YARA-L non-Windows coverage

248 non-Windows YARA-L detection rules across 9 platforms, grouped by MITRE ATT&CK technique within each platform. The Windows coverage matrix lives at /rules/chronicle/; this page reorganizes the same corpus along platform × technique because non-Windows rules have no catalog event IDs to plot.

For coverage organized by each platform's native action vocabulary across all vendors, see the platform matrices: AWS, Azure AD, GCP, M365, Okta. This page is the vendor-organized browse of the same rules.

AWS 55 rules

Azure 35 rules

Initial Access 1 rule, 1 technique

Phishing T1566 1 rule

Microsoft Entra ID Device code phishing attack azure (identity)

Persistence 4 rules, 2 techniques

Account Manipulation: Additional Cloud Roles T1098.003 3 rules

Entra ID Add User Outside PIM azure (cloud)
Entra ID Add User To Admin Role azure (cloud)
Entra ID Recently Created User Assigned an Entra ID Role azure (cloud)

Account Manipulation: Additional Cloud Credentials T1098.001 1 rule

Client Secret Added to Entra ID Application azure (cloud)

Stealth 2 rules, 1 technique

Valid Accounts: Cloud Accounts T1078.004 2 rules

Entra ID Admin Login Activity to Uncommon MS Cloud Apps azure (cloud)
Entra ID Login Activity to Uncommon MS Cloud Apps azure (cloud)

Defense Impairment 1 rule, 1 technique

Domain or Tenant Policy Modification T1484 1 rule

Entra ID conditional access policy modification azure (cloud)

Lateral Movement 1 rule, 1 technique

Use Alternate Authentication Material: Application Access Token T1550.001 1 rule

Hunt for Expired Tokens Attempting to sign-in to Entra ID azure (cloud)

Untagged 26 rules without MITRE techniques

API access to mailboxes for top N messages via the Microsoft Graph azure (cloud)
Entra ID Application Creation azure (cloud)
Entra ID Application Deletion azure (cloud)
Entra ID application enumeration observed in the Microsoft Graph API azure (cloud)
Entra ID Application Hard Deletion azure (cloud)
Entra ID Application Restore azure (cloud)
Entra ID Excessive Permission Changes to Application azure (cloud)
Entra ID Login Activity to Azure AD PowerShell Application azure (cloud)
Entra ID Successful Group Deletion azure (cloud)
Enumeration observed in the Microsoft Graph API using GraphRunner GraphRecon command azure (cloud)
Enumeration of inboxes accessible by a user in the Microsoft Graph API azure (cloud)
Enumeration of updatable groups in the Microsoft Graph API azure (cloud)
Enumeration of users and group membership observed in the Microsoft Graph API azure (cloud)
Hunt for application API calls in the Microsoft Graph azure (cloud)
Hunt for authorization policy API calls in the Microsoft Graph azure (cloud)
Hunt for Bad Request errors against the Groups endpoint in the Microsoft Graph API azure (cloud)
Hunt for group members enumeration in the Microsoft Graph API azure (cloud)
Hunt for Groups endpoint requests in the Microsoft Graph API azure (cloud)
Hunt for search/query endpoint API requests in the Microsoft Graph azure (cloud)
Hunt for successful group creation in the Microsoft Graph API azure (cloud)
Hunt for the delete method in Microsoft Graph API calls azure (cloud)
Hunt for Undocumented API - Estimate Access called in Microsoft Graph API azure (cloud)
Hunt for user API endpoint requests in the Microsoft Graph azure (cloud)
Multiple failed file downloads from OneDrive observed in the Microsoft Graph API azure (cloud)
Multiple failed unique file downloads from OneDrive observed in the Microsoft Graph API azure (cloud)
Suspicious User Agent Strings associated withGraphRunner azure (cloud)

GCP 26 rules

Initial Access 1 rule, 0 techniques

No specific technique 1 rule

Google Cloud identity low and medium alert escalation gcp (cloud)

Execution 1 rule, 1 technique

User Execution T1204 1 rule

GCP Successful API Call From Tor Exit Node gcp (cloud)

Persistence 6 rules, 4 techniques

Account Manipulation T1098 1 rule

GCP IAM Organization Policy Updated Or Deleted gcp (cloud)

Account Manipulation: Additional Cloud Credentials T1098.001 1 rule

Google Cloud Service Account Key Created or Uploaded gcp (cloud)

Account Manipulation: Additional Cloud Roles T1098.003 1 rule

GCP Admin Privileged Roles Added To Service Accounts gcp (cloud)

Create Account: Cloud Account T1136.003 1 rule

GCP Free Gmail Domains Added To IAM Policy gcp (cloud)

No specific technique 2 rules

Google Cloud identity low and medium alert escalation gcp (cloud)
Unauthorized KMS Decryption gcp (cloud)

Privilege Escalation 1 rule, 0 techniques

No specific technique 1 rule

Google Cloud identity low and medium alert escalation gcp (cloud)

Stealth 8 rules, 3 techniques

Impair Defenses T1562 4 rules

GCP BigQuery Datasets Opened To Public gcp (cloud)
GCP Firewall Rule Opened To The World gcp (cloud)
GCP Security Command Center Service Disabled gcp (cloud)
GCP Storage Bucket Opened To Public gcp (cloud)

Impair Defenses: Disable or Modify Cloud Logs T1562.008 2 rules

GCP Cloud Audit Logging Removed From All Services gcp (cloud)
GCP Exempt Principals From Audit Log gcp (cloud)

Valid Accounts: Cloud Accounts T1078.004 1 rule

GCP Workload Identity Pool Disabled Or Deleted gcp (cloud)

No specific technique 1 rule

Google Cloud identity low and medium alert escalation gcp (cloud)

Credential Access 2 rules, 2 techniques

Unsecured Credentials: Private Keys T1552.004 1 rule

GCP Service Account Key Used From Multiple Countries gcp (cloud)

Credentials from Password Stores T1555 1 rule

GCP Service API Key Retrieved gcp (cloud)

Discovery 1 rule, 1 technique

Cloud Infrastructure Discovery T1580 1 rule

GCP Excessive Permission Denied Events gcp (cloud)

Exfiltration 2 rules, 2 techniques

Transfer Data to Cloud Account T1537 1 rule

GCP GCE Image Open To Public gcp (cloud)

Exfiltration Over Web Service T1567 1 rule

GCP BigQuery Results Downloaded From Multiple Tables gcp (cloud)

Impact 4 rules, 3 techniques

Data Destruction T1485 2 rules

GCP Multiple KMS Keys Disabled Or Destroyed gcp (cloud)
GCP Multiple Secrets Deleted gcp (cloud)

Service Stop T1489 1 rule

GCP Multiple Service APIs Disabled gcp (cloud)

Account Access Removal T1531 1 rule

GCP Multiple HMAC Keys Deleted gcp (cloud)

Microsoft 365 29 rules

Persistence 4 rules, 2 techniques

Account Manipulation: Additional Cloud Credentials T1098.001 2 rules

O365 AD PowerShell App Login Subsequent Activity m365 (saas)
O365 Entra ID App Client Secret Added, Updated or Deleted m365 (saas)

Account Manipulation: Additional Cloud Roles T1098.003 2 rules

O365 Add User To Admin Role m365 (saas)
O365 Recently Created Entra ID User Assigned Roles m365 (saas)

Stealth 5 rules, 2 techniques

Valid Accounts: Cloud Accounts T1078.004 3 rules

O365 Admin Login Activity To Uncommon Microsoft Cloud Apps m365 (saas)
O365 Login Activity To Azure AD PowerShell App m365 (saas)
O365 Login Activity To Uncommon Microsoft Cloud Apps m365 (saas)

Impair Defenses: Disable or Modify Cloud Logs T1562.008 2 rules

Office 365 logging has been enabled m365 (saas)
Office 365 logging is disabled m365 (saas)

Lateral Movement 2 rules, 2 techniques

Remote Services: Cloud Services T1021.007 1 rule

O365 Persistent Login Activity To Azure AD PowerShell App m365 (saas)

Exploitation of Remote Services T1210 1 rule

SharePoint CVE-2025-49706 Exploitation m365 (saas)

Exfiltration 4 rules, 1 technique

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002 4 rules

Hunt for Non-Anonymous Office 365 file downloads m365 (saas)
O365 OneDrive Anonymous File Accessed m365 (saas)
O365 OneDrive Anonymous File Downloaded m365 (saas)
O365 OneDrive Anonymous Link Accessed m365 (saas)

Untagged 14 rules without MITRE techniques

Hunt for Office 365 group creation failures m365 (saas)
Hunt for Office 365 group creation success m365 (saas)
Hunt for Office 365 group modification add member success m365 (saas)
Hunt for Office 365 group modification remove member success m365 (saas)
Hunt for suspicious sign-in to Entra ID Using Extrnal Call Method m365 (saas)
O365 Entra ID App Modify Permission Change On Watchlist m365 (saas)
O365 Entra ID App Permissions Percent Threshold Exceeded m365 (saas)
O365 Entra ID App Permissions Threshold Exceeded m365 (saas)
O365 Entra ID Application Creation m365 (saas)
O365 OneDrive Anonymous Link Created or Updated m365 (saas)
Office 365 group deletion success m365 (saas)
Office 365 group modification add member success has exceeded a defined threshold m365 (saas)
Office 365 mail accessed via unexpected application m365 (saas)
Office 365 Teams member removed m365 (saas)

Google Workspace 24 rules

Initial Access 2 rules, 2 techniques

Phishing T1566 1 rule

gmail spike in undeliverables google-workspace (saas)

Phishing: Spearphishing Link T1566.002 1 rule

Chrome Browser Safe Browsing User Bypass google-workspace (saas)

Execution 1 rule, 1 technique

User Execution: Malicious File T1204.002 1 rule

Google Workspace Malicious File Downloaded google-workspace (saas)

Persistence 5 rules, 2 techniques

Account Manipulation: Additional Cloud Roles T1098.003 3 rules

Google Workspace Admin Role Assignment google-workspace (saas)
Google Workspace Custom Admin Role Created google-workspace (saas)
Google Workspace User Ou Changed google-workspace (saas)

Account Manipulation T1098 1 rule

Google Workspace Password Policy Changed google-workspace (saas)

No specific technique 1 rule

Google Workspace Application Added google-workspace (saas)

Stealth 5 rules, 4 techniques

Valid Accounts: Cloud Accounts T1078.004 2 rules

Google Workspace External User Added To Group google-workspace (saas)
Google Workspace User Unsuspended google-workspace (saas)

Valid Accounts T1078 1 rule

Google Workspace SAML IDP Configuration Change google-workspace (saas)

Impair Defenses: Disable or Modify Tools T1562.001 1 rule

Google Workspace Marketplace Allowlist Configuration google-workspace (saas)

Impair Defenses: Disable or Modify Cloud Firewall T1562.007 1 rule

Google Workspace New Trusted Domain Added google-workspace (saas)

Defense Impairment 1 rule, 1 technique

Modify Authentication Process T1556 1 rule

Google Workspace MFA Disabled google-workspace (saas)

Credential Access 1 rule, 1 technique

Unsecured Credentials: Private Keys T1552.004 1 rule

Google Workspace Encryption Key File Accessed By An Anonymous User google-workspace (saas)

Collection 1 rule, 1 technique

Data Staged: Remote Data Staging T1074.002 1 rule

Google Workspace Ownership Transferred On Google Drive google-workspace (saas)

Exfiltration 6 rules, 1 technique

Exfiltration Over Web Service T1567 6 rules

Google Workspace File Shared From Google Drive To Free Email Domain google-workspace (saas)
Google Workspace Multiple Files Copied From Google Drive google-workspace (saas)
Google Workspace Multiple Files Downloaded From Google Drive google-workspace (saas)
Google Workspace Multiple Files Sent As Email Attachments From Google Drive google-workspace (saas)
Google Workspace Suspicious Login and Google Drive File Download google-workspace (saas)
Google Workspace Suspicious Login and Google Drive File Share google-workspace (saas)

Impact 1 rule, 1 technique

Data Destruction T1485 1 rule

Google Workspace Multiple Files Deleted From Google Drive google-workspace (saas)

Untagged 1 rule without MITRE techniques

Google Workspace Alerts Aggregated By Severity google-workspace (saas)

Okta 19 rules

Initial Access 1 rule, 1 technique

Phishing T1566 1 rule

Okta Phishing Detection With Fastpass Origin Check okta (identity)

Stealth 7 rules, 1 technique

Valid Accounts T1078 7 rules

Okta Multiple User's Logins With Invalid Credentials From The Same IP okta (identity)
Okta New API Token Created okta (identity)
Okta Successful High Risk User Logins okta (identity)
Okta User Account Lockout okta (identity)
Okta User Login Out Of Hours okta (identity)
Okta User Logins From Multiple Cities okta (identity)
Okta User Suspicious Activity Reported okta (identity)

Defense Impairment 1 rule, 1 technique

Modify Authentication Process: Multi-Factor Authentication T1556.006 1 rule

Okta User Password and MFA Factor Reset or Deactivated okta (identity)

Credential Access 9 rules, 6 techniques

Brute Force T1110 3 rules

Okta MFA Bruteforce Attack okta (identity)
Okta ThreatInsight Targeted Bruteforce Attack okta (identity)
Okta User Rejected Multiple Push Notifications okta (identity)

Multi-Factor Authentication Request Generation T1621 2 rules

Okta Mismatch Between Source And Response For Verify Push Request okta (identity)
Okta User Failed Number Challenge During Push Notification okta (identity)

Brute Force: Password Guessing T1110.001 1 rule

Okta ThreatInsight Suspected Bruteforce Attack okta (identity)

Brute Force: Password Spraying T1110.003 1 rule

Okta ThreatInsight Suspected Password Spray Attack okta (identity)

Brute Force: Credential Stuffing T1110.004 1 rule

Okta ThreatInsight Login Failure With High Unknown Users okta (identity)

Steal Web Session Cookie T1539 1 rule

Okta Suspicious Use Of A Session Cookie okta (identity)

Lateral Movement 1 rule, 1 technique

Use Alternate Authentication Material: Web Session Cookie T1550.004 1 rule

Okta Multiple Failed Requests To Access Applications okta, windows (identity)

GitHub 26 rules

Persistence 2 rules, 1 technique

Account Manipulation: Additional Cloud Credentials T1098.001 2 rules

GitHub Personal Access Token Created from Tor IP Address github (saas)
GitHub Repository Deploy Key Created Or Modified github (saas)

Stealth 8 rules, 2 techniques

Impair Defenses: Disable or Modify Tools T1562.001 6 rules

GitHub Dependabot Vulnerability Alerts Disabled github (saas)
GitHub Personal Access Token Auto Approve Policy Modified github (saas)
GitHub Repository Branch Protection Rules Disabled github (saas)
GitHub Secret Scanning Disabled Or Bypassed github (saas)
GitHub SSO Configuration Modified github (saas)
GitHub Two-Factor Authentication Requirement Disabled github (saas)

Impair Defenses: Disable or Modify Cloud Logs T1562.008 2 rules

GitHub Enterprise Audit Log Stream Destroyed github (saas)
GitHub Enterprise Audit Log Stream Modified github (saas)

Credential Access 1 rule, 1 technique

Unsecured Credentials T1552 1 rule

GitHub Secret Scanning Alert github (saas)

Collection 3 rules, 1 technique

Data from Information Repositories: Code Repositories T1213.003 3 rules

GitHub Access Granted To Personal Access Token Followed By High Number Of Cloned Non Public Repositories github (saas)
GitHub High Number Of Non Public GitHub Repositories Cloned github (saas)
GitHub High Number Of Non Public GitHub Repositories Downloaded github (saas)

Exfiltration 1 rule, 1 technique

Transfer Data to Cloud Account T1537 1 rule

GitHub Outgoing Organization Transfer Initiated github (saas)

Impact 3 rules, 1 technique

Data Destruction T1485 3 rules

GitHub Enterprise Deleted github (saas)
GitHub Organization Removed From Enterprise github (saas)
GitHub Repository Archived Or Deleted github (saas)

Untagged 8 rules without MITRE techniques

GitHub Application Installed github (saas)
GitHub Enterprise Or Organization Recovery Codes Activity github (saas)
GitHub Invitation Sent To Non Company Email Domain github (saas)
GitHub OAuth Application Access Restrictions Disabled github (saas)
GitHub Outgoing Repository Transfer Initiated github (saas)
GitHub Repository Visibility Changed To Public github (saas)
GitHub User Blocked From Accessing Organization Repositories github (saas)
GitHub User Unblocked From Accessing Organization Repositories github (saas)

Identity 7 rules

Stealth 3 rules, 1 technique

Valid Accounts: Cloud Accounts T1078.004 3 rules

OneLogin Multiple Users Login Failures From The Same IP identity (identity)
OneLogin Super User Privileges Assigned identity (identity)
OneLogin User Logins From Multiple Countries identity (identity)

Defense Impairment 1 rule, 1 technique

Modify Authentication Process: Multi-Factor Authentication T1556.006 1 rule

OneLogin User Authentication Factor Removed identity (identity)

Credential Access 2 rules, 2 techniques

Brute Force T1110 1 rule

OneLogin OTP Bruteforce Attack identity (identity)

Unsecured Credentials T1552 1 rule

OneLogin Application Password Revealed identity (identity)

Lateral Movement 1 rule, 1 technique

Use Alternate Authentication Material T1550 1 rule

OneLogin Multiple Users Assumed identity (identity)

Application 30 rules

Initial Access 1 rule, 1 technique

Exploit Public-Facing Application T1190 1 rule

sap gateway acl bypass attempt application (application)

Execution 3 rules, 2 techniques

Shared Modules T1129 2 rules

sap function module testing detected application (application)
sap sensitive rfc function module execution application (application)

Command and Scripting Interpreter T1059 1 rule

sap execution of sensitive abap program application (application)

Persistence 13 rules, 2 techniques

Account Manipulation T1098 10 rules

sap change documents sensitive profile assignment application (application)
sap change documents sensitive profile assignment data table application (application)
sap change documents sensitive role assignment application (application)
sap critial role assigned to new user application (application)
sap critical authorization value changed application (application)
sap critical role assigned to new user application (application)
sap hanadb assign admin authorizations application (application)
sap multiple password changes application (application)
sap sensitive role assignment correlation application (application)
sap sensitive role authorization modification application (application)

Create Account T1136 3 rules

sap hanadb user admin actions application (application)
sap security audit log user created deleted or unlocked application (application)
sap user creates and uses new user application (application)

Stealth 6 rules, 3 techniques

Impair Defenses T1562 3 rules

sap deactivation of security audit log application (application)
sap hanadb audit trail policy changes application (application)
sap security audit log configuration change application (application)

Impair Defenses: Disable or Modify Tools T1562.001 2 rules

sap hanadb deactivation of audit trail application (application)
sap system or client configuration change application (application)

Hide Artifacts T1564 1 rule

sap data changed during debugging application (application)

Credential Access 1 rule, 1 technique

Brute Force T1110 1 rule

sap brute force rfc logon application (application)

Discovery 1 rule, 1 technique

System Information Discovery T1082 1 rule

sap gateway ufo table access application (application)

Collection 2 rules, 1 technique

Data from Local System T1005 2 rules

sap sensitive tables direct access by rfc logon data table application (application)
sap sensitive tables direct access by rfc logon static list application (application)

Exfiltration 1 rule, 1 technique

Exfiltration Over C2 Channel T1041 1 rule

sap suspected data exfiltration application (application)

Untagged 2 rules without MITRE techniques

Network HTTP Low Prevalence Domain Access application (application)
WHOIS Expired Domain Accessed application (application)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

YARA-L non-Windows coverage

AWS 55 rules

Resource Development 2 rules, 2 techniques

Execution 3 rules, 3 techniques

Persistence 5 rules, 3 techniques

Stealth 19 rules, 5 techniques

Defense Impairment 4 rules, 2 techniques

Credential Access 6 rules, 4 techniques

Discovery 4 rules, 2 techniques

Lateral Movement 1 rule, 1 technique

Command & Control 4 rules, 3 techniques

Exfiltration 2 rules, 1 technique

Impact 5 rules, 4 techniques

Azure 35 rules

Initial Access 1 rule, 1 technique

Persistence 4 rules, 2 techniques

Stealth 2 rules, 1 technique

Defense Impairment 1 rule, 1 technique

Lateral Movement 1 rule, 1 technique

Untagged 26 rules without MITRE techniques

GCP 26 rules

Initial Access 1 rule, 0 techniques

Execution 1 rule, 1 technique

Persistence 6 rules, 4 techniques

Privilege Escalation 1 rule, 0 techniques

Stealth 8 rules, 3 techniques

Credential Access 2 rules, 2 techniques

Discovery 1 rule, 1 technique

Exfiltration 2 rules, 2 techniques

Impact 4 rules, 3 techniques

Microsoft 365 29 rules

Persistence 4 rules, 2 techniques

Stealth 5 rules, 2 techniques

Lateral Movement 2 rules, 2 techniques

Exfiltration 4 rules, 1 technique

Untagged 14 rules without MITRE techniques

Google Workspace 24 rules

Initial Access 2 rules, 2 techniques

Execution 1 rule, 1 technique

Persistence 5 rules, 2 techniques

Stealth 5 rules, 4 techniques

Defense Impairment 1 rule, 1 technique

Credential Access 1 rule, 1 technique

Collection 1 rule, 1 technique

Exfiltration 6 rules, 1 technique

Impact 1 rule, 1 technique

Untagged 1 rule without MITRE techniques

Okta 19 rules

Initial Access 1 rule, 1 technique

Stealth 7 rules, 1 technique

Defense Impairment 1 rule, 1 technique

Credential Access 9 rules, 6 techniques

Lateral Movement 1 rule, 1 technique

GitHub 26 rules

Persistence 2 rules, 1 technique

Stealth 8 rules, 2 techniques

Credential Access 1 rule, 1 technique

Collection 3 rules, 1 technique

Exfiltration 1 rule, 1 technique

Impact 3 rules, 1 technique

Untagged 8 rules without MITRE techniques

Identity 7 rules

Stealth 3 rules, 1 technique

Defense Impairment 1 rule, 1 technique

Credential Access 2 rules, 2 techniques

Lateral Movement 1 rule, 1 technique

Application 30 rules

Initial Access 1 rule, 1 technique

Execution 3 rules, 2 techniques

Persistence 13 rules, 2 techniques

Stealth 6 rules, 3 techniques

Credential Access 1 rule, 1 technique

Discovery 1 rule, 1 technique

Collection 2 rules, 1 technique

Exfiltration 1 rule, 1 technique

Untagged 2 rules without MITRE techniques