Valid Accounts `T1078`

Tactics: Stealth, Persistence, Privilege Escalation, Initial Access

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Events covered

38 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4625	An account failed to log on.
Security-Auditing	Event ID 4634	An account was logged off.
Security-Auditing	Event ID 4647	User initiated logoff.
Security-Auditing	Event ID 4648	A logon was attempted using explicit credentials.
Security-Auditing	Event ID 4662	An operation was performed on an object.
Security-Auditing	Event ID 4675	SIDs were filtered.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4720	A user account was created.
Security-Auditing	Event ID 4722	A user account was enabled.
Security-Auditing	Event ID 4723	An attempt was made to change an account's password.
Security-Auditing	Event ID 4724	An attempt was made to reset an account's password.
Security-Auditing	Event ID 4725	A user account was disabled.
Security-Auditing	Event ID 4726	A user account was deleted.
Security-Auditing	Event ID 4727	A security-enabled global group was created.
Security-Auditing	Event ID 4728	A member was added to a security-enabled global group.
Security-Auditing	Event ID 4729	A member was removed from a security-enabled global group.
Security-Auditing	Event ID 4731	A security-enabled local group was created.
Security-Auditing	Event ID 4732	A member was added to a security-enabled local group.
Security-Auditing	Event ID 4733	A member was removed from a security-enabled local group.
Security-Auditing	Event ID 4738	A user account was changed.
Security-Auditing	Event ID 4742	A computer account was changed.
Security-Auditing	Event ID 4754	A security-enabled universal group was created.
Security-Auditing	Event ID 4756	A member was added to a security-enabled universal group.
Security-Auditing	Event ID 4757	A member was removed from a security-enabled universal group.
Security-Auditing	Event ID 4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	Event ID 4769	A Kerberos service ticket was requested.
Security-Auditing	Event ID 4776	The domain controller attempted to validate the credentials for an account.
Security-Auditing	Event ID 4781	The name of an account was changed.
Security-Auditing	Event ID 4964	Special groups have been assigned to a new logon.
Security-Auditing	Event ID 5136	A directory service object was modified.
Security-Auditing	Event ID 5137	A directory service object was created.
ESF	exec	Process Execution (Notify)
MSSQLSERVER	Event ID 18470	Event ID 18470
MSSQLSERVER	Event ID 33205	Event ID 33205
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 756 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (721 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventType`	103	`eq` 86, `in` 15, `starts_with` 3, `contains` 1, `wildcard` 1	`access`, `ssh_login`, `Sign-in activity`, `UserLoggedIn`, `authentication`
`data_stream.dataset`	98	`eq` 93, `in` 5, `ne` 1	`azure.signinlogs`, `aws.cloudtrail`, `okta.system`, `o365.audit`, `azure.activitylogs`
`event.outcome`	64	`eq` 55, `in` 9	`success`, `Success`, `failure`
`EventID`	51	`eq` 45, `in` 5, `regex_match` 1	`1`, `4104`, `4624`, `4688`, `4728`
`OperationName`	48	`eq` 24, `contains` 19, `in` 8	`Add member to role`, `update a partner cross-tenant access setting`, `update application`, `Add app role assignment to service principal`, `Delete user`
`aws::eventName`	44	`eq` 38, `in` 5, `starts_with` 1	`ConsoleLogin`, `UpdateSAMLProvider`, `CreateAccessKey`, `CreateUser`, `GetCredentialsForIdentity`
`sourcetype`	37	`eq` 33, `in` 4	`azure:monitor:aad`, `OktaIM2:log`, `aws:cloudtrail`, `vmw-syslog`, `vmware:esxlog*`
`Category`	32	`eq` 31, `contains` 1	`RoleManagement`, `ApplicationManagement`, `UserManagement`, `Administrative`, `AzureRBACRoleManagementElevateAccess`
`Provider_Name`	30	`eq` 29, `in` 1	`iam.amazonaws.com`, `sts.amazonaws.com`, `signin.amazonaws.com`, `AzureActiveDirectory`, `ec2.amazonaws.com`
`src_ip`	28	`is_not_null` 19, `eq` 6, `ne` 4, `cidr_match` 3, `contains` 1	`10.0.0.0/8`, `127.0.0.1`, `-`, `127.0.0.0/8`, `%admin_jump_hosts%`
`displayName`	26	`eq` 25, `in` 2, `contains` 1, `is_not_null` 1	`Role.DisplayName`, `AppRole.Value`, `Role.WellKnownObjectName`, `AppAddress`, `DelegatedPermissionGrant.Scope`
`event.category`	26	`eq` 26	`authentication`, `configuration`, `process`
`type`	25	`eq` 24, `in` 2	`User`, `Policy`, `Role`, `ServicePrincipal`, `api_key.created`
`aws::eventSource`	22	`eq` 20, `in` 1, `ne` 1	`iam.amazonaws.com`, `lambda.amazonaws.com`, `SecurityComplianceCenter`, `signin.amazonaws.com`, `Azure AD`
`ResultType`	21	`eq` 18, `in` 2, `ne` 2	`0`, `50057`, `500121`, `50074`, `53003`

Top indicator values (2308 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.outcome`	`eq`	`success` elasticAWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN elasticAWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key elasticAWS CloudShell Environment Created elasticAWS EC2 Instance Console Login via Assumed Role elasticAWS EC2 Instance Profile Associated with Running Instance elasticAWS IAM API Calls via Temporary Session Tokens elasticAWS IAM Assume Role Policy Update elasticAWS IAM CompromisedKeyQuarantine Policy Attached to User elasticAWS IAM Login Profile Added for Root elasticAWS IAM Login Profile Added to User elasticAWS IAM Long-Term Access Key First Seen from Source IP elasticAWS IAM OIDC Provider Created by Rare User elasticAWS IAM SAML Provider Created elasticAWS IAM Sensitive Operations via Lambda Execution Role elasticAWS IAM Virtual MFA Device Registration Attempt with Session Token elasticAWS Management Console Root Login elasticAWS Rare Source AS Organization Activity elasticAWS Sign-In Console Login with Federated User elasticAWS Sign-In Root Password Recovery Requested elasticAWS Sign-In Token Created elasticAWS STS AssumeRole with New MFA Device elasticAWS STS AssumeRoot by Rare User and Member Account elasticAWS STS GetSessionToken Usage elasticAWS STS Role Assumption by User elasticAWS STS Role Chaining elasticAWS Suspicious User Agent Fingerprint elasticAzure Service Principal Sign-In Followed by Arc Cluster Credential Access elasticAzure Storage Account Keys Accessed by Privileged User elasticEntra ID Microsoft Authentication Broker Sign-In to Unusual Resource elasticEntra ID OAuth Authorization Code Grant for Unusual User, App, and Resource elasticEntra ID OAuth Device Code Grant by Microsoft Authentication Broker elasticEntra ID OAuth Device Code Grant by Unusual User elasticEntra ID OAuth Device Code Phishing via AiTM elasticEntra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) elasticEntra ID OAuth Phishing via First-Party Microsoft Application elasticEntra ID OAuth ROPC Grant Login Detected elasticEntra ID OAuth user_impersonation Scope for Unusual User and Client elasticEntra ID Sharepoint or OneDrive Accessed by Unusual Client elasticEntra ID User Reported Suspicious Activity elasticFirst-Time FortiGate Administrator Login elasticFortiGate Administrator Login from Multiple IP Addresses elasticFortiGate FortiCloud SSO Login from Unusual Source elasticGCP IAM Custom Role Creation elasticM365 Identity Login from Atypical Region elasticM365 Identity Login from Impossible Travel Location elasticOkta User Sessions Started from Different Geolocations elasticPotential Account Takeover - Logon from New Source IP elasticPotential Account Takeover - Mixed Logon Types elasticPotential Successful SSH Brute Force Attack elasticSuccessful Application SSO from Rare Unknown Client Device elasticSuccessful SSH Authentication from Unusual IP Address elasticSuccessful SSH Authentication from Unusual SSH Public Key elasticSuccessful SSH Authentication from Unusual User elasticUnusual AWS S3 Object Encryption with SSE-C elasticUnusual Login via System User	55	251
`data_stream.dataset`	`eq`	`aws.cloudtrail` elasticAWS Access Token Used from Multiple Addresses elasticAWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN elasticAWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key elasticAWS CloudShell Environment Created elasticAWS EC2 Instance Console Login via Assumed Role elasticAWS EC2 Unauthorized Admin Credential Fetch via Assumed Role elasticAWS IAM API Calls via Temporary Session Tokens elasticAWS IAM Assume Role Policy Update elasticAWS IAM CompromisedKeyQuarantine Policy Attached to User elasticAWS IAM Login Profile Added for Root elasticAWS IAM Long-Term Access Key First Seen from Source IP elasticAWS IAM OIDC Provider Created by Rare User elasticAWS IAM SAML Provider Created elasticAWS IAM Virtual MFA Device Registration Attempt with Session Token elasticAWS Management Console Root Login elasticAWS Sign-In Console Login with Federated User elasticAWS Sign-In Root Password Recovery Requested elasticAWS STS AssumeRole with New MFA Device elasticAWS STS AssumeRoot by Rare User and Member Account elasticAWS STS Role Assumption by User elasticAWS STS Role Chaining elasticAWS Suspicious User Agent Fingerprint elasticUnusual AWS S3 Object Encryption with SSE-C	23	141
`data_stream.dataset`	`eq`	`azure.signinlogs` elasticAzure Service Principal Sign-In Followed by Arc Cluster Credential Access elasticEntra ID Concurrent Sign-in with Suspicious Properties elasticEntra ID High Risk Sign-in elasticEntra ID High Risk User Sign-in Heuristic elasticEntra ID Microsoft Authentication Broker Sign-In to Unusual Resource elasticEntra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent elasticEntra ID OAuth Authorization Code Grant for Unusual User, App, and Resource elasticEntra ID OAuth Device Code Flow with Concurrent Sign-ins elasticEntra ID OAuth Device Code Phishing via AiTM elasticEntra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) elasticEntra ID OAuth Phishing via First-Party Microsoft Application elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected elasticEntra ID OAuth ROPC Grant Login Detected elasticEntra ID OAuth User Impersonation to Microsoft Graph elasticEntra ID OAuth user_impersonation Scope for Unusual User and Client elasticEntra ID PowerShell Sign-in elasticEntra ID Service Principal Federated Credential Authentication by Unusual Client elasticEntra ID Service Principal with Unusual Source ASN elasticEntra ID Sharepoint or OneDrive Accessed by Unusual Client elasticEntra ID User Sign-in with Unusual Authentication Type elasticEntra ID User Sign-in with Unusual Client elasticEntra ID User Sign-in with Unusual Non-Managed Device	22	30
`data_stream.dataset`	`eq`	`okta.system` elasticFirst Occurrence of Okta User Session Started via Proxy elasticHigh Number of Okta User Password Reset or Unlock Attempts elasticMultiple Okta User Auth Events with Same Device Token Hash Behind a Proxy elasticOkta Sign-In Events via Third-Party IdP elasticOkta Successful Login After Credential Attack elasticOkta User Session Impersonation elasticOkta User Sessions Started from Different Geolocations elasticPotential Okta MFA Bombing via Push Notifications elasticPotentially Successful Okta MFA Bombing via Push Notifications elasticSuccessful Application SSO from Rare Unknown Client Device elasticSuspicious Activity Reported by Okta User elasticUnauthorized Access to an Okta Application elasticUnauthorized Scope for Public App OAuth2 Token Grant with Client Credentials	13	48
`event.category`	`eq`	`authentication` elasticEntra ID Microsoft Authentication Broker Sign-In to Unusual Resource elasticEntra ID OAuth Device Code Flow with Concurrent Sign-ins elasticEntra ID OAuth Device Code Phishing via AiTM elasticEntra ID User Sign-in with Unusual Authentication Type elasticEntra ID User Sign-in with Unusual Client elasticEntra ID User Sign-in with Unusual Non-Managed Device elasticFirst-Time FortiGate Administrator Login elasticFortiGate Administrator Login from Multiple IP Addresses elasticFortiGate FortiCloud SSO Login from Unusual Source elasticM365 Identity Unusual SSO Authentication Errors for User elasticM365 Identity User Account Lockouts elasticOkta Admin Console Login Failure elasticPotential Account Takeover - Logon from New Source IP elasticPotential Account Takeover - Mixed Logon Types elasticSuccessful SSH Authentication from Unusual IP Address elasticSuccessful SSH Authentication from Unusual SSH Public Key elasticSuccessful SSH Authentication from Unusual User elasticUnusual Login via System User	18	31
`event.category`	`eq`	`configuration` elasticFirst Occurrence of GitHub Repo Interaction From a New IP elasticFirst Occurrence of IP Address For GitHub Personal Access Token (PAT) elasticFirst Occurrence of IP Address For GitHub User elasticFirst Occurrence of Personal Access Token (PAT) Use For a GitHub User elasticFirst Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) elasticFirst Occurrence of User Agent For a GitHub Personal Access Token (PAT) elasticFirst Occurrence of User-Agent For a GitHub User	7	11
`security_result.action`	`eq`	`ALLOW` chronicleAWS Console Login Without MFA chronicleAWS IAM Administrator Access Policy Attached chronicleAWS SAML Identity Provider Changes chronicleAWS Successful Login After Multiple Failed Attempts chronicleAWS User Creates Permanent Access Key chronicleEntra ID Admin Login Activity to Uncommon MS Cloud Apps chronicleEntra ID Login Activity to Uncommon MS Cloud Apps chronicleGCP Workload Identity Pool Disabled Or Deleted chronicleLogins From Terminated Employees chronicleO365 Admin Login Activity To Uncommon Microsoft Cloud Apps chronicleO365 Login Activity To Azure AD PowerShell App chronicleO365 Login Activity To Uncommon Microsoft Cloud Apps chronicleOkta New API Token Created chronicleOkta Successful High Risk User Logins chronicleOkta User Login Out Of Hours	15	102
`Category`	`eq`	`RoleManagement` sigmaUsers Added to Global or Device Admin Roles kustoAdmin promotion after Role Management Application Permission Grant kustoBulk Changes to Privileged Account Permissions kustoChanges to PIM Settings kustoDetect PIM Alert Disabling activity kustoNRT Privileged Role Assigned Outside PIM kustoNRT User added to Microsoft Entra ID Privileged Groups kustoPower Platform - Account added to privileged Microsoft Entra roles kustoPrivileged Account Permissions Changed kustoPrivileged Role Assigned Outside PIM kustoThreat Essentials - NRT User added to Microsoft Entra ID Privileged Groups kustoThreat Essentials - User Assigned Privileged Role kustoUser added to Microsoft Entra ID Privileged Groups kustoUser Assigned New Privileged Role	14	17
`Category`	`eq`	`ApplicationManagement` kustoAdmin promotion after Role Management Application Permission Grant kustoApplication ID URI Changed kustoApplication Redirect URL Update kustoChanges to Application Logout URL kustoChanges to Application Ownership kustoMicrosoft Entra ID Role Management Permission Grant kustoURL Added to Application from Unknown Domain	7	12
`type`	`eq`	`User` kustoAccount Created and Deleted in Short Timeframe kustoBulk Changes to Privileged Account Permissions kustoExternal guest invitation followed by Microsoft Entra ID PowerShell signin kustoGuest accounts added in Entra ID Groups other than the ones specified kustoMultiple Password Reset by user kustoNRT PIM Elevation Request Rejected kustoNRT Privileged Role Assigned Outside PIM kustoNRT User added to Microsoft Entra ID Privileged Groups kustoPIM Elevation Request Rejected kustoPrivileged Role Assigned Outside PIM kustoSuspicious Login from deleted guest account kustoSuspicious modification of Global Administrator user properties kustoUser Added to Admin Role kustoUser added to Microsoft Entra ID Privileged Groups	14	17
`aws::eventName`	`eq`	`ConsoleLogin` sigmaAWS Successful Console Login Without MFA sigmaConsole Login With MFA sigmaConsole Login Without MFA splunkAWS Successful Single-Factor Authentication kustoAWSCloudTrail - Login to AWS Management Console without MFA kustoAWSCloudTrail - NRT Login to AWS Management Console without MFA kustoFailed AzureAD logons but success logon to AWS Console kustoSuccessful AWS Console Login from IP Address Observed Conducting Password Spray kustoSuspicious AWS console logins by credential access alerts pantherLogins Without MFA pantherLogins Without SAML pantherRoot Console Login	12	27
`ResultType`	`eq`	`0` sigmaSign-ins by Unknown Devices kustoAnomalous sign-in location by user account and authenticating application kustoAnomalous Single Factor Signin kustoAuthentications of Privileged Accounts Outside of Expected Controls kustoF&O - Unusual sign-in activity using single factor authentication kustoHigh risk Office operation conducted by IP Address that recently attempted to log into a disabled account kustoM365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity kustoNew country signIn with correct password kustoPossible AiTM Phishing Attempt Against Microsoft Entra ID kustoPrivileged User Logon from new ASN kustoSuspicious Login from deleted guest account	11	19
`Status`	`eq`	`Success` sigmaAccount Created And Deleted Within A Close Time Frame sigmaAuthentications To Important Apps Using Single Factor Authentication sigmaAzure AD Only Single Factor Authentication Required sigmaFailed Authentications From Countries You Do Not Operate Out Of sigmaMeasurable Increase Of Successful Authentications sigmaPassword Reset By User Account sigmaPotential MFA Bypass Using Legacy Client Authentication sigmaPrivileged Account Creation sigmaSuccessful Authentications From Countries You Do Not Operate Out Of sigmaSuspicious SignIns From A Non Registered Device sigmaUsers Authenticating To Other Azure AD Tenants	11	10
`Result`	`eq`	`success` kustoAccount created or deleted by non-approved user kustoAccount Elevated to New Role kustoApplication Redirect URL Update kustoConditional Access Policy Modified by New User kustoGuest Users Invited to Tenant by New Inviters kustoMultiple Password Reset by user kustoSuspicious linking of existing user to external User kustoSuspicious modification of Global Administrator user properties kustoSuspicious Service Principal creation activity kustoURL Added to Application from Unknown Domain	10	25
`Provider_Name`	`eq`	`iam.amazonaws.com` elasticAWS EC2 Instance Interaction with IAM Service elasticAWS IAM API Calls via Temporary Session Tokens elasticAWS IAM Assume Role Policy Update elasticAWS IAM Login Profile Added for Root elasticAWS IAM Login Profile Added to User elasticAWS IAM OIDC Provider Created by Rare User elasticAWS IAM SAML Provider Created elasticAWS IAM Sensitive Operations via Lambda Execution Role elasticAWS IAM Virtual MFA Device Registration Attempt with Session Token	9	25
`Provider_Name`	`eq`	`sts.amazonaws.com` elasticAWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN elasticAWS STS AssumeRole with New MFA Device elasticAWS STS AssumeRoot by Rare User and Member Account elasticAWS STS GetSessionToken Usage elasticAWS STS Role Assumption by User elasticAWS STS Role Chaining	6	11
`event.outcome`	`in`	`Success` elasticAzure Arc Cluster Credential Access by Identity from Unusual Source elasticAzure Automation Account Created elasticAzure Kubernetes Services (AKS) Kubernetes Rolebindings Created elasticEntra ID External Guest User Invited elasticEntra ID High Risk User Sign-in Heuristic elasticEntra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent elasticEntra ID PowerShell Sign-in elasticEntra ID Privileged Identity Management (PIM) Role Modified elasticEntra ID User Added as Service Principal Owner	9	37
`event.outcome`	`in`	`success` elasticAzure Arc Cluster Credential Access by Identity from Unusual Source elasticAzure Automation Account Created elasticAzure Kubernetes Services (AKS) Kubernetes Rolebindings Created elasticEntra ID External Guest User Invited elasticEntra ID High Risk User Sign-in Heuristic elasticEntra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent elasticEntra ID PowerShell Sign-in elasticEntra ID Privileged Identity Management (PIM) Role Modified elasticEntra ID User Added as Service Principal Owner	9	38
`aws::eventSource`	`eq`	`iam.amazonaws.com` sigmaAWS IAM S3Browser LoginProfile Creation sigmaAWS IAM S3Browser Templated S3 Bucket Policy Creation sigmaAWS IAM S3Browser User or AccessKey Creation sigmaAWS SAML Provider Deletion Activity sigmaAWS Suspicious SAML Activity splunkAWS Create Policy Version to allow all resources splunkAWS SetDefaultPolicyVersion pantherAWS Compromised IAM Key Quarantine	8	28
`azure_ad::user_type`	`eq`	`Member` elasticEntra ID OAuth Authorization Code Grant for Unusual User, App, and Resource elasticEntra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected elasticEntra ID OAuth ROPC Grant Login Detected elasticEntra ID OAuth user_impersonation Scope for Unusual User and Client elasticEntra ID User Sign-in with Unusual Authentication Type elasticEntra ID User Sign-in with Unusual Client elasticEntra ID User Sign-in with Unusual Non-Managed Device	8	10
`event.dataset`	`eq`	`aws.cloudtrail` elasticAWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure elasticAWS EC2 Instance Interaction with IAM Service elasticAWS EC2 Instance Profile Associated with Running Instance elasticAWS IAM Login Profile Added to User elasticAWS IAM Sensitive Operations via Lambda Execution Role elasticAWS Rare Source AS Organization Activity elasticAWS Sign-In Token Created elasticAWS STS GetSessionToken Usage	8	17
`event.dataset`	`eq`	`github.audit` elasticFirst Occurrence of GitHub Repo Interaction From a New IP elasticFirst Occurrence of IP Address For GitHub Personal Access Token (PAT) elasticFirst Occurrence of IP Address For GitHub User elasticFirst Occurrence of Personal Access Token (PAT) Use For a GitHub User elasticFirst Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) elasticFirst Occurrence of User Agent For a GitHub Personal Access Token (PAT) elasticFirst Occurrence of User-Agent For a GitHub User	7	14
`aws::errorCode`	`eq`	`AccessDenied` sigmaAttempt To Get Credentials For Identity sigmaAttempt To Get Federation Token sigmaAttempt To Get Signin Token sigmaGet Credentials For Identity sigmaGet Federation Token sigmaGet Signin Token splunkAWS Bedrock Invoke Model Access Denied	7	19
`aws::userIdentity.type`	`eq`	`AssumedRole` elasticAWS EC2 Instance Console Login via Assumed Role elasticAWS EC2 Instance Interaction with IAM Service elasticAWS EC2 Unauthorized Admin Credential Fetch via Assumed Role elasticAWS IAM Sensitive Operations via Lambda Execution Role elasticAWS STS Role Chaining pantherLambda Code Updated by User pantherLambda Configuration Updated with Layers by User	7	12
`enough_data`	`eq`	`1` splunkCloud API Calls From Previously Unseen User Roles splunkCloud Compute Instance Created By Previously Unseen User splunkCloud Instance Modified By Previously Unseen User splunkCloud Provisioning Activity From Previously Unseen City splunkCloud Provisioning Activity From Previously Unseen Country splunkCloud Provisioning Activity From Previously Unseen IP Address splunkCloud Provisioning Activity From Previously Unseen Region	7	10
`AccountType`	`eq`	`User` kustoEatonForeseer - Unauthorized Logins kustoGroup created then added to built in domain local or global group kustoNew user created and added to the built-in administrators group kustoUser account added to built in domain local or global group kustoUser account created and deleted within 10 mins kustoUser account enabled and disabled within 10 mins	6	9
`All_Changes.action`	`eq`	`created` splunkCloud Compute Instance Created By Previously Unseen User splunkCloud Provisioning Activity From Previously Unseen City splunkCloud Provisioning Activity From Previously Unseen Country splunkCloud Provisioning Activity From Previously Unseen IP Address splunkCloud Provisioning Activity From Previously Unseen Region splunkOkta New API Token Created	6	11
`All_Changes.status`	`eq`	`success` splunkCloud API Calls From Previously Unseen User Roles splunkCloud Instance Modified By Previously Unseen User splunkCloud Provisioning Activity From Previously Unseen City splunkCloud Provisioning Activity From Previously Unseen Country splunkCloud Provisioning Activity From Previously Unseen IP Address splunkCloud Provisioning Activity From Previously Unseen Region	6	6
`azure_ad::authentication_requirement`	`eq`	`singleFactorAuthentication` sigmaAuthentications To Important Apps Using Single Factor Authentication sigmaAzure AD Only Single Factor Authentication Required sigmaSign-ins by Unknown Devices sigmaSuspicious SignIns From A Non Registered Device elasticEntra ID OAuth ROPC Grant Login Detected elasticEntra ID OAuth user_impersonation Scope for Unusual User and Client	6	8
`count_`	`gt`	`10` kustoCisco Duo - Multiple admin 2FA failures kustoCisco Duo - Multiple user login failures kustoPalo Alto Prisma Cloud - Anomalous access key usage kustoPing Federate - Abnormal password resets for user kustoSnowflake - Multiple login failures by user kustoSnowflake - Multiple login failures from single IP	6	11

Exclusions (582 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`responseStatus.code`	`ge`	`1` pantherKubernetes ClusterRoleBinding to Privileged Role pantherKubernetes Role With Node Proxy Permissions Created pantherKubernetes Role With Pod Exec Permissions Created pantherKubernetes Role With Wildcard Permissions Created pantherKubernetes Service Account Token Theft from Pod pantherKubernetes System Role Modified or Deleted	6
`responseStatus.code`	`ge`	`400` pantherKubernetes ClusterRoleBinding to Privileged Role pantherKubernetes Role With Node Proxy Permissions Created pantherKubernetes Role With Pod Exec Permissions Created pantherKubernetes Role With Wildcard Permissions Created pantherKubernetes Service Account Token Theft from Pod pantherKubernetes System Role Modified or Deleted	6
`responseStatus.code`	`le`	`16` pantherKubernetes ClusterRoleBinding to Privileged Role pantherKubernetes Role With Node Proxy Permissions Created pantherKubernetes Role With Pod Exec Permissions Created pantherKubernetes Role With Wildcard Permissions Created pantherKubernetes Service Account Token Theft from Pod pantherKubernetes System Role Modified or Deleted	6
`username`	`in`	`aksService` pantherKubernetes ClusterRoleBinding to Privileged Role pantherKubernetes Role With Node Proxy Permissions Created pantherKubernetes Role With Pod Exec Permissions Created pantherKubernetes Role With Wildcard Permissions Created pantherKubernetes Service Account Token Theft from Pod pantherKubernetes System Role Modified or Deleted	6
`username`	`in`	`masterclient` pantherKubernetes ClusterRoleBinding to Privileged Role pantherKubernetes Role With Node Proxy Permissions Created pantherKubernetes Role With Pod Exec Permissions Created pantherKubernetes Role With Wildcard Permissions Created pantherKubernetes Service Account Token Theft from Pod pantherKubernetes System Role Modified or Deleted	6
`username`	`starts_with`	`system:` pantherKubernetes ClusterRoleBinding to Privileged Role pantherKubernetes Role With Node Proxy Permissions Created pantherKubernetes Role With Pod Exec Permissions Created pantherKubernetes Role With Wildcard Permissions Created pantherKubernetes Service Account Token Theft from Pod pantherKubernetes System Role Modified or Deleted	6
`verb`	`ne`	`create` pantherKubernetes ClusterRoleBinding to Privileged Role pantherKubernetes Role With Node Proxy Permissions Created pantherKubernetes Role With Pod Exec Permissions Created pantherKubernetes Role With Wildcard Permissions Created pantherKubernetes Service Account Token Theft from Pod	5
`SubjectUserName`	`ends_with`	`$` sigmaSuspicious Remote Logon with Explicit Credentials sigmaUser Added to Local Administrator Group elasticFirst Time Seen Account Performing DCSync elasticPotential Credential Access via DCSync	4
`resultSignature`	`ne`	`SUCCESS` pantherAzure Device Code Authentication with Broker Client pantherAzure Microsoft Graph Single Session from Multiple IP Addresses pantherAzure Protection Multiple Alerts for User pantherAzure ROPC Login Attempt Without MFA	4
`src_ip`	`cidr_match`	`10.0.0.0/8` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP sigmaFailed Logon From Public IP kustoOracleDBAudit - Connection to database from external IP	4
`src_ip`	`cidr_match`	`127.0.0.0/8` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP sigmaFailed Logon From Public IP kustoOracleDBAudit - Connection to database from external IP	4
`src_ip`	`cidr_match`	`169.254.0.0/16` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP sigmaFailed Logon From Public IP kustoOracleDBAudit - Connection to database from external IP	4
`src_ip`	`cidr_match`	`172.16.0.0/12` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP sigmaFailed Logon From Public IP kustoOracleDBAudit - Connection to database from external IP	4
`src_ip`	`cidr_match`	`192.168.0.0/16` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP sigmaFailed Logon From Public IP kustoOracleDBAudit - Connection to database from external IP	4
`aws::errorCode`	`eq`	`AccessDenied` sigmaGet Credentials For Identity sigmaGet Federation Token sigmaGet Signin Token	3

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Valid Accounts `T1078`

Events covered

Authoring guide

Fields filtered most (721 distinct)

Top indicator values (2308 distinct)

Exclusions (582 distinct)

Rules under this technique

Sigma 124 rules

Elastic 188 rules

Splunk 78 rules

Kusto 239 rules

YARA-L 29 rules

Panther 98 rules

Keyboard shortcuts

Search operators

Valid Accounts T1078

Events covered

Authoring guide

Fields filtered most (721 distinct)

Top indicator values (2308 distinct)

Exclusions (582 distinct)

Rules under this technique

Sigma 124 rules

Elastic 188 rules

Splunk 78 rules

Kusto 239 rules

YARA-L 29 rules

Panther 98 rules

Valid Accounts `T1078`