vulnerability info | Playbook | 📦 Solution | TenableIO | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset IDs by the IPs in Microsoft Sent...
Tenable.io - Launch Scan | Playbook | 📦 Solution | TenableIO | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Launches scan by scan id provided during the playbook deployment. 2. Adds informa...
TenableIOAssets 🔍 | Parser | 📦 Solution | TenableIO
TenableIOVulnerabilities 🔍 | Parser | 📦 Solution | TenableIO
The Hive - Create alert | Playbook | 📦 Solution | TheHive | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Parses alert extended properties. 2. Parses alert custom details. 3. Creates aler...
The Hive - Create case | Playbook | 📦 Solution | TheHive | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Creates a case in the TheHive instance with enriched description and title. 2. Gets Hos...
The Hive - Lock user | Playbook | 📦 Solution | TheHive | Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Parses alert custom details. 2. Locks users by UserId or UserLogin passed from al...
TheHive 🔍 | Parser | 📦 Solution | TheHive
Theom Critical Risks | Analytic Rule | 📦 Solution | Theom | Creates Microsoft Sentinel incidents for critical risk Theom alerts.
Theom High Risks | Analytic Rule | 📦 Solution | Theom | Creates Microsoft Sentinel incidents for high risk Theom alerts.
Theom Insights | Analytic Rule | 📦 Solution | Theom | Creates Microsoft Sentinel incidents for Theom insight alerts.
Theom Low Risks | Analytic Rule | 📦 Solution | Theom | Creates Microsoft Sentinel incidents for low risk Theom alerts.
Theom Medium Risks | Analytic Rule | 📦 Solution | Theom | Creates Microsoft Sentinel incidents for medium risk Theom alerts.
Theom - Dev secrets unencrypted | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CI...
Theom - National IDs unencrypted | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0002 (National IDs have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS req...
Theom - Financial data unencrypted | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0003 (Financial data has been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS re...
Theom - Healthcare data unencrypted | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0004 (Healthcare data has been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS r...
Theom - Unencrypted public data stores | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0005 (Theom has observed data stores that are both unencrypted and publicly accessible. Review if the data store a...
Theom - Critical data in API headers or body | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleIds TRIS0007 to TRIS0010 and TRIS0014.
Theom - Dev secrets exposed | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0012 (Theom has observed developer secrets in a data store that is publicly exposed. As per this requirement, use ...
Theom - Healthcare data exposed | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0015 (Theom has observed healthcare data in a data store that is publicly exposed. As per this requirement, use th...
Theom - National IDs exposed | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0018 (Theom has observed National IDs in a data store that is publicly exposed. As per this requirement, use this ...
Theom - Financial data exposed | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0026 (Theom has observed financial data in a data store that is publicly exposed. As per this requirement, use thi...
Theom - Dark Data with large fin value | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed data with a large financial value, but that has not been accessed recently. Use this info...
Theom - Least priv large value shadow DB | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it ha...
Theom - Overprovisioned Roles Shadow DB | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0034 (Theom has observed shadow (or clone) databases/tables. Additionally, it has observed roles that are overprov...
Theom - Shadow DB large datastore value | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0035 (Theom has observed shadow (or clone) databases/tables with large financial value. As per this requirement, u...
Theom - Shadow DB with atypical accesses | Analytic Rule | 📦 Solution | Theom | Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0036 (Theom has observed shadow or clone databases/tables. Additionally, it has observed atypical accesses to thes...
Theom | Workbook | 📦 Solution | Theom
Preview - TI map Domain entity to Cloud App Events | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies compromises and attacks and detects malicious activity involving a domain entity from TI.
TI map Domain entity to PaloAlto CommonSecurityLog | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the PaloAlto CommonSecurityLog table from any Domain IOC from TI.
TI Map Domain Entity to DeviceNetworkEvents | Analytic Rule | 📦 Solution | Threat Intelligence | This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.
TI map Domain entity to DnsEvents | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in DnsEvents from any Domain IOC from TI.
TI map Domain entity to EmailEvents | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the EmailEvents table from any Domain IOC from TI.
TI map Domain entity to EmailUrlInfo | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the EmailUrlInfo table from any Domain IOC from TI.
TI map Domain entity to Web Session Events (ASIM Web Session schema) | Analytic Rule | 📦 Solution | Threat Intelligence | This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web sessio...
TI map Domain entity to PaloAlto | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in Palo Alto data in the CommonSecurityLog table from any Domain IOC from TI.
TI map Domain entity to SecurityAlert | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the SecurityAlert table from any Domain IOC from TI.
TI map Domain entity to Syslog | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the Syslog table from any Domain IOC from TI.
TI map Email entity to AzureActivity | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the AzureActivity table from any Email IOC from TI.
Preview - TI map Email entity to Cloud App Events | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies compromises and attacks and detects malicious activity involving an email entity from TI.
TI map Email entity to EmailEvents | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the EmailEvents table from any Email IOC from TI.
TI map Email entity to OfficeActivity | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the OfficeActivity table from any Email IOC from TI.
TI map Email entity to PaloAlto CommonSecurityLog | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the CommonSecurityLog table from any Email IOC from TI.
TI map Email entity to SecurityAlert | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the SecurityAlert table from any Email IOC from TI, which extends coverage to data types such as MCAS, StorageThreatProtection and many others.
TI map Email entity to SecurityEvent | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the SecurityEvent table from any Email IOC from TI.
TI map Email entity to SigninLogs | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in the SigninLogs table from any Email IOC from TI.
TI map File Hash to CommonSecurityLog Event | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in CommonSecurityLog event data from any FileHash IOC from TI.
TI map File Hash to DeviceFileEvents Event | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in DeviceFileEvents event data from any FileHash IOC from TI.
TI map File Hash to Security Event | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in Security Event data from any File Hash IOC from TI.
TI map Domain entity to Dns Events (ASIM DNS Schema) | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in DNS events from any Domain IOC from TI. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.
TI map IP entity to DNS Events (ASIM DNS schema) | Analytic Rule | 📦 Solution | Threat Intelligence | This rule identifies DNS requests for which the response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the AS...
TI map IP entity to AppServiceHTTPLogs | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in AppServiceHTTPLogs from any IP IOC from TI.
TI map IP entity to AWSCloudTrail | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in AWSCloudTrail from any IP IOC from TI.
TI Map IP Entity to AzureActivity | Analytic Rule | 📦 Solution | Threat Intelligence | This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AzureActivity.
TI map IP entity to AzureFirewall | Analytic Rule | 📦 Solution | Threat Intelligence | Identifies a match in AzureFirewall (NetworkRule & ApplicationRule logs) from any IP IOC from TI.
TI map IP entity to Azure Key Vault logsAnalytic Rule📦 SolutionThreat IntelligenceIdentifies a match in Azure Key Vault logs from any IP IOC from TI
TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)Analytic Rule📦 SolutionThreat IntelligenceIdentifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed
TI Map IP Entity to Azure SQL Security Audit EventsAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.
Preview - TI map IP entity to Cloud App EventsAnalytic Rule📦 SolutionThreat IntelligenceIdentifies compromises and attacks and detect malicious activities in one's IP entity from TI
TI Map IP Entity to CommonSecurityLogAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
TI Map IP Entity to DeviceNetworkEventsAnalytic Rule📦 SolutionThreat IntelligenceIdentifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.
TI Map IP Entity to DnsEventsAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.
TI Map IP Entity to Duo SecurityAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.
TI map IP entity to Network Session Events (ASIM Network Session schema)Analytic Rule📦 SolutionThreat IntelligenceThis rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custo...
TI map IP entity to Web Session Events (ASIM Web Session schema)Analytic Rule📦 SolutionThreat IntelligenceThis rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session...
TI map IP entity to OfficeActivityAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
TI Map IP Entity to SigninLogsAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.
TI Map IP Entity to VMConnectionAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.
TI Map IP Entity to W3CIISLogAnalytic Rule📦 SolutionThreat IntelligenceThis query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.
TI map IP entity to Workday(ASimAuditEventLogs)Analytic Rule📦 SolutionThreat IntelligenceDetects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
TI map IP entity to GitHub_CLAnalytic Rule📦 SolutionThreat IntelligenceIdentifies a match in GitHub_CL table from any IP IOC from TI
TI Map URL Entity to AuditLogsAnalytic Rule📦 SolutionThreat IntelligenceThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.
Preview - TI map URL entity to Cloud App EventsAnalytic Rule📦 SolutionThreat IntelligenceIdentifies compromises and attacks and detect malicious activities in one's URL entity from TI
TI Map URL Entity to DeviceNetworkEventsAnalytic Rule📦 SolutionThreat IntelligenceThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.
TI Map URL Entity to EmailUrlInfoAnalytic Rule📦 SolutionThreat IntelligenceThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo.
TI Map URL Entity to OfficeActivity Data [Deprecated]Analytic Rule📦 SolutionThreat IntelligenceThis query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Offi...
TI Map URL Entity to PaloAlto DataAnalytic Rule📦 SolutionThreat IntelligenceThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.
TI Map URL Entity to SecurityAlert DataAnalytic Rule📦 SolutionThreat IntelligenceThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.
TI Map URL Entity to Syslog DataAnalytic Rule📦 SolutionThreat IntelligenceThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.
TI Map URL Entity to UrlClickEventsAnalytic Rule📦 SolutionThreat IntelligenceThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents.
TI Map File Entity to OfficeActivity EventHunting Query📦 SolutionThreat IntelligenceThis query finds matches in OfficeActivity Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for huntin...
TI Map File Entity to Security EventHunting Query📦 SolutionThreat IntelligenceThis query finds matches in Security Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rath...
TI Map File Entity to Syslog EventHunting Query📦 SolutionThreat IntelligenceThis query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather...
TI Map File Entity to VMConnection EventHunting Query📦 SolutionThreat IntelligenceThis query finds matches in VMConnection Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting ...
TI Map File Entity to WireData EventHunting Query📦 SolutionThreat IntelligenceThis query finds matches in WireData Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rath...
ThreatIntelligenceWorkbook📦 SolutionThreat Intelligence
TI map Domain entity to Cloud App EventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies compromises and attacks and detect malicious activities in one's domain entity from TI.
TI map Domain entity to PaloAlto CommonSecurityLogAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI
TI Map Domain Entity to DeviceNetworkEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.
TI map Domain entity to DnsEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in DnsEvents from any Domain IOC from TI
TI map Domain entity to EmailEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in EmailEvents table from any Domain IOC from TI
TI map Domain entity to EmailUrlInfoAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in EmailUrlInfo table from any Domain IOC from TI.
TI map Domain entity to Web Session Events (ASIM Web Session schema)Analytic Rule📦 SolutionThreat Intelligence (NEW)This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web sessio...
TI map Domain entity to PaloAltoAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI
TI map Domain entity to SecurityAlertAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in SecurityAlert table from any Domain IOC from TI
TI map Domain entity to SyslogAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in Syslog table from any Domain IOC from TI
TI map Email entity to AzureActivityAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in AzureActivity table from any Email IOC from TI
TI map Email entity to Cloud App EventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies compromises and attacks and detect malicious activities in one's email entity from TI
TI map Email entity to EmailEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in EmailEvents table from any Email IOC from TI
TI map Email entity to OfficeActivityAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in OfficeActivity table from any Email IOC from TI
TI map Email entity to PaloAlto CommonSecurityLogAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in CommonSecurityLog table from any Email IOC from TI
TI map Email entity to SecurityAlertAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others
TI map Email entity to SecurityEventAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in SecurityEvent table from any Email IOC from TI
TI map Email entity to SigninLogsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in SigninLogs table from any Email IOC from TI
TI map File Hash to CommonSecurityLog EventAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI
TI map File Hash to DeviceFileEvents EventAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI
TI map File Hash to Security EventAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in Security Event data from any File Hash IOC from TI
TI map Domain entity to Dns Events (ASIM DNS Schema)Analytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in DNS events from any Domain IOC from TI This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
TI map IP entity to DNS Events (ASIM DNS schema)Analytic Rule📦 SolutionThreat Intelligence (NEW)This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the AS...
TI map IP entity to AppServiceHTTPLogsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in AppServiceHTTPLogs from any IP IOC from TI
TI map IP entity to AWSCloudTrailAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in AWSCloudTrail from any IP IOC from TI
TI Map IP Entity to AzureActivityAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.
TI map IP entity to AzureFirewallAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI
TI map IP entity to Azure Key Vault logsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in Azure Key Vault logs from any IP IOC from TI
TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)Analytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed
TI Map IP Entity to Azure SQL Security Audit EventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.
TI map IP entity to Cloud App EventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies compromises and attacks and detect malicious activities in one's IP entity from TI
TI Map IP Entity to CommonSecurityLogAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
TI Map IP Entity to DeviceNetworkEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.
TI Map IP Entity to DnsEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.
TI Map IP Entity to Duo SecurityAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.
TI map IP entity to Network Session Events (ASIM Network Session schema)Analytic Rule📦 SolutionThreat Intelligence (NEW)This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custo...
TI map IP entity to Web Session Events (ASIM Web Session schema)Analytic Rule📦 SolutionThreat Intelligence (NEW)This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session...
TI map IP entity to OfficeActivityAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
TI Map IP Entity to SigninLogsAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.
TI Map IP Entity to VMConnectionAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.
TI Map IP Entity to W3CIISLogAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.
TI map IP entity to Workday(ASimAuditEventLogs)Analytic Rule📦 SolutionThreat Intelligence (NEW)Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).
TI map IP entity to GitHub_CLAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies a match in GitHub_CL table from any IP IOC from TI
TI Map URL Entity to AuditLogsAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.
TI map URL entity to Cloud App EventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)Identifies compromises and attacks and detect malicious activities in one's URL entity from TI
TI Map URL Entity to DeviceNetworkEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.
TI Map URL Entity to EmailUrlInfoAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo.
TI map URL entity to Web Session Events (ASIM Web Session schema)Analytic Rule📦 SolutionThreat Intelligence (NEW)This rule identifies Web Sessions where the full requested URL matches a known malicious URL from Threat Intelligence sources. The rule uses the Advanced Security Information Model (ASIM) and supports...
TI Map URL Entity to PaloAlto DataAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.
TI Map URL Entity to SecurityAlert DataAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.
TI Map URL Entity to Syslog DataAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.
TI Map URL Entity to UrlClickEventsAnalytic Rule📦 SolutionThreat Intelligence (NEW)This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents.
TI Map File Entity to OfficeActivity EventHunting Query📦 SolutionThreat Intelligence (NEW)This query finds matches in OfficeActivity Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for huntin...
TI Map File Entity to Security EventHunting Query📦 SolutionThreat Intelligence (NEW)This query finds matches in Security Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rath...
TI Map File Entity to Syslog EventHunting Query📦 SolutionThreat Intelligence (NEW)This query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather...
TI Map File Entity to VMConnection EventHunting Query📦 SolutionThreat Intelligence (NEW)This query finds matches in VMConnection Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting ...
TI Map File Entity to WireData EventHunting Query📦 SolutionThreat Intelligence (NEW)This query finds matches in WireData Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rath...
ThreatIntelligenceNewWorkbook📦 SolutionThreat Intelligence (NEW)
ThreatIntelIndicatorsv2Parser📦 SolutionThreat Intelligence (NEW)
DynamicThreatModeling&ResponseWorkbook📦 SolutionThreatAnalysis&Response
ThreatAnalysis&ResponseWorkbook📦 SolutionThreatAnalysis&Response
Threat Connect TI map Domain entity to DnsEventsAnalytic Rule📦 SolutionThreatConnectIdentifies a match in DnsEvents from any ThreatConnect Domain IOC from TI
ThreatConnect TI map Email entity to OfficeActivityAnalytic Rule📦 SolutionThreatConnectIdentifies a match in OfficeActivity table from any Email IOC from ThreatConnect TI
ThreatConnect TI map Email entity to SigninLogsAnalytic Rule📦 SolutionThreatConnectIdentifies a match in SigninLogs table from any Email IOC from ThreatConnect TI
ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema)Analytic Rule📦 SolutionThreatConnectThreatConnect Specific: This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and suppor...
ThreatConnect TI Map URL Entity to OfficeActivity DataAnalytic Rule📦 SolutionThreatConnectThis query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.
ThreatConnectOverviewWorkbook📦 SolutionThreatConnect
Block IP & URL on ThreatX-WAF cloudPlaybook📦 SolutionThreatXCloudThis Playbook Provides the automation on blocking the suspicious/malicious IP and URL on ThreatX cloud waf
Fetch Threat Intel from ThreatXPlaybook📦 SolutionThreatXCloudThis playbook provides/updates the threat intel and essential details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack
Tomcat - Commands in URIAnalytic Rule📦 SolutionTomcatDetects commands in URI
Tomcat - Known malicious user agentAnalytic Rule📦 SolutionTomcatDetects known malicious user agents
Tomcat - Multiple client errors from single IP addressAnalytic Rule📦 SolutionTomcatDetects multiple client errors from one source in short timeframe
Tomcat - Multiple empty requests from same IPAnalytic Rule📦 SolutionTomcatDetects multiple empty requests from same IP
Tomcat - Multiple server errors from single IP addressAnalytic Rule📦 SolutionTomcatDetects multiple server errors from one source in short timeframe
Tomcat - Put file and get file from same IP addressAnalytic Rule📦 SolutionTomcatDetects put or get files from one source in short timeframe
Tomcat - Request from localhost IP addressAnalytic Rule📦 SolutionTomcatDetects request from localhost IP address.
Tomcat - Request to sensitive filesAnalytic Rule📦 SolutionTomcatDetects request to sensitive files.
Tomcat - Server errors after multiple requests from same IPAnalytic Rule📦 SolutionTomcatDetects server errors after multiple requests from same IP address.
Tomcat - Sql injection patternsAnalytic Rule📦 SolutionTomcatDetects possible sql injection patterns
Tomcat - Request to forbidden fileHunting Query📦 SolutionTomcatQuery shows request to forbidden files.
Tomcat - Abnormal request sizeHunting Query📦 SolutionTomcatQuery shows abnormal request size.
Tomcat - Catalina errorsHunting Query📦 SolutionTomcatQuery shows errors events.
Tomcat - Rare files requestedHunting Query📦 SolutionTomcatQuery shows rare files requested
Tomcat - Rare URLs requestedHunting Query📦 SolutionTomcatQuery shows rare URLs requested.
Tomcat - Top files with error requestsHunting Query📦 SolutionTomcatQuery shows list of files with error requests.
Tomcat - Top URLs client errorsHunting Query📦 SolutionTomcatQuery shows URLs list with client errors.
Tomcat - Top URLs server errorsHunting Query📦 SolutionTomcatQuery shows URLs list with server errors.
Tomcat - Uncommon user agent stringsHunting Query📦 SolutionTomcatQuery searches uncommon user agent strings.
Tomcat - Rare user agents with client errorsHunting Query📦 SolutionTomcatQuery shows rare user agent strings with client errors
Tomcat - Rare user agents with server errorsHunting Query📦 SolutionTomcatQuery shows rare user agent strings with server errors
TomcatWorkbook📦 SolutionTomcat
TomcatEventParser📦 SolutionTomcat
Notify Sentinel Incident Creation and Update to Torq WebhookPlaybook📦 SolutionTorqSends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel
TrellixEventsParser📦 SolutionTrellix
ApexOne - Attack Discovery DetectionAnalytic Rule📦 SolutionTrend Micro Apex OneDetects Attack Discovery Detection events.
ApexOne - Suspicious commandline argumentsAnalytic Rule📦 SolutionTrend Micro Apex OneDetects suspicious commandline arguments.
ApexOne - Commands in UrlAnalytic Rule📦 SolutionTrend Micro Apex OneDetects commands in Url.
ApexOne - Device access permissions was changedAnalytic Rule📦 SolutionTrend Micro Apex OneQuery shows device access permissions was changed.
ApexOne - Inbound remote access connectionAnalytic Rule📦 SolutionTrend Micro Apex OneDetects inbound remote access connection.
ApexOne - Multiple deny or terminate actions on single IPAnalytic Rule📦 SolutionTrend Micro Apex OneDetects multiple deny or terminate actions on single IP.
ApexOne - Possible exploit or execute operationAnalytic Rule📦 SolutionTrend Micro Apex OneDetects possible exploit or execute operation.
ApexOne - C&C callback eventsAnalytic Rule📦 SolutionTrend Micro Apex OneDetects C&C callback events.
ApexOne - Spyware with failed responseAnalytic Rule📦 SolutionTrend Micro Apex OneDetects spyware with failed response.
ApexOne - Suspicious connectionsAnalytic Rule📦 SolutionTrend Micro Apex OneDetects suspicious connections.
ApexOne - Behavior monitoring actions by filesHunting Query📦 SolutionTrend Micro Apex OneShows behavior monitoring actions taken for files.
ApexOne - Behavior monitoring operations by usersHunting Query📦 SolutionTrend Micro Apex OneShows behavior monitoring operations by users.
ApexOne - Behavior monitoring triggered policy by command lineHunting Query📦 SolutionTrend Micro Apex OneShows behavior monitoring triggered policy by command line.
ApexOne - Behavior monitoring event types by usersHunting Query📦 SolutionTrend Micro Apex OneShows behavior monitoring event types.
ApexOne - Channel type by usersHunting Query📦 SolutionTrend Micro Apex OneShows channel type.
ApexOne - Data loss prevention action by IPHunting Query📦 SolutionTrend Micro Apex OneShows data loss prevention action by IP address.
ApexOne - Rare application protocols by Ip addressHunting Query📦 SolutionTrend Micro Apex OneQuery searches rare application protocols by Ip address.
ApexOne - Spyware detectionHunting Query📦 SolutionTrend Micro Apex OneQuery searches spyware detection events.
ApexOne - Suspicious files eventsHunting Query📦 SolutionTrend Micro Apex OneQuery searches suspicious files events.
ApexOne - Top sources with alertsHunting Query📦 SolutionTrend Micro Apex OneQuery shows list of top sources with alerts.
TrendMicroApexOneWorkbook📦 SolutionTrend Micro Apex One
TMApexOneEventParser📦 SolutionTrend Micro Apex One
Trend Micro CAS - DLP violationAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects when DLP policy violation occurs.
Trend Micro CAS - Possible phishing mailAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects possible phishing mail.
Trend Micro CAS - Ransomware infectionAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityTriggeres when ransomware was detected.
Trend Micro CAS - Ransomware outbreakAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityTriggeres when ransomware was detected on several accounts.
Trend Micro CAS - Suspicious filenameAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects unexpected filename.
Trend Micro CAS - Threat detected and not blockedAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects when threat was not blocked by CAS solution.
Trend Micro CAS - Unexpected file via mailAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects when unexpected file recieved via mail.
Trend Micro CAS - Unexpected file on file shareAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects unexpected files on file share.
Trend Micro CAS - Infected userAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects when malware was detected for user account.
Trend Micro CAS - Multiple infected usersAnalytic Rule📦 SolutionTrend Micro Cloud App SecurityDetects when same malware was detected for multiple user account.
Trend Micro CAS - Files stored on cloud fileshare servicesHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for stored on cloud fileshare services.
Trend Micro CAS - Infected files received via emailHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for infected files received via email.
Trend Micro CAS - Ransomware threatsHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for ransomware threats.
Trend Micro CAS - Rare files received via email servicesHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for rare files recieved via email services.
Trend Micro CAS - Risky usersHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for users with high number of threats.
Trend Micro CAS - Security risk scan threatsHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for threats discovered via security risk scans.
Trend Micro CAS - Suspicious files on sharepointHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for suspicious files on sharepoint.
Trend Micro CAS - Files received via email servicesHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for top files recieved via email services.
Trend Micro CAS - DLP violationsHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for DLP violations by users.
Trend Micro CAS - Virtual Analyzer threatsHunting Query📦 SolutionTrend Micro Cloud App SecurityQuery searches for Virtual Analyzer threats.
TrendMicroCASWorkbook📦 SolutionTrend Micro Cloud App Security
TrendMicroCAS 🔍Parser📦 SolutionTrend Micro Cloud App Security
TrendMicroDeepSecurityAttackActivityWorkbook📦 SolutionTrend Micro Deep Security
TrendMicroDeepSecurityOverviewWorkbook📦 SolutionTrend Micro Deep Security
TrendMicroDeepSecurityParser📦 SolutionTrend Micro Deep Security
TrendMicroTippingPointParser📦 SolutionTrend Micro TippingPoint
Create Incident for XDR AlertsAnalytic Rule📦 SolutionTrend Micro Vision OneThis Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.
TrendMicroXDROverviewWorkbook📦 SolutionTrend Micro Vision One
Ubiquiti - Possible connection to cryptominning poolAnalytic Rule📦 SolutionUbiquiti UniFiDetects connections which may indicate that device is infected with cryptominer.
Ubiquiti - Connection to known malicious IP or C2Analytic Rule📦 SolutionUbiquiti UniFiDetects allowed connections to IP addresses which are in TI list and are known to be malicious.
Ubiquiti - Unusual FTP connection to external serverAnalytic Rule📦 SolutionUbiquiti UniFiDetects local to remote (L2R) FTP connections.
Ubiquiti - Large ICMP to external serverAnalytic Rule📦 SolutionUbiquiti UniFiDetects large ICMP packets to external host.
Ubiquiti - connection to non-corporate DNS serverAnalytic Rule📦 SolutionUbiquiti UniFiDetects connections to non-corporate DNS servers.
Ubiquiti - Unusual DNS connectionAnalytic Rule📦 SolutionUbiquiti UniFiDetects unusual remote to local (R2L) DNS connections.
Ubiquiti - RDP from external sourceAnalytic Rule📦 SolutionUbiquiti UniFiDetects remote to local (R2L) RDP connection.
Ubiquiti - SSH from external sourceAnalytic Rule📦 SolutionUbiquiti UniFiDetects remote to local (R2L) SSH connection to internal host.
Ubiquiti - Unknown MAC Joined APAnalytic Rule📦 SolutionUbiquiti UniFiDetects when device with unseen MAC Address joined AP.
Ubiquiti - Unusual trafficAnalytic Rule📦 SolutionUbiquiti UniFiDetects unusual traffic masking as HTTP(S).
Ubiquiti - DNS requests timed outHunting Query📦 SolutionUbiquiti UniFiQuery shows failed DNS requests due to timeout.
Ubiquiti - Hidden internal DNS serverHunting Query📦 SolutionUbiquiti UniFiQuery shows list of unaccounted internal DNS servers.
Ubiquiti - Rare internal portsHunting Query📦 SolutionUbiquiti UniFiQuery shows list of least used internal destination ports.
Ubiquiti - Top blocked destinationsHunting Query📦 SolutionUbiquiti UniFiQuery shows list of top destinations connections to which were blocked by firewall.
Ubiquiti - Top blocked external servicesHunting Query📦 SolutionUbiquiti UniFiQuery shows list of top blocked connections to external services.
Ubiquiti - Top blocked internal servicesHunting Query📦 SolutionUbiquiti UniFiQuery shows list of top blocked connections to internal services.
Ubiquiti - Top blocked sourcesHunting Query📦 SolutionUbiquiti UniFiQuery shows list of top sources with blocked connections.
Ubiquiti - Top firewall rulesHunting Query📦 SolutionUbiquiti UniFiQuery shows list of top triggered firewall rules.
Ubiquiti - Unusual number of subdomains for top level domain (TLD)Hunting Query📦 SolutionUbiquiti UniFiQuery counts the number of unique subdomains for each TLD.
Ubiquiti - Vulnerable devicesHunting Query📦 SolutionUbiquiti UniFiQuery shows list of devices (APs) which do not have the latest version of firmware installed.
UbiquitiWorkbook📦 SolutionUbiquiti UniFi
UbiquitiAuditEventParser📦 SolutionUbiquiti UniFi
Anomalies on users tagged as VIPHunting Query📦 SolutionUEBA EssentialsShows all users tagged as VIP in the VIP users watchlist that had anomalies with a score greater than 0.
Anomalous Microsoft Entra ID Account CreationHunting Query📦 SolutionUEBA EssentialsAdversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not requi...
Anomalous Activity Role AssignmentHunting Query📦 SolutionUEBA EssentialsAdversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. The query below generates an output of all users performing an "action" operation regard...
Anomalous AWS Console Login Without MFA from Uncommon CountryHunting Query📦 SolutionUEBA EssentialsDetect unusual logon times, MFA fatigue, or service principal misuse across hybrid environments. Get visibility into geo-location of events and Threat Intelligence insights. Here''s an example of how ...
Anomalous Code Execution on a Virtual MachineHunting Query📦 SolutionUEBA EssentialsAdversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu...
Anomalous connection from highly privileged userHunting Query📦 SolutionUEBA EssentialsShows all users from a given department, which have a high impact on the organization, who connected to a resource for the first time and none of their peers accessed it.
Anomalous Database Export ActivityHunting Query📦 SolutionUEBA EssentialsAdversaries may attempt to exfiltrate sensitive data by exporting databases. The query identifies users performing an "Export database" operation where one or more behavioral features deviate from the...
Anomalous Database Vulnerability Baseline RemovalHunting Query📦 SolutionUEBA EssentialsAdversaries may disable security tools to avoid possible detection of their tools and activities. DarkComet, for example, can disable Security Center functions like anti-virus. The query below generat...
Anomalous Entra High-Privilege Role ModificationHunting Query📦 SolutionUEBA EssentialsAdversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accoun...
Anomalous Failed LogonHunting Query📦 SolutionUEBA EssentialsAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard-co...
Anomalous First-Time Device LogonHunting Query📦 SolutionUEBA EssentialsIdentifies anomalous device logon events from Microsoft Defender for Endpoint (MDE) where a user connects to a device for the first time or a device connects from a new IP address. The query filters h...
Anomalous GCP IAM ActivityHunting Query📦 SolutionUEBA EssentialsIdentifies anomalous IAM-related activities in Google Cloud Platform (GCP) Audit Logs where the investigation priority is greater than zero. This query highlights potential privilege or access anomali...
Anomalous Geo Location LogonHunting Query📦 SolutionUEBA EssentialsAdversaries may steal the credentials of a specific user or service account using credential access techniques or capture credentials earlier in their reconnaissance process through social engineering...
Anomalous High-Privileged Role AssignmentHunting Query📦 SolutionUEBA EssentialsAdversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high-privilege groups. Dragonfly 2.0, for example, added newly created accounts t...
Anomalous High-Score Activity TriageHunting Query📦 SolutionUEBA EssentialsIdentify the highest-scoring anomalies for rapid triage using Anomalies Table.
Anomalous Okta First-Time or Uncommon ActionsHunting Query📦 SolutionUEBA EssentialsDetects anomalous Okta activities where a user performs an action that is uncommon in the tenant or connects from a country for the first time. The query focuses on high-priority anomalies and provide...
Anomalous Password ResetHunting Query📦 SolutionUEBA EssentialsAdversaries may interrupt the availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed c...
Anomalous RDP ActivityHunting Query📦 SolutionUEBA EssentialsAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to mov...
Anomalous Resource AccessHunting Query📦 SolutionUEBA EssentialsThe adversary may be trying to move through the environment. APT29 and APT32, for example, have used PtH and PtT techniques to lateral move around the network. The query below generates an output of a...
Anomalous Sign-in by New or Dormant AccountHunting Query📦 SolutionUEBA EssentialsAdversaries may steal the credentials of a specific user or service account using credential access techniques or capture credentials earlier in their reconnaissance process through social engineering...
Anomalous action performed in tenant by privileged userHunting Query📦 SolutionUEBA EssentialsShows activities that have never been executed in the tenant, performed by a user with high privileges.
Anomaly Detection Trend AnalysisHunting Query📦 SolutionUEBA EssentialsVisualizes anomaly detection trends over the past 90 days, showing daily counts of triggered anomaly templates. Use this time-series chart to identify patterns, spikes in anomalous behavior, and seaso...
Anomaly Template Distribution by Tactics and TechniquesHunting Query📦 SolutionUEBA EssentialsProvides a statistical overview of anomaly detections over the past 30 days, grouped by template name, MITRE ATT&CK tactics, and techniques. Use this query to identify the most frequently triggered an...
Dormant Local Admin LogonHunting Query📦 SolutionUEBA EssentialsAdversaries may steal the credentials of a specific user or service account using credential access techniques or capture credentials earlier in their reconnaissance process through social engineering...
Dormant account activity from uncommon countryHunting Query📦 SolutionUEBA EssentialsShows dormant accounts (not active in the last 180 days) that connect from a country for the first time and the country is uncommon in the tenant or is the first time the ISP is used.
Anomalous login activity originated from Botnet, Tor proxy or C2Hunting Query📦 SolutionUEBA EssentialsShows login activity (successful or failed) originated from botnet, Tor proxy or C2, with at least one 'True' activity insight.
Top Anomalous Source IP TriageHunting Query📦 SolutionUEBA EssentialsIdentifies the top source IP addresses with multiple distinct anomaly templates over the past 30 days (excluding single noisy hits), then surfaces their most recent (last 24h) high-fidelity anomalous ...
UEBA Multi-Source Anomalous Activity OverviewHunting Query📦 SolutionUEBA EssentialsRetrieves and displays anomalous activity detected across multiple identity and cloud sources (AWS CloudTrail, Okta, GCP Audit Logs, and general authentication events) using UEBA anomaly templates. Th...
Anomalous Key Vault Modification by High-Privilege UserHunting Query📦 SolutionUEBA EssentialsShows all Key Vault modification activities performed by high-privilege users. If the activity is performed for the first time (by the user or in the tenant) or if the activity originated from a never...
User-Centric Anomaly InvestigationHunting Query📦 SolutionUEBA EssentialsInvestigates all anomalous activities associated with a specific user account over the past 30 days, including anomaly scores, behavioral insights, source locations, and MITRE ATT&CK mappings. Customi...
UEBABehaviorsAnalysisWorkbookWorkbook📦 SolutionUEBA Essentials
URLhaus-CheckHashAndEnrichIncidentPlaybook📦 SolutionURLhausOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. [Gets Information](https://urlhaus-api.abuse.ch/#payloadinfo) from URLhaus by has...
URLhaus-CheckHostAndEnrichIncidentPlaybook📦 SolutionURLhausOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. [Gets Information](https://urlhaus-api.abuse.ch/#payloadinfo) from URLhaus by has...
URLhaus-CheckURLAndEnrichIncidentPlaybook📦 SolutionURLhausOnce a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. [Gets Information](https://urlhaus-api.abuse.ch/#payloadinfo) from URLhaus by has...
Vaikora - Agent policy violationAnalytic Rule📦 SolutionVaikora-SentinelIdentifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.
Vaikora - Behavioral anomaly detectedAnalytic Rule📦 SolutionVaikora-SentinelIdentifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
Vaikora - High severity AI agent action detectedAnalytic Rule📦 SolutionVaikora-SentinelIdentifies AI agent actions from Vaikora classified as high or critical severity. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
VaikoraAgentSignalsDashboardWorkbook📦 SolutionVaikora-Sentinel
Valence Security AlertsAnalytic Rule📦 SolutionValence SecurityValence Security Alerts
ValenceAlertsWorkbookWorkbook📦 SolutionValence Security
Valimail Enforce - Email Authentication Key DeletedAnalytic Rule📦 SolutionValimailEnforceThis query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events that could degrade email authentication posture for a domain.
Valimail Enforce - DMARC Policy Weakened to NoneAnalytic Rule📦 SolutionValimailEnforceThis query searches for DMARC policies changed to 'none', which disables enforcement and leaves the domain vulnerable to spoofing and phishing attacks.
Valimail Enforce - Unusual Rate of Configuration Changes or User AdditionsAnalytic Rule📦 SolutionValimailEnforceThis query searches for a single user performing more than 3 configuration changes or user additions within a 1-hour window on any domain. An unusual burst of changes may indicate a compromised admin ...
Valimail Enforce - High-Value User Management EventAnalytic Rule📦 SolutionValimailEnforceThis query searches for high-severity user management events such as user deletion or deactivation in Valimail Enforce, which may indicate unauthorized access or insider threat.
Valimail Enforce - Bulk Domain Changes by Single UserHunting Query📦 SolutionValimailEnforceHunt for users who have made configuration changes to an unusually high number of domains in a short period. May indicate a compromised admin account or unauthorized bulk reconfiguration.
Valimail Enforce - Configuration Change Rate TrendHunting Query📦 SolutionValimailEnforceHunt for configuration change and user addition activity grouped by user and domain over hourly buckets. Use this to establish baselines, spot unusual spikes, and investigate specific users or domains...
Valimail Enforce - DMARC Policy Change HistoryHunting Query📦 SolutionValimailEnforceHunt for all DMARC policy changes across domains over the selected time range. Helps identify domains that have had their enforcement posture changed and by whom.
Valimail Enforce - High Value Event SummaryHunting Query📦 SolutionValimailEnforceSummarizes all high-value Valimail Enforce events over the selected time range, grouped by category and user. Good for periodic security reviews and baselining normal admin activity.
vArmour AppController - SMB Realm TraversalAnalytic Rule📦 SolutionvArmour Application ControllerDetects when SMB traffic crosses Production and Non-Production Realms. Possible network share discovery or lateral tool transfer across realms
vArmour_AppContoller_WorkbookWorkbook📦 SolutionvArmour Application Controller
VaronisSaaSWorkbook📦 SolutionVaronisSaaS
Vectra AI Detect - Suspected Compromised AccountAnalytic Rule📦 SolutionVectra AI DetectCreate an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real...
Vectra Account's BehaviorsAnalytic Rule📦 SolutionVectra AI DetectThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on account's detections.
Vectra AI Detect - Detections with High SeverityAnalytic Rule📦 SolutionVectra AI DetectCreate an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges betwee...
Vectra AI Detect - Suspected Compromised HostAnalytic Rule📦 SolutionVectra AI DetectCreate an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real thr...
Vectra Host's BehaviorsAnalytic Rule📦 SolutionVectra AI DetectThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on host's detections.
Vectra AI Detect - New Campaign DetectedAnalytic Rule📦 SolutionVectra AI DetectIdentifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.
Vectra AI Detect - Suspicious Behaviors by CategoryAnalytic Rule📦 SolutionVectra AI DetectCreate an incident for each new malicious behavior detected by Vectra Detect for a specific Category. By default, it looks through all tactics. This can be modified to create incident only for a subs...
AIVectraDetectWorkbookWorkbook📦 SolutionVectra AI Detect
VectraStream_functionParser📦 SolutionVectra AI Stream
vectra_beaconParser📦 SolutionVectra AI Stream
vectra_dcerpcParser📦 SolutionVectra AI Stream
vectra_dhcpParser📦 SolutionVectra AI Stream
vectra_dnsParser📦 SolutionVectra AI Stream
vectra_httpParser📦 SolutionVectra AI Stream
vectra_isessionParser📦 SolutionVectra AI Stream
vectra_kerberosParser📦 SolutionVectra AI Stream
vectra_ldapParser📦 SolutionVectra AI Stream
vectra_matchParser📦 SolutionVectra AI Stream
vectra_ntlmParser📦 SolutionVectra AI Stream
vectra_radiusParser📦 SolutionVectra AI Stream
vectra_rdpParser📦 SolutionVectra AI Stream
vectra_smbfilesParser📦 SolutionVectra AI Stream
vectra_smbmappingParser📦 SolutionVectra AI Stream
vectra_smtpParser📦 SolutionVectra AI Stream
vectra_sshParser📦 SolutionVectra AI Stream
vectra_sslParser📦 SolutionVectra AI Stream
vectra_streamParser📦 SolutionVectra AI Stream
vectra_x509Parser📦 SolutionVectra AI Stream
Vectra Create Incident Based on Tag for AccountsAnalytic Rule📦 SolutionVectra XDRCreate an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
Vectra Create Incident Based on Tag for HostsAnalytic Rule📦 SolutionVectra XDRCreate an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
Defender Alert EvidenceAnalytic Rule📦 SolutionVectra XDRThis analytic rule is looking for new alert evidence from Microsoft Defender for Endpoint. The intent is to create entries in the SecurityAlert table for every new alert evidence attached to an entity...
Vectra Create Detection Alert for AccountsAnalytic Rule📦 SolutionVectra XDRThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monit...
Vectra Create Detection Alert for HostsAnalytic Rule📦 SolutionVectra XDRThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monit...
Vectra Create Incident Based on Priority for AccountsAnalytic Rule📦 SolutionVectra XDRCreate an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer...
Vectra Create Incident Based on Priority for HostsAnalytic Rule📦 SolutionVectra XDRCreate an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer...
VectraXDRWorkbook📦 SolutionVectra XDR
Vectra Download Pcap File To StoragePlaybook📦 SolutionVectra XDRThis playbook enables user to download pcap file of any detections associated with a Vectra Entity to default file share of storage account. Users can provide detection ids via MS Teams AdaptiveCard.
Vectra Add Note To EntityPlaybook📦 SolutionVectra XDRThis playbook extracts notes from incident comments and adds them to Vectra Entity if comment added in proper structure, otherwise it prompts the user for input to add note to the Vectra Entity.
Vectra Add Tag To EntityPlaybook📦 SolutionVectra XDRThis playbook extracts tags from incident comments and adds them to the entity if comment found with proper structure, otherwise it prompts the user for tags input to add them to the Vectra Entity.
Vectra Add Tag To Entity All DetectionsPlaybook📦 SolutionVectra XDRThis playbook enables user to add tags to all detections associated with a Vectra Entity. Tags can be fetched from comments of the associated incident else if no comments found, users can provide comm...
Vectra Add Tag To Entity Selected DetectionsPlaybook📦 SolutionVectra XDRThis playbook enables users to add tags to selected detections associated with an entity. Users can provide inputs of detections selection and tags value via Microsoft Teams.
Vectra Assign Dynamic User To EntityPlaybook📦 SolutionVectra XDRThis playbook will assign a user selected by user from teams adpative card to an entity in Vectra when the status of an incident changes from 'New' to 'Active'.
Vectra Assign Static User To EntityPlaybook📦 SolutionVectra XDRThis playbook will assign a predefined user to an entity in Vectra when the status of an incident changes from 'New' to 'Active'.
Vectra Close DetectionsPlaybook📦 SolutionVectra XDRThis playbook enables user to close detections associated with a Vectra Entity with reason as Remediated or Benign. User can add detection ids in comments along with the reason to close the detections...
Vectra Decorate Incident Based On TagPlaybook📦 SolutionVectra XDRThis playbook will add pre-defined or user customizable comment to an incident generated based on tags and add pre-defined or user customizable note to associated Vectra Entity.
Vectra Decorate Incident Based On Tags And NotifyPlaybook📦 SolutionVectra XDRThis playbook will add pre-defined or user customizable comment to an incident generated based on tags, add pre-defined or user customizable note to associated Vectra Entity and notify to Microsoft Te...
Vectra Dynamic Assign Member To GroupPlaybook📦 SolutionVectra XDRThis playbook allows users to filter the group list by providing a group type and a description. From the filtered list, users can choose a group and provide member details to add members to the group...
Vectra Dynamic Resolve AssignmentPlaybook📦 SolutionVectra XDRWhen an incident is closed, This playbook will prompt the operator to select an outcome from a predefined list, choose detections to triage from associated detection IDs and name list, provide a resol...
Vectra Generate Access TokenPlaybook📦 SolutionVectra XDRThis playbook will generate access token and refresh token for another playbooks.
Vectra Incident Timeline UpdatePlaybook📦 SolutionVectra XDRThis playbook will update the incident timeline by keeping most recent alerts and adding most recent detections and defender alerts from entities timeline to the incident timeline.
Vectra Mark Detections As FixedPlaybook📦 SolutionVectra XDRThis playbook will mark active detection as fixed associated with an entity based on choice of user provided over MS Teams. Also it adds a pre-defined but user customizable comment to an incident and ...
Vectra Open Closed DetectionsPlaybook📦 SolutionVectra XDRThis playbook enables user to close opened detections associated with a Vectra Entity. User can add detection ids in comments of the associated incident else if no comments found, users can provide de...
Vectra Operate On Entity Source IPPlaybook📦 SolutionVectra XDRThis Playbook will extract the ip from entities associated with an incident on which playbook is triggered.
Vectra Static Assign Member To GroupPlaybook📦 SolutionVectra XDRThis playbook will take input of group id and members from user via MS teams and assign members to the provided group.
Vectra Static Resolve AssignmentPlaybook📦 SolutionVectra XDRThis playbook resolves the assignment for an entity in Vectra and adds a note for the assignment when the status of an incident is changed to 'closed', and also it triages all active detections associ...
Vectra Update Incident Based on Tag And NotifyPlaybook📦 SolutionVectra XDRThis playbook runs hourly to identify entities with Medium severity incidents, checks for user-defined tags in Vectra, and if found, upgrades the incident severity to High, adds a comment, and sends a...
VectraAuditsParser📦 SolutionVectra XDR
VectraDetectionsParser📦 SolutionVectra XDR
VectraEntityScoringParser📦 SolutionVectra XDR
VectraHealthParser📦 SolutionVectra XDR
VectraLockdownParser📦 SolutionVectra XDR
Adding User or Group FailedAnalytic Rule📦 SolutionVeeamDetects failed attempts to add a user or user group to Veeam Backup & Replication.
Application Group DeletedAnalytic Rule📦 SolutionVeeamDetects when an application group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Application Group Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when application group settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Archive Repository DeletedAnalytic Rule📦 SolutionVeeamDetects when an archive repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Archive Repository Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when archive repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Attempt to Delete Backup FailedAnalytic Rule📦 SolutionVeeamDetects failed backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure.
Attempt to Update Security Object FailedAnalytic Rule📦 SolutionVeeamDetects failed attempts to update security objects in Veeam Backup & Replication. Security objects include users and roles, credential records, certificates, or passwords.
Backup Proxy DeletedAnalytic Rule📦 SolutionVeeamDetects when a backup proxy is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Backup Repository DeletedAnalytic Rule📦 SolutionVeeamDetects when a backup repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Backup Repository Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when backup repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Best Practice Compliance Check Not PassedAnalytic Rule📦 SolutionVeeamDetects when a security best practice does not pass a compliance check in Veeam Security & Compliance Analyzer.
Cloud Gateway DeletedAnalytic Rule📦 SolutionVeeamDetects when a cloud gateway is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Cloud Gateway Pool DeletedAnalytic Rule📦 SolutionVeeamDetects when a cloud gateway pool is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Cloud Gateway Pool Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when cloud gateway pool settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Cloud Gateway Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when cloud gateway settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Cloud Replica Permanent Failover Performed by TenantAnalytic Rule📦 SolutionVeeamDetects permanent failover of a cloud replica initiated by a tenant. This might indicate disaster recovery activity or issues with primary systems.
Configuration Backup FailedAnalytic Rule📦 SolutionVeeamDetects failed configuration backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure.
Configuration Backup Job FailedAnalytic Rule📦 SolutionVeeamDetects failed configuration backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure.
Configuration Backup Job Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when configuration backup job settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Connection to Backup Repository LostAnalytic Rule📦 SolutionVeeamDetects when a backup server fails to connect to a backup repository.
Credential Record DeletedAnalytic Rule📦 SolutionVeeamDetects when a credential record is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Credential Record UpdatedAnalytic Rule📦 SolutionVeeamDetects when a credential record is updated in Veeam Backup & Replication.
Detaching Backups StartedAnalytic Rule📦 SolutionVeeamDetects when a backup file is detached from a backup job.
Encryption Password AddedAnalytic Rule📦 SolutionVeeamDetects when an encryption password is added to Veeam Backup & Replication.
Encryption Password ChangedAnalytic Rule📦 SolutionVeeamDetects when an encryption password is updated in Veeam Backup & Replication.
Encryption Password DeletedAnalytic Rule📦 SolutionVeeamDetects when an encryption password is deleted in Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
External Repository DeletedAnalytic Rule📦 SolutionVeeamDetects when an external repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
External Repository Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when external repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Failover Plan DeletedAnalytic Rule📦 SolutionVeeamDetects when a failover plan is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Failover Plan FailedAnalytic Rule📦 SolutionVeeamDetects when a failover plan fails. This might indicate disaster recovery activity or issues with primary systems.
Failover Plan Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when failover plan settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Failover Plan StartedAnalytic Rule📦 SolutionVeeamDetects when a failover plan starts. This might indicate disaster recovery activity or issues with primary systems.
Failover Plan StoppedAnalytic Rule📦 SolutionVeeamDetects when a failover plan stops. This might indicate disaster recovery activity or issues with primary systems.
File Server DeletedAnalytic Rule📦 SolutionVeeamDetects when a file server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
File Server Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when file server settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
File Share DeletedAnalytic Rule📦 SolutionVeeamDetects when a file share is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Four-Eyes Authorization DisabledAnalytic Rule📦 SolutionVeeamDetects when four-eyes authorization is disabled.
Four-Eyes Authorization Request CreatedAnalytic Rule📦 SolutionVeeamDetects when a four-eyes authorization request is created.
Four-Eyes Authorization Request ExpiredAnalytic Rule📦 SolutionVeeamDetects when a four-eyes authorization request is expired.
Four-Eyes Authorization Request RejectedAnalytic Rule📦 SolutionVeeamDetects when a four-eyes authorization request is rejected.
General Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review.
Global Network Traffic Rules DeletedAnalytic Rule📦 SolutionVeeamDetects when a global network traffic rule is deleted in Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Global VM Exclusions AddedAnalytic Rule📦 SolutionVeeamDetects when global VM exclusion are added in Veeam Backup & Replication.
Global VM Exclusions ChangedAnalytic Rule📦 SolutionVeeamDetects when global VM exclusions are updated in Veeam Backup & Replication.
Global VM Exclusions DeletedAnalytic Rule📦 SolutionVeeamDetects when a VM is removed from global exclusions in Veeam Backup & Replication. This might indicate unauthorized changes.
Host DeletedAnalytic Rule📦 SolutionVeeamDetects when a host is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Host Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when host settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Hypervisor Host DeletedAnalytic Rule📦 SolutionVeeamDetects when a hypervisor host is deleted from Veeam Backup & Replication. This might indicate unauthorized changes to the virtualization environment.
Hypervisor Host Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when hypervisor host settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Invalid Code for Multi-Factor Authentication EnteredAnalytic Rule📦 SolutionVeeamDetects failed multi-factor authentication attempts. This might indicate credential stuffing or brute-force attacks.
Job DeletedAnalytic Rule📦 SolutionVeeamDetects when a job is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Job No Longer Used as Second DestinationAnalytic Rule📦 SolutionVeeamDetects when a job used as a secondary destination is removed.
KMS Key Rotation Job FinishedAnalytic Rule📦 SolutionVeeamDetects when a KMS key rotation job is finished.
KMS Server DeletedAnalytic Rule📦 SolutionVeeamDetects when a KMS server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
KMS Server Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when KMS server settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
License ExpiredAnalytic Rule📦 SolutionVeeamDetects when a Veeam license has expired. This could impact backup operations and data protection.
License ExpiringAnalytic Rule📦 SolutionVeeamDetects when a Veeam license is about to expire.
License Grace Period StartedAnalytic Rule📦 SolutionVeeamDetects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention.
License Limit ExceededAnalytic Rule📦 SolutionVeeamDetects when the Veeam license limit is exceeded.
License RemovedAnalytic Rule📦 SolutionVeeamDetects when the Veeam license is removed from Veeam Backup & Replication.
License Support ExpiredAnalytic Rule📦 SolutionVeeamDetects when the Veeam support contract has expired. This might impact backup operations and data protection.
License Support ExpiringAnalytic Rule📦 SolutionVeeamDetects when the Veeam support contract is about to expire.
Malware Activity DetectedAnalytic Rule📦 SolutionVeeamDetects when restore points are marked as suspicious. This might indicate potential compromise of backup data.
Malware Detection Exclusions List UpdatedAnalytic Rule📦 SolutionVeeamDetects when malware detection exclusions are updated. This might indicate potential compromise of backup data.
Malware Detection Session FinishedAnalytic Rule📦 SolutionVeeamDetects when a malware detection session finishes.
Malware Detection Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when malware detection settings are updated.
Malware Event DetectedAnalytic Rule📦 SolutionVeeamDetects when restore points are marked as infected. This might indicate potential compromise of backup data.
Multi-Factor Authentication DisabledAnalytic Rule📦 SolutionVeeamDetects when multi-factor authentication is disabled for all users.
Multi-Factor Authentication for User DisabledAnalytic Rule📦 SolutionVeeamDetects when multi-factor authentication is disabled for a specific user.
Multi-Factor Authentication Token RevokedAnalytic Rule📦 SolutionVeeamDetects when a multi-factor authentication token is revoked.
Multi-Factor Authentication User LockedAnalytic Rule📦 SolutionVeeamDetects when the allowed number of multi-factor authentication attempts is exceeded for a user.
NDMP Server DeletedAnalytic Rule📦 SolutionVeeamDetects when an NDMP server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Objects Added to Malware Detection ExclusionsAnalytic Rule📦 SolutionVeeamDetects when an object is added to malware detection exclusions.
Objects Deleted from Malware Detection ExclusionsAnalytic Rule📦 SolutionVeeamDetects when an object is deleted from malware detection exclusions.
Objects for Job DeletedAnalytic Rule📦 SolutionVeeamDetects when objects are deleted from the job. This might indicate unauthorized removal of critical components.
Objects for Protection Group ChangedAnalytic Rule📦 SolutionVeeamDetects when protection group objects are updated.
Objects for Protection Group DeletedAnalytic Rule📦 SolutionVeeamDetects when objects are deleted from a protection group. This might indicate unauthorized removal of critical components.
Object Marked as CleanAnalytic Rule📦 SolutionVeeamDetects when an object is marked as clean.
Object Storage DeletedAnalytic Rule📦 SolutionVeeamDetects when object storage is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Object Storage Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when object storage settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Preferred Networks DeletedAnalytic Rule📦 SolutionVeeamDetects when a preferred network is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Protection Group DeletedAnalytic Rule📦 SolutionVeeamDetects when a protection group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Protection Group Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when protection group settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Recovery Token DeletedAnalytic Rule📦 SolutionVeeamDetects when a recovery token is deleted. This might indicate unauthorized removal of critical components.
Restore Point Marked as CleanAnalytic Rule📦 SolutionVeeamDetects when a restore point is marked as clean.
Restore Point Marked as InfectedAnalytic Rule📦 SolutionVeeamDetects when a restore point is marked as infected.
Scale-Out Backup Repository DeletedAnalytic Rule📦 SolutionVeeamDetects when a scale-out backup repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Scale-Out Backup Repository Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when scale-out backup repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Service Provider DeletedAnalytic Rule📦 SolutionVeeamDetects when a service provider is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Service Provider UpdatedAnalytic Rule📦 SolutionVeeamDetects when service provider settings are updated in Veeam Backup & Replication.
SSH Credentials ChangedAnalytic Rule📦 SolutionVeeamDetects when SSH credentials are updated.
Storage DeletedAnalytic Rule📦 SolutionVeeamDetects when storage is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Storage Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when storage settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
Subtenant DeletedAnalytic Rule📦 SolutionVeeamDetects when a subtenant is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Subtenant UpdatedAnalytic Rule📦 SolutionVeeamDetects when subtenant settings are updated in Veeam Backup & Replication.
SureBackup Job FailedAnalytic Rule📦 SolutionVeeamDetects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure.
Tape Erase Job StartedAnalytic Rule📦 SolutionVeeamDetects when tape erase operations start. This might indicate data destruction activity.
Tape Library DeletedAnalytic Rule📦 SolutionVeeamDetects when a tape library is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Tape Media Pool DeletedAnalytic Rule📦 SolutionVeeamDetects when a tape media pool is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Tape Media Vault DeletedAnalytic Rule📦 SolutionVeeamDetects when a tape media vault is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Tape Medium DeletedAnalytic Rule📦 SolutionVeeamDetects when a tape medium is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Tape Server DeletedAnalytic Rule📦 SolutionVeeamDetects when a tape server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Tenant Password ChangedAnalytic Rule📦 SolutionVeeamDetects when a tenant password is updated.
Tenant Quota ChangedAnalytic Rule📦 SolutionVeeamDetects when a tenant quota is updated.
Tenant Quota DeletedAnalytic Rule📦 SolutionVeeamDetects when a tenant quota is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Tenant Replica StartedAnalytic Rule📦 SolutionVeeamDetects when a tenant replica starts.
Tenant Replica StoppedAnalytic Rule📦 SolutionVeeamDetects when a tenant replica stops.
Tenant State ChangedAnalytic Rule📦 SolutionVeeamDetects when tenant state is updated.
User or Group AddedAnalytic Rule📦 SolutionVeeamDetects when a user or user group is added to Veeam Backup & Replication.
User or Group DeletedAnalytic Rule📦 SolutionVeeamDetects when a user or user group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Veeam ONE Application with No Recent Data Backup SessionsAnalytic Rule📦 SolutionVeeamDetects applications with no recent backup sessions.
Veeam ONE Backup Copy RPOAnalytic Rule📦 SolutionVeeamDetects Veeam ONE Backup Copy RPO violation alerts.
Veeam ONE Backup Server Security and Compliance StateAnalytic Rule📦 SolutionVeeamDetects backup server security and compliance state issues.
Veeam ONE Computer with No BackupAnalytic Rule📦 SolutionVeeamDetects computers with no backup.
Veeam ONE Immutability Change TrackingAnalytic Rule📦 SolutionVeeamDetects changes in Veeam ONE immutability tracking configuration.
Veeam ONE Immutability StateAnalytic Rule📦 SolutionVeeamDetects changes in the immutability state of Veeam Backup & Replication repositories. This might indicate configuration changes that require review.
Veeam ONE Job DisabledAnalytic Rule📦 SolutionVeeamDetects when a Veeam ONE job is disabled.
Veeam ONE Job Disabled (Veeam Backup for Microsoft 365)Analytic Rule📦 SolutionVeeamDetects when Veeam Backup for Microsoft 365 jobs are disabled.
Veeam ONE Possible Ransomware Activity (Hyper-V)Analytic Rule📦 SolutionVeeamDetects Veeam ONE possible ransomware activity alerts for Microsoft Hyper-V.
Veeam ONE Possible Ransomware Activity (vSphere)Analytic Rule📦 SolutionVeeamDetects Veeam ONE possible ransomware activity alerts for VMware vSphere.
Veeam ONE Suspicious Incremental Backup SizeAnalytic Rule📦 SolutionVeeamDetects suspiciously large incremental backup sizes.
Veeam ONE Unusual Job DurationAnalytic Rule📦 SolutionVeeamDetects Veeam ONE unusual job duration alerts.
Veeam ONE Unusual Job Duration (Veeam Backup for Microsoft 365)Analytic Rule📦 SolutionVeeamDetects Veeam Backup for Microsoft 365 jobs with unusual execution duration.
Veeam ONE Malware Detection Change TrackingAnalytic Rule📦 SolutionVeeamDetects changes in Veeam ONE malware detection tracking.
Veeam ONE VM with No BackupAnalytic Rule📦 SolutionVeeamDetects Veeam ONE VMs with no backup.
Veeam ONE VM with No Backup (Hyper-V)Analytic Rule📦 SolutionVeeamDetects Veeam ONE VMs with no backup (Hyper-V).
Veeam ONE VM with No ReplicaAnalytic Rule📦 SolutionVeeamDetects Veeam ONE VMs with no replica configuration.
Veeam ONE VM with No Replica (Hyper-V)Analytic Rule📦 SolutionVeeamDetects Hyper-V VMs with no replica configured.
Virtual Lab DeletedAnalytic Rule📦 SolutionVeeamDetects when a virtual lab is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
Virtual Lab Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when virtual lab settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
WAN Accelerator DeletedAnalytic Rule📦 SolutionVeeamDetects when a WAN accelerator is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components.
WAN Accelerator Settings UpdatedAnalytic Rule📦 SolutionVeeamDetects when WAN accelerator settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review.
VeeamDataPlatformMonitoringWorkbook📦 SolutionVeeam
VeeamSecurityActivitiesWorkbook📦 SolutionVeeam
Veeam-ChangeCollectionTimePlaybook📦 SolutionVeeamThis Microsoft Sentinel playbook adjusts the recurrence intervals for Veeam collection playbooks based on settings in the collection_schedule_settings watchlist.
Veeam-CollectConfigurationBackupsPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook that automatically runs configuration backup sessions on Veeam Backup & Replication servers on schedule. The playbook gets Veeam Backup & Replication settings from the wa...
Veeam-CollectCovewareFindingsPlaybook📦 SolutionVeeamThis Microsoft Sentinel playbook automatically collects Coveware findings on a schedule. Retrieves Coveware settings from watchlist and calls the GetCovewareFindings function for each enabled server, ...
Veeam-CollectMalwareEventsPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook that automatically collects malware events from Veeam Backup & Replication servers on a schedule. The playbook gets Veeam Backup & Replication settings from watchlist and...
Veeam-CollectSecurityComplianceAnalyzerResultPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook that automatically collects Veeam Security Compliance Analyzer results from Veeam Backup & Replication servers on schedule. The playbook gets Veeam Backup & Replication s...
Veeam-CollectVeeamAuthorizationEventsPlaybook📦 SolutionVeeamThis Microsoft Sentinel playbook automatically collects Veeam authorization events from Veeam Backup & Replication servers on a schedule. The playbook gets Veeam Backup & Replication settings from watchlist ...
Veeam-CollectVeeamONEAlarmsPlaybook📦 SolutionVeeamThis Microsoft Sentinel playbook automatically collects Veeam ONE alarms on a schedule. Retrieves Veeam ONE settings from the watchlist and calls the GetVoneAlarms function for each enabled server, in...
Veeam-FindCleanRestorePointsPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook with an incident trigger that finds the last clean restore point for the VM specified in the incident by VbrHostName and MachineDisplayName. If it finds a clean restore point...
Veeam-PerformConfigurationBackupOnIncidentPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook that automatically runs configuration backup session when triggered by an incident. The playbook gets Veeam Backup & Replication settings from incident custom fields, run...
Veeam-PerformInstantVMRecoveryPlaybook📦 SolutionVeeamThis Microsoft Sentinel playbook performs instant VM recovery on the VM specified by the MachineDisplayName field of the Microsoft Sentinel incident's custom fields. The playbook automatically finds th...
Veeam-PerformScanBackupPlaybook📦 SolutionVeeamThis Microsoft Sentinel playbook with an incident trigger performs antivirus scan on Veeam backup using VbrHostName, BackupObjectId, MachineDisplayName custom incident fields to identify backup. Indic...
Veeam-ResolveTriggeredAlarmPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook with an incident trigger that resolves Veeam ONE alarms (identified by TriggeredAlarmId custom incident field) on the Veeam ONE server specified by the VoneHostName custo...
Veeam-SetupConnectionsPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook that configures Key Vault secrets and hybrid connections for Veeam servers. The playbook gets server settings and Key Vault secrets from vbr_settings and vone_settings wa...
Veeam-StartQuickBackupPlaybook📦 SolutionVeeamA Microsoft Sentinel playbook with an incident trigger that performs a quick backup for the affected backup object (specified by the BackupObjectId incident custom field) when triggered by Microso...
Veeam-StartSecurityComplianceAnalyzerPlaybook📦 SolutionVeeamThis Microsoft Sentinel playbook initiates and monitors Veeam Security and Compliance Analyzer sessions via HTTP trigger.
Veeam_GetFinishedConfigurationBackupSessionsParser📦 SolutionVeeam
Veeam_GetJobFinishedParser📦 SolutionVeeam
Veeam_GetSecurityEventsParser📦 SolutionVeeam
Veeam_GetVeeamONEAlarmsParser📦 SolutionVeeam
action_results_lookupWatchlist📦 SolutionVeeam
coveware_settingsWatchlist📦 SolutionVeeam
job_types_lookupWatchlist📦 SolutionVeeam
license_editions_lookupWatchlist📦 SolutionVeeam
license_types_lookupWatchlist📦 SolutionVeeam
operation_names_lookupWatchlist📦 SolutionVeeam
session_states_lookupWatchlist📦 SolutionVeeam
vbr_events_lookupWatchlist📦 SolutionVeeam
vbr_settingsWatchlist📦 SolutionVeeam
collection_schedule_settingsWatchlist📦 SolutionVeeam
vone_settingsWatchlist📦 SolutionVeeam
Alarming number of anomalies generated in NetBackupAnalytic Rule📦 SolutionVeritas NetBackupThis rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
Multiple failed attempts of NetBackup loginAnalytic Rule📦 SolutionVeritas NetBackupThis rule generates an incident when there are more than 5 failed login attempts for a given host in the last 15 minutes.
Versasec CMS - Multiple Failed Login AttemptsAnalytic Rule📦 SolutionVersasecCMSDetects when operator logins fail too often.
VersasecCmsErrorParser📦 SolutionVersasecCMSStructured view of Versasec CMS error events
VersasecCmsSyslogParser📦 SolutionVersasecCMSStandardized parser for Versasec CMS system activities
URL Enrichment - Virus Total Report - Alert TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each URL entity and query VirusTotal for info (https://developers.virustotal.com/v3.0/reference#url-info).
URL Enrichment - Virus Total Report - Incident TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each URL entity and query VirusTotal for info (https://developers.virustotal.com/v3.0/reference#url-info).
IP Enrichment - Virus Total Report - Alert TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comme...
IP Enrichment - Virus Total Report - Entity TriggerPlaybook📦 SolutionVirusTotalThis playbook will query VirusTotal Report for the selected IP Address (https://developers.virustotal.com/v3.0/reference#ip-info). The report will be added as a comment to the incident
IP Enrichment - Virus Total Report - Incident TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comme...
FileHash Enrichment - Virus Total Report - Alert TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each File Hash entity and query VirusTotal for file report (https://developers.virustotal.com/v3.0/reference#file-info).
FileHash Enrichment - Virus Total Report - Incident TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each File Hash entity and query VirusTotal for file report (https://developers.virustotal.com/v3.0/reference#file-info).
URL Enrichment - Virus Total Domain Report - Alert TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each URL entity and query VirusTotal for Domain info (https://developers.virustotal.com/v3.0/reference#domain-info).
URL Enrichment - Virus Total Domain Report - Incident TriggeredPlaybook📦 SolutionVirusTotalThis playbook will take each URL entity and query VirusTotal for Domain Report (https://developers.virustotal.com/v3.0/reference#domain-info). It will write the results to Log Analytics and add a comm...
VTI - High Severity Domain Collision DetectionAnalytic Rule📦 SolutionVisa Threat Intelligence (VTI)This will alert when a collision is detected for EmailUrlInfo events with VTI high severity domain IoCs
VTI - High Severity SHA1 Collision DetectionAnalytic Rule📦 SolutionVisa Threat Intelligence (VTI)This will alert when a collision is detected for DeviceFileEvents events with VTI high severity SHA1 IoCs
VTI_IOC_FeedWorkbook📦 SolutionVisa Threat Intelligence (VTI)
VMRay URL AnalyisPlaybook📦 SolutionVMRaySubmits a URL or set of URLs associated with an incident to VMRay for analysis.
VMRay Email Attachment AnalyisPlaybook📦 SolutionVMRaySubmits an attachment or set of attachments associated with an Office 365 email to VMRay for analysis.
Critical Threat DetectedAnalytic Rule📦 SolutionVMware Carbon Black CloudThis creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.
Known Malware DetectedAnalytic Rule📦 SolutionVMware Carbon Black CloudThis creates an incident when known malware is detected on an endpoint managed by Carbon Black.
VMwareCarbonBlackWorkbook📦 SolutionVMware Carbon Black Cloud
Endpoint enrichment - Carbon BlackPlaybook📦 SolutionVMware Carbon Black CloudThis playbook will collect device information from Carbon Black and post a report on the incident.
Isolate endpoint - Carbon BlackPlaybook📦 SolutionVMware Carbon Black CloudThis playbook will quarantine the host in Carbon Black.
Endpoint take action from Teams - Carbon BlackPlaybook📦 SolutionVMware Carbon Black CloudThis playbook sends an adaptive card to the SOC Teams channel, lets the analyst decide on action: Quarantine the device or Update the policy. It posts a comment on the incident with the information co...
VMware Cloud Web Security - Policy Publish EventAnalytic Rule📦 SolutionVMware SASEThis alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules w...
VMware Cloud Web Security - Policy Change DetectedAnalytic Rule📦 SolutionVMware SASEThis Analytics rule provides notifications when a VMware CWS policy has been modified. These alerts serve audit purposes. Policy changes might lower the level of security controls.
VMware Cloud Web Security - Web Access Policy ViolationAnalytic Rule📦 SolutionVMware SASEVMware Cloud Web Security reported access events which were violating web access policy rules. Additional investigation might be required.
VMware Cloud Web Security - Data Loss Prevention ViolationAnalytic Rule📦 SolutionVMware SASEThis Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
VMware SD-WAN Edge - Device Congestion Alert - Packet DropsAnalytic Rule📦 SolutionVMware SASEThe VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service at...
VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)Analytic Rule📦 SolutionVMware SASEThe VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available. This analytics rule analyses Search API streams. Search API queries r...
VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog)Analytic Rule📦 SolutionVMware SASEThe VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available. This analytics rule analyzes Syslog streams.
VMware SD-WAN Edge - IDS/IPS Signature Update SucceededAnalytic Rule📦 SolutionVMware SASEThe VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
VMware SD-WAN Edge - IDS/IPS Signature Update FailedAnalytic Rule📦 SolutionVMware SASEThe VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in re...
VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation AttackAnalytic Rule📦 SolutionVMware SASEThe VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch. An IP fragmentation attack is a cyberattack that exploits how IP packet...
VMware Edge Cloud Orchestrator - New LAN-Side Client Device DetectedAnalytic Rule📦 SolutionVMware SASEThis analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
VMware SD-WAN Edge - All Cloud Security Service Tunnels DOWNAnalytic Rule📦 SolutionVMware SASEThis analytics rule collects events where an SD-WAN Edge reports that all Cloud Security Service (CSS) tunnels are down. Losing connectivity to a Secure Service Edge (SSE) service can impact security ...
VMware SD-WAN - Orchestrator Audit EventAnalytic Rule📦 SolutionVMware SASEThis rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.
VMware SD-WAN Edge - Network Anomaly Detection - RPF Check FailureAnalytic Rule📦 SolutionVMware SASEThe VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check. Reverse path forwarding (RPF) check is a network security mechanism that verifies whether the sour...
VMware Edge Cloud Orchestrator - High number of login failures from a source IP addressHunting Query📦 SolutionVMware SASEThis query identifies repeated authentication attempts (5 or more attempts) from a single source IP. These could be failed automation or service accounts, however, it is worth investigating these e...
VMwareSASESOCDashboardWorkbook📦 SolutionVMware SASE
vCenter - Root impersonationAnalytic Rule📦 SolutionVMware vCenterDetects when root impersonation occurs.
VMware vCenter - Root loginAnalytic Rule📦 SolutionVMware vCenterDetects when the root user logs in from an uncommon IP address.
vCenterWorkbook📦 SolutionVMware vCenter
vCenterParser📦 SolutionVMware vCenter
VMware ESXi - Dormant VM startedAnalytic Rule📦 SolutionVMWareESXiDetects when a dormant VM is started.
VMware ESXi - Low patch disk spaceAnalytic Rule📦 SolutionVMWareESXiThis rule is triggered when low patch disk store space is detected.
VMware ESXi - Low temp directory spaceAnalytic Rule📦 SolutionVMWareESXiThis rule is triggered when low temp directory space is detected.
VMware ESXi - Multiple Failed Shell Login via SSHAnalytic Rule📦 SolutionVMWareESXiIdentifies multiple failed ESXi Shell logins via SSH in a short time frame. This could be suspicious activity, especially if this alert is seen triggering many times within a short time frame, which could be evi...
VMware ESXi - Multiple new VMs startedAnalytic Rule📦 SolutionVMWareESXiDetects when multiple new VMs were started.
VMware ESXi - Multiple VMs stoppedAnalytic Rule📦 SolutionVMWareESXiDetects when multiple VMs are stopped by a user.
VMware ESXi - New VM startedAnalytic Rule📦 SolutionVMWareESXiDetects when a new VM is started.
VMware ESXi - Root impersonationAnalytic Rule📦 SolutionVMWareESXiDetects when root impersonation occurs.
VMware ESXi - Root loginAnalytic Rule📦 SolutionVMWareESXiDetects when the root user logs in from an uncommon IP address.
VMware ESXi - Root password changedAnalytic Rule📦 SolutionVMWareESXiDetects when root user password is changed.
VMware ESXi - Shared or stolen root accountAnalytic Rule📦 SolutionVMWareESXiDetects a shared or stolen root account.
VMware ESXi - SSH Enable on ESXi HostAnalytic Rule📦 SolutionVMWareESXiDetects when vim-cmd is used to enable SSH on an ESXi host
VMware ESXi - Unexpected disk imageAnalytic Rule📦 SolutionVMWareESXiDetects unexpected disk image for VM.
VMware ESXi - VM stoppedAnalytic Rule📦 SolutionVMWareESXiDetects when a VM is stopped.
VMware ESXi - List of dormant users.Hunting Query📦 SolutionVMWareESXiQuery searches for dormant users.
VMware ESXi - Download errorsHunting Query📦 SolutionVMWareESXiQuery searches for download errors.
VMware ESXi - NFC download activitiesHunting Query📦 SolutionVMWareESXiQuery searches for download activities.
VMware ESXi - Root logins failuresHunting Query📦 SolutionVMWareESXiQuery searches for failed root logins.
VMware ESXi - Root loginsHunting Query📦 SolutionVMWareESXiQuery searches for root logins.
VMware ESXi - List of unused VMsHunting Query📦 SolutionVMWareESXiQuery searches for unused VMs.
VMware ESXi - List of virtual disks (images)Hunting Query📦 SolutionVMWareESXiQuery searches for virtual disks (images) seen for VM.
VMware ESXi - VM high resource loadHunting Query📦 SolutionVMWareESXiQuery searches for VMs with high resource consumption.
VMware ESXi - List of powered off VMsHunting Query📦 SolutionVMWareESXiQuery searches for powered off VMs.
VMware ESXi - List of powered on VMsHunting Query📦 SolutionVMWareESXiQuery searches for powered on VMs.
VMWareESXiWorkbook📦 SolutionVMWareESXi
VMwareESXiParser📦 SolutionVMWareESXi
Votiro - File Blocked from ConnectorAnalytic Rule📦 SolutionVotiroThe analytic rule is intended to detect when a file is blocked by Votiro Sanitization Engine due to a specific policy, and notify the appropriate parties so that they can take appropriate action. The ...
Votiro - File Blocked in EmailAnalytic Rule📦 SolutionVotiroThe analytic rule is designed to identify when an email is blocked by Votiro Sanitization Engine policy. The rule generates an alert when an email is blocked after Sanitization process which is not pa...
Votiro Monitoring DashboardWorkbook📦 SolutionVotiro
WatchGuardFirebox 🔍Parser📦 SolutionWatchguard Firebox
Watchlist - close incidents with safe IPsPlaybook📦 SolutionWatchlists UtilitiesThis playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.
Watchlists - Inform Subscription OwnerPlaybook📦 SolutionWatchlists UtilitiesThis playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occurred in that subscription. It uses Microsof...
Watchlist - Change Incident Severity and Title if User VIP - Alert TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook leverages Microsoft Sentinel Watchlists in order to adapt the severity of incidents that include a User entity by checking it against a VIP user list.
Watchlist - Change Incident Severity and Title if User VIP - Incident TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook leverages Microsoft Sentinel Watchlists in order to adapt the severity of incidents that include a User entity by checking it against a VIP user list.
Add User To Watchlist - Alert TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add a user entity from the alert to a new or existing watchlist.
Add User To Watchlist - Incident TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add a User entity to a new or existing watchlist.
Add URL To Watchlist - Alert TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add a URL entity from the alert to a new or existing watchlist.
Add URL To Watchlist - Incident TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add a URL entity to a new or existing watchlist.
Add IP To Watchlist - Alert TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add an IP entity from the alert to a new or existing watchlist.
Add IP To Watchlist - Incident TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add an IP entity to a new or existing watchlist.
Add Host To Watchlist - Alert TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add a host entity from the alert to a new or existing watchlist.
Add Host To Watchlist - Incident TriggerPlaybook📦 SolutionWatchlists UtilitiesThis playbook will add a Host entity to a new or existing watchlist.
Detect URLs containing known malicious keywords or commands (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | The utilization of system commands or functions in the request URL may suggest that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service.
Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This query utilizes built-in KQL anomaly detection algorithms to identify anomalous data transfers to public networks. It detects significant deviations from a baseline pattern, allowing the detection...
The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This detection mechanism identifies instances where requests are made to Discord CDN addresses for file extensions that are considered risky. It triggers when a callout is made to a Discord server t...
Detect known risky user agents (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This rule is designed to flag web requests that contain a user agent header that is recognized as malicious. It relies on a predefined list of known user agents, which is referenced from a specific CS...
Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privilege...
Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This detection mechanism identifies situations where multiple client errors originate from a single source within a limited time frame.
Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This detection mechanism identifies situations where multiple server errors originate from a single source within a limited time frame.
Identify instances where a single source is observed using multiple user agents (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities...
Detect potential presence of a malicious file with a double extension (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | Double extension vulnerability is a significant concern in file uploads, as it can lead to various issues if an attacker successfully uploads a virus-infected file.
Detect potential file enumeration activity (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This detection method identifies potential cases of file enumeration activity. The query is designed to identify client sources that generate multiple requests resulting in 404 error codes.
Detect presence of private IP addresses in URLs (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This rule identifies requests made to atypical URLs, as malware can exploit IP addresses for communication with command-and-control (C2) servers. The detection identifies network requests that contain...
Detect requests for an uncommon resources on the web (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This detection mechanism examines connections made to a domain where only a single file is requested, which is considered unusual since most contemporary web applications require additional resources....
Detect presence of uncommon user agents in web requests (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This rule assists in detecting rare user agents, which may indicate web browsing activity by an unconventional process different from the usual ones. The rule specifically searches for UserAgent strin...
Detect web requests to potentially harmful files (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This rule detects web requests made to URLs containing file types such as .ps1, .bat, .vbs, .scr etc. which have the potential to be harmful if downloaded. This rule uses the [Advanced Security Informa...
Detect threat information in web requests (ASIM Web Session) | Analytic Rule | 📦 Solution | Web Session Essentials | This rule generates an alert when EventSeverity is 'High', or when the ThreatRiskLevel or ThreatOriginalConfidence value is greater than 90.
Empty User Agent Detected (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | This rule helps to identify instances of empty user agent requests originating from IP addresses that have previously reported a user agent at least once within the same time period.
Excessive number of forbidden requests detected (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | This rule detects an abnormal number of 403 errors from clients. HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication in case such as when authent...
Detect IPAddress in the requested URL (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | This rule detects an IP address in the requested URL.
Detect Kali Linux UserAgent (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | This rule helps to detect usage of Kali Linux in your environment. Attackers might utilize Kali Linux's tools and features for unauthorized penetration testing, reconnaissance, or exploitation attempt...
Beaconing traffic based on common user agents visiting limited number of domains (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | This query searches web proxy logs for a specific type of beaconing behavior by comparing with a known request pattern.
Potential beaconing detected - Similar sent bytes (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | Calculate the number of SrcBytes (Sent bytes) for each unique combination of SrcIpAddress and DstIpAddress within a 24-hour timeframe. The presence of a high count of repetitive identical SrcBytes cou...
Potential beaconing detected (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | Identifies beaconing patterns from web traffic logs based on recurrent timedelta patterns. Reference Blog: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-i...
Request from bots and crawlers (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | While most of these values are associated with legitimate bots or crawlers, malicious actors may sometimes spoof or manipulate user agent headers to disguise their activities. It is important to inves...
Detect threat information in web requests (ASIM Web Session) | Hunting Query | 📦 Solution | Web Session Essentials | This query identifies the presence of threat information in fields such as EventSeverity, ThreatName, and ThreatCategory.
WebSessionEssentials | Workbook | 📦 Solution | Web Session Essentials
Summarize Web Session Data | Playbook | 📦 Solution | Web Session Essentials | The 'SummarizeWebSessionData' Playbook helps with summarizing the Web Session logs and ingesting them into custom tables for persistence. Although enabling the summarization playbook for the Web Sessi...
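The two beaconing hunting queries above (repeated identical SrcBytes per source/destination pair, and recurrent time deltas between requests) describe their logic in a sentence each. As an added example that is not the solution's own KQL, the following Python re-implements both heuristics over a handful of constructed ASIM-style web session events: one host that posts a fixed 512-byte request roughly once a minute, and one host browsing with irregular timing and sizes. The field names (TimeGenerated, SrcIpAddress, DstIpAddress, SrcBytes) follow the ASIM WebSession schema; the thresholds (10 repeats, 8 events, 60% of gaps in one 10-second bucket) are assumptions chosen for the sample, not values taken from the queries.

```python
"""Beaconing heuristics over ASIM-style web session events.

Added example, not the Sentinel solution's own KQL: re-implements the "Similar sent
bytes" and "recurrent timedelta" hunting ideas in Python over constructed events.
Thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)
_JITTER = [0, 2, -1, 1, -2]   # deterministic jitter so the beacon is not perfectly periodic


def _build_events():
    """Constructed sample: one beaconing host, one host browsing normally."""
    ev = []
    for i in range(20):   # 10.0.0.5 sends a fixed 512-byte request roughly every 60 s
        ev.append({"TimeGenerated": T0 + timedelta(seconds=60 * i + _JITTER[i % 5]),
                   "SrcIpAddress": "10.0.0.5", "DstIpAddress": "203.0.113.10", "SrcBytes": 512})
    gaps = [5, 120, 33, 7, 900, 61, 15, 240, 3, 44]
    sizes = [310, 1290, 480, 2200, 615, 310, 840, 1024, 770, 505]
    t = T0
    for gap, size in zip(gaps, sizes):   # 10.0.0.7: irregular timing and request sizes
        t += timedelta(seconds=gap)
        ev.append({"TimeGenerated": t, "SrcIpAddress": "10.0.0.7",
                   "DstIpAddress": "198.51.100.20", "SrcBytes": size})
    return ev


EVENTS = _build_events()


def similar_bytes_candidates(events, window=timedelta(hours=24), min_repeats=10):
    """For each (src, dst) pair inside the window, count how often the single most
    common SrcBytes value recurs; many identical sizes to one destination is beacon-like."""
    start = min(e["TimeGenerated"] for e in events)
    sizes_by_pair = defaultdict(Counter)
    for e in events:
        if e["TimeGenerated"] - start <= window:
            sizes_by_pair[(e["SrcIpAddress"], e["DstIpAddress"])][e["SrcBytes"]] += 1
    flagged = {}
    for pair, sizes in sizes_by_pair.items():
        size, count = sizes.most_common(1)[0]
        if count >= min_repeats:
            flagged[pair] = (size, count)
    return flagged


def timedelta_candidates(events, min_events=8, min_ratio=0.6, bucket_seconds=10):
    """Bucket the gaps between consecutive requests per pair; if one bucket accounts
    for min_ratio of all gaps the traffic recurs at a fixed interval (jitter tolerated)."""
    times_by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        times_by_pair[(e["SrcIpAddress"], e["DstIpAddress"])].append(e["TimeGenerated"])
    flagged = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        buckets = Counter(int(round(g / bucket_seconds)) * bucket_seconds for g in gaps)
        interval, hits = buckets.most_common(1)[0]
        ratio = hits / len(gaps)
        if ratio >= min_ratio:
            flagged[pair] = (interval, ratio)
    return flagged


if __name__ == "__main__":
    print("similar sent bytes:", similar_bytes_candidates(EVENTS))
    print("recurrent interval:", timedelta_candidates(EVENTS))
```

The bucketing in timedelta_candidates is what makes the second heuristic robust to the few seconds of sleep jitter most implants add; without it every gap would be a distinct value and nothing would dominate. Both functions only surface candidates, and the destination still has to be triaged (CDNs, update services and monitoring agents produce the same shape).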
Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts | Analytic Rule | 📦 Solution | Web Shells Threat Protection | Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the W3CIISLog to surf...
Identify SysAid Server web shell creation | Analytic Rule | 📦 Solution | Web Shells Threat Protection | This query looks for potential webshell creation by the threat actor Mercury after the successful exploitation of SysAid server. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-...
SUPERNOVA webshell | Analytic Rule | 📦 Solution | Web Shells Threat Protection | Identifies SUPERNOVA webshell based on W3CIISLog data. References: - https://unit42.paloaltonetworks.com/solarstorm-supernova/
Exchange IIS Worker Dropping Webshells | Hunting Query | 📦 Solution | Web Shells Threat Protection | This query checks for the IIS worker process dropping files that resemble web shells and other artifacts seen in known attacks. Reference: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-...
Possible webshell drop | Hunting Query | 📦 Solution | Web Shells Threat Protection | This query searches for files with common web page content extensions created by IIS or Apache that could run arbitrary code. It includes a throttling mechanism to reduce false positive detections for...
Webshell Detection | Hunting Query | 📦 Solution | Web Shells Threat Protection | Web shells are scripts that allow remote administration when uploaded to a web server. This query can detect web shells using GET requests by searching for keywords in URL strings.
Possible Webshell usage attempt related to SpringShell(CVE-2022-22965) | Hunting Query | 📦 Solution | Web Shells Threat Protection | This query searches Azure Web Application Firewall data for potential Webshell usage related to the SpringShell RCE vulnerability (CVE-2022-22965). For more information refer to Microsoft's security b...
UMWorkerProcess Creating Webshell | Hunting Query | 📦 Solution | Web Shells Threat Protection | This query detects unusual file content created by UMWorkerProcess, indicating exploitation of CVE-2021-26858 to generate a web shell. More related queries can be found on the Microsoft Security Respo...
Web Shell Activity | Hunting Query | 📦 Solution | Web Shells Threat Protection | This query detects web shells by analyzing the distribution of commonly-used scripts against regular scripts for public client IPs with no W3CIIS activity in a fixed lookback period.
WindowsFirewall | Workbook | 📦 Solution | Windows Firewall
Caramel Tsunami Actor IOC - July 2021 | Analytic Rule | 📦 Solution | Windows Forwarded Events | Identifies a match across IOCs related to an actor tracked by Microsoft as Caramel Tsunami.
Chia_Crypto_Mining IOC - June 2021 | Analytic Rule | 📦 Solution | Windows Forwarded Events | Identifies a match across IOCs related to Chia cryptocurrency farming/plotting activity.
Progress MOVEIt File transfer above threshold 🔍 | Analytic Rule | 📦 Solution | Windows Forwarded Events | Identifies Progress MOVEIt File Transfers above a certain threshold in a 15min time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we ...
Progress MOVEIt File transfer folder count above threshold 🔍 | Analytic Rule | 📦 Solution | Windows Forwarded Events | Identifies Progress MOVEIt File Transfers with distinct folder count above a certain threshold in a 15min time period. Please note that entity mapping for arrays is not supported, so when there is a s...
ADFS Database Named Pipe Connection | Analytic Rule | 📦 Solution | Windows Security Events | This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be ...
AD FS Remote Auth Sync Connection | Analytic Rule | 📦 Solution | Windows Security Events | This detection uses Security events from the "AD FS Auditing" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filte...
AD FS Remote HTTP Network Connection | Analytic Rule | 📦 Solution | Windows Security Events | This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on t...
Excessive Windows Logon Failures | Analytic Rule | 📦 Solution | Windows Security Events | This query identifies user accounts that have over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.
Exchange OAB Virtual Directory Attribute Containing Potential Webshell | Analytic Rule | 📦 Solution | Windows Security Events | This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName prope...
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task | Analytic Rule | 📦 Solution | Windows Security Events | This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access | Analytic Rule | 📦 Solution | Windows Security Events | This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that provide information about a Microsoft Entra ID joined or registered devices ...
SecurityEvent - Multiple authentication failures followed by a success | Analytic Rule | 📦 Solution | Windows Security Events | Identifies accounts that have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success ca...
New EXE deployed via Default Domain or Default Domain Controller Policies | Analytic Rule | 📦 Solution | Windows Security Events | This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice i...
Non Domain Controller Active Directory Replication | Analytic Rule | 📦 Solution | Windows Security Events | This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS). A Domain Con...
NRT Base64 Encoded Windows Process Command-lines | Analytic Rule | 📦 Solution | Windows Security Events | This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.
NRT Process executed from binary hidden in Base64 encoded file | Analytic Rule | 📦 Solution | Windows Security Events | Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking fo...
NRT Security Event log cleared | Analytic Rule | 📦 Solution | Windows Security Events | Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS s...
AD user enabled and password not set within 48 hours | Analytic Rule | 📦 Solution | Windows Security Events | Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours. Effectively, there is an event 4722 indicating an account was enabled and within ...
Potential Fodhelper UAC Bypass | Analytic Rule | 📦 Solution | Windows Security Events | This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process w...
Potential re-named sdelete usage | Analytic Rule | 📦 Solution | Windows Security Events | This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C driv...
Scheduled Task Hide | Analytic Rule | 📦 Solution | Windows Security Events | This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of the SD value results in the scheduled task disappearing from schtasks /query an...
Sdelete deployed via GPO and run recursively | Analytic Rule | 📦 Solution | Windows Security Events | This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.
Starting or Stopping HealthService to Avoid Detection | Analytic Rule | 📦 Solution | Windows Security Events | This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent. The query requires a SACL to audit for access requests to the s...
Process Execution Frequency Anomaly | Analytic Rule | 📦 Solution | Windows Security Events | This detection identifies anomalous spikes in the frequency of executions of sensitive processes which are often leveraged as attack vectors. The query leverages KQL's built-in anomaly detection algorithms...
AD Account Lockout | Hunting Query | 📦 Solution | Windows Security Events | Detects Active Directory account lockouts.
Commands executed by WMI on new hosts - potential Impacket | Hunting Query | 📦 Solution | Windows Security Events | Query identifies hosts with WMI command runs, absent in the last 7 days, and filters for Impacket wmiexec arguments. Impacket filters can be adjusted for targeted hunting.
Crash dump disabled on host | Hunting Query | 📦 Solution | Windows Security Events | This detection looks for crash dump creation being disabled. Malware can do this to limit reporting of its own activity; look for suspicious processes setting this registry key.
Domain controller installation media creation | Hunting Query | 📦 Solution | Windows Security Events | This hunting query helps to detect attempts to create installation media from domain controllers, either remotely or locally using a commandline tool called ntdsutil. These media are intended to be us...
Cscript script daily summary breakdown | Hunting Query | 📦 Solution | Windows Security Events | Breakdown of scripts running in the environment.
VIP account more than 6 failed logons in 10 | Hunting Query | 📦 Solution | Windows Security Events | VIP Account with more than 6 failed logon attempts in 10 minutes, include your own VIP list in the table below NTSTATUS codes - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a107...
Decoy User Account Authentication Attempt | Hunting Query | 📦 Solution | Windows Security Events | The query detects authentication attempts from a decoy user account. A decoy user account is explicitly created and monitored to alert the SOC, indicating a malicious activity when the account is in ...
Discord download invoked from cmd line | Hunting Query | 📦 Solution | Windows Security Events | This hunting query looks for hosts that have attempted to interact with the Discord CDN. This activity is not normally invoked from the command line and could indicate C2, exfiltration, or malware del...
Enumeration of users and groups | Hunting Query | 📦 Solution | Windows Security Events | Finds attempts to list users or groups using the built-in Windows 'net' tool.
Exchange PowerShell Snapin Added | Hunting Query | 📦 Solution | Windows Security Events | The Exchange PowerShell Snapin was loaded on a host; this allows Exchange server management via PowerShell. Whilst this is a legitimate administrative tool it is abused by attackers to perform ...
Summary of failed user logons by reason of failure | Hunting Query | 📦 Solution | Windows Security Events | A summary of failed logons can be used to infer lateral movement with the intention of discovering credentials and sensitive data.
Group added to Built in Domain Local or Global Group | Hunting Query | 📦 Solution | Windows Security Events | A Group created in the last 7 days was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expe...
Host Exporting Mailbox and Removing Export | Hunting Query | 📦 Solution | Windows Security Events | Query detects mailbox exports from on-prem Exchange servers, followed by export removal from the same host within a short time window. This is a common attack pattern used by attackers when exfiltrating e...
Hosts with new logons | Hunting Query | 📦 Solution | Windows Security Events | Shows new accounts that have logged onto a host for the first time - this may clearly be benign activity but an account logging onto multiple hosts for the first time can also be used to look for evid...
Establishing internal proxies | Hunting Query | 📦 Solution | Windows Security Events | This hunting query helps to detect attempts to create proxies on compromised systems using the built-in netsh portproxy command. Volt Typhoon has been seen creating these proxies on compromised hosts...
Invoke-PowerShellTcpOneLine Usage. | Hunting Query | 📦 Solution | Windows Security Events | Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to I...
KrbRelayUp Local Privilege Escalation Service Creation | Hunting Query | 📦 Solution | Windows Security Events | This query detects the default service name created by KrbRelayUp. KrbRelayUp is a local privilege escalation tool that combines features of Rubeus and KrbRelay.
Least Common Parent And Child Process Pairs | Hunting Query | 📦 Solution | Windows Security Events | Looks across your environment for least common Parent/Child process combinations. Will possibly find some malicious activity disguised as well known process names. By ZanCo
Least Common Processes by Command Line | Hunting Query | 📦 Solution | Windows Security Events | Looks across your environment for least common Process Command Lines, may be noisy and require allowlisting. By ZanCo
Least Common Processes Including Folder Depth | Hunting Query | 📦 Solution | Windows Security Events | Looks across your environment for least common Process Command Lines, may be noisy and require allowlisting. By ZanCo
Masquerading files | Hunting Query | 📦 Solution | Windows Security Events | Malware writers often use Windows system process names like svchost.exe to hide malicious activities. Query searches for execution of process svchost.exe, filtering out execution by well-known SIDs an...
Potential Exploitation of MS-RPRN printer bug | Hunting Query | 📦 Solution | Windows Security Events | This query detects potential attempts to remotely access the print spooler service on Active Directory Domain Controllers which could indicate an exploitation of the MS-RPRN printer bug from a server t...
Multiple Explicit Credential Usage - 4648 events | Hunting Query | 📦 Solution | Windows Security Events | Query identifies credential abuse across hosts, using Security Event 4648 to detect multiple account connections to various machines, indicative of Solorigate-like patterns.
New Child Process of W3WP.exe | Hunting Query | 📦 Solution | Windows Security Events | Hunting Query detects unusual child processes of w3wp.exe not seen in 14 days, signaling potential web server compromise and web shell installation.
New processes observed in last 24 hours | Hunting Query | 📦 Solution | Windows Security Events | New processes in stable environments may indicate malicious activity. Analyzing logon sessions where these binaries ran can help identify attacks.
Nishang Reverse TCP Shell in Base64 | Hunting Query | 📦 Solution | Windows Security Events | This query searches for Base64-encoded commands associated with the Nishang reverse TCP shell. Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Summary of users created using uncommon/undocumented commandline switches | Hunting Query | 📦 Solution | Windows Security Events | Summarizes uses of uncommon & undocumented commandline switches to create user accounts. User accounts may be created to achieve persistence on a machine.
Powercat Download | Hunting Query | 📦 Solution | Windows Security Events | Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activit...
PowerShell downloads | Hunting Query | 📦 Solution | Windows Security Events | Finds PowerShell execution events that could involve a download.
New PowerShell scripts encoded on the commandline | Hunting Query | 📦 Solution | Windows Security Events | Identify and decode new encoded PowerShell scripts this week versus the previous 14 days.
Entropy for Processes for a given Host | Hunting Query | 📦 Solution | Windows Security Events | Query tracks rare processes on hosts, using entropy to highlight unusual activity. Lower Weight/ProcessEntropy scores suggest higher interest.
Rare Processes Run by Service Accounts | Hunting Query | 📦 Solution | Windows Security Events | Service accounts are normally supposed to perform a limited set of tasks in a stable environment. The query collects a list of service accounts and then joins them with rare processes in an environment...
Rare Process Path | Hunting Query | 📦 Solution | Windows Security Events | Identifies when a process is running from a rare path. This could indicate malicious or unexpected activity as attacks often try to use common process names running from non-standard locations.
Hosts Running a Rare Process with Commandline | Hunting Query | 📦 Solution | Windows Security Events | This query searches for hosts running a rare process. A rare process has execution frequency of less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 co...
Hosts Running a Rare Process | Hunting Query | 📦 Solution | Windows Security Events | This query searches for hosts running a rare process. A rare process has execution frequency of less than 1% of the average for 30 days and less than a count of 100 on a given host or less than a 14 co...
Remote Task Creation/Update using Schtasks Process | Hunting Query | 📦 Solution | Windows Security Events | This query detects a scheduled task, created/updated remotely, using the Schtasks process.
Service installation from user writable directory | Hunting Query | 📦 Solution | Windows Security Events | This query detects a service installation that originates from a user writable directory. Ref: https://attack.mitre.org/techniques/T1569/002/
Suspected LSASS Dump | Hunting Query | 📦 Solution | Windows Security Events | Look for evidence of the LSASS process being dumped either using Procdump or comsvcs.dll. Often used by attackers to access credentials stored on a system.
Suspicious command line tokens in LolBins or LolScripts | Hunting Query | 📦 Solution | Windows Security Events | This query identifies Microsoft-signed Binaries and Scripts that are not system initiated. This technique is commonly used in phishing attacks.
Suspicious Enumeration using Adfind Tool | Hunting Query | 📦 Solution | Windows Security Events | Query detects Adfind tool use for domain reconnaissance, regardless of executable name, focusing on DC and ADFS servers, to spot potential adversary activity.
Suspicious Windows Login Outside Normal Hours | Hunting Query | 📦 Solution | Windows Security Events | Query identifies unusual logon events outside a user's normal hours by comparing with the last 14 days' logon activity, flagging anomalies based on historical patterns.
Uncommon processes - bottom 5% | Hunting Query | 📦 Solution | Windows Security Events | Query highlights uncommon, rare process runs, to flag new potentially unauthorized binaries in stable environments for potential attack detection.
Summary of user logons by logon type | Hunting Query | 📦 Solution | Windows Security Events | Comparing successful and unsuccessful logon attempts can be used to identify attempts to move laterally within the environment with the intention of discovering credentials and sensitive data.
User Account added to Built in Sensitive or Privileged Domain Local or Global Group | Hunting Query | 📦 Solution | Windows Security Events | User account was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.
Long lookback User Account Created and Deleted within 10mins | Hunting Query | 📦 Solution | Windows Security Events | User account created and then deleted within 10 minutes across the last 14 days.
User account added or removed from a security group by an unauthorized user | Hunting Query | 📦 Solution | Windows Security Events | User account added or removed from a security group by an unauthorized user; pass in a list.
User created by unauthorized user | Hunting Query | 📦 Solution | Windows Security Events | User account created by an unauthorized user; pass in a list.
VIP account more than 6 failed logons in 10 | Hunting Query | 📦 Solution | Windows Security Events | VIP Account with more than 6 failed logon attempts in 10 minutes, include your own VIP list in the table below.
Windows System Shutdown/Reboot(Sysmon) | Hunting Query | 📦 Solution | Windows Security Events | This hunting query uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529).
Windows System Time changed on hosts | Hunting Query | 📦 Solution | Windows Security Events | Identifies when the system time was changed on a Windows host which can indicate potential timestomping activities.
EventAnalyzer | Workbook | 📦 Solution | Windows Security Events
IdentityAndAccess | Workbook | 📦 Solution | Windows Security Events
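Two of the Windows Security Events rules above state their logic precisely enough to reproduce: "Excessive Windows Logon Failures" (more than 50 failures today and at least 33% of the previous 7 days' failure count) and "Multiple authentication failures followed by a success" (a run of 4625 events followed by a 4624 within a short window). The following Python is an added example, not the rules' own KQL; it runs both checks over constructed 4624/4625 events for five accounts. The numeric thresholds of the first check are the ones the description states; the 10-minute window and 5-failure minimum of the second are assumptions.

```python
"""Logon-failure detections over Windows Security events (EventID 4625/4624).

Added example, not the Sentinel rules' own KQL: re-implements "Excessive Windows Logon
Failures" and "Multiple authentication failures followed by a success" in Python over
constructed events. The 10-minute window and 5-failure minimum are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 8, 15, 0, 0)                       # evaluation time; "today" = 2024-01-08
TODAY_START = NOW.replace(hour=0, minute=0, second=0, microsecond=0)


def _build_events():
    """Constructed SecurityEvent-like rows: (TimeGenerated, EventID, Account)."""
    ev = []
    # svc-backup: 60 failures today, 100 over the previous 7 days -> 60 > 50 and 60 >= 33% of 100
    ev += [(TODAY_START + timedelta(minutes=i), 4625, "svc-backup") for i in range(60)]
    ev += [(TODAY_START - timedelta(hours=i + 1), 4625, "svc-backup") for i in range(100)]
    # alice: 55 failures today but 400 over the previous week -> noisy account, below the 33% bar
    ev += [(TODAY_START + timedelta(minutes=2 * i), 4625, "alice") for i in range(55)]
    ev += [(TODAY_START - timedelta(minutes=20 * (i + 1)), 4625, "alice") for i in range(400)]
    # bob: a handful of failures -> under the absolute threshold
    ev += [(TODAY_START + timedelta(hours=9, minutes=i), 4625, "bob") for i in range(10)]
    # carol: 6 failures in 6 minutes, then a success -> guessing that eventually worked
    ev += [(TODAY_START + timedelta(hours=14, minutes=i), 4625, "carol") for i in range(6)]
    ev.append((TODAY_START + timedelta(hours=14, minutes=8), 4624, "carol"))
    # dave: 3 mistyped passwords then a success -> ordinary user behaviour
    ev += [(TODAY_START + timedelta(hours=13, minutes=i), 4625, "dave") for i in range(3)]
    ev.append((TODAY_START + timedelta(hours=13, minutes=5), 4624, "dave"))
    return ev


EVENTS = _build_events()


def excessive_logon_failures(events, now=NOW, min_today=50, min_ratio=0.33):
    """Accounts with > min_today failures today whose today-count is also at least
    min_ratio of their failure count over the previous 7 days (so chronically noisy
    service accounts do not fire every day). Returns {account: (today, previous_7d)}."""
    today_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    week_start = today_start - timedelta(days=7)
    today, prior = defaultdict(int), defaultdict(int)
    for t, event_id, account in events:
        if event_id != 4625:
            continue
        if today_start <= t <= now:
            today[account] += 1
        elif week_start <= t < today_start:
            prior[account] += 1
    return {a: (n, prior[a]) for a, n in today.items()
            if n > min_today and n >= min_ratio * prior[a]}


def failures_then_success(events, window=timedelta(minutes=10), min_failures=5):
    """For every 4624, count that account's 4625s in the preceding window; report the
    first success per account preceded by >= min_failures failures.
    Returns {account: (failure_count, success_time_iso)}."""
    by_account = defaultdict(list)
    for t, event_id, account in sorted(events):
        by_account[account].append((t, event_id))
    hits = {}
    for account, rows in by_account.items():
        for i, (t, event_id) in enumerate(rows):
            if event_id != 4624 or account in hits:
                continue
            recent = [1 for t2, e2 in rows[:i] if e2 == 4625 and t - window <= t2 < t]
            if len(recent) >= min_failures:
                hits[account] = (len(recent), t.isoformat())
    return hits


if __name__ == "__main__":
    print("excessive failures:", excessive_logon_failures(EVENTS))
    print("failures then success:", failures_then_success(EVENTS))
```

The ratio test in excessive_logon_failures is the part people tend to drop when porting this rule, and it is what keeps a misconfigured service account that fails 300 times every day from paging the SOC; in the sample, alice exceeds the absolute threshold but not the ratio. The second check deliberately reports only the first qualifying success per account so a single spray does not produce one hit per later legitimate logon.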
Potential DGA detected | Analytic Rule | 📦 Solution | Windows Server DNS | Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alerts are generated when a new IP address is seen ...
Rare client observed with high reverse DNS lookup count | Analytic Rule | 📦 Solution | Windows Server DNS | Identifies clients with high reverse DNS counts that could be carrying out reconnaissance or discovery activity. Alerts are generated if the IP performing such reverse DNS lookups was not seen doing...
DNS events related to mining pools | Analytic Rule | 📦 Solution | Windows Server DNS | Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.
DNS events related to ToR proxies | Analytic Rule | 📦 Solution | Windows Server DNS | Identifies IP addresses performing DNS lookups associated with common Tor proxies.
NRT DNS events related to mining pools | Analytic Rule | 📦 Solution | Windows Server DNS | Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.
DNS lookups for commonly abused TLDs | Hunting Query | 📦 Solution | Windows Server DNS | Some top level domains (TLDs) are more commonly associated with malware for a range of reasons - including how easy domains on these TLDs are to obtain. Many of these may be undesirable from an ente...
DNS - domain anomalous lookup increase | Hunting Query | 📦 Solution | Windows Server DNS | Checking for a threefold increase or more of domain lookups per client IP address for the current day compared to the daily average for the previous week. This can potentially identify excessive traff...
DNS Full Name anomalous lookup increase | Hunting Query | 📦 Solution | Windows Server DNS | Checking for a threefold increase or more in Full Name lookups per Client IP for the current day as compared to the daily average for the previous week. This can potentially identify excessive traffic...
Potential DGA detected | Hunting Query | 📦 Solution | Windows Server DNS | Clients with a high NXDomain count could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Based on quartile percent analysis algorithm.
High reverse DNS count by host | Hunting Query | 📦 Solution | Windows Server DNS | Clients with a high reverse DNS count could be carrying out reconnaissance or discovery activity.
Abnormally long DNS URI queries | Hunting Query | 📦 Solution | Windows Server DNS | The length of a DNS query can often be an indicator of suspicious activity. Typical domain name lengths are short, whereas the domain name query used for data exfiltration or tunneling can often be ve...
DNS Domains linked to WannaCry ransomware campaign | Hunting Query | 📦 Solution | Windows Server DNS | Displays the client DNS request for any of the known domains linked to WannaCry. These results may indicate a Wannacry/Wannacrypt ransomware infection. Reference: Domain listing from https://pastebin....
Solorigate DNS Pattern | Hunting Query | 📦 Solution | Windows Server DNS | Looks for the DGA pattern of the domain associated with Solorigate in order to find other domains with the same activity pattern.
Solorigate Encoded Domain in URL | Hunting Query | 📦 Solution | Windows Server DNS | Looks for a logon domain seen in Azure AD logs appearing in a DNS query encoded with the DGA encoding used in the Solorigate incident. Reference: https://blogs.microsoft.com/on-the-issues/2020/12/13/c...
Dns | Workbook | 📦 Solution | Windows Server DNS
WithSecureTopComputersByInfectionsWorkbook📦 SolutionWithSecureElementsViaFunction
WizFindingsWorkbook📦 SolutionWiz
Workplace_Facebook 🔍Parser📦 SolutionWorkplace from Facebook
XbowCriticalHighFindingsAnalytic Rule📦 SolutionXBOWCreates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state. These findings represent the most severe security issues and require immediate atten...
XbowLowFindingsAnalytic Rule📦 SolutionXBOWCreates an incident for each Low severity finding reported by XBOW that is currently in an open state. These findings represent minor security issues or best-practice violations that should be address...
XbowMediumFindingsAnalytic Rule📦 SolutionXBOWCreates an incident for each Medium severity finding reported by XBOW that is currently in an open state. These findings represent moderate security risks that should be addressed in a timely manner. ...
XbowNewAssetDiscoveredAnalytic Rule📦 SolutionXBOWAlerts when a new asset is registered in XBOW for the first time. This is detected by matching assets whose CreatedAt timestamp falls within the current query window, indicating the asset was newly ad...
ZeroFox Alerts - High Severity AlertsAnalytic Rule📦 SolutionZeroFoxDetects high severity alerts from ZeroFox
ZeroFox Alerts - Informational Severity AlertsAnalytic Rule📦 SolutionZeroFoxDetects informational severity alerts from ZeroFox
ZeroFox Alerts - Low Severity AlertsAnalytic Rule📦 SolutionZeroFoxDetects low severity alerts from ZeroFox
ZeroFox Alerts - Medium Severity AlertsAnalytic Rule📦 SolutionZeroFoxDetects medium severity alerts from ZeroFox
Zero Networks Segment - Machine Removed from protectionAnalytic Rule📦 SolutionZeroNetworksDetects when a machine is removed from protection.
Zero Networks Segment - New API Token createdAnalytic Rule📦 SolutionZeroNetworksDetects when an API token has been created.
Zero Networks Segment - Rare JIT Rule CreationAnalytic Rule📦 SolutionZeroNetworksIdentifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days. JIT Rule creations are indicated by the Activity Type Id 20
Zero Networks Segment - Excessive access by userHunting Query📦 SolutionZeroNetworksFind users who gained access to the largest number of target assets in the selected time range
Zero Networks Segment - Excessive access to a built-in group by userHunting Query📦 SolutionZeroNetworksA rule was created which granted a user access to a large, built-in, group of assets.
Zero Networks Segment - Inbound Block Rules DeletedHunting Query📦 SolutionZeroNetworksQuery searches for inbound block rules deleted by non AI.
Zero Networks Segment - Outbound Block Rules DeletedHunting Query📦 SolutionZeroNetworksQuery searches for outbound block rules deleted by non AI.
ZNSegmentAuditWorkbook📦 SolutionZeroNetworks
Add Asset to Protection - Zero Networks SegmentPlaybook📦 SolutionZeroNetworksThis playbook takes a host from a Microsoft Sentinel incident and adds it to protection. The playbook is configured to add the machine to protection(learning). If you want to have it go straight to pr...
Add Block Outbound Rule - Zero Networks Access OrchestratorPlaybook📦 SolutionZeroNetworksThis playbook allows blocking an IP outbound from protected assets in Zero Networks Segment.
Enrich Incident - Zero Networks Access OrchestratorPlaybook📦 SolutionZeroNetworksThis playbook will take each Host entity and get its Asset status from Zero Network Segment. The playbook will then write a comment to the Microsoft Sentinel incident with a table of assets and protec...
ZNSegmentAuditParser📦 SolutionZeroNetworks
ZeroTrust(TIC3.0) Control Assessment Posture ChangeAnalytic Rule📦 SolutionZeroTrust(TIC3.0)Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines
ZeroTrustTIC3Workbook📦 SolutionZeroTrust(TIC3.0)
Notify-GovernanceComplianceTeamPlaybook📦 SolutionZeroTrust(TIC3.0)This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When analytics rules trigger this automation notifies the gover...
Create-AzureDevOpsTaskPlaybook📦 SolutionZeroTrust(TIC3.0)This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.
Create Jira IssuePlaybook📦 SolutionZeroTrust(TIC3.0)This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.
ZimperiumWorkbooksWorkbook📦 SolutionZimperium Mobile Threat Defense
AV detections related to Zinc actorsAnalytic Rule📦 SolutionZinc Open SourceThis query looks for Microsoft Defender AV detections related to Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joi...
Zinc Actor IOCs files - October 2022Analytic Rule📦 SolutionZinc Open SourceIdentifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-so...
[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022Analytic Rule📦 SolutionZinc Open SourceUse Microsoft's up-to-date Threat Intelligence solution from the Content Hub to replace the deprecated query with outdated IoCs. Install it from: https://learn.microsoft.com/azure/sentinel/sentinel-so...
ZoomReportsWorkbook📦 SolutionZoomReports
ZoomParser📦 SolutionZoomReports
Discord CDN Risky File Download 🔍Analytic Rule📦 SolutionZscaler Internet AccessIdentifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your env...
Request for single resource on domain 🔍Analytic Rule📦 SolutionZscaler Internet AccessThis will look for connections to a domain where only a single file is requested; this is unusual, as most modern web applications require additional resources. This type of activity is often associate...
NSSAuditLogsWorkbook📦 SolutionZscaler Internet Access
NSSCASBActivityLogsWorkbook📦 SolutionZscaler Internet Access
NSSCASBCloudStorageLogsWorkbook📦 SolutionZscaler Internet Access
NSSCASBCollabLogsWorkbook📦 SolutionZscaler Internet Access
NSSCASBCRMLogsWorkbook📦 SolutionZscaler Internet Access
NSSCASBEmailWorkbook📦 SolutionZscaler Internet Access
NSSCASBFileSharingLogsWorkbook📦 SolutionZscaler Internet Access
NSSCASBITSMLogsWorkbook📦 SolutionZscaler Internet Access
NSSCASBRepoLogsWorkbook📦 SolutionZscaler Internet Access
NSSDNSLogsWorkbook📦 SolutionZscaler Internet Access
NSSEmailDLPLogsWorkbook📦 SolutionZscaler Internet Access
NSSEndpointDLPLogsWorkbook📦 SolutionZscaler Internet Access
NSSFWLogsWorkbook📦 SolutionZscaler Internet Access
NSSTunnelLogsWorkbook📦 SolutionZscaler Internet Access
NSSWebLogsOffice365Workbook📦 SolutionZscaler Internet Access
NSSWebLogsOverviewWorkbook📦 SolutionZscaler Internet Access
NSSWebLogsThreatsWorkbook📦 SolutionZscaler Internet Access
Zscaler OAuth2 AuthenticationPlaybook📦 SolutionZscaler Internet AccessThis playbook obtains OAuth2 access tokens for Zscaler Internet Access (ZIA) integrations using Zscaler ZIdentity OAuth and returns the token response.
Zscaler OAuth2 Blacklist URLPlaybook📦 SolutionZscaler Internet AccessThis playbook adds URLs to the Zscaler security blacklist using OAuth2 authentication.
Zscaler OAuth2 Block IPPlaybook📦 SolutionZscaler Internet AccessThis playbook blocks IP addresses in Zscaler by adding them to a category using OAuth2 authentication.
Zscaler OAuth2 Block URLPlaybook📦 SolutionZscaler Internet AccessThis playbook blocks URLs in Zscaler by adding them to a category using OAuth2 authentication.
Zscaler OAuth2 Lookup IPPlaybook📦 SolutionZscaler Internet AccessThis playbook looks up IP categorization information from Zscaler using OAuth2 authentication.
Zscaler OAuth2 Lookup URLPlaybook📦 SolutionZscaler Internet AccessThis playbook looks up URL categorization information from Zscaler using OAuth2 authentication.
Zscaler-Oauth2-UnblacklistURLPlaybook📦 SolutionZscaler Internet AccessThis playbook enables automated removal of URLs from the Zscaler Internet Access (ZIA) blacklist when triggered by Microsoft Sentinel incidents. It uses OAuth2 authentication to securely communicate w...
Zscaler OAuth2 Unblock IPPlaybook📦 SolutionZscaler Internet AccessThis playbook unblocks IP addresses in Zscaler by removing them from a category using OAuth2 authentication.
Zscaler OAuth2 Unblock URLPlaybook📦 SolutionZscaler Internet AccessThis playbook unblocks URLs in Zscaler by removing them from a category using OAuth2 authentication.
Zscaler-Oauth2-WhitelistURLPlaybook📦 SolutionZscaler Internet AccessThis playbook enables automated addition of URLs to the Zscaler Internet Access (ZIA) security whitelist when triggered by Microsoft Sentinel incidents. It uses OAuth2 authentication to securely commu...
Zscaler - Shared ZPA sessionAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects shared ZPA session.
Zscaler - Unexpected event count of rejects by policyAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects unexpected event count of rejects by policy.
Zscaler - Forbidden countriesAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects suspicious ZPA connections from forbidden countries.
Zscaler - Unexpected update operationAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects unexpected version of update operation.
Zscaler - Connections by dormant userAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects ZPA connections by dormant user.
Zscaler - ZPA connections by new userAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects ZPA connections by new user.
Zscaler - ZPA connections from new countryAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects ZPA connections from new country.
Zscaler - ZPA connections from new IPAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects ZPA connections from new IP.
Zscaler - ZPA connections outside operational hoursAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects ZPA connections outside operational hours.
Zscaler - Unexpected ZPA session durationAnalytic Rule📦 SolutionZscaler Private Access (ZPA)Detects unexpected ZPA session duration.
Zscaler - Abnormal total bytes sizeHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows abnormal total bytes size.
Zscaler - Applications used by accountsHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows applications used by accounts.
Zscaler - Connection close reasonsHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows connection close reasons.
Zscaler - Destination ports by IPHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows destination ports by IP address.
Zscaler - Users by source location countriesHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows Users by source location countries.
Zscaler - Top connectorsHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows top connectors.
Zscaler - Top source IPHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows top source IP.
Zscaler - Rare urlhostname requestsHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows rare urlhostname requests.
Zscaler - Users access groupsHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows users access groups.
Zscaler - Server error by userHunting Query📦 SolutionZscaler Private Access (ZPA)Query shows server error by user.
ZscalerZPAWorkbook📦 SolutionZscaler Private Access (ZPA)
ZPAEventParser📦 SolutionZscaler Private Access (ZPA)
📦 In solution package 📄 Standalone (not in solution JSON) 🔗 GitHub only (no content hub package) 🔍 Not listed in solution JSON
Parser | Source | Solution | Tables
AADUserInfo📂 LegacyAADUserInfo_CL
ADOAuditLogs📦 SolutionAzureDevOpsAuditingADOAuditLogs_CL, AzureDevOpsAuditing
afad_parser📦 SolutionTenable AppTenable_IE_CL
afad_parser 🔍📦 SolutionTenableADTenable_ad_CL
afad_parser 🔍📦 SolutionTenableADTenable_ad_CL
afad_parser.kql 🔍📦 SolutionAlsid For ADAlsidForADLog_CL
AIShield📦 SolutionAIShield AI Security MonitoringAIShield_CL
AkamaiSIEMEvent📦 SolutionAkamai Security EventsCommonSecurityLog
Alerts_advisory📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_assets📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_bit_bucket📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_cloud_storage📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_compromised_endpoints_cookies📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_compromised_files📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_cyber_crime_forums📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_darkweb_data_breaches📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_darkweb_marketplaces📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_darkweb_ransomware📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_defacement_content📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_defacement_keyword📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_defacement_url📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_discord📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_docker📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_domain_expiry📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_domain_watchlist📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_flash_report📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_github📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_hacktivism📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_i2p📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_iocs📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_ip_risk_score📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_leaked_credentials📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_malicious_ads📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_mobile_apps📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_new_vulnerability📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_news_feed📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_osint📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_ot_ics📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_pastebin📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_phishing📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_physical_threats📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_postman📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_product_vulnerability📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_ransomware_updates📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_social_media_monitoring📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_ssl_expiry📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_stealer_logs📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_subdomains📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_suspicious_domains📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_telegram_mentions📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_tor_links📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_vulnerability📦 SolutionCyble VisionCybleVisionAlerts_CL
Alerts_web_applications📦 SolutionCyble VisionCybleVisionAlerts_CL
AlertsCompromisedCredential📦 SolutionNetskopev2alertscompromisedcredentialdata_CL
AlertsCtep📦 SolutionNetskopev2alertsctepdata_CL
AlertsDLP📦 SolutionNetskopev2alertsdlpdata_CL
AlertsMalsite📦 SolutionNetskopev2alertsmalsitedata_CL
AlertsMalware📦 SolutionNetskopev2alertsmalwaredata_CL
AlertsPolicy📦 SolutionNetskopev2alertspolicydata_CL
AlertsQuarantine📦 SolutionNetskopev2alertsquarantinedata_CL
AlertsRemediation📦 SolutionNetskopev2alertsremediationdata_CL
AlertsSecurityAssessment📦 SolutionNetskopev2alertssecurityassessmentdata_CL
AlertsUba📦 SolutionNetskopev2alertsubadata_CL
AliCloud📦 SolutionAlibaba CloudAliCloud_CL
ApacheHTTPServer📦 SolutionApacheHTTPServerApacheHTTPServer_CL
ApigeeX📦 SolutionGoogle ApigeeApigeeX_CL, GoogleApigeeXV2_CL
ApigeeXv2📦 SolutionGoogle ApigeeApigeeXV2_CL
ArmisActivities📦 SolutionArmisArmis_Activities_CL
ArmisAlerts📦 SolutionArmisArmis_Alerts_CL
ArmisDevice📦 SolutionArmisArmis_Devices_CL
ArubaClearPass📦 SolutionAruba ClearPassCommonSecurityLog
ASimAuthenticationOpenSystems 🔍📦 SolutionOpen SystemsOpenSystemsAuthenticationLogs_CL
ASimDnsMicrosoftNXLog📦 SolutionNXLogDNSLogs?
ASimNetworkSessionOpenSystemsFirewall 🔍📦 SolutionOpen SystemsOpenSystemsFirewallLogs_CL
ASimWebSessionOpenSystemsSecureWebGateway 🔍📦 SolutionOpen SystemsOpenSystemsProxyLogs_CL
AssignedIPAddress📦 SolutionMicrosoftDefenderForEndpointDeviceNetworkInfo
Auth0📦 SolutionAuth0Auth0AM_CL, Auth0_CL
Auth0AM📦 SolutionAuth0Auth0AM_CL, Auth0Logs_CL
AwarenessPerformanceDetails📦 SolutionMimecastAwareness_Performance_Details_CL
AwarenessSafeScore📦 SolutionMimecastAwareness_SafeScore_Details_CL
AwarenessUserData📦 SolutionMimecastAwareness_User_Data_CL
AwarenessWatchlist📦 SolutionMimecastAwareness_Watchlist_Details_CL
AWSALBAccessLogsData📦 SolutionAWS ELBAWSALBAccessLogs, AWSALBAccessLogs_CL
AWSELBFlowLogsData📦 SolutionAWS ELBAWSELBFlowLogs, AWSELBFlowLogs_CL
AWSNLBAccessLogsData📦 SolutionAWS ELBAWSNLBAccessLogs, AWSNLBAccessLogs_CL
AzureFirewallApplicationRule📂 LegacyAzureDiagnostics
AzureFirewallDnsProxy📂 Legacy?
AzureFirewallNetworkRule📂 LegacyAzureDiagnostics
Bitglass📦 SolutionBitglassBitglassLogs_CL
BitSightAlerts📦 SolutionBitSightBitsightAlerts_data_CL
BitSightBreaches📦 SolutionBitSightBitsightBreaches_data_CL
BitSightCompanyDetails📦 SolutionBitSightBitsightCompany_details_CL
BitSightCompanyRatings📦 SolutionBitSightBitsightCompany_rating_details_CL
BitSightDiligenceHistoricalStatistics📦 SolutionBitSightBitsightDiligence_historical_statistics_CL
BitSightDiligenceStatistics📦 SolutionBitSightBitsightDiligence_statistics_CL
BitSightFindingsData📦 SolutionBitSightBitsightFindings_data_CL
BitSightFindingsSummary📦 SolutionBitSightBitsightFindings_summary_CL
BitSightGraphData📦 SolutionBitSightBitsightGraph_data_CL
BitSightIndustrialStatistics📦 SolutionBitSightBitsightIndustrial_statistics_CL
BitSightObservationStatistics📦 SolutionBitSightBitsightObservation_statistics_CL
BitwardenEventLogs📦 SolutionBitwardenBitwardenEventLogs_CL, BitwardenGroups_CL, ...
BoxEvents📦 SolutionBoxBoxEventsV2_CL, BoxEvents_CL
CassandraAuditLog📂 LegacyCassandraAuditLog_CL
CBS_BreachedCredentials 🔍📦 SolutionCTM360CBS_BreachedCredentials_AzureV2_CL, CBS_BreachedCredentials_CL
CBS_CompromisedCards 🔍📦 SolutionCTM360CBS_CompromisedCards_AzureV2_CL, CBS_CompromisedCards_CL
CBS_DomainInfringement 🔍📦 SolutionCTM360CBS_DomainInfringement_AzureV2_CL, CBS_DomainInfringement_CL
CBS_MalwareLogs 🔍📦 SolutionCTM360CBS_MalwareLogs_AzureV2_CL, CBS_MalwareLogs_CL
CBS_SubdomainInfringement 🔍📦 SolutionCTM360CBS_SubdomainInfringement_AzureV2_CL, CBS_SubdomainInfringement_CL
CBSLog 🔍📦 SolutionCTM360CBSLog_AzureV2_CL, CBSLog_Azure_1_CL
CGFWFirewallActivity📦 SolutionBarracuda CloudGen FirewallSyslog
Cisco_Umbrella📦 SolutionCiscoUmbrellaCisco_Umbrella_audit_CL, Cisco_Umbrella_cloudfirewall_CL, ...
CiscoACIEvent📦 SolutionCisco ACISyslog
CiscoDuo📦 SolutionCiscoDuoSecurityCiscoDuo_CL
CiscoISEEvent📦 SolutionCisco ISESyslog
CiscoMeraki📦 SolutionCiscoMerakiCiscoMerakiNativePoller_CL, Syslog, ...
CiscoSDWANNetflow 🔍📦 SolutionCisco SD-WANCiscoSDWANNetflow_CL
CiscoSecureEndpoint📦 SolutionCisco Secure EndpointCiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, ...
CiscoSEGEvent📦 SolutionCiscoSEGCommonSecurityLog
CiscoSyslogFW6LogSummary 🔍📦 SolutionCisco SD-WANSyslog
CiscoSyslogUTD 🔍📦 SolutionCisco SD-WANSyslog
CiscoUCS📦 SolutionCisco UCSSyslog
CiscoWSAEvent📦 SolutionCiscoWSASyslog
CitrixADCEvent📦 SolutionCitrix ADCSyslog
CitrixADCEventOld 🔍📦 SolutionCitrix ADCCommonSecurityLog
ClarotyEvent📦 SolutionClarotyCommonSecurityLog
Cloudflare📦 SolutionCloudflareCloudflareV2_CL, Cloudflare_CL
Cloudflare📦 SolutionCloudflare CCFCloudflareV2_CL, Cloudflare_CL
ConfluenceAudit📦 SolutionAtlassianConfluenceAuditConfluence_Audit_CL
ContrastADR📦 SolutionContrastADRContrastADRAttackEvents_CL
ContrastADR_Incident📦 SolutionContrastADRContrastADRIncidents_CL
Corelight📦 SolutionCorelight?
corelight_anomaly📦 SolutionCorelightCorelight_v2_anomaly_CL
corelight_bacnet📦 SolutionCorelightCorelight_v2_bacnet_CL
corelight_capture_loss📦 SolutionCorelightCorelight_v2_capture_loss_CL
corelight_cip📦 SolutionCorelightCorelight_v2_cip_CL
corelight_conn📦 SolutionCorelightCorelight_v2_conn_CL, Corelight_v2_conn_long_CL, ...
corelight_conn_agg📦 SolutionCorelightCorelight_v2_conn_agg_CL
corelight_conn_long📦 SolutionCorelightCorelight_v2_conn_long_CL
corelight_conn_red📦 SolutionCorelightCorelight_v2_conn_red_CL
corelight_corelight_burst📦 SolutionCorelightCorelight_v2_corelight_burst_CL
corelight_corelight_metrics_disk📦 SolutionCorelightCorelight_v2_corelight_metrics_disk_CL
corelight_corelight_metrics_iface📦 SolutionCorelightCorelight_v2_corelight_metrics_iface_CL
corelight_corelight_metrics_memory📦 SolutionCorelightCorelight_v2_corelight_metrics_memory_CL
corelight_corelight_metrics_system📦 SolutionCorelightCorelight_v2_corelight_metrics_system_CL
corelight_corelight_metrics_zeek_doctor📦 SolutionCorelightCorelight_v2_corelight_metrics_zeek_doctor_CL
corelight_corelight_overall_capture_loss📦 SolutionCorelightCorelight_v2_corelight_overall_capture_loss_CL
corelight_corelight_profiling📦 SolutionCorelightCorelight_v2_corelight_profiling_CL
corelight_datared📦 SolutionCorelightCorelight_v2_datared_CL
corelight_dce_rpc📦 SolutionCorelightCorelight_v2_dce_rpc_CL
corelight_dga📦 SolutionCorelightCorelight_v2_dga_CL
corelight_dhcp📦 SolutionCorelightCorelight_v2_dhcp_CL
corelight_dnp3📦 SolutionCorelightCorelight_v2_dnp3_CL
corelight_dns📦 SolutionCorelightCorelight_v2_dns_CL, Corelight_v2_dns_red_CL
corelight_dns_agg📦 SolutionCorelightCorelight_v2_dns_agg_CL
corelight_dns_red📦 SolutionCorelightCorelight_v2_dns_red_CL
corelight_dpd📦 SolutionCorelightCorelight_v2_dpd_CL
corelight_encrypted_dns📦 SolutionCorelightCorelight_v2_encrypted_dns_CL
corelight_enip📦 SolutionCorelightCorelight_v2_enip_CL
corelight_enip_debug📦 SolutionCorelightCorelight_v2_enip_debug_CL
corelight_enip_list_identity📦 SolutionCorelightCorelight_v2_enip_list_identity_CL
corelight_etc_viz📦 SolutionCorelightCorelight_v2_etc_viz_CL
corelight_files📦 SolutionCorelightCorelight_v2_files_CL, Corelight_v2_files_red_CL
corelight_files_agg📦 SolutionCorelightCorelight_v2_files_agg_CL
corelight_files_red📦 SolutionCorelightCorelight_v2_files_red_CL
corelight_first_seen📦 SolutionCorelightCorelight_v2_first_seen_CL
corelight_ftp📦 SolutionCorelightCorelight_v2_ftp_CL
corelight_generic_dns_tunnels📦 SolutionCorelightCorelight_v2_generic_dns_tunnels_CL
corelight_generic_icmp_tunnels📦 SolutionCorelightCorelight_v2_generic_icmp_tunnels_CL
corelight_http📦 SolutionCorelightCorelight_v2_http2_CL, Corelight_v2_http_CL, ...
corelight_http2📦 SolutionCorelightCorelight_v2_http2_CL
corelight_http_agg📦 SolutionCorelightCorelight_v2_http_agg_CL
corelight_http_red📦 SolutionCorelightCorelight_v2_http_red_CL
corelight_icmp_specific_tunnels📦 SolutionCorelightCorelight_v2_icmp_specific_tunnels_CL
corelight_intel📦 SolutionCorelightCorelight_v2_intel_CL
corelight_ipsec📦 SolutionCorelightCorelight_v2_ipsec_CL
corelight_irc📦 SolutionCorelightCorelight_v2_irc_CL
corelight_iso_cotp📦 SolutionCorelightCorelight_v2_iso_cotp_CL
corelight_kerberos📦 SolutionCorelightCorelight_v2_kerberos_CL
corelight_known_certs📦 SolutionCorelightCorelight_v2_known_certs_CL
corelight_known_devices📦 SolutionCorelightCorelight_v2_known_devices_CL
corelight_known_domains📦 SolutionCorelightCorelight_v2_known_domains_CL
corelight_known_hosts📦 SolutionCorelightCorelight_v2_known_hosts_CL
corelight_known_names📦 SolutionCorelightCorelight_v2_known_names_CL
corelight_known_remotes📦 SolutionCorelightCorelight_v2_known_remotes_CL
corelight_known_services📦 SolutionCorelightCorelight_v2_known_services_CL
corelight_known_users📦 SolutionCorelightCorelight_v2_known_users_CL
corelight_local_subnets📦 SolutionCorelightCorelight_v2_local_subnets_CL
corelight_local_subnets_dj📦 SolutionCorelightCorelight_v2_local_subnets_dj_CL
corelight_local_subnets_graphs📦 SolutionCorelightCorelight_v2_local_subnets_graphs_CL
corelight_log4shell📦 SolutionCorelightCorelight_v2_log4shell_CL
corelight_modbus📦 SolutionCorelightCorelight_v2_modbus_CL
corelight_mqtt_connect📦 SolutionCorelightCorelight_v2_mqtt_connect_CL
corelight_mqtt_publish📦 SolutionCorelightCorelight_v2_mqtt_publish_CL
corelight_mqtt_subscribe📦 SolutionCorelightCorelight_v2_mqtt_subscribe_CL
corelight_mysql📦 SolutionCorelightCorelight_v2_mysql_CL
corelight_notice📦 SolutionCorelightCorelight_v2_notice_CL
corelight_ntlm📦 SolutionCorelightCorelight_v2_ntlm_CL
corelight_ntp📦 SolutionCorelightCorelight_v2_ntp_CL
corelight_ocsp📦 SolutionCorelightCorelight_v2_ocsp_CL
corelight_openflow📦 SolutionCorelightCorelight_v2_openflow_CL
corelight_packet_filter📦 SolutionCorelightCorelight_v2_packet_filter_CL
corelight_pe📦 SolutionCorelightCorelight_v2_pe_CL
corelight_profinet📦 SolutionCorelightCorelight_v2_profinet_CL
corelight_profinet_dce_rpc📦 SolutionCorelightCorelight_v2_profinet_dce_rpc_CL
corelight_profinet_debug📦 SolutionCorelightCorelight_v2_profinet_debug_CL
corelight_radius📦 SolutionCorelightCorelight_v2_radius_CL
corelight_rdp📦 SolutionCorelightCorelight_v2_rdp_CL
corelight_reporter📦 SolutionCorelightCorelight_v2_reporter_CL
corelight_rfb📦 SolutionCorelightCorelight_v2_rfb_CL
corelight_s7comm📦 SolutionCorelightCorelight_v2_s7comm_CL
corelight_signatures📦 SolutionCorelightCorelight_v2_signatures_CL
corelight_sip📦 SolutionCorelightCorelight_v2_sip_CL
corelight_smartpcap📦 SolutionCorelightCorelight_v2_smartpcap_CL
corelight_smartpcap_stats📦 SolutionCorelightCorelight_v2_smartpcap_stats_CL
corelight_smb_files📦 SolutionCorelightCorelight_v2_smb_files_CL
corelight_smb_mapping📦 SolutionCorelightCorelight_v2_smb_mapping_CL
corelight_smtp📦 SolutionCorelightCorelight_v2_smtp_CL
corelight_smtp_links📦 SolutionCorelightCorelight_v2_smtp_links_CL
corelight_snmp📦 SolutionCorelightCorelight_v2_snmp_CL
corelight_socks📦 SolutionCorelightCorelight_v2_socks_CL
corelight_software📦 SolutionCorelightCorelight_v2_software_CL
corelight_specific_dns_tunnels📦 SolutionCorelightCorelight_v2_specific_dns_tunnels_CL
corelight_ssh📦 SolutionCorelightCorelight_v2_ssh_CL
corelight_ssl📦 SolutionCorelightCorelight_v2_ssl_CL, Corelight_v2_ssl_red_CL
corelight_ssl_agg📦 SolutionCorelightCorelight_v2_ssl_agg_CL
corelight_ssl_red📦 SolutionCorelightCorelight_v2_ssl_red_CL
corelight_stats📦 SolutionCorelightCorelight_v2_stats_CL
corelight_stepping📦 SolutionCorelightCorelight_v2_stepping_CL
corelight_stun📦 SolutionCorelightCorelight_v2_stun_CL
corelight_stun_nat📦 SolutionCorelightCorelight_v2_stun_nat_CL
corelight_suri_aggregations📦 SolutionCorelight?
corelight_suricata_corelight📦 SolutionCorelightCorelight_v2_suricata_corelight_CL
corelight_suricata_eve📦 SolutionCorelightCorelight_v2_suricata_eve_CL
corelight_suricata_stats📦 SolutionCorelightCorelight_v2_suricata_stats_CL
corelight_suricata_zeek_stats📦 SolutionCorelightCorelight_v2_suricata_zeek_stats_CL
corelight_syslog📦 SolutionCorelightCorelight_v2_syslog_CL
corelight_tds📦 SolutionCorelightCorelight_v2_tds_CL
corelight_tds_rpc📦 SolutionCorelightCorelight_v2_tds_rpc_CL
corelight_tds_sql_batch📦 SolutionCorelightCorelight_v2_tds_sql_batch_CL
corelight_traceroute📦 SolutionCorelightCorelight_v2_traceroute_CL
corelight_tunnel📦 SolutionCorelightCorelight_v2_tunnel_CL
corelight_unknown_smartpcap📦 SolutionCorelightCorelight_v2_unknown_smartpcap_CL
corelight_util_stats📦 SolutionCorelightCorelight_v2_util_stats_CL
corelight_vpn📦 SolutionCorelightCorelight_v2_vpn_CL
corelight_weird📦 SolutionCorelightCorelight_v2_weird_CL
corelight_weird_agg📦 SolutionCorelightCorelight_v2_weird_agg_CL
corelight_weird_red📦 SolutionCorelightCorelight_v2_weird_red_CL
corelight_weird_stats📦 SolutionCorelightCorelight_v2_weird_stats_CL
corelight_wireguard📦 SolutionCorelightCorelight_v2_wireguard_CL
corelight_x509📦 SolutionCorelightCorelight_v2_x509_CL, Corelight_v2_x509_red_CL
corelight_x509_red📦 SolutionCorelightCorelight_v2_x509_red_CL
corelight_zeek_doctor📦 SolutionCorelightCorelight_v2_zeek_doctor_CL
CortexXDR_Incidents_CL📦 SolutionCortex XDRCortexXDR_Incidents_CL, PaloAltoCortexXDR_Incidents_CL
CPEMAlerts📦 SolutionCheck Point Cyberint Alertsargsentdc_CL
CriblAccess📦 SolutionCriblCriblAccess_CL
CriblAudit📦 SolutionCriblCriblAudit_CL
CriblInternal📦 SolutionCriblCriblInternal_CL
CriblUIAccess📦 SolutionCriblCriblUIAccess_CL
CrowdStrikeFalconEventStream📦 SolutionCrowdStrike Falcon Endpoint ProtectionCommonSecurityLog
CrowdStrikeReplicator📦 SolutionCrowdStrike Falcon Endpoint ProtectionCrowdstrikeReplicatorLogs_CL
CrowdStrikeReplicator 🔍📦 SolutionCrowdStrike Falcon Endpoint ProtectionCrowdstrikeReplicatorLogs_CL
CrowdStrikeReplicatorV2📦 SolutionCrowdStrike Falcon Endpoint ProtectionASimAuditEventLogs, ASimAuthenticationEventLogs, ...
CyberArkEPM📦 SolutionCyberArkEPMCyberArkEPM_CL
CyjaxCorrelate📦 SolutionCyjaxThreatIntelIndicators
CyjaxThreatIndicator📦 SolutionCyjaxThreatIntelIndicators
CylancePROTECT📦 SolutionBlackberry CylancePROTECTSyslog, syslog
CylancePROTECT-old 🔍📦 SolutionBlackberry CylancePROTECTSyslog
CymruScoutAccountUsage📦 SolutionTeam Cymru ScoutCymru_Scout_Account_Usage_Data_CL
CymruScoutCommunicationsData📦 SolutionTeam Cymru ScoutCommunication_Data_CL
CymruScoutCorrelate📦 SolutionTeam Cymru ScoutThreatIntelligenceIndicator
CymruScoutDomain📦 SolutionTeam Cymru ScoutCymru_Scout_Domain_Data_CL
CymruScoutDomainData📦 SolutionTeam Cymru ScoutDomain_Data_CL
CymruScoutFingerprintsData📦 SolutionTeam Cymru ScoutFingerprints_Data_CL
CymruScoutIdentity📦 SolutionTeam Cymru ScoutIdentity_Data_CL
| Parser | Status | Solution | Tables |
|---|---|---|---|
| CymruScoutIP | 📦 Solution | Team Cymru Scout | Cymru_Scout_IP_Data_Details_CL, Cymru_Scout_IP_Data_Foundation_CL, ... |
| CymruScoutOpenPortsData | 📦 Solution | Team Cymru Scout | Open_Ports_Data_CL |
| CymruScoutPdnsData | 📦 Solution | Team Cymru Scout | PDNS_Data_CL |
| CymruScoutProtoByIP | 📦 Solution | Team Cymru Scout | Proto_By_IP_Data_CL |
| CymruScoutSummary | 📦 Solution | Team Cymru Scout | Summary_Details_CL |
| CymruScoutSummaryTopCerts | 📦 Solution | Team Cymru Scout | Summary_Details_Top_Certs_Data_CL |
| CymruScoutSummaryTopFingerprints | 📦 Solution | Team Cymru Scout | Summary_Details_Top_Fingerprints_Data_CL |
| CymruScoutSummaryTopOpenPorts | 📦 Solution | Team Cymru Scout | Summary_Details_Top_Open_Ports_Data_CL |
| CymruScoutSummaryTopPdns | 📦 Solution | Team Cymru Scout | Summary_Details_Top_Pdns_Data_CL |
| CymruScoutTopAsnsByIP | 📦 Solution | Team Cymru Scout | Top_Asns_By_IP_Data_CL |
| CymruScoutTopCountryCodesByIP | 📦 Solution | Team Cymru Scout | Top_Country_Codes_By_IP_Data_CL |
| CymruScoutTopServicesByIP | 📦 Solution | Team Cymru Scout | Top_Services_By_IP_Data_CL |
| CymruScoutTopTagsByIP | 📦 Solution | Team Cymru Scout | Top_Tags_By_IP_Data_CL |
| CymruScoutWhois | 📦 Solution | Team Cymru Scout | Whois_Data_CL |
| CymruScoutX509Data | 📦 Solution | Team Cymru Scout | X509_Data_CL |
| CynerioEvent_Authentication | 🔍📦 Solution | Cynerio | CynerioEvent_CL |
| CynerioEvent_NetworkSession | 🔍📦 Solution | Cynerio | CynerioEvent_CL |
| DataminrPulseAlerts | 📦 Solution | Dataminr Pulse | DataminrPulse_Alerts_CL, watchlist |
| DataminrPulseCyberAlerts | 📦 Solution | Dataminr Pulse | DataminrPulse_Alerts_CL, watchlist |
| DataverseSharePointSites | 📦 Solution | Microsoft Business Applications | ? |
| DefendAuditData | 🔍📦 Solution | Egress Defend | EgressDefend_CL |
| DefendAuditData | 📦 Solution | KnowBe4 Defend | KnowBe4Defend_CL |
| Devicefromip | 📦 Solution | MicrosoftDefenderForEndpoint | DeviceNetworkInfo |
| DigitalGuardianDLPEvent | 📦 Solution | Digital Guardian Data Loss Prevention | Syslog |
| DomainToolsDNSActivity | 📦 Solution | DomainTools | DomainToolsDomainEnrichment_CL |
| DragosNotificationsToSentinel | 📦 Solution | Dragos | SecurityAlert |
| DragosPullNotificationsToSentinel | 📦 Solution | Dragos | DragosAlerts_CL, SecurityAlert |
| DragosPushNotificationsToSentinel | 📦 Solution | Dragos | CommonSecurityLog |
| DragosSeverityToSentinelSeverity | 📦 Solution | Dragos | ? |
| dsp_parser | 📦 Solution | Semperis Directory Services Protector | SecurityEvent |
| DSTIMCorrelatedLogs | 📂 Legacy | | DSTIMAccess_CL, DSTIMClassification_CL, ... |
| DuoSecurityAdministrator | 📂 Legacy | | DuoSecurityAdministrator_CL |
| DuoSecurityAuthentication | 📂 Legacy | | DuoSecurityAuthentication_CL |
| DuoSecurityOfflineEnrollment | 📂 Legacy | | DuoSecurityOfflineEnrollment_CL |
| DuoSecurityTelephony | 📂 Legacy | | DuoSecurityTelephony_CL |
| DuoSecurityTrustMonitor | 📂 Legacy | | DuoSecurityTrustMonitor_CL |
| DynatraceAttacks | 📦 Solution | Dynatrace | DynatraceAttacksV2_CL, DynatraceAttacks_CL |
| DynatraceAuditLogs | 📦 Solution | Dynatrace | DynatraceAuditLogsV2_CL, DynatraceAuditLogs_CL |
| DynatraceProblems | 📦 Solution | Dynatrace | DynatraceProblemsV2_CL, DynatraceProblems_CL |
| DynatraceSecurityProblems | 📦 Solution | Dynatrace | DynatraceSecurityProblemsV2_CL, DynatraceSecurityProblems_CL |
| ElasticAgentEvent | 🔍📦 Solution | ElasticAgent | ElasticAgentLogs_CL |
| ESETPROTECT | 📦 Solution | ESETPROTECT | Syslog |
| ESETProtectPlatform | 📦 Solution | ESET Protect Platform | IntegrationTable_CL |
| EventIncident | 📦 Solution | Netskopev2 | eventsincidentdata_CL |
| EventsApplication | 📦 Solution | Netskopev2 | eventsapplicationdata_CL |
| EventsAudit | 📦 Solution | Netskopev2 | eventsauditdata_CL |
| EventsConnection | 📦 Solution | Netskopev2 | eventsconnectiondata_CL |
| EventsNetwork | 📦 Solution | Netskopev2 | eventsnetworkdata_CL |
| EventsPage | 📦 Solution | Netskopev2 | eventspagedata_CL |
| ExabeamEvent | 📦 Solution | Exabeam Advanced Analytics | Syslog |
| ExchangeAdminAuditLogs | 📦 Solution | Microsoft Exchange Security - Exchange On-Premises | Event |
| ExchangeConfiguration | 📦 Solution | Microsoft Exchange Security - Exchange On-Premises | ? |
| ExchangeConfiguration | 📦 Solution | Microsoft Exchange Security - Exchange Online | ? |
| ExchangeEnvironmentList | 📦 Solution | Microsoft Exchange Security - Exchange On-Premises | ? |
| ExchangeEnvironmentList | 📦 Solution | Microsoft Exchange Security - Exchange Online | ? |
| ExtraHopDetections | 📦 Solution | ExtraHop | ExtraHop_Detections_CL |
| FireEyeNXEvent | 📦 Solution | FireEye Network Security | CommonSecurityLog |
| ForescoutEvent | 📦 Solution | Forescout (Legacy) | Syslog |
| ForgeRockParser | 📦 Solution | ForgeRock Common Audit for CEF | CommonSecurityLog |
| Fortinet_FortiNDR_Cloud | 📦 Solution | Fortinet FortiNDR Cloud | FncEventsDetections_CL, FncEventsObservation_CL, ... |
| Fortiweb | 📦 Solution | Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel | CommonSecurityLog |
| GCP_IAM | 📦 Solution | GoogleCloudPlatformIAM | GCPIAM, GCP_IAM_CL |
| GCP_MONITOR | 📦 Solution | Google Cloud Platform Cloud Monitoring | GCP_MONITORINGV2_CL, GCP_MONITORING_CL |
| GCPCloudDNS | 📦 Solution | GoogleCloudPlatformDNS | GCPDNS, GCP_DNS_CL |
| GetClassificationList | 📂 Legacy | | ? |
| getForgeRockUsers | 🔍📦 Solution | ForgeRock Common Audit for CEF | CommonSecurityLog |
| GitHubAudit | 📂 Legacy | | GitHub_CL |
| GitHubAuditData | 📦 Solution | GitHub | GitHubAuditLogPolling_CL, GitHubAuditLogsV2_CL |
| GitHubCodeScanningData | 📦 Solution | GitHub | githubscanaudit_CL |
| GitHubDependabotData | 📦 Solution | GitHub | githubscanaudit_CL |
| GitHubRepo | 📂 Legacy | | GitHubRepoLogs_CL |
| githubscanaudit | 📦 Solution | GitHub | GitHubAdvancedSecurityAlerts_CL, githubscanaudit_CL |
| GitHubSecretScanningData | 📦 Solution | GitHub | githubscanaudit_CL |
| GitLabAccess | 📦 Solution | GitLab | Syslog |
| GitLabApp | 📦 Solution | GitLab | Syslog |
| GitLabAudit | 📦 Solution | GitLab | Syslog |
| Guardian | 📦 Solution | AIShield AI Security Monitoring | Guardian_CL |
| GWorkspaceActivityReports | 📦 Solution | GoogleWorkspaceReports | GWorkspace_ReportsAPI_access_transparency_CL, GWorkspace_ReportsAPI_admin_CL, ... |
| HackerViewLog | 🔍📦 Solution | CTM360 | HackerViewLog_AzureV2_CL, HackerViewLog_Azure_1_CL |
| HYASProtectDNSActivity | 📦 Solution | HYAS Protect | HYASProtectDnsSecurityLogs_CL |
| ibossUrlEvent | 📦 Solution | iboss | CommonSecurityLog |
| IllumioCoreEvent | 📦 Solution | Illumio Core | CommonSecurityLog |
| IllumioSyslogAuditEvents | 📦 Solution | IllumioSaaS | Syslog |
| IllumioSyslogNetworkTrafficEvents | 📦 Solution | IllumioSaaS | IllumioFlowEventsV2_CL, Syslog |
| ImpervaWAFCloud | 📦 Solution | ImpervaCloudWAF | ImpervaWAFCloudV2_CL, ImpervaWAFCloud_CL, ... |
| Infoblox | 📦 Solution | Infoblox NIOS | ? |
| Infoblox_allotherdhcpdTypes | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_allotherdnsTypes | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_allotherlogTypes | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcp_consolidated | 📦 Solution | Infoblox NIOS | ? |
| Infoblox_dhcpack | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpadded | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpbindupdate | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpdiscover | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpexpire | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpinform | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpoffer | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpoption | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpother | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcprelease | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpremoved | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcprequest | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dhcpsession | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dns_consolidated | 📦 Solution | Infoblox NIOS | ? |
| Infoblox_dnsclient | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dnsgss | 📦 Solution | Infoblox NIOS | Syslog |
| Infoblox_dnszone | 📦 Solution | Infoblox NIOS | Syslog |
| InfobloxCDC | 📦 Solution | Infoblox Cloud Data Connector | CommonSecurityLog |
| InfobloxCDC_SOCInsights | 📦 Solution | Infoblox | CommonSecurityLog |
| InfobloxCDC_SOCInsights | 📦 Solution | Infoblox SOC Insights | CommonSecurityLog |
| InfobloxInsight | 📦 Solution | Infoblox | InfobloxInsight_CL |
| InfobloxInsight | 📦 Solution | Infoblox SOC Insights | InfobloxInsight_CL |
| InfobloxInsightAssets | 📦 Solution | Infoblox | InfobloxInsightAssets_CL |
| InfobloxInsightAssets | 📦 Solution | Infoblox SOC Insights | InfobloxInsightAssets_CL |
| InfobloxInsightComments | 📦 Solution | Infoblox | InfobloxInsightComments_CL |
| InfobloxInsightComments | 📦 Solution | Infoblox SOC Insights | InfobloxInsightComments_CL |
| InfobloxInsightEvents | 📦 Solution | Infoblox | InfobloxInsightEvents_CL |
| InfobloxInsightEvents | 📦 Solution | Infoblox SOC Insights | InfobloxInsightEvents_CL |
| InfobloxInsightIndicators | 📦 Solution | Infoblox | InfobloxInsightIndicators_CL |
| InfobloxInsightIndicators | 📦 Solution | Infoblox SOC Insights | InfobloxInsightIndicators_CL |
| InfobloxNIOS | 📂 Legacy | | Syslog |
| InsightVMAssets | 📦 Solution | Rapid7InsightVM | NexposeInsightVMCloud_assets_CL, Rapid7InsightVMCloudAssets |
| InsightVMVulnerabilities | 📦 Solution | Rapid7InsightVM | NexposeInsightVMCloud_vulnerabilities_CL, Rapid7InsightVMCloudVulnerabilities |
| ISCBind | 📦 Solution | ISC Bind | Syslog |
| IvantiUEMEvent | 📦 Solution | Ivanti Unified Endpoint Management | Syslog |
| JamfProtectAlerts | 📦 Solution | Jamf Protect | jamfprotectalerts_CL |
| JamfProtectNetworkTraffic | 📦 Solution | Jamf Protect | jamfprotect_CL |
| JamfProtectTelemetry | 📦 Solution | Jamf Protect | jamfprotecttelemetryv2_CL |
| JamfProtectThreatEvents | 📦 Solution | Jamf Protect | jamfprotect_CL |
| JamfProtectUnifiedLogs | 📦 Solution | Jamf Protect | jamfprotectunifiedlogs_CL |
| JBossEvent | 📦 Solution | JBoss | JBossLogs_CL |
| JiraAudit | 📦 Solution | AtlassianJiraAudit | Jira_Audit_CL, Jira_Audit_v2_CL |
| JuniperIDP | 📦 Solution | JuniperIDP | JuniperIDP_CL |
| JuniperSRX | 📦 Solution | Juniper SRX | Syslog |
| LookoutCSActivities | 📦 Solution | Lookout Cloud Security Platform for Microsoft Sentinel | LookoutCloudSecurity_CL |
| LookoutCSAnomalies | 📦 Solution | Lookout Cloud Security Platform for Microsoft Sentinel | LookoutCloudSecurity_CL |
| LookoutCSViolations | 📦 Solution | Lookout Cloud Security Platform for Microsoft Sentinel | LookoutCloudSecurity_CL |
| LookoutEvents | 📦 Solution | Lookout | LookoutMtdV2_CL |
| MapNetflowUsername | 🔍📦 Solution | Cisco SD-WAN | ? |
| MarkLogicAudit | 📦 Solution | MarkLogicAudit | MarkLogicAudit_CL |
| McAfeeCommonSecurityLog | 📂 Legacy | | CommonSecurityLog |
| McAfeeEPOEvent | 📦 Solution | McAfee ePolicy Orchestrator | Syslog |
| McAfeeNSPEvent | 📦 Solution | McAfee Network Security Platform | Syslog |
| MCASActivity | 📂 Legacy | | MCASActivity_CL |
| MerakiConfigurationChanges | 📂 Legacy | | MerakiConfigurationChanges_CL |
| MerakiSecurityEvents | 📂 Legacy | | MerakiSecurityEvents_CL |
| MESCheckOnlineVIP | 📦 Solution | Microsoft Exchange Security - Exchange Online | ? |
| MESCheckVIP | 📦 Solution | Microsoft Exchange Security - Exchange On-Premises | ? |
| MESCompareDataMRA | 📦 Solution | Microsoft Exchange Security - Exchange Online | ESIExchangeOnlineConfig_CL |
| MESCompareDataOnPMRA | 📦 Solution | Microsoft Exchange Security - Exchange On-Premises | ESIExchangeConfig_CL |
| MESOfficeActivityLogs | 📦 Solution | Microsoft Exchange Security - Exchange Online | OfficeActivity |
| MimecastAudit | 📦 Solution | Mimecast | Audit_CL |
| MimecastCG | 📦 Solution | Mimecast | Seg_Cg_CL |
| MimecastCloudIntegrated | 📦 Solution | Mimecast | Cloud_Integrated_CL |
| MimecastDLP | 📦 Solution | Mimecast | Seg_Dlp_CL |
| MimecastTTPAttachment | 📦 Solution | Mimecast | Ttp_Attachment_CL |
| MimecastTTPImpersonation | 📦 Solution | Mimecast | Ttp_Impersonation_CL |
| MimecastTTPUrl | 📦 Solution | Mimecast | Ttp_Url_CL |
| MongoDBAudit | 📦 Solution | MongoDBAudit | MongoDBAudit_CL |
| Morphisec | 📦 Solution | Morphisec | MorphisecAlerts_CL |
| MSBizAppsNetworkAddresses | 📦 Solution | Microsoft Business Applications | ? |
| MSBizAppsOrgSettings | 📦 Solution | Microsoft Business Applications | ? |
| MSBizAppsTerminatedEmployees | 📦 Solution | Microsoft Business Applications | ? |
| MSBizAppsVIPUsers | 📦 Solution | Microsoft Business Applications | ? |
| MuleSoftCloudhub | 📦 Solution | Mulesoft | MuleSoft_Cloudhub_CL |
| Netskope | 🔍📦 Solution | Netskope | Netskope_CL |
| NetskopeAlerts | 📦 Solution | Netskopev2 | NetskopeAlerts_CL |
| NetskopeCCFWebTransactions | 📦 Solution | Netskopev2 | NetskopeWebTransactions_CL |
| NetskopeCEAlerts | 📦 Solution | Netskopev2 | Netskope_Alerts_CL |
| NetskopeCEEventsApplication | 📦 Solution | Netskopev2 | Netskope_Events_CL |
| NetskopeCEWebTransactions | 📦 Solution | Netskopev2 | Netskope_WebTX_CL |
| NetskopeEventsApplication | 📦 Solution | Netskopev2 | NetskopeEventsApplication_CL |
| NetskopeEventsAudit | 📦 Solution | Netskopev2 | NetskopeEventsAudit_CL |
| NetskopeEventsConnection | 📦 Solution | Netskopev2 | NetskopeEventsConnection_CL |
| NetskopeEventsDLP | 📦 Solution | Netskopev2 | NetskopeEventsDLP_CL |
| NetskopeEventsEndpoint | 📦 Solution | Netskopev2 | NetskopeEventsEndpoint_CL |
| NetskopeEventsInfrastructure | 📦 Solution | Netskopev2 | NetskopeEventsInfrastructure_CL |
| NetskopeEventsNetwork | 📦 Solution | Netskopev2 | NetskopeEventsNetwork_CL |
| NetskopeEventsPage | 📦 Solution | Netskopev2 | NetskopeEventsPage_CL |
| NetskopeWebTransactions | 📦 Solution | Netskopev2 | NetskopeWebtxData_CL |
| NetskopeWebtx | 📦 Solution | NetskopeWebTx | NetskopeWebTransactions_CL |
| NetwrixAuditor | 📦 Solution | Netwrix Auditor | CommonSecurityLog |
| NGINXHTTPServer | 📦 Solution | NGINX HTTP Server | NGINX_CL |
| NozomiNetworksEvents | 📦 Solution | NozomiNetworks | CommonSecurityLog |
| NXLog_parsed_AIX_Audit_view | 🔍📦 Solution | NXLogAixAudit | AIX_Audit_CL |
| OCILogs | 📦 Solution | Oracle Cloud Infrastructure | OCI_LogsV2_CL, OCI_Logs_CL |
| OktaSSO | 📦 Solution | Okta Single Sign-On | OktaV2_CL, Okta_CL |
| OnapsisLookup | 📦 Solution | Onapsis Platform | ? |
| OneIdentity_Safeguard | 🔍📦 Solution | OneIdentity | CommonSecurityLog |
| OneLogin | 📦 Solution | OneLoginIAM | OneLoginEventsV2_CL, OneLoginUsersV2_CL, ... |
| OneLoginEvents | 📂 Legacy | | oneLogin_CL |
| OpenVpnEvent | 📦 Solution | OpenVPN | Syslog |
| OracleDatabaseAuditEvent | 📦 Solution | OracleDatabaseAudit | Syslog |
| OracleWebLogicServerEvent | 📦 Solution | OracleWebLogicServer | OracleWebLogicServer_CL |
| OSSECEvent | 📦 Solution | OSSEC | CommonSecurityLog |
| PaloAltoCDLEvent | 📦 Solution | PaloAltoCDL | CommonSecurityLog |
| PaloAltoPrismaCloud | 📦 Solution | PaloAltoPrismaCloud | PaloAltoPrismaCloudAlertV2_CL, PaloAltoPrismaCloudAlert_CL, ... |
| pfsensefilterlog | 📂 Legacy | | CommonSecurityLog |
| pfsensenginx | 📂 Legacy | | CommonSecurityLog |
| PingFederateEvent | 📦 Solution | PingFederate | CommonSecurityLog |
| PostgreSQLEvent | 📦 Solution | PostgreSQL | PostgreSQL_CL |
| ProofpointPOD | 📦 Solution | Proofpoint On demand(POD) Email Security | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ... |
| ProofpointTAPEvent | 📦 Solution | ProofPointTap | ProofPointTAPClicksBlockedV2_CL, ProofPointTAPClicksBlocked_CL, ... |
| PulseConnectSecure | 📦 Solution | Pulse Connect Secure | Syslog |
| PureStorageFlashArrayParserV1 | 📦 Solution | Pure Storage | Syslog |
| PureStorageFlashBladeParserV1 | 📦 Solution | Pure Storage | Syslog |
| QualysHostDetection | 📦 Solution | QualysVM | QualysHostDetectionV2_CL, QualysHostDetectionV3_CL, ... |
| QualysKB | 📦 Solution | Qualys VM Knowledgebase | QualysKB_CL, QualysKnowledgeBase |
| RadiflowEvent | 📦 Solution | Radiflow | CommonSecurityLog |
| RSASecurIDAMEvent | 📦 Solution | RSA SecurID | Syslog |
| SalesforceServiceCloud | 📦 Solution | Salesforce Service Cloud | SalesforceServiceCloudV2_CL, SalesforceServiceCloud_CL |
| SentinelOne | 📦 Solution | SentinelOne | SentinelOneActivities_CL, SentinelOneAgents_CL, ... |
| SlackAudit | 📦 Solution | SlackAudit | SlackAuditNativePoller_CL, SlackAuditV2_CL, ... |
| Snowflake | 📦 Solution | Snowflake | SnowflakeLoad_CL, SnowflakeLogin_CL, ... |
| SophosEPEvent | 📦 Solution | Sophos Endpoint Protection | ? |
| SophosXGFirewall | 📦 Solution | Sophos XG Firewall | Syslog |
| SQLServer_Parser | 📂 Legacy | | Event |
| SquidProxy | 📦 Solution | SquidProxy | SquidProxy_CL |
| StealthDefend | 📂 Legacy | | CommonSecurityLog |
| StealthwatchEvent | 📦 Solution | Cisco Secure Cloud Analytics | Syslog |
| SymantecDLP | 📦 Solution | Broadcom SymantecDLP | CommonSecurityLog |
| SymantecEndpointProtection | 📦 Solution | Symantec Endpoint Protection | Syslog |
| SymantecProxySG | 📂 Legacy | | Syslog |
| SymantecProxySG | 📦 Solution | SymantecProxySG | Syslog |
| SymantecVIP | 📦 Solution | Symantec VIP | Syslog |
| SyslogEventTypeData | 📂 Legacy | | Syslog |
| SyslogExecve | 📂 Legacy | | Syslog |
| SyslogSyscall | 📂 Legacy | | Syslog |
| SyslogUserErr | 📂 Legacy | | Syslog |
| Sysmon-AllVersions_Parser | 📂 Legacy | | Event |
| Sysmon-v10.42-Parser | 📂 Legacy | | Event |
| Sysmon-v11.0 | 📂 Legacy | | Event |
| Sysmon-v12.0 | 📂 Legacy | | Event |
| Sysmon-v9.10-Parser | 📂 Legacy | | Event |
| TenableIOAssets | 🔍📦 Solution | TenableIO | Tenable_IO_Assets_CL |
| TenableIOVulnerabilities | 🔍📦 Solution | TenableIO | Tenable_IO_Vuln_CL |
| TenableVMAssets | 📦 Solution | Tenable App | Tenable_VM_Asset_CL |
| TenableVMVulnerabilities | 📦 Solution | Tenable App | Tenable_VM_Vuln_CL |
| TheHive | 🔍📦 Solution | TheHive | TheHive_CL |
| ThreatIntelIndicatorsv2 | 📦 Solution | Threat Intelligence (NEW) | ThreatIntelIndicators |
| TMApexOneEvent | 📦 Solution | Trend Micro Apex One | CommonSecurityLog |
| TomcatEvent | 📦 Solution | Tomcat | Tomcat_CL |
| TrellixEvents | 📦 Solution | Trellix | TrellixEvents_CL |
| TrendMicroCAS | 🔍📦 Solution | Trend Micro Cloud App Security | TrendMicroCAS_CL |
| TrendMicroDeepSecurity | 📦 Solution | Trend Micro Deep Security | CommonSecurityLog |
| TrendMicroTippingPoint | 📦 Solution | Trend Micro TippingPoint | CommonSecurityLog |
| UbiquitiAuditEvent | 📦 Solution | Ubiquiti UniFi | Ubiquiti_CL |
| Unified_ApigeeX | 📦 Solution | Google Apigee | ApigeeXV2_CL, ApigeeX_CL |
| vCenter | 📦 Solution | VMware vCenter | vcenter_CL |
| vectra_beacon | 📦 Solution | Vectra AI Stream | vectra_beacon_CL |
| vectra_dcerpc | 📦 Solution | Vectra AI Stream | vectra_dcerpc_CL |
| vectra_dhcp | 📦 Solution | Vectra AI Stream | vectra_dhcp_CL |
| vectra_dns | 📦 Solution | Vectra AI Stream | vectra_dns_CL |
| vectra_http | 📦 Solution | Vectra AI Stream | vectra_http_CL |
| vectra_isession | 📦 Solution | Vectra AI Stream | vectra_isession_CL |
| vectra_kerberos | 📦 Solution | Vectra AI Stream | vectra_kerberos_CL |
| vectra_ldap | 📦 Solution | Vectra AI Stream | vectra_ldap_CL |
| vectra_match | 📦 Solution | Vectra AI Stream | vectra_match_CL |
| vectra_ntlm | 📦 Solution | Vectra AI Stream | vectra_ntlm_CL |
| vectra_radius | 📦 Solution | Vectra AI Stream | vectra_radius_CL |
| vectra_rdp | 📦 Solution | Vectra AI Stream | vectra_rdp_CL |
| vectra_smbfiles | 📦 Solution | Vectra AI Stream | vectra_smbfiles_CL |
| vectra_smbmapping | 📦 Solution | Vectra AI Stream | vectra_smbmapping_CL |
| vectra_smtp | 📦 Solution | Vectra AI Stream | vectra_smtp_CL |
| vectra_ssh | 📦 Solution | Vectra AI Stream | vectra_ssh_CL |
| vectra_ssl | 📦 Solution | Vectra AI Stream | vectra_ssl_CL |
| vectra_stream | 📦 Solution | Vectra AI Stream | ? |
| vectra_x509 | 📦 Solution | Vectra AI Stream | vectra_x509_CL |
| VectraAudits | 📦 Solution | Vectra XDR | Audits_Data_CL |
| VectraDetections | 📦 Solution | Vectra XDR | Detections_Data_CL |
| VectraEntityScoring | 📦 Solution | Vectra XDR | Entity_Scoring_Data_CL |
| VectraHealth | 📦 Solution | Vectra XDR | Health_Data_CL |
| VectraLockdown | 📦 Solution | Vectra XDR | Lockdown_Data_CL |
| VectraStream_function | 📦 Solution | Vectra AI Stream | VectraStream_CL |
| Veeam_GetFinishedConfigurationBackupSessions | 📦 Solution | Veeam | Syslog |
| Veeam_GetJobFinished | 📦 Solution | Veeam | Syslog |
| Veeam_GetSecurityEvents | 📦 Solution | Veeam | Syslog |
| Veeam_GetVeeamONEAlarms | 📦 Solution | Veeam | Syslog |
| VersasecCmsError | 📦 Solution | VersasecCMS | VersasecCmsErrorLogs_CL |
| VersasecCmsSyslog | 📦 Solution | VersasecCMS | VersasecCmsSysLogs_CL |
| vimNetworkSessionOpenSystemsFirewall | 🔍📦 Solution | Open Systems | OpenSystemsFirewallLogs_CL |
| vimWebSessionOpenSystemsProxySecureWebGateway | 🔍📦 Solution | Open Systems | OpenSystemsProxyLogs_CL |
| VMwareESXi | 📦 Solution | VMWareESXi | Syslog |
| VotiroEvents | 📦 Solution | Votiro | CommonSecurityLog |
| WatchGuardFirebox | 🔍📦 Solution | Watchguard Firebox | Syslog |
| Workplace_Facebook | 🔍📦 Solution | Workplace from Facebook | Workplace_Facebook_CL |
| ZNSegmentAudit | 📦 Solution | ZeroNetworks | ZNAudit_CL, ZNSegmentAuditNativePoller_CL |
| Zoom | 📂 Legacy | | Zoom_CL |
| Zoom | 📦 Solution | ZoomReports | Zoom_CL |
| ZPAEvent | 📦 Solution | Zscaler Private Access (ZPA) | ZPA_CL |

Legend: 📦 In solution package; 📂 Legacy parser (Parsers folder); 🔍 Discovered (not in solution JSON)
| Parser | Schema | Type | Product | Version | Solutions |
|---|---|---|---|---|---|
| ASimAgentEvent | AgentEvent | Unifying | Source agnostic | 0.1.0 | |
| imAgentEvent | AgentEvent | Unifying | Source agnostic | 0.1.0 | |
| ASimAlertEventMicrosoftDefenderXDR | AlertEvent | Source | Microsoft Defender XDR | 0.2.0 | |
| ASimAlertEventSentinelOneSingularity | AlertEvent | Source | SentinelOne | 0.1.0 | |
| ASimAlertEvent | AlertEvent | Unifying | Source agnostic | 0.1.0 | |
| imAlertEvent | AlertEvent | Unifying | Source agnostic | 0.1.0 | |
| ASimAssetEntity | AssetEntity | Unifying | Source agnostic | 0.1.0 | |
| imAssetEntity | AssetEntity | Unifying | Source agnostic | 0.1.0 | |
| ASimAuditEventAWSCloudTrail | AuditEvent | Source | AWS CloudTrail | 0.1.0 | Amazon Web Services |
| ASimAuditEventAzureActivity | AuditEvent | Source | Microsoft Azure | 0.3.0 | Azure Activity |
| ASimAuditEventAzureKeyVault | AuditEvent | Source | Azure Key Vault | 0.1.0 | |
| ASimAuditEventBarracudaCEF | AuditEvent | Source | Barracuda WAF | 0.2.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuditEventBarracudaWAF | AuditEvent | Source | Barracuda WAF | 0.2.1 | |
| ASimAuditEventCiscoISE | AuditEvent | Source | Cisco ISE | 0.1.0 | Syslog |
| ASimAuditEventCiscoMeraki | AuditEvent | Source | Cisco Meraki | 0.2.1 | CiscoMeraki, CustomLogsAma |
| ASimAuditEventCiscoMerakiSyslog | AuditEvent | Source | Cisco Meraki | 0.2.1 | Syslog |
| ASimAuditEventCrowdStrikeFalconHost | AuditEvent | Source | CrowdStrike Falcon Endpoint Protection | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuditEventIllumioSaaSCore | AuditEvent | Source | Illumio Core | 0.2.1 | IllumioSaaS |
| ASimAuditEventInfobloxBloxOne | AuditEvent | Source | Infoblox BloxOne | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuditEventMicrosoftEvent | AuditEvent | Source | Microsoft Windows | 0.2.1 | |
| ASimAuditEventMicrosoftExchangeAdmin365 | AuditEvent | Source | Microsoft SharePoint | 0.2 | |
| ASimAuditEventMicrosoftSecurityEvents | AuditEvent | Source | Microsoft Windows | 0.2.1 | Windows Security Events |
| ASimAuditEventMicrosoftWindowsEvents | AuditEvent | Source | Microsoft Windows | 0.2.1 | Windows Forwarded Events |
| ASimAuditEventNative | AuditEvent | Source | Native | 0.1.0 | Cisco Meraki Events via REST API, SynqlyIntegrationConnector, Workday |
| ASimAuditEventSentinelOne | AuditEvent | Source | SentinelOne | 0.1.0 | |
| ASimAuditEventSQLSecurityAudit | AuditEvent | Source | SQLSecurityAudit Logs | 0.1.0 | |
| ASimAuditEventVectraXDRAudit | AuditEvent | Source | Vectra | 0.1.1 | Vectra XDR |
| ASimAuditEventVMwareCarbonBlackCloud | AuditEvent | Source | VMware Carbon Black Cloud | 0.2.0 | |
| ASimAuditEvent | AuditEvent | Unifying | Source agnostic | 0.1.7 | |
| imAuditEvent | AuditEvent | Unifying | Source agnostic | 0.1.6 | |
| ASimAuthenticationAADManagedIdentitySignInLogs | Authentication | Source | Microsoft Entra ID | 0.2.3 | Microsoft Entra ID |
| ASimAuthenticationAADNonInteractiveUserSignInLogs | Authentication | Source | Microsoft Entra ID | 0.2.3 | Microsoft Entra ID |
| ASimAuthenticationAADServicePrincipalSignInLogs | Authentication | Source | Microsoft Entra ID | 0.2.3 | Microsoft Entra ID |
| ASimAuthenticationAWSCloudTrail | Authentication | Source | AWS | 0.2.2 | Amazon Web Services |
| ASimAuthenticationBarracudaWAF | Authentication | Source | Barracuda WAF | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuthenticationCiscoASA | Authentication | Source | Cisco Adaptive Security Appliance (ASA) | 0.1.1 | CiscoASA, Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuthenticationCiscoIOS | Authentication | Source | Cisco IOS | 0.1.1 | Syslog |
| ASimAuthenticationCiscoISE | Authentication | Source | Cisco ISE | 0.1.0 | Syslog |
| ASimAuthenticationCiscoISEAdministrator | Authentication | Source | Cisco ISE Administrator | 0.1.1 | Syslog |
| ASimAuthenticationCiscoMeraki | Authentication | Source | Cisco Meraki | 0.2.1 | CiscoMeraki, CustomLogsAma |
| ASimAuthenticationCiscoMerakiSyslog | Authentication | Source | Cisco Meraki | 0.2.1 | Syslog |
| ASimAuthenticationCrowdStrikeFalconHost | Authentication | Source | CrowdStrike Falcon Endpoint Protection | 0.2.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuthenticationFortinetFortigate | Authentication | Source | Fortigate | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuthenticationGoogleWorkspace | Authentication | Source | Google Workspace | 0.1.0 | |
| ASimAuthenticationIllumioSaaSCore | Authentication | Source | Illumio | 0.3.0 | IllumioSaaS |
| ASimAuthenticationM365Defender | Authentication | Source | M365 Defender for EndPoint | 0.2.0 | |
| ASimAuthenticationMD4IoT | Authentication | Source | Microsoft Defender for IoT | 0.1.2 | |
| ASimAuthenticationMicrosoftWindowsEvent | Authentication | Source | Windows Security Events | 0.2.1 | Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events |
| ASimAuthenticationNative | Authentication | Source | Native | 0.1.0 | SynqlyIntegrationConnector, VMware Carbon Black Cloud |
| ASimAuthenticationOktaSSO | Authentication | Source | Okta | 0.4.0 | Okta Single Sign-On |
| ASimAuthenticationOktaSystemLogs | Authentication | Source | Okta | 0.1.0 | |
| ASimAuthenticationOktaV2 | Authentication | Source | Okta | 0.4.0 | Okta Single Sign-On |
| ASimAuthenticationPaloAltoCortexDataLake | Authentication | Source | Palo Alto Cortex Data Lake | 0.2.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuthenticationPaloAltoGlobalProtect | Authentication | Source | Palo Alto PAN-OS GlobalProtect | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuthenticationPaloAltoPanOS | Authentication | Source | Palo Alto PAN-OS | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimAuthenticationPostgreSQL | Authentication | Source | PostgreSQL | 0.1.4 | CustomLogsAma |
| ASimAuthenticationSalesforceSC | Authentication | Source | Salesforce Service Cloud | 0.1.0 | |
| ASimAuthenticationSentinelOne | Authentication | Source | SentinelOne | 0.1.1 | |
| ASimAuthenticationSigninLogs | Authentication | Source | Microsoft Entra ID | 0.4.1 | Microsoft Entra ID |
| ASimAuthenticationSshd | Authentication | Source | OpenSSH | 0.3.1 | Syslog |
| ASimAuthenticationSu | Authentication | Source | su | 0.3.0 | Syslog |
| ASimAuthenticationSudo | Authentication | Source | sudo | 0.2.0 | Syslog |
| ASimAuthenticationVectraXDRAudit | Authentication | Source | Vectra | 0.1 | Vectra XDR |
| ASimAuthenticationVMwareCarbonBlackCloud | Authentication | Source | VMware Carbon Black Cloud | 0.1.0 | |
| ASimAuthenticationVMwareVCenter | Authentication | Source | VMware vCenter | 0.1.1 | CustomLogsAma |
| ASimAuthentication | Authentication | Unifying | Source agnostic | 0.2.13 | |
| imAuthentication | Authentication | Unifying | Source agnostic | 0.3.10 | |
| ASimDhcpEventInfobloxBloxOne | DhcpEvent | Source | Infoblox BloxOne | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimDhcpEventNative | DhcpEvent | Source | Native | 0.1.0 | SynqlyIntegrationConnector |
| ASimDhcpEvent | DhcpEvent | Unifying | Source agnostic | 0.1.0 | |
| imDhcpEvent | DhcpEvent | Unifying | Source agnostic | 0.1.0 | |
| ASimDnsAzureFirewall | Dns | Source | Azure Firewall | 0.4.0 | Azure Firewall |
| ASimDnsCiscoUmbrella | Dns | Source | Cisco Umbrella | 0.3 | CiscoUmbrella |
| ASimDnsCorelightZeek | Dns | Source | Corelight Zeek | 0.5.0 | Corelight |
| ASimDnsFortinetFortiGate | Dns | Source | Fortinet FortiGate | 0.1.2 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimDnsGcp | Dns | Source | GCP Cloud DNS | 0.4 | |
| ASimDnsInfobloxBloxOne | Dns | Source | Infoblox BloxOne | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimDnsInfobloxNIOS | Dns | Source | Infoblox NIOS | 0.6.1 | Syslog |
| ASimDnsMicrosoftNXlog | Dns | Source | MS DNS Events | 0.5.0 | NXLogDNSLogs |
| ASimDnsMicrosoftOMS | Dns | Source | MS DNS Events | 0.4 | Windows Server DNS |
| ASimDnsMicrosoftSysmon | Dns | Source | Microsoft Windows Events Sysmon | 0.5.1 | |
| ASimDnsMicrosoftSysmonWindowsEvent | Dns | Source | Microsoft Windows Events Sysmon | 0.5.1 | Windows Forwarded Events |
| ASimDnsNative | Dns | Source | Native | 0.8.0 | SynqlyIntegrationConnector |
| ASimDnsSentinelOne | Dns | Source | SentinelOne | 0.1.0 | |
| ASimDnsVectraAI | Dns | Source | Vectra AI Streams | 0.1.1 | CustomLogsAma, Vectra AI Stream |
| ASimDnsZscalerZIA | Dns | Source | Zscaler ZIA DNS | 0.6 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimDns | Dns | Unifying | Source agnostic | 0.5.2 | |
| imDns | Dns | Unifying | Source agnostic | 0.5.2 | |
| ASimFileEventAWSCloudTrail | FileEvent | Source | AWS Cloud Trail | 0.1.0 | Amazon Web Services |
| ASimFileEventAzureBlobStorage | FileEvent | Source | Microsoft Azure Blob Storage | 0.1.1 | Azure Storage |
| ASimFileEventAzureFileStorage | FileEvent | Source | Microsoft Azure File Storage | 0.1.1 | Azure Storage |
| ASimFileEventAzureQueueStorage | FileEvent | Source | Microsoft Azure Queue Storage | 0.1.1 | Azure Storage |
| ASimFileEventAzureTableStorage | FileEvent | Source | Microsoft Azure Table Storage | 0.1.1 | Azure Storage |
| ASimFileEventGoogleWorkspace | FileEvent | Source | Google Workspace | 0.1.0 | |
| ASimFileEventLinuxSysmonFileCreated | FileEvent | Source | Microsoft Sysmon for Linux | 0.2.1 | Syslog |
| ASimFileEventLinuxSysmonFileDeleted | FileEvent | Source | Microsoft Sysmon for Linux | 0.2.1 | Syslog |
| ASimFileEventMicrosoft365D | FileEvent | Source | Microsoft 365 Defender for EndPoint | 0.2.1 | |
| ASimFileEventMicrosoftSecurityEvents | FileEvent | Source | Microsoft Windows Events | 0.2.0 | Windows Security Events |
| ASimFileEventMicrosoftSharePoint | FileEvent | Source | Microsoft SharePoint | 0.3.1 | |
| ASimFileEventMicrosoftSysmon | FileEvent | Source | Windows Sysmon | 0.5.1 | |
| ASimFileEventMicrosoftSysmonWindowsEvent | FileEvent | Source | Windows Sysmon | 0.4.1 | Windows Forwarded Events |
| ASimFileEventMicrosoftWindowsEvents | FileEvent | Source | Microsoft Windows Events | 0.2.0 | Windows Forwarded Events |
| ASimFileEventNative | FileEvent | Source | Native | 0.1.1 | SynqlyIntegrationConnector, VMware Carbon Black Cloud |
| ASimFileEventSentinelOne | FileEvent | Source | SentinelOne | 0.1.0 | |
| ASimFileEventVMwareCarbonBlackCloud | FileEvent | Source | VMware Carbon Black Cloud | 0.1.1 | |
| ASimFileEvent | FileEvent | Unifying | Source agnostic | 0.1.4 | |
| imFileEvent | FileEvent | Unifying | Source Agnostic | 0.2.2 | |
| ASimNetworkSessionAppGateSDP | NetworkSession | Source | AppGate SDP | 0.2.0 | Syslog |
| ASimNetworkSessionAWSVPC | NetworkSession | Source | AWS VPC | 0.3 | AWS VPC Flow Logs |
| ASimNetworkSessionAzureFirewall | NetworkSession | Source | Azure Firewall | 0.2.0 | Azure Firewall |
| ASimNetworkSessionAzureNSG | NetworkSession | Source | Azure NSG flows | 0.1.1 | |
| ASimNetworkSessionBarracudaCEF | NetworkSession | Source | Barracuda WAF | 0.2.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionBarracudaWAF | NetworkSession | Source | Barracuda WAF | 0.2.1 | |
| ASimNetworkSessionCheckPointFirewall | NetworkSession | Source | CheckPointFirewall | 1.2.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionCheckPointSmartDefense | NetworkSession | Source | CheckPointSmartDefense | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionCiscoASA | NetworkSession | Source | CiscoASA | 1.1.0 | CiscoASA, Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionCiscoFirepower | NetworkSession | Source | Cisco Firepower | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionCiscoISE | NetworkSession | Source | Cisco ISE | 1.1.0 | Syslog |
| ASimNetworkSessionCiscoMeraki | NetworkSession | Source | Cisco Meraki | 1.2.2 | CiscoMeraki, CustomLogsAma |
| ASimNetworkSessionCiscoMerakiSyslog | NetworkSession | Source | Cisco Meraki | 1.2.2 | Syslog |
| ASimNetworkSessionCorelightZeek | NetworkSession | Source | Corelight Zeek | 0.2 | Corelight |
| ASimNetworkSessionCrowdStrikeFalconHost | NetworkSession | Source | CrowdStrike Falcon Endpoint Protection | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionForcePointFirewall | NetworkSession | Source | ForcePointFirewall | 0.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionFortinetFortiGate | NetworkSession | Source | Fortinet FortiGate | 0.6.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionIllumioSaaSCore | NetworkSession | Source | Illumio SaaS Core | 0.1.0 | IllumioSaaS |
| ASimNetworkSessionLinuxSysmon | NetworkSession | Source | Sysmon for Linux | 0.3.1 | Syslog |
| ASimNetworkSessionMD4IoTAgent | NetworkSession | Source | Microsoft Defender for IoT | 0.2.1 | |
| ASimNetworkSessionMD4IoTSensor | NetworkSession | Source | Microsoft Defender for IoT | 0.1 | |
| ASimNetworkSessionMicrosoft365Defender | NetworkSession | Source | M365 Defender for Endpoint | 0.4 | |
| ASimNetworkSessionMicrosoftSecurityEventFirewall | NetworkSession | Source | Windows Firewall | 0.5.0 | Microsoft Exchange Security - Exchange On-Premises, Windows Security Events |
| ASimNetworkSessionMicrosoftSysmon | NetworkSession | Source | Windows Sysmon | 0.2.0 | |
| ASimNetworkSessionMicrosoftSysmonWindowsEvent | NetworkSession | Source | Windows Sysmon | 0.2.1 | Windows Forwarded Events |
| ASimNetworkSessionMicrosoftWindowsEventFirewall | NetworkSession | Source | Windows Firewall | 0.5.0 | Windows Forwarded Events |
| ASimNetworkSessionNative | NetworkSession | Source | Native | 0.3 | Cisco Meraki Events via REST API, SynqlyIntegrationConnector, VMware Carbon Black Cloud |
| ASimNetworkSessionNTANetAnalytics | NetworkSession | Source | Azure NTANetAnalytics | 0.1.1 | |
| ASimNetworkSessionPaloAltoCEF | NetworkSession | Source | Palo Alto PanOS | 0.7.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionPaloAltoCortexDataLake | NetworkSession | Source | Palo Alto Cortex Data Lake | 0.1.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionSentinelOne | NetworkSession | Source | SentinelOne | 0.1.0 | |
| ASimNetworkSessionSonicWallFirewall | NetworkSession | Source | SonicWall | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSessionVectraAI | NetworkSession | Source | Vectra AI Streams | 0.2 | CustomLogsAma, Vectra AI Stream |
| ASimNetworkSessionVMConnection | NetworkSession | Source | VMConnection | 0.2.1 | |
| ASimNetworkSessionVMwareCarbonBlackCloud | NetworkSession | Source | VMware Carbon Black Cloud | 0.1.1 | |
| ASimNetworkSessionWatchGuardFirewareOS | NetworkSession | Source | WatchGuard Fireware OS | 0.1.4 | Syslog |
| ASimNetworkSessionZscalerZIA | NetworkSession | Source | Zscaler ZIA Firewall | 0.4 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimNetworkSession | NetworkSession | Unifying | Source agnostic | 0.7.2 | |
| imNetworkSession | NetworkSession | Unifying | Source agnostic | 0.6.3 | |
| ASimProcessCreateLinuxSysmon | ProcessEvent | Source | Sysmon for Linux | 0.2.1 | Syslog |
| ASimProcessCreateMicrosoftSecurityEvents | ProcessEvent | Source | Security Events | 0.1.1 | Windows Security Events |
| ASimProcessCreateMicrosoftWindowsEvents | ProcessEvent | Source | Security Events | 0.3.0 | Windows Forwarded Events |
| ASimProcessCreateSentinelOne | ProcessEvent | Source | SentinelOne | 0.1.0 | |
| ASimProcessCreateTrendMicroVisionOne | ProcessEvent | Source | Trend Micro Vision One | 0.1.0 | Trend Micro Vision One |
| ASimProcessCreateVMwareCarbonBlackCloud | ProcessEvent | Source | VMware Carbon Black Cloud | 0.1.1 | |
| ASimProcessEventCreateMicrosoftSysmon | ProcessEvent | Source | Sysmon | 0.4.1 | |
| ASimProcessEventCreateMicrosoftSysmonWindowsEvent | ProcessEvent | Source | Sysmon | 0.4.1 | Windows Forwarded Events |
| ASimProcessEventMD4IoT | ProcessEvent | Source | Microsoft Defender for IoT | 0.1.1 | |
| ASimProcessEventMicrosoft365D | ProcessEvent | Source | Microsoft 365 Defender for endpoint | 0.3.0 | |
| ASimProcessEventNative | ProcessEvent | Source | Native | 0.1.0 | SynqlyIntegrationConnector, VMware Carbon Black Cloud |
| ASimProcessEventTerminateMicrosoftSysmon | ProcessEvent | Source | Microsoft Windows Events Sysmon | 0.3.1 | |
| ASimProcessEventTerminateMicrosoftSysmonWindowsEvent | ProcessEvent | Source | Microsoft Windows Events Sysmon | 0.4.1 | Windows Forwarded Events |
| ASimProcessTerminateLinuxSysmon | ProcessEvent | Source | Sysmon for Linux | 0.1.1 | Syslog |
| ASimProcessTerminateMicrosoftSecurityEvents | ProcessEvent | Source | Security Events | 0.2 | Windows Security Events |
| ASimProcessTerminateMicrosoftWindowsEvents | ProcessEvent | Source | Security Events | 0.2 | Windows Forwarded Events |
| ASimProcessTerminateVMwareCarbonBlackCloud | ProcessEvent | Source | VMware Carbon Black Cloud | 0.1.0 | |
| ASimProcessEvent | ProcessEvent | Unifying | Source Agnostic | 0.1.2 | |
| ASimProcessEventCreate | ProcessEvent | Unifying | Multiple | 0.1.1 | |
| ASimProcessEventTerminate | ProcessEvent | Unifying | Source Agnostic | 0.1.1 | |
| imProcessCreate | ProcessEvent | Unifying | Multiple | 0.1.2 | |
| imProcessEvent | ProcessEvent | Unifying | Source Agnostic | 0.1.3 | |
| imProcessTerminate | ProcessEvent | Unifying | Source Agnostic | 0.1.2 | |
| ASimRegistryEventMicrosoft365D | RegistryEvent | Source | Microsoft 365 Defender for Endpoint | 0.1.3 | Microsoft Defender XDR |
| ASimRegistryEventMicrosoftSecurityEvent | RegistryEvent | Source | Security Events | 0.3.1 | Windows Security Events |
| ASimRegistryEventMicrosoftSysmon | RegistryEvent | Source | Microsoft Sysmon | 0.3.1 | |
| ASimRegistryEventMicrosoftSysmonWindowsEvent | RegistryEvent | Source | Microsoft Sysmon | 0.3.1 | Windows Forwarded Events |
| ASimRegistryEventMicrosoftWindowsEvent | RegistryEvent | Source | Security Events | 0.2.1 | Windows Forwarded Events |
| ASimRegistryEventNative | RegistryEvent | Source | Native | 0.1.0 | SynqlyIntegrationConnector, VMware Carbon Black Cloud |
| ASimRegistryEventSentinelOne | RegistryEvent | Source | SentinelOne | 0.1.0 | |
| ASimRegistryEventTrendMicroVisionOne | RegistryEvent | Source | Trend Micro Vision One | 0.1.0 | Trend Micro Vision One |
| ASimRegistryEventVMwareCarbonBlackCloud | RegistryEvent | Source | VMware Carbon Black Cloud | 0.1.1 | |
| ASimRegistry | RegistryEvent | Unifying | Source Agnostic | 0.1.3 | |
| imRegistry | RegistryEvent | Unifying | Source Agnostic | 0.1.4 | |
| ASimUserManagementAWSCloudTrail | UserManagement | Source | AWS Cloud Trail | 0.1.0 | Amazon Web Services |
| ASimUserManagementCiscoISE | UserManagement | Source | Cisco ISE | 0.1.2 | Syslog |
| ASimUserManagementLinuxAuthpriv | UserManagement | Source | Microsoft | 0.1.1 | Syslog |
| ASimUserManagementMicrosoftSecurityEvent | UserManagement | Source | Microsoft Security Event | 0.2.0 | Windows Security Events |
| ASimUserManagementMicrosoftWindowsEvent | UserManagement | Source | Microsoft Windows Event | 0.2.1 | Windows Forwarded Events |
| ASimUserManagementNative | UserManagement | Source | Native | 0.1.0 | SynqlyIntegrationConnector |
| ASimUserManagementSentinelOne | UserManagement | Source | SentinelOne | 0.1.1 | |
| ASimUserManagement | UserManagement | Unifying | Source agnostic | 0.1.2 | |
| imUserManagement | UserManagement | Unifying | Source agnostic | 0.1.3 | |
| ASimWebSessionApacheHTTPServer | WebSession | Source | Apache HTTP Server | 0.1.0 | CustomLogsAma |
| ASimWebSessionAzureFirewall | WebSession | Source | Azure Firewall | 0.1.0 | |
| ASimWebSessionBarracudaCEF | WebSession | Source | Barracuda WAF | 0.2.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimWebSessionBarracudaWAF | WebSession | Source | Barracuda WAF | 0.2.2 | |
| ASimWebSessionCiscoFirepower | WebSession | Source | Cisco Firepower | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimWebSessionCiscoMeraki | WebSession | Source | Cisco Meraki | 0.1.1 | Cisco SD-WAN, CiscoMeraki, CustomLogsAma, Forescout (Legacy) |
| ASimWebSessionCiscoUmbrella | WebSession | Source | Cisco Umbrella | 0.1.0 | CiscoUmbrella |
| ASimWebSessionCitrixNetScaler | WebSession | Source | Citrix NetScaler | 0.1.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimWebSessionF5ASM | WebSession | Source | F5 BIG-IP Application Security Manager (ASM) | 0.1.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimWebSessionFortinetFortiGate | WebSession | Source | Fortinet FortiGate | 0.3.0 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimWebSessionIIS | WebSession | Source | Internet Information Services (IIS) | 0.2 | Microsoft Exchange Security - Exchange On-Premises |
| ASimWebSessionNative | WebSession | Source | Native | 0.1 | Cisco Meraki Events via REST API, SynqlyIntegrationConnector |
| ASimWebSessionPaloAltoCEF | WebSession | Source | Palo Alto Networks | 0.2 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimWebSessionPaloAltoCortexDataLake | WebSession | Source | Palo Alto Cortex Data Lake | 0.1.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
| ASimWebSessionSonicWallFirewall | WebSession | Source | SonicWall | 0.1.1 | Common Event Format, VirtualMetric DataStream, Zscaler Internet Access |
ASimWebSessionSquidProxyWebSessionSourceSquid Proxy0.4.0CustomLogsAma
ASimWebSessionVectraAIWebSessionSourceVectra AI Streams0.2CustomLogsAma, Vectra AI Stream
ASimWebSessionZscalerZIAWebSessionSourceZscaler ZIA0.4.1Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionWebSessionUnifyingSource agnostic0.5.5
imWebSessionWebSessionUnifyingSource agnostic0.6.3
Unifying Aggregates multiple source parsers Source Parses a specific product log