Kusto non-Windows coverage

1,924 non-Windows Kusto detection rules across 13 platforms, grouped by MITRE ATT&CK technique within each platform. The Windows coverage matrix lives at /rules/kusto/; this page reorganizes the same corpus along platform × technique because non-Windows rules have no catalog event IDs to plot.

For coverage organized by each platform's native action vocabulary across all vendors, see the platform matrices: AWS, Azure AD, GCP, M365, Okta. This page is the vendor-organized browse of the same rules.

Linux 455 rules

Reconnaissance 1 rule, 1 technique

Active Scanning T1595 1 rule

Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)

Initial Access 47 rules, 6 techniques

Exploit Public-Facing Application T1190 18 rules

AV detections related to SpringShell Vulnerability available linux, macos, windows (endpoint)
Cisco SE - Malware outbreak available linux, macos, windows (endpoint)
Cisco SE - Multiple malware on host available linux, macos, windows (endpoint)
Cisco SE - Unexpected binary file available linux, macos, windows (endpoint)
Cisco SE High Events Last Hour available linux, macos, windows (endpoint)
Dataverse - Login by a sensitive privileged user available linux, macos, windows (endpoint)
Dataverse - Login from IP in the block list available linux, macos, windows (endpoint)
Dataverse - Login from IP not in the allow list available linux, macos, windows (endpoint)
Dataverse - New sign-in from an unauthorized domain available linux, macos, windows (endpoint)
Dataverse - New user agent type that was not used with Office 365 available linux, macos, windows (endpoint)
Dataverse - Suspicious use of TDS endpoint available linux, macos, windows (endpoint)
Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory linux, macos, windows (endpoint)
OracleDBAudit - Connection to database from external IP available linux (endpoint)
OracleDBAudit - SQL injection patterns available linux (endpoint)
Sentinel One - Alert from custom rule available linux, macos, windows (endpoint)
Sentinel One - Multiple alerts on host available linux, macos, windows (endpoint)
Sentinel One - Same custom rule triggered on different hosts available linux, macos, windows (endpoint)
VMware ESXi - Dormant VM started linux (endpoint)

Phishing T1566 15 rules

Cisco WSA - Access to unwanted site available linux (endpoint)
Dataverse - TI map URL to DataverseActivity available linux, macos, windows (endpoint)
McAfee ePO - Spam Email detected available linux (endpoint)
Possible Phishing with CSL and Network Sessions available linux, macos, windows (endpoint)
Power Apps - Multiple users access a malicious link after launching new app available linux, macos, windows (endpoint)
Preview - TI map Email entity to Cloud App Events linux, macos, windows (endpoint)
TI map Email entity to Cloud App Events linux, macos, windows (endpoint)
Trend Micro CAS - Infected user available linux, macos, windows (endpoint)
Trend Micro CAS - Multiple infected users available linux, macos, windows (endpoint)
Trend Micro CAS - Possible phishing mail available linux, macos, windows (endpoint)
Trend Micro CAS - Suspicious filename available linux, macos, windows (endpoint)
Trend Micro CAS - Unexpected file on file share available linux, macos, windows (endpoint)
Trend Micro CAS - Unexpected file via mail available linux, macos, windows (endpoint)
User Accessed Suspicious URL Categories available linux (endpoint)
Website blocked by ESET linux (endpoint)

Drive-by Compromise T1189 10 rules

Cisco WSA - Internet access from public IP available linux (endpoint)
Cisco WSA - Multiple attempts to download unwanted file available linux (endpoint)
Cisco WSA - Multiple errors to resource from risky category available linux (endpoint)
Cisco WSA - Multiple infected files available linux (endpoint)
Cisco WSA - Unexpected file type available linux (endpoint)
Cisco WSA - Unscannable file or scan error available linux (endpoint)
McAfee ePO - Multiple threats on same host available linux (endpoint)
McAfee ePO - Threat was not blocked available linux (endpoint)
Power Apps - Multiple users access a malicious link after launching new app available linux, macos, windows (endpoint)
Website blocked by ESET linux (endpoint)

Supply Chain Compromise T1195 2 rules

McAfee ePO - Multiple threats on same host available linux (endpoint)
McAfee ePO - Threat was not blocked available linux (endpoint)

Trusted Relationship T1199 1 rule

Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Hardware Additions T1200 1 rule

Potential DHCP Starvation Attack available linux (endpoint)

Execution 17 rules, 7 techniques

User Execution: Malicious File T1204.002 5 rules

Cisco SE - Dropper activity on host available linux, macos, windows (endpoint)
Cisco SE - Generic IOC available linux, macos, windows (endpoint)
Cisco SE - Malware execusion on host available linux, macos, windows (endpoint)
Cisco SE High Events Last Hour available linux, macos, windows (endpoint)
Malware Detected available linux (endpoint)

User Execution T1204 4 rules

Dataverse - Malware found in SharePoint document management site available linux, macos, windows (endpoint)
Dataverse - TI map URL to DataverseActivity available linux, macos, windows (endpoint)
Known Malware Detected available linux, macos, windows (endpoint)
Threats detected by ESET linux (endpoint)

Command and Scripting Interpreter T1059 3 rules

CiscoISE - Command executed with the highest privileges from new IP available linux (endpoint)
CiscoISE - Command executed with the highest privileges by new user available linux (endpoint)
Potential Ransomware activity related to Cobalt Strike available linux, macos, windows (endpoint)

Exploitation for Client Execution T1203 2 rules

Antivirus Detected an Infected File available linux (endpoint)
Prestige ransomware IOCs Oct 2022 linux, macos, windows (endpoint)

Scheduled Task/Job T1053 1 rule

AV detections related to Tarrask malware available linux, macos, windows (endpoint)

Native API T1106 1 rule

Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)

System Services T1569 1 rule

Dataverse - Anomalous application user activity available linux, macos, windows (endpoint)

Persistence 18 rules, 4 techniques

External Remote Services T1133 12 rules

Cisco SE - Malware outbreak available linux, macos, windows (endpoint)
Cisco SE - Multiple malware on host available linux, macos, windows (endpoint)
Cisco SE - Unexpected binary file available linux, macos, windows (endpoint)
CiscoISE - Command executed with the highest privileges from new IP available linux (endpoint)
CiscoISE - Command executed with the highest privileges by new user available linux (endpoint)
Dataverse - Login by a sensitive privileged user available linux, macos, windows (endpoint)
Dataverse - Login from IP in the block list available linux, macos, windows (endpoint)
Dataverse - Login from IP not in the allow list available linux, macos, windows (endpoint)
Dataverse - New sign-in from an unauthorized domain available linux, macos, windows (endpoint)
Dataverse - New user agent type that was not used with Office 365 available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)
OracleDBAudit - Connection to database from external IP available linux (endpoint)

Account Manipulation T1098 4 rules

CiscoISE - Device PostureStatus changed to non-compliant available linux (endpoint)
CiscoISE - ISE administrator password has been reset available linux (endpoint)
Dataverse - New non-interactive identity granted access available linux, macos, windows (endpoint)
VMware ESXi - Root password changed available linux (endpoint)

Create Account T1136 1 rule

GitLab - External User Added to GitLab available linux (endpoint)

Create or Modify System Process T1543 1 rule

McAfee ePO - Multiple threats on same host available linux (endpoint)

Privilege Escalation 8 rules, 3 techniques

Abuse Elevation Control Mechanism T1548 5 rules

CiscoISE - Command executed with the highest privileges from new IP available linux (endpoint)
CiscoISE - Command executed with the highest privileges by new user available linux (endpoint)
Dataverse - Bulk record ownership re-assignment or sharing available linux, macos, windows (endpoint)
Dataverse - Hierarchy security manipulation available linux, macos, windows (endpoint)
Dataverse - Suspicious security role modifications available linux, macos, windows (endpoint)

Exploitation for Privilege Escalation T1068 2 rules

CTERA Mass Permissions Changes Detection Analytic available linux (endpoint)
McAfee ePO - Threat was not blocked available linux (endpoint)

Event Triggered Execution T1546 1 rule

Defender Alert Evidence available linux, macos, windows (endpoint)

Detect Potential Kerberoast Activities available linux, macos, windows (endpoint)

No specific technique 1 rule

Alarming number of anomalies generated in NetBackup available linux, macos, windows (endpoint)

Discovery 9 rules, 5 techniques

Cloud Service Discovery T1526 3 rules

Dataverse - Honeypot instance activity available linux, macos, windows (endpoint)
Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Cloud Infrastructure Discovery T1580 2 rules

Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Network Service Discovery T1046 1 rule

Port Scan Detected available linux (endpoint)

System Information Discovery T1082 1 rule

Pathlock TDnR - SAP System Log Events available linux (endpoint)

Cloud Service Dashboard T1538 1 rule

Dataverse - Honeypot instance activity available linux, macos, windows (endpoint)

No specific technique 1 rule

Alarming number of anomalies generated in NetBackup available linux, macos, windows (endpoint)

Lateral Movement 6 rules, 2 techniques

Remote Services T1021 3 rules

Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)
Excessive Blocked Traffic Events Generated by User available linux (endpoint)
VMware ESXi - SSH Enable on ESXi Host available linux (endpoint)

Exploitation of Remote Services T1210 3 rules

Critical Threat Detected available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)
Sentinel One - Same custom rule triggered on different hosts available linux, macos, windows (endpoint)

Collection 4 rules, 3 techniques

Automated Collection T1119 2 rules

OracleDBAudit - Connection to database from external IP available linux (endpoint)
OracleDBAudit - Unusual user activity on multiple tables available linux (endpoint)

Data from Local System T1005 1 rule

OracleDBAudit - Query on Sensitive Table available linux (endpoint)

Data from Information Repositories T1213 1 rule

GitLab - Personal Access Tokens creation over time available linux (endpoint)

Command & Control 40 rules, 7 techniques

Application Layer Protocol T1071 25 rules

Cisco SE - Connection to known C2 server available linux, macos, windows (endpoint)
Lumen TI IPAddress in DeviceEvents linux, macos, windows (endpoint)
McAfee ePO - Firewall disabled available linux (endpoint)
Preview - TI map Domain entity to Cloud App Events linux, macos, windows (endpoint)
Preview - TI map IP entity to Cloud App Events linux, macos, windows (endpoint)
Preview - TI map URL entity to Cloud App Events linux, macos, windows (endpoint)
TI map Domain entity to Cloud App Events linux, macos, windows (endpoint)
TI Map Domain Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map Domain Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI map Domain entity to Syslog linux (endpoint)
TI map Domain entity to Syslog linux (endpoint)
TI map File Hash to DeviceFileEvents Event linux, macos, windows (endpoint)
TI map File Hash to DeviceFileEvents Event linux, macos, windows (endpoint)
TI map IP entity to Cloud App Events linux, macos, windows (endpoint)
TI Map IP Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map IP Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI map URL entity to Cloud App Events linux, macos, windows (endpoint)
TI Map URL Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map URL Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map URL Entity to Syslog Data linux (endpoint)
TI Map URL Entity to Syslog Data linux (endpoint)
TI Map URL Entity to UrlClickEvents linux, macos, windows (endpoint)
TI Map URL Entity to UrlClickEvents linux, macos, windows (endpoint)
User Accessed Suspicious URL Categories available linux (endpoint)
Website blocked by ESET linux (endpoint)

Web Service T1102 7 rules

Cisco SE - Possible webshell available linux, macos, windows (endpoint)
Cisco WSA - Multiple errors to resource from risky category available linux (endpoint)
Cisco WSA - Multiple errors to URL available linux (endpoint)
Cisco WSA - Unexpected URL available linux (endpoint)
NRT Squid proxy events related to mining pools linux (endpoint)
Possible Phishing with CSL and Network Sessions available linux, macos, windows (endpoint)
Squid proxy events related to mining pools linux (endpoint)

Fallback Channels T1008 2 rules

Excessive NXDOMAIN DNS Queries available linux (endpoint)
Squid proxy events for ToR proxies linux (endpoint)

Proxy T1090 2 rules

Excessive Denied Proxy Traffic available linux (endpoint)
Squid proxy events for ToR proxies linux (endpoint)

Dynamic Resolution T1568 2 rules

CiscoISE - Device changed IP in last 24 hours available linux (endpoint)
Excessive NXDOMAIN DNS Queries available linux (endpoint)

Data Obfuscation T1001 1 rule

Excessive Blocked Traffic Events Generated by User available linux (endpoint)

Data Encoding T1132 1 rule

Excessive Blocked Traffic Events Generated by User available linux (endpoint)

Exfiltration 29 rules, 7 techniques

Exfiltration Over Alternative Protocol T1048 15 rules

Cisco WSA - Suspected protocol abuse available linux (endpoint)
Dataverse - Export activity from terminated or notified employee available linux, macos, windows (endpoint)
Dataverse - Suspicious use of TDS endpoint available linux, macos, windows (endpoint)
Dataverse - User bulk retrieval outside normal activity available linux, macos, windows (endpoint)
Digital Guardian - Bulk exfiltration to external domain available linux (endpoint)
Digital Guardian - Exfiltration to external domain available linux (endpoint)
Digital Guardian - Exfiltration to online fileshare available linux (endpoint)
Digital Guardian - Exfiltration to private email available linux (endpoint)
Digital Guardian - Exfiltration using DNS protocol available linux (endpoint)
Digital Guardian - Incident with not blocked action available linux (endpoint)
Digital Guardian - Multiple incidents from user available linux (endpoint)
Digital Guardian - Possible SMTP protocol abuse available linux (endpoint)
Digital Guardian - Sensitive data transfer over insecure channel available linux (endpoint)
Digital Guardian - Unexpected protocol available linux (endpoint)
Trend Micro CAS - DLP violation available linux, macos, windows (endpoint)

Exfiltration Over Web Service T1567 7 rules

Cisco WSA - Unexpected uploads available linux (endpoint)
Dataverse - Export activity from terminated or notified employee available linux, macos, windows (endpoint)
Dataverse - Honeypot instance activity available linux, macos, windows (endpoint)
Dataverse - Mass export of records to Excel available linux, macos, windows (endpoint)
Dataverse - SharePoint document management site added or updated available linux, macos, windows (endpoint)
Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)
Dataverse - Terminated employee exfiltration over email available linux, macos, windows (endpoint)

Automated Exfiltration T1020 2 rules

SFTP File transfer above threshold linux (endpoint)
SFTP File transfer folder count above threshold linux (endpoint)

Exfiltration Over C2 Channel T1041 2 rules

Excessive Blocked Traffic Events Generated by User available linux (endpoint)
Website blocked by ESET linux (endpoint)

Scheduled Transfer T1029 1 rule

OracleDBAudit - Connection to database from external IP available linux (endpoint)

Exfiltration Over Physical Medium T1052 1 rule

Dataverse - Terminated employee exfiltration to USB drive available linux, macos, windows (endpoint)

Transfer Data to Cloud Account T1537 1 rule

Dataverse - SharePoint document management site added or updated available linux, macos, windows (endpoint)

Impact 30 rules, 8 techniques

Data Encrypted for Impact T1486 11 rules

AV detections related to Dev-0530 actors linux, macos, windows (endpoint)
AV detections related to Europium actors linux, macos, windows (endpoint)
AV detections related to Hive Ransomware linux, macos, windows (endpoint)
AV detections related to Zinc actors available linux, macos, windows (endpoint)
Cisco SE - Ransomware Activity available linux, macos, windows (endpoint)
Ransom Protect Detected a Ransomware Attack available linux (endpoint)
Ransom Protect User Blocked available linux (endpoint)
Ransomware Attack Detected available linux (endpoint)
Ransomware Client Blocked available linux (endpoint)
Trend Micro CAS - Ransomware infection available linux, macos, windows (endpoint)
Trend Micro CAS - Ransomware outbreak available linux, macos, windows (endpoint)

Data Destruction T1485 7 rules

AV detections related to Ukraine threats available linux, macos, windows (endpoint)
CTERA Mass Deletions Detection Analytic available linux (endpoint)
Dataverse - Mass deletion of records available linux, macos, windows (endpoint)
Dataverse - Mass record updates available linux, macos, windows (endpoint)
GitLab - Abnormal number of repositories deleted available linux (endpoint)
OracleDBAudit - Multiple tables dropped in short time available linux (endpoint)
Unusual Volume of file deletion by users available linux, macos, windows (endpoint)

System Shutdown/Reboot T1529 5 rules

OracleDBAudit - Shutdown Server available linux (endpoint)
VMware ESXi - Low patch disk space available linux (endpoint)
VMware ESXi - Low temp directory space available linux (endpoint)
VMware ESXi - Multiple VMs stopped available linux (endpoint)
VMware ESXi - VM stopped available linux (endpoint)

Inhibit System Recovery T1490 2 rules

CiscoISE - Backup failed available linux (endpoint)
Potential Ransomware activity related to Cobalt Strike available linux, macos, windows (endpoint)

Data Manipulation T1565 2 rules

Dataverse - Mass record updates available linux, macos, windows (endpoint)
Infoblox - TI - Syslog Match Found - URL available linux (endpoint)

Resource Hijacking T1496 1 rule

VMware ESXi - Unexpected disk image available linux (endpoint)

Network Denial of Service T1498 1 rule

Infoblox - TI - Syslog Match Found - URL available linux (endpoint)

Endpoint Denial of Service T1499 1 rule

Excessive Amount of Denied Connections from a Single Source available linux (endpoint)

Untagged 113 rules without MITRE techniques

Adding User or Group Failed available linux (endpoint)
Application Group Deleted available linux (endpoint)
Application Group Settings Updated available linux (endpoint)
Archive Repository Deleted available linux (endpoint)
Archive Repository Settings Updated available linux (endpoint)
Attempt to Delete Backup Failed available linux (endpoint)
Attempt to Update Security Object Failed available linux (endpoint)
Backup Proxy Deleted available linux (endpoint)
Backup Repository Deleted available linux (endpoint)
Backup Repository Settings Updated available linux (endpoint)
Cloud Gateway Deleted available linux (endpoint)
Cloud Gateway Pool Deleted available linux (endpoint)
Cloud Gateway Pool Settings Updated available linux (endpoint)
Cloud Gateway Settings Updated available linux (endpoint)
Cloud Replica Permanent Failover Performed by Tenant available linux (endpoint)
Configuration Backup Job Failed available linux (endpoint)
Configuration Backup Job Settings Updated available linux (endpoint)
Connection to Backup Repository Lost available linux (endpoint)
Create Incident for XDR Alerts available linux, macos, windows (endpoint)
Credential Record Deleted available linux (endpoint)
Credential Record Updated available linux (endpoint)
Detaching Backups Started available linux (endpoint)
Encryption Password Added available linux (endpoint)
Encryption Password Changed available linux (endpoint)
Encryption Password Deleted available linux (endpoint)
External Repository Deleted available linux (endpoint)
External Repository Settings Updated available linux (endpoint)
Failover Plan Deleted available linux (endpoint)
Failover Plan Failed available linux (endpoint)
Failover Plan Settings Updated available linux (endpoint)
Failover Plan Started available linux (endpoint)
Failover Plan Stopped available linux (endpoint)
File Server Deleted available linux (endpoint)
File Server Settings Updated available linux (endpoint)
File Share Deleted available linux (endpoint)
Four-Eyes Authorization Disabled available linux (endpoint)
Four-Eyes Authorization Request Created available linux (endpoint)
Four-Eyes Authorization Request Expired available linux (endpoint)
Four-Eyes Authorization Request Rejected available linux (endpoint)
General Settings Updated available linux (endpoint)
Global Network Traffic Rules Deleted available linux (endpoint)
Global VM Exclusions Added available linux (endpoint)
Global VM Exclusions Changed available linux (endpoint)
Global VM Exclusions Deleted available linux (endpoint)
Host Deleted available linux (endpoint)
Host Settings Updated available linux (endpoint)
Hypervisor Host Deleted available linux (endpoint)
Hypervisor Host Settings Updated available linux (endpoint)
Invalid Code for Multi-Factor Authentication Entered available linux (endpoint)
Job Deleted available linux (endpoint)
Job No Longer Used as Second Destination available linux (endpoint)
KMS Key Rotation Job Finished available linux (endpoint)
KMS Server Deleted available linux (endpoint)
KMS Server Settings Updated available linux (endpoint)
License Expired available linux (endpoint)
License Expiring available linux (endpoint)
License Grace Period Started available linux (endpoint)
License Limit Exceeded available linux (endpoint)
License Removed available linux (endpoint)
License Support Expired available linux (endpoint)
License Support Expiring available linux (endpoint)
Malware Activity Detected available linux (endpoint)
Malware Detection Exclusions List Updated available linux (endpoint)
Malware Detection Session Finished available linux (endpoint)
Malware Detection Settings Updated available linux (endpoint)
Multi-Factor Authentication Disabled available linux (endpoint)
Multi-Factor Authentication for User Disabled available linux (endpoint)
Multi-Factor Authentication Token Revoked available linux (endpoint)
Multi-Factor Authentication User Locked available linux (endpoint)
NDMP Server Deleted available linux (endpoint)
Object Marked as Clean available linux (endpoint)
Object Storage Deleted available linux (endpoint)
Object Storage Settings Updated available linux (endpoint)
Objects Added to Malware Detection Exclusions available linux (endpoint)
Objects Deleted from Malware Detection Exclusions available linux (endpoint)
Objects for Job Deleted available linux (endpoint)
Objects for Protection Group Changed available linux (endpoint)
Objects for Protection Group Deleted available linux (endpoint)
Preferred Networks Deleted available linux (endpoint)
Protection Group Deleted available linux (endpoint)
Protection Group Settings Updated available linux (endpoint)
Recovery Token Deleted available linux (endpoint)
Restore Point Marked as Clean available linux (endpoint)
Restore Point Marked as Infected available linux (endpoint)
Scale-Out Backup Repository Deleted available linux (endpoint)
Scale-Out Backup Repository Settings Updated available linux (endpoint)
Service Provider Deleted available linux (endpoint)
Service Provider Updated available linux (endpoint)
SSH Credentials Changed available linux (endpoint)
Storage Deleted available linux (endpoint)
Storage Settings Updated available linux (endpoint)
Subtenant Deleted available linux (endpoint)
Subtenant Updated available linux (endpoint)
SureBackup Job Failed available linux (endpoint)
Tape Erase Job Started available linux (endpoint)
Tape Library Deleted available linux (endpoint)
Tape Media Pool Deleted available linux (endpoint)
Tape Media Vault Deleted available linux (endpoint)
Tape Medium Deleted available linux (endpoint)
Tape Server Deleted available linux (endpoint)
Tenant Password Changed available linux (endpoint)
Tenant Quota Changed available linux (endpoint)
Tenant Quota Deleted available linux (endpoint)
Tenant Replica Started available linux (endpoint)
Tenant Replica Stopped available linux (endpoint)
Tenant State Changed available linux (endpoint)
Unusual Anomaly linux, macos, windows (endpoint)
User or Group Added available linux (endpoint)
User or Group Deleted available linux (endpoint)
Virtual Lab Deleted available linux (endpoint)
Virtual Lab Settings Updated available linux (endpoint)
WAN Accelerator Deleted available linux (endpoint)
WAN Accelerator Settings Updated available linux (endpoint)

macOS 183 rules

Reconnaissance 1 rule, 1 technique

Active Scanning T1595 1 rule

Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)

Initial Access 28 rules, 4 techniques

Exploit Public-Facing Application T1190 15 rules

AV detections related to SpringShell Vulnerability available linux, macos, windows (endpoint)
Cisco SE - Malware outbreak available linux, macos, windows (endpoint)
Cisco SE - Multiple malware on host available linux, macos, windows (endpoint)
Cisco SE - Unexpected binary file available linux, macos, windows (endpoint)
Cisco SE High Events Last Hour available linux, macos, windows (endpoint)
Dataverse - Login by a sensitive privileged user available linux, macos, windows (endpoint)
Dataverse - Login from IP in the block list available linux, macos, windows (endpoint)
Dataverse - Login from IP not in the allow list available linux, macos, windows (endpoint)
Dataverse - New sign-in from an unauthorized domain available linux, macos, windows (endpoint)
Dataverse - New user agent type that was not used with Office 365 available linux, macos, windows (endpoint)
Dataverse - Suspicious use of TDS endpoint available linux, macos, windows (endpoint)
Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory linux, macos, windows (endpoint)
Sentinel One - Alert from custom rule available linux, macos, windows (endpoint)
Sentinel One - Multiple alerts on host available linux, macos, windows (endpoint)
Sentinel One - Same custom rule triggered on different hosts available linux, macos, windows (endpoint)

Phishing T1566 11 rules

Dataverse - TI map URL to DataverseActivity available linux, macos, windows (endpoint)
Possible Phishing with CSL and Network Sessions available linux, macos, windows (endpoint)
Power Apps - Multiple users access a malicious link after launching new app available linux, macos, windows (endpoint)
Preview - TI map Email entity to Cloud App Events linux, macos, windows (endpoint)
TI map Email entity to Cloud App Events linux, macos, windows (endpoint)
Trend Micro CAS - Infected user available linux, macos, windows (endpoint)
Trend Micro CAS - Multiple infected users available linux, macos, windows (endpoint)
Trend Micro CAS - Possible phishing mail available linux, macos, windows (endpoint)
Trend Micro CAS - Suspicious filename available linux, macos, windows (endpoint)
Trend Micro CAS - Unexpected file on file share available linux, macos, windows (endpoint)
Trend Micro CAS - Unexpected file via mail available linux, macos, windows (endpoint)

Drive-by Compromise T1189 1 rule

Power Apps - Multiple users access a malicious link after launching new app available linux, macos, windows (endpoint)

Trusted Relationship T1199 1 rule

Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Execution 12 rules, 7 techniques

User Execution: Malicious File T1204.002 4 rules

Cisco SE - Dropper activity on host available linux, macos, windows (endpoint)
Cisco SE - Generic IOC available linux, macos, windows (endpoint)
Cisco SE - Malware execusion on host available linux, macos, windows (endpoint)
Cisco SE High Events Last Hour available linux, macos, windows (endpoint)

User Execution T1204 3 rules

Dataverse - Malware found in SharePoint document management site available linux, macos, windows (endpoint)
Dataverse - TI map URL to DataverseActivity available linux, macos, windows (endpoint)
Known Malware Detected available linux, macos, windows (endpoint)

Scheduled Task/Job T1053 1 rule

AV detections related to Tarrask malware available linux, macos, windows (endpoint)

Command and Scripting Interpreter T1059 1 rule

Potential Ransomware activity related to Cobalt Strike available linux, macos, windows (endpoint)

Native API T1106 1 rule

Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)

Exploitation for Client Execution T1203 1 rule

Prestige ransomware IOCs Oct 2022 linux, macos, windows (endpoint)

System Services T1569 1 rule

Dataverse - Anomalous application user activity available linux, macos, windows (endpoint)

Persistence 10 rules, 2 techniques

External Remote Services T1133 9 rules

Cisco SE - Malware outbreak available linux, macos, windows (endpoint)
Cisco SE - Multiple malware on host available linux, macos, windows (endpoint)
Cisco SE - Unexpected binary file available linux, macos, windows (endpoint)
Dataverse - Login by a sensitive privileged user available linux, macos, windows (endpoint)
Dataverse - Login from IP in the block list available linux, macos, windows (endpoint)
Dataverse - Login from IP not in the allow list available linux, macos, windows (endpoint)
Dataverse - New sign-in from an unauthorized domain available linux, macos, windows (endpoint)
Dataverse - New user agent type that was not used with Office 365 available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Account Manipulation T1098 1 rule

Dataverse - New non-interactive identity granted access available linux, macos, windows (endpoint)

Privilege Escalation 4 rules, 2 techniques

Abuse Elevation Control Mechanism T1548 3 rules

Dataverse - Bulk record ownership re-assignment or sharing available linux, macos, windows (endpoint)
Dataverse - Hierarchy security manipulation available linux, macos, windows (endpoint)
Dataverse - Suspicious security role modifications available linux, macos, windows (endpoint)

Event Triggered Execution T1546 1 rule

Defender Alert Evidence available linux, macos, windows (endpoint)

Stealth 26 rules, 6 techniques

Valid Accounts T1078 13 rules

Dataverse - Hierarchy security manipulation available linux, macos, windows (endpoint)
Dataverse - Login by a sensitive privileged user available linux, macos, windows (endpoint)
Dataverse - Login from IP in the block list available linux, macos, windows (endpoint)
Dataverse - Login from IP not in the allow list available linux, macos, windows (endpoint)
Dataverse - New Dataverse application user activity type available linux, macos, windows (endpoint)
Dataverse - New non-interactive identity granted access available linux, macos, windows (endpoint)
Dataverse - New sign-in from an unauthorized domain available linux, macos, windows (endpoint)
Dataverse - New user agent type that was not used before available linux, macos, windows (endpoint)
Dataverse - Organization settings modified available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)
Potential Ransomware activity related to Cobalt Strike available linux, macos, windows (endpoint)
Sentinel One - Admin login from new location available linux, macos, windows (endpoint)
Sentinel One - New admin created available linux, macos, windows (endpoint)

Indicator Removal T1070 7 rules

Dataverse - Audit log data deletion available linux, macos, windows (endpoint)
Potential Ransomware activity related to Cobalt Strike available linux, macos, windows (endpoint)
Sentinel One - Agent uninstalled from multiple hosts available linux, macos, windows (endpoint)
Sentinel One - Blacklist hash deleted available linux, macos, windows (endpoint)
Sentinel One - Exclusion added available linux, macos, windows (endpoint)
Sentinel One - Rule deleted available linux, macos, windows (endpoint)
Sentinel One - Rule disabled available linux, macos, windows (endpoint)

Impair Defenses T1562 3 rules

Cisco SE - Policy update failure available linux, macos, windows (endpoint)
Dataverse - Audit logging disabled available linux, macos, windows (endpoint)
Trend Micro CAS - Threat detected and not blocked available linux, macos, windows (endpoint)

Masquerading T1036 1 rule

Dataverse - New user agent type that was not used before available linux, macos, windows (endpoint)

Valid Accounts: Cloud Accounts T1078.004 1 rule

Suspicious Sign In by Entra ID Connect Sync Account available linux, macos, windows (endpoint)

Hijack Execution Flow T1574 1 rule

Dataverse - TI map URL to DataverseActivity available linux, macos, windows (endpoint)

Credential Access 5 rules, 4 techniques

Exploitation for Credential Access T1212 1 rule

Dataverse - Login by a sensitive privileged user available linux, macos, windows (endpoint)

Steal Application Access Token T1528 1 rule

Dataverse - Anomalous application user activity available linux, macos, windows (endpoint)

Credentials from Password Stores T1555 1 rule

Sentinel One - User viewed agent's passphrase available linux, macos, windows (endpoint)

Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 1 rule

Detect Potential Kerberoast Activities available linux, macos, windows (endpoint)

No specific technique 1 rule

Alarming number of anomalies generated in NetBackup available linux, macos, windows (endpoint)

Discovery 7 rules, 3 techniques

Cloud Service Discovery T1526 3 rules

Dataverse - Honeypot instance activity available linux, macos, windows (endpoint)
Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Cloud Infrastructure Discovery T1580 2 rules

Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Cloud Service Dashboard T1538 1 rule

Dataverse - Honeypot instance activity available linux, macos, windows (endpoint)

No specific technique 1 rule

Alarming number of anomalies generated in NetBackup available linux, macos, windows (endpoint)

Lateral Movement 4 rules, 2 techniques

Exploitation of Remote Services T1210 3 rules

Critical Threat Detected available linux, macos, windows (endpoint)
Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)
Sentinel One - Same custom rule triggered on different hosts available linux, macos, windows (endpoint)

Remote Services T1021 1 rule

Dataverse - TI map IP to DataverseActivity available linux, macos, windows (endpoint)

Command & Control 20 rules, 2 techniques

Application Layer Protocol T1071 18 rules

Cisco SE - Connection to known C2 server available linux, macos, windows (endpoint)
Lumen TI IPAddress in DeviceEvents linux, macos, windows (endpoint)
Preview - TI map Domain entity to Cloud App Events linux, macos, windows (endpoint)
Preview - TI map IP entity to Cloud App Events linux, macos, windows (endpoint)
Preview - TI map URL entity to Cloud App Events linux, macos, windows (endpoint)
TI map Domain entity to Cloud App Events linux, macos, windows (endpoint)
TI Map Domain Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map Domain Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI map File Hash to DeviceFileEvents Event linux, macos, windows (endpoint)
TI map File Hash to DeviceFileEvents Event linux, macos, windows (endpoint)
TI map IP entity to Cloud App Events linux, macos, windows (endpoint)
TI Map IP Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map IP Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI map URL entity to Cloud App Events linux, macos, windows (endpoint)
TI Map URL Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map URL Entity to DeviceNetworkEvents linux, macos, windows (endpoint)
TI Map URL Entity to UrlClickEvents linux, macos, windows (endpoint)
TI Map URL Entity to UrlClickEvents linux, macos, windows (endpoint)

Web Service T1102 2 rules

Cisco SE - Possible webshell available linux, macos, windows (endpoint)
Possible Phishing with CSL and Network Sessions available linux, macos, windows (endpoint)

Exfiltration 12 rules, 4 techniques

Exfiltration Over Web Service T1567 6 rules

Dataverse - Export activity from terminated or notified employee available linux, macos, windows (endpoint)
Dataverse - Honeypot instance activity available linux, macos, windows (endpoint)
Dataverse - Mass export of records to Excel available linux, macos, windows (endpoint)
Dataverse - SharePoint document management site added or updated available linux, macos, windows (endpoint)
Dataverse - Suspicious use of Web API available linux, macos, windows (endpoint)
Dataverse - Terminated employee exfiltration over email available linux, macos, windows (endpoint)

Exfiltration Over Alternative Protocol T1048 4 rules

Dataverse - Export activity from terminated or notified employee available linux, macos, windows (endpoint)
Dataverse - Suspicious use of TDS endpoint available linux, macos, windows (endpoint)
Dataverse - User bulk retrieval outside normal activity available linux, macos, windows (endpoint)
Trend Micro CAS - DLP violation available linux, macos, windows (endpoint)

Exfiltration Over Physical Medium T1052 1 rule

Dataverse - Terminated employee exfiltration to USB drive available linux, macos, windows (endpoint)

Transfer Data to Cloud Account T1537 1 rule

Dataverse - SharePoint document management site added or updated available linux, macos, windows (endpoint)

Impact 13 rules, 4 techniques

Data Encrypted for Impact T1486 7 rules

AV detections related to Dev-0530 actors linux, macos, windows (endpoint)
AV detections related to Europium actors linux, macos, windows (endpoint)
AV detections related to Hive Ransomware linux, macos, windows (endpoint)
AV detections related to Zinc actors available linux, macos, windows (endpoint)
Cisco SE - Ransomware Activity available linux, macos, windows (endpoint)
Trend Micro CAS - Ransomware infection available linux, macos, windows (endpoint)
Trend Micro CAS - Ransomware outbreak available linux, macos, windows (endpoint)

Data Destruction T1485 4 rules

AV detections related to Ukraine threats available linux, macos, windows (endpoint)
Dataverse - Mass deletion of records available linux, macos, windows (endpoint)
Dataverse - Mass record updates available linux, macos, windows (endpoint)
Unusual Volume of file deletion by users available linux, macos, windows (endpoint)

Inhibit System Recovery T1490 1 rule

Potential Ransomware activity related to Cobalt Strike available linux, macos, windows (endpoint)

Data Manipulation T1565 1 rule

Dataverse - Mass record updates available linux, macos, windows (endpoint)

Untagged 2 rules without MITRE techniques

Create Incident for XDR Alerts available linux, macos, windows (endpoint)
Unusual Anomaly linux, macos, windows (endpoint)

AWS 127 rules

Reconnaissance 7 rules, 7 techniques

Gather Victim Identity Information: Email Addresses T1589.002 1 rule

AWSCloudTrail - Suspicious AWS CLI Command Execution aws (cloud)

Gather Victim Identity Information: Employee Names T1589.003 1 rule

AWSCloudTrail - Suspicious AWS CLI Command Execution aws (cloud)

Gather Victim Network Information T1590 1 rule

AWSCloudTrail - Suspicious AWS CLI Command Execution aws (cloud)

Gather Victim Org Information T1591 1 rule

AWSCloudTrail - Suspicious AWS CLI Command Execution aws (cloud)

Gather Victim Host Information: Client Configurations T1592.004 1 rule

AWSCloudTrail - Suspicious AWS CLI Command Execution aws (cloud)

Active Scanning T1595 1 rule

AWSCloudTrail - Suspicious AWS CLI Command Execution aws (cloud)

Search Open Technical Databases T1596 1 rule

AWSCloudTrail - Suspicious AWS CLI Command Execution aws (cloud)

Resource Development 1 rule, 1 technique

Acquire Infrastructure T1583 1 rule

AWSCloudTrail - Unauthorized EC2 Instance Setup Attempt available aws (cloud)

Initial Access 3 rules, 2 techniques

Exploit Public-Facing Application T1190 2 rules

Detect port misuse by anomaly based detection (ASIM Network Session schema) available aws (cloud)
Detect port misuse by static threshold (ASIM Network Session schema) available aws (cloud)

Drive-by Compromise T1189 1 rule

New UserAgent observed in last 24 hours available aws (cloud)

Execution 9 rules, 4 techniques

Command and Scripting Interpreter T1059 4 rules

AWS Security Hub - Detect SSM documents public sharing enabled available aws (cloud)
AWSCloudTrail - EC2 Startup Shell Script Changed available aws (cloud)
Detect port misuse by anomaly based detection (ASIM Network Session schema) available aws (cloud)
Detect port misuse by static threshold (ASIM Network Session schema) available aws (cloud)

Exploitation for Client Execution T1203 3 rules

Detect port misuse by anomaly based detection (ASIM Network Session schema) available aws (cloud)
Detect port misuse by static threshold (ASIM Network Session schema) available aws (cloud)
New UserAgent observed in last 24 hours available aws (cloud)

User Execution T1204 1 rule

AWSCloudTrail - Successful API executed from a Tor exit node available aws (cloud)

Cloud Administration Command T1651 1 rule

AWSCloudTrail - Suspicious command sent to EC2 available aws (cloud)

Persistence 32 rules, 4 techniques

Account Manipulation: Additional Cloud Roles T1098.003 27 rules

AWS Security Hub - Detect IAM Policies allowing full administrative privileges available aws (cloud)
AWSCloudTrail - CloudFormation policy created then used for privilege escalation available aws (cloud)
AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of EC2 policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of Glue policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of Lambda policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of SSM policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Policy version set to default available aws (cloud)
AWSCloudTrail - Privilege escalation via CloudFormation policy available aws (cloud)
AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy available aws (cloud)
AWSCloudTrail - Privilege escalation via CRUD IAM policy available aws (cloud)
AWSCloudTrail - Privilege escalation via CRUD KMS policy available aws (cloud)
AWSCloudTrail - Privilege escalation via CRUD Lambda policy available aws (cloud)
AWSCloudTrail - Privilege escalation via CRUD S3 policy available aws (cloud)
AWSCloudTrail - Privilege escalation via DataPipeline policy available aws (cloud)
AWSCloudTrail - Privilege escalation via EC2 policy available aws (cloud)
AWSCloudTrail - Privilege escalation via Glue policy available aws (cloud)
AWSCloudTrail - Privilege escalation via Lambda policy available aws (cloud)
AWSCloudTrail - Privilege escalation via SSM policy available aws (cloud)
AWSCloudTrail - Privilege escalation with admin managed policy available aws (cloud)
AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy available aws (cloud)
AWSCloudTrail - Privilege escalation with FullAccess managed policy available aws (cloud)

Account Manipulation: Additional Cloud Credentials T1098.001 3 rules

AWS Security Hub - Detect IAM root user Access Key existence available aws (cloud)
AWSCloudTrail - Changes to internet facing AWS RDS Database instances available aws (cloud)
AWSCloudTrail - Creation of Access Key for IAM User available aws (cloud)

Account Manipulation T1098 1 rule

AWS Security Hub - Detect root user lacking MFA available aws (cloud)

External Remote Services T1133 1 rule

AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports available aws (cloud)

Stealth 23 rules, 12 techniques

Valid Accounts T1078 5 rules

AWSCloudTrail - Changes to Amazon VPC settings available aws (cloud)
AWSCloudTrail - Login to AWS Management Console without MFA available aws (cloud)
AWSCloudTrail - NRT Login to AWS Management Console without MFA available aws (cloud)
AWSCloudTrail - SAML update identity provider available aws (cloud)
Successful AWS Console Login from IP Address Observed Conducting Password Spray aws (cloud)

Impair Defenses: Disable or Modify Cloud Firewall T1562.007 5 rules

AWSCloudTrail - Changes to Amazon VPC settings available aws (cloud)
AWSCloudTrail - Changes to AWS Elastic Load Balancer security groups available aws (cloud)
AWSCloudTrail - Changes to AWS Security Group ingress and egress settings available aws (cloud)
AWSCloudTrail - Changes to internet facing AWS RDS Database instances available aws (cloud)
AWSCloudTrail - Network ACL with all the open ports to a specified CIDR available aws (cloud)

Impair Defenses: Disable or Modify Cloud Logs T1562.008 3 rules

AWS Security Hub - Detect CloudTrail trails lacking KMS encryption available aws (cloud)
AWSCloudTrail - Config Service Resource Deletion Attempts available aws (cloud)
AWSCloudTrail - Tampering to AWS CloudTrail logs available aws (cloud)

Access Token Manipulation T1134 2 rules

High-Risk Cross-Cloud User Impersonation aws (cloud)
User impersonation by Identity Protection alerts aws (cloud)

Indicator Removal T1070 1 rule

AWSCloudTrail - Changes made to AWS CloudTrail logs available aws (cloud)

Valid Accounts: Default Accounts T1078.001 1 rule

AWS Security Hub - Detect IAM Policies allowing full administrative privileges available aws (cloud)

Valid Accounts: Domain Accounts T1078.002 1 rule

High-Risk Cross-Cloud User Impersonation aws (cloud)

Valid Accounts: Cloud Accounts T1078.004 1 rule

High-Risk Cross-Cloud User Impersonation aws (cloud)

Access Token Manipulation: Token Impersonation/Theft T1134.001 1 rule

AWS Security Hub - Detect IAM root user Access Key existence available aws (cloud)

Access Token Manipulation: Make and Impersonate Token T1134.003 1 rule

AWS Security Hub - Detect IAM root user Access Key existence available aws (cloud)

Impair Defenses T1562 1 rule

AWSCloudTrail - AWS GuardDuty detector disabled or suspended available aws (cloud)

Impair Defenses: Disable or Modify Tools T1562.001 1 rule

AWSCloudTrail - Amazon ECR image scanning disabled available aws (cloud)

Defense Impairment 13 rules, 2 techniques

Domain or Tenant Policy Modification T1484 12 rules

AWSCloudTrail - CloudFormation policy created then used for privilege escalation available aws (cloud)
AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of EC2 policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of Glue policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of Lambda policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Creation of SSM policy and then privilege escalation available aws (cloud)
AWSCloudTrail - Full Admin policy created and then attached to Roles, Users or Groups available aws (cloud)

Modify Authentication Process: Multi-Factor Authentication T1556.006 1 rule

AWS Security Hub - Detect root user lacking MFA available aws (cloud)

Credential Access 4 rules, 1 technique

Brute Force T1110 4 rules

AWS Security Hub - Detect root user lacking MFA available aws (cloud)
AWSCloudTrail - Successful brute force attack on S3 Bucket available aws (cloud)
Cross-Cloud Password Spray detection aws (cloud)
Successful AWS Console Login from IP Address Observed Conducting Password Spray aws (cloud)

Discovery 6 rules, 4 techniques

Network Service Discovery T1046 2 rules

Anomaly found in Network Session Traffic (ASIM Network Session schema) available aws (cloud)
AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports available aws (cloud)

Cloud Infrastructure Discovery T1580 2 rules

AWSCloudTrail - Monitor AWS Credential abuse or hijacking available aws (cloud)
AWSCloudTrail - User IAM Enumeration available aws (cloud)

File and Directory Discovery T1083 1 rule

AWSCloudTrail - ECR image scan findings high or critical available aws (cloud)

Cloud Service Discovery T1526 1 rule

AWSCloudTrail - SSM document is publicly exposed available aws (cloud)

Lateral Movement 2 rules, 2 techniques

Remote Services T1021 1 rule

AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports available aws (cloud)

Exploitation of Remote Services T1210 1 rule

Anomaly found in Network Session Traffic (ASIM Network Session schema) available aws (cloud)

Collection 3 rules, 1 technique

Data from Cloud Storage T1530 3 rules

AWS Security Hub - Detect SQS Queue policy allowing public access available aws (cloud)
AWSCloudTrail - S3 Object Exfiltration from Anonymous User available aws (cloud)
Suspicious access of BEC related documents in AWS S3 buckets aws (cloud)

Command & Control 10 rules, 2 techniques

Application Layer Protocol T1071 7 rules

Anomaly found in Network Session Traffic (ASIM Network Session schema) available aws (cloud)
GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema) available aws (cloud)
New UserAgent observed in last 24 hours available aws (cloud)
TI map IP entity to AWSCloudTrail aws (cloud)
TI map IP entity to AWSCloudTrail aws (cloud)
TI map IP entity to Network Session Events (ASIM Network Session schema) available aws (cloud)
TI map IP entity to Network Session Events (ASIM Network Session schema) available aws (cloud)

Non-Application Layer Protocol T1095 3 rules

Anomaly found in Network Session Traffic (ASIM Network Session schema) available aws (cloud)
Detect port misuse by anomaly based detection (ASIM Network Session schema) available aws (cloud)
Detect port misuse by static threshold (ASIM Network Session schema) available aws (cloud)

Exfiltration 7 rules, 3 techniques

Transfer Data to Cloud Account T1537 5 rules

AWSCloudTrail - RDS instance publicly exposed available aws (cloud)
AWSCloudTrail - S3 bucket access point publicly exposed available aws (cloud)
AWSCloudTrail - S3 bucket exposed via ACL available aws (cloud)
AWSCloudTrail - S3 bucket exposed via policy available aws (cloud)
AWSCloudTrail - S3 object publicly exposed available aws (cloud)

Data Transfer Size Limits T1030 1 rule

Anomaly found in Network Session Traffic (ASIM Network Session schema) available aws (cloud)

Exfiltration Over Web Service T1567 1 rule

AWS Security Hub - Detect SQS Queue policy allowing public access available aws (cloud)

Impact 6 rules, 4 techniques

Data Encrypted for Impact T1486 2 rules

AWSCloudTrail - S3 bucket suspicious ransomware activity available aws (cloud)
AWSCloudTrail - Suspicious overly permissive KMS key policy created available aws (cloud)

Data Manipulation: Stored Data Manipulation T1565.001 2 rules

AWS Security Hub - Detect CloudTrail trails lacking KMS encryption available aws (cloud)
AWS Security Hub - Detect SQS Queue lacking encryption at rest available aws (cloud)

Data Destruction T1485 1 rule

AWSCloudTrail - Creating keys with encrypt policy without MFA available aws (cloud)

Resource Hijacking T1496 1 rule

AWSCloudTrail - Suspicious AWS EC2 Compute Resource Deployments aws (cloud)

Untagged 1 rule without MITRE techniques

AWSGuardDuty - GuardDuty Alert available aws (cloud)

Azure 400 rules

Reconnaissance 2 rules, 1 technique

Active Scanning: Scanning IP Blocks T1595.001 2 rules

Port Scan available azure (cloud)
Port Sweep available azure (cloud)

Resource Development 2 rules, 2 techniques

Establish Accounts: Cloud Accounts T1585.003 1 rule

New onmicrosoft domain added to tenant available azure (identity)

Develop Capabilities T1587 1 rule

Power Apps - Bulk sharing of Power Apps to newly created guest users available azure (identity)

Initial Access 23 rules, 3 techniques

Exploit Public-Facing Application T1190 12 rules

Abnormal Deny Rate for Source IP available azure (cloud)
Anomalous User Agent connection attempt azure (cloud)
Credential errors stateful anomaly on database available azure (cloud)
Exchange SSRF Autodiscover ProxyShell - Detection azure (cloud)
Failed sign-ins into LastPass due to MFA available azure (identity)
Firewall errors stateful anomaly on database available azure (cloud)
High count of connections by client IP on many ports azure (cloud)
High severity malicious activity detected available azure (cloud)
OLE object manipulation attempts stateful anomaly on database available azure (cloud)
Silk Typhoon Suspicious Exchange Request azure (cloud)
Syntax errors stateful anomaly on database available azure (cloud)
Web Application attack detected available azure (cloud)

Phishing T1566 8 rules

Power Apps - Bulk sharing of Power Apps to newly created guest users available azure (identity)
Star Blizzard C2 Domains August 2022 azure (cloud)
TI map Email entity to AzureActivity azure (cloud)
TI map Email entity to AzureActivity azure (cloud)
TI map Email entity to SecurityAlert azure (cloud)
TI map Email entity to SecurityAlert azure (cloud)
TI map Email entity to SigninLogs azure (identity)
TI map Email entity to SigninLogs azure (identity)

Trusted Relationship T1199 2 rules

Azure Portal sign in from another Azure Tenant available azure (identity)
External Upstream Source Added to Azure DevOps Feed available azure (saas)

No specific technique 1 rule

Vaikora - High severity security alerts available azure (cloud)

Execution 19 rules, 9 techniques

Cloud Administration Command T1651 6 rules

Detect Custom Script or Run Command deployment by risky user azure (cloud)
Detect entra token request via specific BOF (IOC based) azure (identity)
Detect first time Azure Custom Script or Run Command deployment azure (identity)
Detect non-admin requesting token for admin applications azure (identity)
Detect suspicious foci token logins azure (identity)
Detect suspicious foci token logins V2 azure (identity)

User Execution T1204 3 rules

High severity malicious activity detected available azure (cloud)
Insider Risk_Risky User Access By Application azure (identity)
Medium severity malicious activity detected available azure (cloud)

Command and Scripting Interpreter T1059 2 rules

Azure Machine Learning Write Operations available azure (cloud)
New CloudShell User available azure (cloud)

Command and Scripting Interpreter: PowerShell T1059.001 2 rules

Azure VM Run Command operations executing a unique PowerShell script azure (cloud)
Execution attempts stateful anomaly on database available azure (cloud)

Scheduled Task/Job T1053 1 rule

New Agent Added to Pool by New User or Added to a New OS Type available azure (saas)

Command and Scripting Interpreter: Windows Command Shell T1059.003 1 rule

Execution attempts stateful anomaly on database available azure (cloud)

Software Deployment Tools T1072 1 rule

Azure DevOps Pipeline Created and Deleted on the Same Day available azure (saas)

Inter-Process Communication T1559 1 rule

Azure DevOps Personal Access Token (PAT) misuse available azure (saas)

System Services T1569 1 rule

Azure DevOps Pipeline modified by a new user available azure (saas)

No specific technique 1 rule

Vaikora - High severity security alerts available azure (cloud)

Persistence 47 rules, 7 techniques

Account Manipulation T1098 26 rules

Attempt to bypass conditional access rule in Microsoft Entra ID available azure (identity)
Authentication Method Changed for Privileged Account azure (identity)
Authentication Methods Changed for Privileged Account available azure (identity)
Azure DevOps Administrator Group Monitoring available azure (saas)
Azure DevOps Pull Request Policy Bypassing - Historic allow list available azure (saas)
Azure DevOps Service Connection Abuse available azure (saas)
Azure DevOps Service Connection Addition/Abuse - Historic allow list available azure (saas)
Conditional Access - A Conditional Access user/group/role exclusion has changed azure (identity)
Credential added after admin consented to Application available azure (identity)
Detect changes to Connect Sync Application azure (identity)
Detect PIM Alert Disabling activity azure (identity)
Firewall rule manipulation attempts stateful anomaly on database available azure (cloud)
High risk Office operation conducted by IP Address that recently attempted to log into a disabled account azure (identity)
Mail.Read Permissions Granted to Application available azure (identity)
Modified domain federation trust settings available azure (identity)
Multi-Factor Authentication Disabled for a User available azure (identity)
NRT Authentication Methods Changed for VIP Users azure (identity)
NRT Modified domain federation trust settings available azure (identity)
NRT User added to Microsoft Entra ID Privileged Groups available azure (identity)
Possible SignIn from Azure Backdoor azure (identity)
Rare subscription-level operations in Azure available azure (cloud)
Sign-ins from IPs that attempt sign-ins to disabled accounts available azure (identity)
Suspicious granting of permissions to an account available azure (cloud)
Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available azure (identity)
User added to Microsoft Entra ID Privileged Groups available azure (identity)
User State changed from Guest to Member azure (identity)

Create Account: Cloud Account T1136.003 11 rules

Account created from non-approved sources azure (identity)
Cross-tenant Access Settings Organization Added available azure (identity)
Cross-tenant Access Settings Organization Deleted available azure (identity)
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Inbound Direct Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Outbound Direct Settings Changed available azure (identity)
External guest invitation followed by Microsoft Entra ID PowerShell signin available azure (identity)
Guest accounts added in Entra ID Groups other than the ones specified available azure (identity)
User Account Created Using Incorrect Naming Format azure (identity)
User account created without expected attributes defined azure (identity)

Account Manipulation: Additional Cloud Credentials T1098.001 2 rules

Detect credential add to Connect Sync Application azure (identity)
New External User Granted Admin Role available azure (identity)

Account Manipulation: Additional Cloud Roles T1098.003 2 rules

Admin promotion after Role Management Application Permission Grant available azure (identity)
Microsoft Entra ID Role Management Permission Grant available azure (identity)

External Remote Services T1133 2 rules

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login azure (identity)
GSA - Detect Connections Outside Operational Hours available azure (identity)

Server Software Component T1505 2 rules

Azure DevOps New Extension Added available azure (saas)
SUPERNOVA webshell azure (cloud)

Create Account T1136 1 rule

Rare application consent available azure (identity)

No specific technique 1 rule

Vaikora - High severity security alerts available azure (cloud)

Privilege Escalation 5 rules, 2 techniques

Abuse Elevation Control Mechanism T1548 3 rules

Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt azure (cloud)
Power Platform - Account added to privileged Microsoft Entra roles available azure (identity)
Suspicious granting of permissions to an account available azure (cloud)

Exploitation for Privilege Escalation T1068 2 rules

Power Platform - Account added to privileged Microsoft Entra roles available azure (identity)
Rare application consent available azure (identity)

Stealth 99 rules, 7 techniques

Valid Accounts: Cloud Accounts T1078.004 52 rules

Account Created and Deleted in Short Timeframe available azure (identity)
Account created or deleted by non-approved user available azure (identity)
Account Elevated to New Role azure (identity)
Addition of a Temporary Access Pass to a Privileged Account azure (identity)
Admin promotion after Role Management Application Permission Grant available azure (identity)
Anomalous Single Factor Signin azure (identity)
Application ID URI Changed azure (identity)
Application Redirect URL Update azure (identity)
Authentication Attempt from New Country azure (identity)
Authentications of Privileged Accounts Outside of Expected Controls azure (identity)
Bulk Changes to Privileged Account Permissions available azure (identity)
Changes to Application Logout URL azure (identity)
Changes to Application Ownership azure (identity)
Changes to PIM Settings azure (identity)
Conditional Access Policy Modified by New User azure (identity)
Cross-tenant Access Settings Organization Added available azure (identity)
Cross-tenant Access Settings Organization Deleted available azure (identity)
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Inbound Direct Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Outbound Direct Settings Changed available azure (identity)
Detect changes to Connect Sync Application azure (identity)
Detect credential add to Connect Sync Application azure (identity)
Detect device code login with user risk azure (identity)
End-user consent stopped due to risk-based consent azure (identity)
External guest invitation followed by Microsoft Entra ID PowerShell signin available azure (identity)
Guest accounts added in Entra ID Groups other than the ones specified available azure (identity)
Guest Users Invited to Tenant by New Inviters azure (identity)
MFA Rejected by User available azure (identity)
Microsoft Entra ID Role Management Permission Grant available azure (identity)
New PA, PCA, or PCAS added to Azure DevOps available azure (saas)
New User Assigned to Privileged Role available azure (identity)
NRT PIM Elevation Request Rejected available azure (identity)
NRT Privileged Role Assigned Outside PIM available azure (identity)
PIM Elevation Request Rejected available azure (identity)
Possible AiTM Phishing Attempt Against Microsoft Entra ID available azure (identity)
Privileged Account Permissions Changed azure (identity)
Privileged Accounts - Sign in Failure Spikes available azure (identity)
Privileged Role Assigned Outside PIM available azure (identity)
Privileged User Logon from new ASN azure (identity)
Service Principal Assigned App Role With Sensitive Access azure (identity)
Service Principal Assigned Privileged Role azure (identity)
Service Principal Authentication Attempt from New Country azure (identity)
Suspicious linking of existing user to external User azure (identity)
Suspicious Login from deleted guest account azure (identity)
Suspicious modification of Global Administrator user properties azure (identity)
Suspicious Sign In Followed by MFA Modification available azure (identity)
Threat Essentials - User Assigned Privileged Role available azure (identity)
URL Added to Application from Unknown Domain azure (identity)
User Accounts - Sign in Failure due to CA Spikes available azure (identity)
User Added to Admin Role azure (identity)
User Assigned New Privileged Role available azure (identity)

Valid Accounts T1078 32 rules

Anomalous sign-in location by user account and authenticating application available azure (identity)
Anomaly Sign In Event from an IP azure (identity)
Attempt to bypass conditional access rule in Microsoft Entra ID available azure (identity)
Attempts to sign in to disabled accounts available azure (identity)
Azure Machine Learning Write Operations available azure (cloud)
Azure RBAC (Elevate Access) azure (identity)
Conditional Access - A Conditional Access user/group/role exclusion has changed azure (identity)
Correlate Unfamiliar sign-in properties & atypical travel alerts available azure (identity)
Detect PIM Alert Disabling activity azure (identity)
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt azure (cloud)
Elevation of Privilege attempt detected available azure (cloud)
F&O - Unusual sign-in activity using single factor authentication available azure (identity)
Failed AWS Console logons but success logon to AzureAD azure (identity)
Failed AzureAD logons but success logon to AWS Console azure (identity)
Failed sign-ins into LastPass due to MFA available azure (identity)
GSA - Detect Connections Outside Operational Hours available azure (identity)
High risk Office operation conducted by IP Address that recently attempted to log into a disabled account azure (identity)
Hunt for critical credentials on devices with non-critical accounts azure (cloud)
Hunt for privilege escalation paths with high ACLs azure (cloud)
IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN azure (identity)
Microsoft Entra ID PowerShell accessing non-Entra ID resources available azure (identity)
New country signIn with correct password azure (identity)
NRT User added to Microsoft Entra ID Privileged Groups available azure (identity)
Power Apps - App activity from unauthorized geo available azure (identity)
Power Platform - Account added to privileged Microsoft Entra roles available azure (identity)
Power Platform - Possibly compromised user accesses Power Platform services available azure (identity)
Sign-ins from IPs that attempt sign-ins to disabled accounts available azure (identity)
Successful logon from IP and failure from a different IP available azure (identity)
Suspicious Service Principal creation activity available azure (identity)
Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available azure (identity)
User added to Microsoft Entra ID Privileged Groups available azure (identity)
Workspace deletion activity from an infected device azure (identity)

Impair Defenses: Disable or Modify Cloud Firewall T1562.007 5 rules

Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) azure (identity)
Conditional Access - A Conditional Access policy was deleted azure (identity)
Conditional Access - A Conditional Access policy was disabled azure (identity)
Conditional Access - A Conditional Access policy was put into report-only mode azure (identity)
Conditional Access - A new Conditional Access policy was created azure (identity)

Masquerading T1036 3 rules

Medium severity malicious activity detected available azure (cloud)
Microsoft Entra ID Rare UserAgent App Sign-in available azure (identity)
Microsoft Entra ID UserAgent OS Missmatch available azure (identity)

Impair Defenses: Disable or Modify Cloud Logs T1562.008 3 rules

Azure DevOps Audit Stream Disabled available azure (saas)
Azure Diagnostic settings removed from a resource azure (cloud)
NRT Azure DevOps Audit Stream Disabled available azure (saas)

Impair Defenses T1562 2 rules

Conditional Access - A Conditional Access policy was updated azure (identity)
Firewall rule manipulation attempts stateful anomaly on database available azure (cloud)

Hide Artifacts T1564 1 rule

Azure DevOps Retention Reduced available azure (saas)

No specific technique 1 rule

Vaikora - High severity security alerts available azure (cloud)

Defense Impairment 15 rules, 8 techniques

Modify Cloud Compute Infrastructure T1578 6 rules

Azure DevOps Build Variable Modified by New User available azure (saas)
Azure DevOps Pipeline modified by a new user available azure (saas)
Creation of expensive computes in Azure available azure (cloud)
Microsoft Entra ID Hybrid Health AD FS New Server available azure (cloud)
NRT Creation of expensive computes in Azure available azure (cloud)
NRT Microsoft Entra ID Hybrid Health AD FS New Server available azure (cloud)

Modify Authentication Process T1556 2 rules

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login azure (identity)
Multi-Factor Authentication Disabled for a User available azure (identity)

Modify Authentication Process: Hybrid Identity T1556.007 2 rules

Detect changes to Connect Sync Application azure (identity)
Detect credential add to Connect Sync Application azure (identity)

Domain or Tenant Policy Modification T1484 1 rule

Conditional Access - Dynamic Group Exclusion Changes azure (identity)

Modify Authentication Process: Multi-Factor Authentication T1556.006 1 rule

Suspicious Sign In Followed by MFA Modification available azure (identity)

Modify Authentication Process: Conditional Access Policies T1556.009 1 rule

Detect suspicious conditional access policy modifications azure (identity)

Modify Cloud Compute Infrastructure: Create Cloud Instance T1578.002 1 rule

Azure DevOps Agent Pool Created Then Deleted available azure (saas)

Modify Cloud Compute Infrastructure: Delete Cloud Instance T1578.003 1 rule

Microsoft Entra ID Hybrid Health AD FS Service Delete available azure (cloud)

Credential Access 55 rules, 13 techniques

Brute Force T1110 20 rules

[Deprecated] Explicit MFA Deny available azure (identity)
Brute force attack against an Entra-authenticated Windows device available azure (identity)
Brute force attack against Azure Portal available azure (identity)
Brute Force Attack against GitHub Account available azure (identity)
Distributed Password cracking attempts in Microsoft Entra ID available azure (identity)
Elevation of Privilege attempt detected available azure (cloud)
Failed AWS Console logons but success logon to AzureAD azure (identity)
Failed AzureAD logons but success logon to AWS Console azure (identity)
Failed login attempts to Azure Portal available azure (identity)
GitHub Signin Burst from Multiple Locations available azure (identity)
GitLab - SSO - Sign-Ins Burst available azure (identity)
High count of failed attempts from same client IP azure (cloud)
High count of failed logons by a user azure (cloud)
IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN azure (identity)
MFA Spamming followed by Successful login available azure (identity)
New country signIn with correct password azure (identity)
Password spray attack against ADFSSignInLogs available azure (identity)
Password spray attack against Microsoft Entra ID application available azure (identity)
Password spray attack against Microsoft Entra ID Seamless SSO available azure (identity)
Successful logon from IP and failure from a different IP available azure (identity)

Steal Application Access Token T1528 8 rules

Azure DevOps PAT used with Browser available azure (saas)
Expired access credentials being used in Azure available azure (identity)
Microsoft Entra ID Hybrid Health AD FS Suspicious Application available azure (cloud)
Suspicious application consent for offline access available azure (identity)
Suspicious application consent similar to O365 Attack Toolkit available azure (identity)
Suspicious application consent similar to PwnAuth available azure (identity)
Suspicious Entra ID Joined Device Update available azure (identity)
Suspicious Service Principal creation activity available azure (identity)

Forge Web Credentials T1606 5 rules

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login azure (identity)
Detect entra token request via specific BOF (IOC based) azure (identity)
Detect Multiple Hello for Business PRT tokens being used simultaneously for one device. azure (identity)
Detect suspicious foci token logins azure (identity)
Detect suspicious foci token logins V2 azure (identity)

OS Credential Dumping T1003 4 rules

Azure Key Vault access TimeSeries anomaly available azure (cloud)
High severity malicious activity detected available azure (cloud)
Mass secret retrieval from Azure Key Vault available azure (cloud)
Rare subscription-level operations in Azure available azure (cloud)

Credentials from Password Stores T1555 3 rules

Credential added after admin consented to Application available azure (identity)
Modified domain federation trust settings available azure (identity)
NRT Modified domain federation trust settings available azure (identity)

Adversary-in-the-Middle T1557 3 rules

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login azure (identity)
Possible AiTM Phishing Attempt Against Microsoft Entra ID available azure (identity)
Unauthorized user access across AWS and Azure azure (identity)

Brute Force: Password Spraying T1110.003 2 rules

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login azure (identity)
Unauthorized user access across AWS and Azure azure (identity)

Brute Force: Credential Stuffing T1110.004 2 rules

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login azure (identity)
Unauthorized user access across AWS and Azure azure (identity)

Exploitation for Credential Access T1212 2 rules

Azure VM Run Command operation executed during suspicious login window azure (cloud)
Unauthorized user access across AWS and Azure azure (identity)

Unsecured Credentials T1552 2 rules

Azure DevOps Variable Secret Not Secured available azure (saas)
F&O - Unusual sign-in activity using single factor authentication available azure (identity)

Brute Force: Password Guessing T1110.001 1 rule

Credential errors stateful anomaly on database available azure (cloud)

Brute Force: Password Cracking T1110.002 1 rule

Credential errors stateful anomaly on database available azure (cloud)

Multi-Factor Authentication Interception T1111 1 rule

Possible AiTM Phishing Attempt Against Microsoft Entra ID available azure (identity)

No specific technique 1 rule

Vaikora - High severity security alerts available azure (cloud)

Discovery 21 rules, 5 techniques

Account Discovery: Cloud Account T1087.004 8 rules

Cross-tenant Access Settings Organization Added available azure (identity)
Cross-tenant Access Settings Organization Deleted available azure (identity)
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Inbound Direct Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available azure (identity)
Cross-tenant Access Settings Organization Outbound Direct Settings Changed available azure (identity)
External guest invitation followed by Microsoft Entra ID PowerShell signin available azure (identity)
Guest accounts added in Entra ID Groups other than the ones specified available azure (identity)

Network Service Discovery T1046 7 rules

Abnormal Deny Rate for Source IP available azure (cloud)
CloudNGFW By Palo Alto Networks - possible internal to external port scanning available azure (cloud)
CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses available azure (cloud)
GSA - Detect Source IP Scanning Multiple Open Ports available azure (identity)
Port Scan available azure (cloud)
Port Sweep available azure (cloud)
Several deny actions registered available azure (cloud)

System Information Discovery T1082 2 rules

Azure Security Benchmark Posture Changed azure (cloud)
M2131_DataConnectorAddedChangedRemoved available azure (cloud)

Account Discovery T1087 1 rule

Unauthorized user access across AWS and Azure azure (identity)

Cloud Infrastructure Discovery T1580 1 rule

Unauthorized user access across AWS and Azure azure (identity)

No specific technique 2 rules

Vaikora - Anomaly detection available azure (cloud)
Vaikora - High severity security alerts available azure (cloud)

Lateral Movement 18 rules, 7 techniques

Use Alternate Authentication Material T1550 4 rules

Microsoft Entra ID Hybrid Health AD FS Suspicious Application available azure (cloud)
NRT New access credential added to Application or Service Principal available azure (identity)
Suspicious application consent similar to O365 Attack Toolkit available azure (identity)
Suspicious application consent similar to PwnAuth available azure (identity)

Use Alternate Authentication Material: Application Access Token T1550.001 4 rules

First access credential added to Application or Service Principal where no credential was present available azure (identity)
full_access_as_app Granted To Application available azure (identity)
New access credential added to Application or Service Principal available azure (identity)
NRT First access credential added to Application or Service Principal where no credential was present azure (identity)

Remote Services: Direct Cloud VM Connections T1021.008 2 rules

Detect Custom Script or Run Command deployment by risky user azure (cloud)
Detect first time Azure Custom Script or Run Command deployment azure (identity)

Exploitation of Remote Services T1210 2 rules

Power Platform - Possibly compromised user accesses Power Platform services available azure (identity)
Several deny actions registered available azure (cloud)

Lateral Tool Transfer T1570 2 rules

Azure VM Run Command operation executed during suspicious login window azure (cloud)
Azure VM Run Command operations executing a unique PowerShell script azure (cloud)

Remote Services T1021 1 rule

Zero Networks Segment - Rare JIT Rule Creation available azure (identity)

Internal Spearphishing T1534 1 rule

Power Apps - Bulk sharing of Power Apps to newly created guest users available azure (identity)

No specific technique 2 rules

Vaikora - Anomaly detection available azure (cloud)
Vaikora - High severity security alerts available azure (cloud)

Collection 5 rules, 3 techniques

Email Collection T1114 1 rule

High risk Office operation conducted by IP Address that recently attempted to log into a disabled account azure (identity)

Automated Collection T1119 1 rule

Azure DevOps Audit Detection for known malicious tooling available azure (saas)

Data from Information Repositories: Databases T1213.006 1 rule

Response rows stateful anomaly on database available azure (cloud)

No specific technique 2 rules

Vaikora - Anomaly detection available azure (cloud)
Vaikora - High severity security alerts available azure (cloud)

Command & Control 45 rules, 7 techniques

Application Layer Protocol T1071 35 rules

Conditional Access - A Conditional Access app exclusion has changed azure (identity)
GreyNoise TI Map IP Entity to SigninLogs azure (identity)
GSA - TI Domain Entity available azure (identity)
GSA - TI IP Entity available azure (identity)
GSA - TI URL Entity available azure (identity)
Linked Malicious Storage Artifacts available azure (saas)
Lumen TI IPAddress in IdentityLogonEvents azure (identity)
Lumen TI IPAddress in SigninLogs azure (identity)
Multiple Sources Affected by the Same TI Destination available azure (cloud)
Outgoing connection attempts stateful anomaly on database available azure (cloud)
Palo Alto - potential beaconing detected available azure (cloud)
Risky user signin observed in non-Microsoft network device azure (identity)
Several deny actions registered available azure (cloud)
SUPERNOVA webshell azure (cloud)
ThreatConnect TI map Email entity to SigninLogs azure (identity)
TI map Domain entity to SecurityAlert azure (saas)
TI map Domain entity to SecurityAlert azure (saas)
TI Map IP Entity to Azure SQL Security Audit Events azure (cloud)
TI Map IP Entity to Azure SQL Security Audit Events azure (cloud)
TI Map IP Entity to AzureActivity azure (cloud)
TI Map IP Entity to AzureActivity azure (cloud)
TI map IP entity to AzureFirewall azure (cloud)
TI map IP entity to AzureFirewall azure (cloud)
TI Map IP Entity to SigninLogs azure (identity)
TI Map IP Entity to SigninLogs azure (identity)
TI Map IP Entity to VMConnection azure (cloud)
TI Map IP Entity to VMConnection azure (cloud)
TI Map IP Entity to W3CIISLog azure (cloud)
TI Map IP Entity to W3CIISLog azure (cloud)
TI Map URL Entity to AuditLogs azure (identity)
TI Map URL Entity to AuditLogs azure (identity)
TI Map URL Entity to EmailUrlInfo azure (identity)
TI Map URL Entity to EmailUrlInfo azure (identity)
TI Map URL Entity to SecurityAlert Data azure (saas)
TI Map URL Entity to SecurityAlert Data azure (saas)

Non-Standard Port T1571 4 rules

Abnormal Port to Protocol available azure (cloud)
GSA - Detect Abnormal Deny Rate for Source to Destination IP available azure (identity)
GSA - Detect Protocol Changes for Destination Ports available azure (identity)
Palo Alto - potential beaconing detected available azure (cloud)

Application Layer Protocol: Web Protocols T1071.001 1 rule

CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses available azure (cloud)

Ingress Tool Transfer T1105 1 rule

Outgoing connection attempts stateful anomaly on database available azure (cloud)

Dynamic Resolution: Fast Flux DNS T1568.001 1 rule

Abnormal Deny Rate for Source IP available azure (cloud)

Dynamic Resolution: Domain Generation Algorithms T1568.002 1 rule

Abnormal Deny Rate for Source IP available azure (cloud)

Protocol Tunneling T1572 1 rule

Abnormal Port to Protocol available azure (cloud)

No specific technique 1 rule

Vaikora - High severity security alerts available azure (cloud)

Exfiltration 12 rules, 5 techniques

Exfiltration Over C2 Channel T1041 4 rules

Abnormal Deny Rate for Source IP available azure (cloud)
Abnormal Port to Protocol available azure (cloud)
High severity malicious activity detected available azure (cloud)
Multiple Sources Affected by the Same TI Destination available azure (cloud)

Exfiltration Over Web Service T1567 3 rules

Dataverse - Guest user exfiltration following Power Platform defense impairment available azure (identity)
Insider Risk_Sensitive Data Access Outside Organizational Geo-location azure (identity)
Linked Malicious Storage Artifacts available azure (saas)

Data Transfer Size Limits T1030 1 rule

CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses available azure (cloud)

Exfiltration Over Alternative Protocol T1048 1 rule

Unauthorized user access across AWS and Azure azure (identity)

Exfiltration Over Physical Medium T1052 1 rule

Mass Download & copy to USB device by single user azure (saas)

No specific technique 2 rules

Vaikora - Anomaly detection available azure (cloud)
Vaikora - High severity security alerts available azure (cloud)

Impact 25 rules, 8 techniques

Resource Hijacking T1496 9 rules

Azure DevOps Personal Access Token (PAT) misuse available azure (saas)
Azure DevOps Service Connection Abuse available azure (saas)
Azure DevOps Service Connection Addition/Abuse - Historic allow list available azure (saas)
Azure Machine Learning Write Operations available azure (cloud)
Detect CoreBackUp Deletion Activity from related Security Alerts available azure (cloud)
Medium severity malicious activity detected available azure (cloud)
Subscription moved to another tenant azure (cloud)
Suspicious number of resource creation or deployment activities available azure (cloud)
Suspicious Resource deployment available azure (cloud)

Data Destruction T1485 6 rules

Affected rows stateful anomaly on database available azure (cloud)
Drop attempts stateful anomaly on database available azure (cloud)
Mass Cloud resource deletions Time Series Anomaly available azure (cloud)
NRT Sensitive Azure Key Vault operations available azure (cloud)
Sensitive Azure Key Vault operations available azure (cloud)
Threat Essentials - Mass Cloud resource deletions Time Series Anomaly available azure (cloud)

Network Denial of Service T1498 3 rules

DDoS attack detected available azure (cloud)
DDoS Attack IP Addresses - Percent Threshold available azure (cloud)
DDoS Attack IP Addresses - PPS Threshold available azure (cloud)

Account Access Removal T1531 2 rules

Multiple admin membership removals from newly created admin. available azure (identity)
Threat Essentials - Multiple admin membership removals from newly created admin. available azure (identity)

Data Encrypted for Impact T1486 1 rule

SSG_Security_Incidents azure (cloud)

Service Stop T1489 1 rule

Workspace deletion activity from an infected device azure (identity)

Defacement T1491 1 rule

Affected rows stateful anomaly on database available azure (cloud)

Data Manipulation T1565 1 rule

Affected rows stateful anomaly on database available azure (cloud)

No specific technique 1 rule

Vaikora - High severity security alerts available azure (cloud)

Untagged 6 rules without MITRE techniques

AppServices AV Scan Failure azure (cloud)
AppServices AV Scan with Infected Files azure (cloud)
Hunt for critical credentials on non Credential Guard enabled devices azure (cloud)
Hunt for critical credentials on non-TPM enabled devices azure (cloud)
Hunt MSOL Azure AD Connect / Entra Sync servers azure (identity)
Vaikora - Feed outage detection available azure (cloud)

GCP 66 rules

Resource Development 1 rule, 1 technique

Compromise Infrastructure: DNS Server T1584.002 1 rule

GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available gcp (cloud)

Initial Access 5 rules, 3 techniques

Phishing T1566 3 rules

Cross-Cloud Suspicious Compute resource creation in GCP gcp (cloud)
Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)
Google DNS - Exchange online autodiscover abuse gcp (cloud)

Exploit Public-Facing Application T1190 1 rule

GCP Security Command Center - Detect Open/Unrestricted API Keys available gcp (cloud)

Supply Chain Compromise T1195 1 rule

Google DNS - Malicous Python packages gcp (cloud)

Execution 3 rules, 2 techniques

Command and Scripting Interpreter T1059 2 rules

Cross-Cloud Suspicious Compute resource creation in GCP gcp (cloud)
Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)

Native API T1106 1 rule

Suspicious VM Instance Creation Activity Detected gcp (cloud)

Persistence 5 rules, 3 techniques

External Remote Services T1133 2 rules

GCP Audit Logs - Open Firewall Rule Created or Modified available gcp (cloud)
GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports available gcp (cloud)

Boot or Logon Autostart Execution T1547 2 rules

Cross-Cloud Suspicious Compute resource creation in GCP gcp (cloud)
Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)

Create Account T1136 1 rule

GCP IAM - New Service Account available gcp (cloud)

Privilege Escalation 5 rules, 2 techniques

Exploitation for Privilege Escalation T1068 3 rules

Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern gcp (cloud)
Google DNS - CVE-2021-34527 (PrintNightmare) external exploit gcp (cloud)
Google DNS - CVE-2021-40444 exploitation gcp (cloud)

Abuse Elevation Control Mechanism T1548 2 rules

Cross-Cloud Suspicious Compute resource creation in GCP gcp (cloud)
Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)

Stealth 16 rules, 6 techniques

Impair Defenses: Disable or Modify Tools T1562.001 6 rules

GCP Audit Logs - Detect Bulk VM Snapshot Deletion available gcp (cloud)
GCP Audit Logs - Detect Organization Policy Deletion or Updation available gcp (cloud)
GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available gcp (cloud)
GCP Audit Logs - Open Firewall Rule Created or Modified available gcp (cloud)
GCP Audit Logs - VPC Flow Logs Disabled available gcp (cloud)
GCP Security Command Center - Detect DNSSEC disabled for DNS zones available gcp (cloud)

Valid Accounts T1078 4 rules

Cross-Cloud Suspicious Compute resource creation in GCP gcp (cloud)
Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)
GCP IAM - High privileged role added to service account available gcp (cloud)
Suspicious VM Instance Creation Activity Detected gcp (cloud)

Valid Accounts: Cloud Accounts T1078.004 2 rules

GCP Audit Logs - Data Access Logging Exemption Added for Principal available gcp (cloud)
GCP Audit Logs - Storage Bucket Made Public available gcp (cloud)

Impair Defenses T1562 2 rules

GCP IAM - Disable Data Access Logging available gcp (cloud)
GCP Security Command Center - Detect Resources with Logging Disabled available gcp (cloud)

Impair Defenses: Disable or Modify System Firewall T1562.004 1 rule

GCP Audit Logs - Open Firewall Rule Created or Modified available gcp (cloud)

Impair Defenses: Disable or Modify Cloud Logs T1562.008 1 rule

GCP Audit Logs - Data Access Logging Exemption Added for Principal available gcp (cloud)

Credential Access 6 rules, 3 techniques

Unsecured Credentials T1552 4 rules

Cross-Cloud Suspicious Compute resource creation in GCP gcp (cloud)
Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)
GCP Security Command Center - Detect Open/Unrestricted API Keys available gcp (cloud)
GCP Security Command Center - Detect projects with API Keys present available gcp (cloud)

Forced Authentication T1187 1 rule

Google DNS - Exchange online autodiscover abuse gcp (cloud)

Adversary-in-the-Middle T1557 1 rule

GCP Security Command Center - Detect DNSSEC disabled for DNS zones available gcp (cloud)

Discovery 9 rules, 4 techniques

Permission Groups Discovery T1069 5 rules

Cross-Cloud Suspicious Compute resource creation in GCP gcp (cloud)
Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)
GCP IAM - Privileges Enumeration available gcp (cloud)
GCP IAM - Publicly exposed storage bucket available gcp (cloud)
GCP IAM - Service Account Keys Enumeration available gcp (cloud)

Network Service Discovery T1046 2 rules

Cross-Cloud Suspicious user activity observed in GCP Envourment gcp (cloud)
GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports available gcp (cloud)

Account Discovery T1087 1 rule

GCP IAM - Service Account Enumeration available gcp (cloud)

Cloud Service Discovery T1526 1 rule

Suspicious VM Instance Creation Activity Detected gcp (cloud)

Lateral Movement 4 rules, 2 techniques

Use Alternate Authentication Material T1550 3 rules

GCP IAM - Empty user agent available gcp (cloud)
GCP IAM - New Authentication Token for Service Account available gcp (cloud)
GCP IAM - New Service Account Key available gcp (cloud)

Remote Services T1021 1 rule

GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports available gcp (cloud)

Collection 1 rule, 1 technique

Data from Cloud Storage T1530 1 rule

GCP Audit Logs - Storage Bucket Made Public available gcp (cloud)

Command & Control 7 rules, 2 techniques

Non-Application Layer Protocol T1095 5 rules

Google DNS - IP check activity gcp (cloud)
Google DNS - Multiple errors for source gcp (cloud)
Google DNS - Multiple errors to same domain gcp (cloud)
Google DNS - Request to dynamic DNS service gcp (cloud)
Google DNS - UNC2452 (Nobelium) APT Group activity gcp (cloud)

Application Layer Protocol: DNS T1071.004 2 rules

GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available gcp (cloud)
GCP Security Command Center - Detect DNSSEC disabled for DNS zones available gcp (cloud)

Exfiltration 2 rules, 2 techniques

Exfiltration Over Web Service T1567 1 rule

Google DNS - Possible data exfiltration gcp (cloud)

Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 1 rule

GCP Audit Logs - Storage Bucket Made Public available gcp (cloud)

Impact 2 rules, 2 techniques

Data Destruction T1485 1 rule

GCP Audit Logs - Detect Bulk VM Snapshot Deletion available gcp (cloud)

Inhibit System Recovery T1490 1 rule

GCP Audit Logs - Detect Bulk VM Snapshot Deletion available gcp (cloud)

Microsoft 365 68 rules

Initial Access 16 rules, 3 techniques

Phishing T1566 13 rules

Accessed files shared by temporary external user available m365 (saas)
Detect Direct Send phishing emails m365 (saas)
Detect Possible Teams BEC Attack by High Teams Recipients m365 (saas)
Phishing link click observed in Network Traffic m365 (saas)
TI map Domain entity to EmailEvents m365 (saas)
TI map Domain entity to EmailEvents m365 (saas)
TI map Domain entity to EmailUrlInfo m365 (saas)
TI map Domain entity to EmailUrlInfo m365 (saas)
TI map Email entity to EmailEvents m365 (saas)
TI map Email entity to EmailEvents m365 (saas)
TI map Email entity to OfficeActivity m365 (saas)
TI map Email entity to OfficeActivity m365 (saas)
VTI - High Severity Domain Collision Detection m365 (saas)

Phishing: Spearphishing Link T1566.002 2 rules

Detect external user sending suspicious link to multiple users m365 (saas)
Detect Malicious Teams Message m365 (saas)

Trusted Relationship T1199 1 rule

Anomalous login followed by Teams action m365 (saas)

Execution 2 rules, 2 techniques

User Execution T1204 1 rule

Insider Risk_Microsoft Purview Insider Risk Management Alert Observed m365 (saas)

User Execution: Malicious Link T1204.001 1 rule

Detect Malicious Teams Message m365 (saas)

Persistence 8 rules, 2 techniques

Account Manipulation T1098 6 rules

Anomalous login followed by Teams action m365 (saas)
Malicious BEC Inbox Rule m365 (saas)
Malicious Inbox Rule available m365 (saas)
NRT Malicious Inbox Rule m365 (saas)
Office Policy Tampering available m365 (saas)
Rare and potentially high-risk Office operations available m365 (saas)

Create Account T1136 2 rules

Anomalous login followed by Teams action m365 (saas)
External user added and removed in short timeframe available m365 (saas)

Privilege Escalation 1 rule, 1 technique

Abuse Elevation Control Mechanism T1548 1 rule

Detect PIM elevation with user risk m365 (saas)

Stealth 8 rules, 2 techniques

Valid Accounts T1078 6 rules

Anomalous login followed by Teams action m365 (saas)
M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity m365 (saas)
Malicious BEC Inbox Rule m365 (saas)
Malicious Inbox Rule available m365 (saas)
NRT Malicious Inbox Rule m365 (saas)
Suspicious AWS console logins by credential access alerts m365 (saas)

Impair Defenses T1562 2 rules

Exchange AuditLog Disabled available m365 (saas)
Office Policy Tampering available m365 (saas)

Credential Access 1 rule, 1 technique

OS Credential Dumping: LSA Secrets T1003.004 1 rule

Suspicious SPN logon from workstation (DumpGuard) m365 (identity)

Lateral Movement 1 rule, 1 technique

Lateral Tool Transfer T1570 1 rule

New executable via Office FileUploaded Operation available m365 (saas)

Collection 6 rules, 1 technique

Email Collection T1114 6 rules

Exchange workflow MailItemsAccessed operation anomaly available m365 (saas)
Mail redirect via ExO transport rule available m365 (saas)
Multiple users email forwarded to same destination available m365 (saas)
NRT Multiple users email forwarded to same destination m365 (saas)
Rare and potentially high-risk Office operations available m365 (saas)
Threat Essentials - Mail redirect via ExO transport rule available m365 (saas)

Command & Control 8 rules, 2 techniques

Application Layer Protocol T1071 7 rules

GreyNoise TI map IP entity to OfficeActivity m365 (saas)
Lumen TI IPAddress in OfficeActivity m365 (saas)
ThreatConnect TI map Email entity to OfficeActivity m365 (saas)
ThreatConnect TI Map URL Entity to OfficeActivity Data m365 (saas)
TI map IP entity to OfficeActivity m365 (saas)
TI map IP entity to OfficeActivity m365 (saas)
TI Map URL Entity to OfficeActivity Data [Deprecated] m365 (saas)

Ingress Tool Transfer T1105 1 rule

New executable via Office FileUploaded Operation available m365 (saas)

Exfiltration 11 rules, 4 techniques

Automated Exfiltration T1020 6 rules

Mail redirect via ExO transport rule available m365 (saas)
Multiple users email forwarded to same destination available m365 (saas)
NRT Multiple users email forwarded to same destination m365 (saas)
Office365 Sharepoint File transfer above threshold m365 (saas)
Office365 Sharepoint File transfer Folders above threshold m365 (saas)
Threat Essentials - Mail redirect via ExO transport rule available m365 (saas)

Data Transfer Size Limits T1030 2 rules

SharePointFileOperation via devices with previously unseen user agents available m365 (saas)
SharePointFileOperation via previously unseen IPs available m365 (saas)

Exfiltration Over Alternative Protocol T1048 2 rules

Filewall - Blocked emails available m365 (saas)
Filewall - Blocked files available m365 (saas)

Exfiltration Over Web Service T1567 1 rule

Dataverse - Mass download from SharePoint document management available m365 (saas)

Impact 2 rules, 2 techniques

Data Destruction T1485 1 rule

Multiple Teams deleted by a single user available m365 (saas)

Service Stop T1489 1 rule

Multiple Teams deleted by a single user available m365 (saas)

Untagged 2 rules without MITRE techniques

Hunt domains with Seamless SSO enabled in Entra ID Connect m365 (identity)
Hunt for accounts with leaked credentials m365 (identity)

Google Workspace 13 rules

Initial Access 2 rules, 2 techniques

Exploit Public-Facing Application T1190 1 rule

GWorkspace - Alert events available google-workspace (saas)

Phishing T1566 1 rule

GWorkspace - Possible maldoc file name in Google drive available google-workspace (saas)

Persistence 5 rules, 4 techniques

Account Manipulation T1098 2 rules

GWorkspace - Admin permissions granted available google-workspace (saas)
GWorkspace - User access has been changed available google-workspace (saas)

External Remote Services T1133 1 rule

GWorkspace - Alert events available google-workspace (saas)

Software Extensions T1176 1 rule

GWorkspace - Multiple user agents for single source available google-workspace (saas)

Compromise Host Software Binary T1554 1 rule

GWorkspace - Unexpected OS update available google-workspace (saas)

Stealth 1 rule, 1 technique

Masquerading T1036 1 rule

GWorkspace - Unexpected OS update available google-workspace (saas)

Credential Access 2 rules, 2 techniques

Brute Force T1110 1 rule

GWorkspace - Possible brute force attack available google-workspace (saas)

Multi-Factor Authentication Interception T1111 1 rule

GWorkspace - Two-step authentification disabled for a user available google-workspace (saas)

Lateral Movement 1 rule, 1 technique

Use Alternate Authentication Material T1550 1 rule

GWorkspace - API Access Granted available google-workspace (saas)

Collection 2 rules, 2 techniques

Email Collection T1114 1 rule

GWorkspace - An Outbound Relay has been added to a G Suite Domain available google-workspace (saas)

Browser Session Hijacking T1185 1 rule

GWorkspace - Multiple user agents for single source available google-workspace (saas)

Okta 10 rules

Initial Access 1 rule, 1 technique

Phishing T1566 1 rule

Okta Fast Pass phishing Detection available okta (identity)

Persistence 2 rules, 1 technique

Account Manipulation T1098 2 rules

Device Registration from Malicious IP available okta (identity)
High-Risk Admin Activity available okta (identity)

Stealth 3 rules, 3 techniques

Valid Accounts T1078 1 rule

New Device/Location sign-in along with critical operation available okta (identity)

Valid Accounts: Cloud Accounts T1078.004 1 rule

User Login from Different Countries within 3 hours available okta (identity)

Access Token Manipulation: Make and Impersonate Token T1134.003 1 rule

User Session Impersonation(Okta) available okta (identity)

Defense Impairment 1 rule, 1 technique

Modify Authentication Process T1556 1 rule

New Device/Location sign-in along with critical operation available okta (identity)

Credential Access 3 rules, 3 techniques

Brute Force T1110 1 rule

Failed Logins from Unknown or Invalid User available okta (identity)

Brute Force: Password Spraying T1110.003 1 rule

Potential Password Spray Attack available okta (identity)

Multi-Factor Authentication Request Generation T1621 1 rule

MFA Fatigue (OKTA) available okta (identity)

GitHub 22 rules

Initial Access 1 rule, 1 technique

Exploit Public-Facing Application T1190 1 rule

GitHub Security Vulnerability in Repository github (saas)

Execution 1 rule, 1 technique

Exploitation for Client Execution T1203 1 rule

GitHub Security Vulnerability in Repository github (saas)

Privilege Escalation 1 rule, 1 technique

Exploitation for Privilege Escalation T1068 1 rule

GitHub Security Vulnerability in Repository github (saas)

Stealth 14 rules, 3 techniques

Valid Accounts T1078 11 rules

GitHub - A payment method was removed available github (saas)
GitHub - Oauth application - a client secret was removed available github (saas)
GitHub - pull request was created available github (saas)
GitHub - pull request was merged available github (saas)
GitHub - Repository was created available github (saas)
GitHub - Repository was destroyed available github (saas)
GitHub - User visibility Was changed available github (saas)
GitHub - User was added to the organization available github (saas)
GitHub - User was blocked available github (saas)
GitHub - User was invited to the repository available github (saas)
GitHub Activites from a New Country available github (saas)

Impair Defenses T1562 2 rules

GitHub Two Factor Auth Disable available github (saas)
NRT GitHub Two Factor Auth Disable github (saas)

Exploitation for Stealth T1211 1 rule

GitHub Security Vulnerability in Repository github (saas)

Credential Access 2 rules, 2 techniques

Exploitation for Credential Access T1212 1 rule

GitHub Security Vulnerability in Repository github (saas)

Unsecured Credentials T1552 1 rule

Cyble Vision Alerts Github available github (saas)

Lateral Movement 1 rule, 1 technique

Exploitation of Remote Services T1210 1 rule

GitHub Security Vulnerability in Repository github (saas)

Collection 2 rules, 2 techniques

Data from Information Repositories T1213 1 rule

Cyble Vision Alerts Github available github (saas)

Data from Cloud Storage T1530 1 rule

Cyble Vision Alerts Github available github (saas)

Network 564 rules

Reconnaissance 4 rules, 1 technique

Active Scanning T1595 4 rules

App Gateway WAF - Scanner Detection available network (network)
Claroty - Threat detected available network (network)
Palo Alto - possible nmap scan on with top 100 option available network (network)
PaloAlto - Possible port scan available network (network)

Resource Development 1 rule, 1 technique

Develop Capabilities: Malware T1587.001 1 rule

Cisco SDWAN - Maleware Events available network (network)

Initial Access 129 rules, 5 techniques

Exploit Public-Facing Application T1190 92 rules

A potentially malicious web request was executed against a web server available network (network)
AFD WAF - Code Injection available network (network)
AFD WAF - Path Traversal Attack available network (network)
Apache - Apache 2.4.49 flaw CVE-2021-41773 available network (network)
Apache - Command in URI available network (network)
Apache - Known malicious user agent available network (network)
Apache - Multiple client errors from single IP available network (network)
Apache - Multiple server errors from single IP available network (network)
Apache - Private IP in URL available network (network)
Apache - Put suspicious file available network (network)
Apache - Request from private IP available network (network)
Apache - Requests to rare files available network (network)
ApexOne - Attack Discovery Detection available network (network)
ApexOne - Commands in Url available network (network)
ApexOne - Multiple deny or terminate actions on single IP available network (network)
ApexOne - Spyware with failed response available network (network)
App Gateway WAF - Scanner Detection available network (network)
App Gateway WAF - SQLi Detection available network (network)
App GW WAF - Code Injection available network (network)
App GW WAF - Path Traversal Attack available network (network)
Application Gateway WAF - SQLi Detection network (network)
Azure WAF matching for Log4j vuln(CVE-2021-44228) available network (network)
Cisco SDWAN - Intrusion Events available network (network)
Cisco SDWAN - IPS Event Threshold available network (network)
Claroty - Login to uncommon location available network (network)
Claroty - Multiple failed logins by user available network (network)
Claroty - Multiple failed logins to same destinations available network (network)
Claroty - New Asset available network (network)
Cloudflare - Bad client IP available network (network)
Cloudflare - Bad client IP available network (network)
Cloudflare - Client request from country in blocklist available network (network)
Cloudflare - Client request from country in blocklist available network (network)
Cloudflare - Empty user agent available network (network)
Cloudflare - Empty user agent available network (network)
Cloudflare - Multiple error requests from single source available network (network)
Cloudflare - Multiple error requests from single source available network (network)
Cloudflare - Multiple user agents for single source available network (network)
Cloudflare - Multiple user agents for single source available network (network)
Cloudflare - Unexpected client request available network (network)
Cloudflare - Unexpected client request available network (network)
Cloudflare - Unexpected URI available network (network)
Cloudflare - Unexpected URI available network (network)
Cloudflare - WAF Allowed threat available network (network)
Cloudflare - WAF Allowed threat available network (network)
Cloudflare - XSS probing pattern in request available network (network)
Cloudflare - XSS probing pattern in request available network (network)
Fortiweb - WAF Allowed threat available network (network)
Front Door Premium WAF - SQLi Detection available network (network)
NGINX - Command in URI available network (network)
NGINX - Known malicious user agent available network (network)
NGINX - Multiple client errors from single IP address available network (network)
NGINX - Multiple server errors from single IP address available network (network)
NGINX - Multiple user agents for single source available network (network)
NGINX - Private IP address in URL available network (network)
NGINX - Put file and get file from same IP address available network (network)
NGINX - Sql injection patterns available network (network)
Oracle - Command in URI available network (network)
Oracle - Malicious user agent available network (network)
Oracle - Multiple client errors from single IP available network (network)
Oracle - Multiple server errors from single IP available network (network)
Oracle - Multiple user agents for single source available network (network)
Oracle - Oracle WebLogic Exploit CVE-2021-2109 available network (network)
Oracle - Private IP in URL available network (network)
Oracle - Put file and get file from same IP address available network (network)
Oracle - Put suspicious file available network (network)
PaloAlto - Dropping or denying session with traffic available network (network)
PaloAlto - File type changed available network (network)
PaloAlto - Forbidden countries available network (network)
PaloAlto - Inbound connection to high risk ports available network (network)
PaloAlto - MAC address conflict available network (network)
PaloAlto - Possible attack without response available network (network)
PaloAlto - Possible flooding available network (network)
PaloAlto - Put and post method request in high risk file type available network (network)
PaloAlto - User privileges was changed available network (network)
Ping Federate - OAuth old version available network (network)
Ping Federate - SAML old version available network (network)
Silverfort - Log4Shell Incident network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Tomcat - Commands in URI available network (network)
Tomcat - Known malicious user agent available network (network)
Tomcat - Multiple client errors from single IP address available network (network)
Tomcat - Multiple empty requests from same IP available network (network)
Tomcat - Multiple server errors from single IP address available network (network)
Tomcat - Put file and get file from same IP address available network (network)
Tomcat - Request from localhost IP address available network (network)
Tomcat - Server errors after multiple requests from same IP available network (network)
Tomcat - Sql injection patterns available network (network)
User agent search for log4j exploitation attempt available network (network)
Zscaler - Forbidden countries available network (network)
Zscaler - Unexpected update operation available network (network)
Zscaler - ZPA connections from new country available network (network)
Zscaler - ZPA connections outside operational hours available network (network)

Phishing T1566 19 rules

Cisco SEG - Malicious attachment not blocked available network (network)
Cisco SEG - Multiple suspiciuos attachments received available network (network)
Cisco SEG - Possible outbreak available network (network)
Cisco SEG - Potential phishing link available network (network)
Cisco SEG - Suspicious link available network (network)
Cisco SEG - Suspicious sender domain available network (network)
Cisco SEG - Unexpected attachment available network (network)
Cisco SEG - Unexpected link available network (network)
Cisco SEG - Unscannable attacment available network (network)
Contrast Blocks available network (network)
Contrast Exploits available network (network)
Contrast Probes available network (network)
Contrast Suspicious available network (network)
Corelight - Network Service Scanning Multiple IP Addresses available network (network)
Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request available network (network)
Corelight - SMTP Email containing NON Ascii Characters within the Subject available network (network)
TI map Email entity to PaloAlto CommonSecurityLog network (network)
TI map Email entity to PaloAlto CommonSecurityLog network (network)
Votiro - File Blocked in Email network (network)

Drive-by Compromise T1189 14 rules

A client made a web request to a potentially harmful file (ASIM Web Session schema) network (network)
Apache - Request to sensitive files available network (network)
App Gateway WAF - XSS Detection available network (network)
Application Gateway WAF - XSS Detection network (network)
Cisco Cloud Security - Request to blocklisted file type available network (network)
Cisco SDWAN - Intrusion Events available network (network)
Cisco SDWAN - IPS Event Threshold available network (network)
Critical Risks available network (network)
Front Door Premium WAF - XSS Detection available network (network)
Malformed user agent network (network)
NGINX - Request to sensitive files available network (network)
Oracle - Request to sensitive files available network (network)
Tomcat - Request to sensitive files available network (network)
Vulerabilities available network (network)

Phishing: Spearphishing Attachment T1566.001 1 rule

Acronis - Multiple Inboxes with Malicious Content Detected network (network)

Phishing: Spearphishing Link T1566.002 1 rule

Acronis - Multiple Inboxes with Malicious Content Detected network (network)

No specific technique 2 rules

Cisco Umbrella - Request Allowed to harmful/malicious URI category network (network)
Cisco Umbrella - Request to blocklisted file type network (network)

Execution 26 rules, 7 techniques

Command and Scripting Interpreter T1059 9 rules

A host is potentially running a hacking tool (ASIM Web Session schema) network (network)
ApexOne - Suspicious commandline arguments available network (network)
App Gateway WAF - SQLi Detection available network (network)
Application Gateway WAF - SQLi Detection network (network)
Cisco Cloud Security - Hack Tool User-Agent Detected available network (network)
Critical Risks available network (network)
Front Door Premium WAF - SQLi Detection available network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Vulerabilities available network (network)

Exploitation for Client Execution T1203 9 rules

AFD WAF - Code Injection available network (network)
AFD WAF - Path Traversal Attack available network (network)
App Gateway WAF - Scanner Detection available network (network)
App Gateway WAF - XSS Detection available network (network)
App GW WAF - Code Injection available network (network)
App GW WAF - Path Traversal Attack available network (network)
Application Gateway WAF - XSS Detection network (network)
Front Door Premium WAF - XSS Detection available network (network)
Malformed user agent network (network)

Scheduled Task/Job T1053 2 rules

Critical Risks available network (network)
Vulerabilities available network (network)

Command and Scripting Interpreter: PowerShell T1059.001 2 rules

A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) network (network)
Cisco Cloud Security - Windows PowerShell User-Agent Detected available network (network)

User Execution: Malicious File T1204.002 2 rules

Critical Severity Detection available network (network)
Microsoft COVID-19 file hash indicator matches available network (network)

User Execution T1204 1 rule

SonicWall - Capture ATP Malicious File Detection experimental network (network)

User Execution: Malicious Link T1204.001 1 rule

Acronis - Multiple Endpoints Accessing Malicious URLs network (network)

Persistence 84 rules, 4 techniques

External Remote Services T1133 77 rules

Apache - Apache 2.4.49 flaw CVE-2021-41773 available network (network)
Apache - Command in URI available network (network)
Apache - Known malicious user agent available network (network)
Apache - Multiple client errors from single IP available network (network)
Apache - Multiple server errors from single IP available network (network)
Apache - Private IP in URL available network (network)
Apache - Put suspicious file available network (network)
Apache - Request from private IP available network (network)
Apache - Requests to rare files available network (network)
ApexOne - Commands in Url available network (network)
Claroty - Login to uncommon location available network (network)
Claroty - Multiple failed logins by user available network (network)
Claroty - Multiple failed logins to same destinations available network (network)
Claroty - New Asset available network (network)
Cloudflare - Bad client IP available network (network)
Cloudflare - Bad client IP available network (network)
Cloudflare - Client request from country in blocklist available network (network)
Cloudflare - Client request from country in blocklist available network (network)
Cloudflare - Empty user agent available network (network)
Cloudflare - Empty user agent available network (network)
Cloudflare - Multiple error requests from single source available network (network)
Cloudflare - Multiple error requests from single source available network (network)
Cloudflare - Multiple user agents for single source available network (network)
Cloudflare - Multiple user agents for single source available network (network)
Cloudflare - Unexpected client request available network (network)
Cloudflare - Unexpected client request available network (network)
Cloudflare - Unexpected URI available network (network)
Cloudflare - Unexpected URI available network (network)
Cloudflare - WAF Allowed threat available network (network)
Cloudflare - WAF Allowed threat available network (network)
Cloudflare - XSS probing pattern in request available network (network)
Cloudflare - XSS probing pattern in request available network (network)
Fortiweb - WAF Allowed threat available network (network)
NGINX - Command in URI available network (network)
NGINX - Known malicious user agent available network (network)
NGINX - Multiple client errors from single IP address available network (network)
NGINX - Multiple server errors from single IP address available network (network)
NGINX - Multiple user agents for single source available network (network)
NGINX - Private IP address in URL available network (network)
NGINX - Put file and get file from same IP address available network (network)
Oracle - Command in URI available network (network)
Oracle - Malicious user agent available network (network)
Oracle - Multiple client errors from single IP available network (network)
Oracle - Multiple server errors from single IP available network (network)
Oracle - Multiple user agents for single source available network (network)
Oracle - Private IP in URL available network (network)
Oracle - Put file and get file from same IP address available network (network)
Oracle - Put suspicious file available network (network)
PaloAlto - Dropping or denying session with traffic available network (network)
PaloAlto - File type changed available network (network)
PaloAlto - Forbidden countries available network (network)
PaloAlto - Inbound connection to high risk ports available network (network)
PaloAlto - MAC address conflict available network (network)
PaloAlto - Possible attack without response available network (network)
PaloAlto - Possible flooding available network (network)
PaloAlto - Put and post method request in high risk file type available network (network)
PaloAlto - User privileges was changed available network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Tomcat - Commands in URI available network (network)
Tomcat - Known malicious user agent available network (network)
Tomcat - Multiple client errors from single IP address available network (network)
Tomcat - Multiple empty requests from same IP available network (network)
Tomcat - Multiple server errors from single IP address available network (network)
Tomcat - Put file and get file from same IP address available network (network)
Tomcat - Request from localhost IP address available network (network)
Tomcat - Server errors after multiple requests from same IP available network (network)
Ubiquiti - RDP from external source available network (network)
Ubiquiti - SSH from external source available network (network)
Ubiquiti - Unknown MAC Joined AP available network (network)
Zscaler - Forbidden countries available network (network)
Zscaler - Shared ZPA session available network (network)
Zscaler - Unexpected event count of rejects by policy available network (network)
Zscaler - Unexpected update operation available network (network)
Zscaler - Unexpected ZPA session duration available network (network)
Zscaler - ZPA connections from new country available network (network)
Zscaler - ZPA connections from new IP available network (network)
Zscaler - ZPA connections outside operational hours available network (network)

Server Software Component T1505 4 rules

Cloudflare - Unexpected POST requests available network (network)
Cloudflare - Unexpected POST requests available network (network)
Corelight - Possible Webshell available network (network)
Corelight - Possible Webshell (Rare PUT or POST) available network (network)

Account Manipulation T1098 2 rules

Illusive Incidents Analytic Rule available network (network)
Ping Federate - Abnormal password resets for user available network (network)

Create Account T1136 1 rule

Ping Federate - New user SSO success login available network (network)

Privilege Escalation 13 rules, 3 techniques

Abuse Elevation Control Mechanism T1548 9 rules

AFD WAF - Code Injection available network (network)
AFD WAF - Path Traversal Attack available network (network)
App Gateway WAF - Scanner Detection available network (network)
App GW WAF - Code Injection available network (network)
App GW WAF - Path Traversal Attack available network (network)
Critical Risks available network (network)
Illusive Incidents Analytic Rule available network (network)
Silverfort - NoPacBreach Incident network (network)
Vulerabilities available network (network)

Exploitation for Privilege Escalation T1068 2 rules

Silverfort - Certifried Incident network (network)
Silverfort - NoPacBreach Incident network (network)

Event Triggered Execution T1546 2 rules

[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 available network (network)
ApexOne - Possible exploit or execute operation available network (network)

Stealth 31 rules, 7 techniques

Valid Accounts T1078 20 rules

Acronis - Login from Abnormal IP - Low Occurrence network (network)
ApexOne - Device access permissions was changed available network (network)
Cisco - firewall block but success logon to Microsoft Entra ID network (network)
Illusive Incidents Analytic Rule available network (network)
Ping Federate - Abnormal password resets for user available network (network)
Ping Federate - Authentication from new IP. available network (network)
Ping Federate - Forbidden country available network (network)
Ping Federate - New user SSO success login available network (network)
Ping Federate - Password reset request from unexpected source IP address.. available network (network)
Ping Federate - Unexpected authentication URL. available network (network)
Ping Federate - Unexpected country for user available network (network)
Ping Federate - Unusual mail domain. available network (network)
vCenter - Root impersonation available network (network)
VMware vCenter - Root login available network (network)
Zscaler - Connections by dormant user available network (network)
Zscaler - Shared ZPA session available network (network)
Zscaler - Unexpected event count of rejects by policy available network (network)
Zscaler - Unexpected ZPA session duration available network (network)
Zscaler - ZPA connections by new user available network (network)
Zscaler - ZPA connections from new IP available network (network)

Exploitation for Stealth T1211 3 rules

App Gateway WAF - SQLi Detection available network (network)
Application Gateway WAF - SQLi Detection network (network)
Front Door Premium WAF - SQLi Detection available network (network)

Obfuscated Files or Information T1027 2 rules

Cisco Cloud Security - Windows PowerShell User-Agent Detected available network (network)
Votiro - File Blocked in Email network (network)

Masquerading T1036 2 rules

Votiro - File Blocked from Connector network (network)
Votiro - File Blocked in Email network (network)

Access Token Manipulation T1134 1 rule

Ping Federate - Abnormal password resets for user available network (network)

Deobfuscate/Decode Files or Information T1140 1 rule

A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) network (network)

Impair Defenses T1562 1 rule

Critical or High Severity Detections by User available network (network)

No specific technique 1 rule

Cisco Umbrella - Windows PowerShell User-Agent Detected network (network)

Defense Impairment 2 rules, 2 techniques

Modify Authentication Process T1556 1 rule

Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) network (network)

Network Boundary Bridging T1599 1 rule

VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack network (network)

Credential Access 17 rules, 4 techniques

OS Credential Dumping T1003 8 rules

Europium - Hash and IP IOCs - September 2022 network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Vectra Account's Behaviors available network (network)
Vectra AI Detect - Detections with High Severity available network (network)
Vectra AI Detect - Suspected Compromised Account available network (network)
Vectra AI Detect - Suspected Compromised Host available network (network)
Vectra AI Detect - Suspicious Behaviors by Category available network (network)
Vectra Host's Behaviors available network (network)

Brute Force T1110 6 rules

Claroty - Multiple failed logins by user available network (network)
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) network (network)
Ping Federate - Abnormal password reset attempts available network (network)
Silverfort - UserBruteForce Incident network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Wazuh - Large Number of Web errors from an IP network (network)

Adversary-in-the-Middle T1557 2 rules

A host is potentially running a hacking tool (ASIM Web Session schema) network (network)
Cisco Cloud Security - Hack Tool User-Agent Detected available network (network)

Forced Authentication T1187 1 rule

Corelight - Forced External Outbound SMB available network (network)

Discovery 28 rules, 7 techniques

Account Discovery T1087 9 rules

AFD WAF - Path Traversal Attack available network (network)
App GW WAF - Path Traversal Attack available network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Vectra Account's Behaviors available network (network)
Vectra AI Detect - Detections with High Severity available network (network)
Vectra AI Detect - Suspected Compromised Account available network (network)
Vectra AI Detect - Suspected Compromised Host available network (network)
Vectra AI Detect - Suspicious Behaviors by Category available network (network)
Vectra Host's Behaviors available network (network)

Network Service Discovery T1046 8 rules

A host is potentially running a hacking tool (ASIM Web Session schema) network (network)
App Gateway WAF - Scanner Detection available network (network)
Cisco ASA - average attack detection rate increase available network (network)
Cisco ASA - threat detection message fired available network (network)
Cisco Cloud Security - Hack Tool User-Agent Detected available network (network)
Palo Alto - possible internal to external port scanning available network (network)
Palo Alto Threat signatures from Unusual IP addresses available network (network)
Rare client observed with high reverse DNS lookup count available network (network)

Remote System Discovery T1018 5 rules

Claroty - Policy violation available network (network)
Claroty - Suspicious activity available network (network)
Claroty - Suspicious file transfer available network (network)
Claroty - Threat detected available network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)

System Information Discovery T1082 2 rules

Claroty - New Asset available network (network)
Votiro - File Blocked from Connector network (network)

Network Share Discovery T1135 2 rules

Claroty - Policy violation available network (network)
vArmour AppController - SMB Realm Traversal available network (network)

Process Discovery T1057 1 rule

Votiro - File Blocked from Connector network (network)

File and Directory Discovery T1083 1 rule

Votiro - File Blocked from Connector network (network)

Lateral Movement 16 rules, 3 techniques

Remote Services T1021 12 rules

A host is potentially running a hacking tool (ASIM Web Session schema) network (network)
ApexOne - Inbound remote access connection available network (network)
Cisco Cloud Security - Hack Tool User-Agent Detected available network (network)
Illusive Incidents Analytic Rule available network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Vectra Account's Behaviors available network (network)
Vectra AI Detect - Detections with High Severity available network (network)
Vectra AI Detect - New Campaign Detected available network (network)
Vectra AI Detect - Suspected Compromised Account available network (network)
Vectra AI Detect - Suspected Compromised Host available network (network)
Vectra AI Detect - Suspicious Behaviors by Category available network (network)
Vectra Host's Behaviors available network (network)

Exploitation of Remote Services T1210 3 rules

Apache - Apache 2.4.49 flaw CVE-2021-41773 available network (network)
VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API) network (network)
VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog) network (network)

Lateral Tool Transfer T1570 1 rule

vArmour AppController - SMB Realm Traversal available network (network)

Collection 7 rules, 2 techniques

Automated Collection T1119 6 rules

Vectra Account's Behaviors available network (network)
Vectra AI Detect - Detections with High Severity available network (network)
Vectra AI Detect - Suspected Compromised Account available network (network)
Vectra AI Detect - Suspected Compromised Host available network (network)
Vectra AI Detect - Suspicious Behaviors by Category available network (network)
Vectra Host's Behaviors available network (network)

Data from Local System T1005 1 rule

SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)

Command & Control 97 rules, 15 techniques

Application Layer Protocol T1071 47 rules

ApexOne - C&C callback events available network (network)
Cisco Cloud Security - URI contains IP address available network (network)
Cisco SDWAN - Monitor Critical IPs available network (network)
Cloudflare - Unexpected POST requests available network (network)
Cloudflare - Unexpected POST requests available network (network)
Europium - Hash and IP IOCs - September 2022 network (network)
Fortinet - Beacon pattern detected network (network)
GreyNoise TI Map IP Entity to CommonSecurityLog network (network)
GreyNoise TI Map IP Entity to DnsEvents network (network)
Known Forest Blizzard group domains - July 2019 network (network)
Lumen TI domain in DnsEvents network (network)
Lumen TI IPAddress in CommonSecurityLog network (network)
Malformed user agent network (network)
Mercury - Domain, Hash and IP IOCs - August 2022 network (network)
Palo Alto - potential beaconing detected available network (network)
Request for single resource on domain available network (network)
Threat Connect TI map Domain entity to DnsEvents network (network)
TI map Domain entity to Dns Events (ASIM DNS Schema) network (network)
TI map Domain entity to Dns Events (ASIM DNS Schema) network (network)
TI map Domain entity to DnsEvents network (network)
TI map Domain entity to DnsEvents network (network)
TI map Domain entity to PaloAlto network (network)
TI map Domain entity to PaloAlto network (network)
TI map Domain entity to Web Session Events (ASIM Web Session schema) network (network)
TI map Domain entity to Web Session Events (ASIM Web Session schema) network (network)
TI map File Hash to CommonSecurityLog Event network (network)
TI map File Hash to CommonSecurityLog Event network (network)
TI Map IP Entity to CommonSecurityLog network (network)
TI Map IP Entity to CommonSecurityLog network (network)
TI map IP entity to DNS Events (ASIM DNS schema) network (network)
TI map IP entity to DNS Events (ASIM DNS schema) network (network)
TI Map IP Entity to DnsEvents network (network)
TI Map IP Entity to DnsEvents network (network)
TI map IP entity to Web Session Events (ASIM Web Session schema) network (network)
TI map IP entity to Web Session Events (ASIM Web Session schema) network (network)
TI Map URL Entity to PaloAlto Data network (network)
TI Map URL Entity to PaloAlto Data network (network)
TI map URL entity to Web Session Events (ASIM Web Session schema) network (network)
Ubiquiti - Connection to known malicious IP or C2 available network (network)
Ubiquiti - Possible connection to cryptominning pool available network (network)
Vectra Account's Behaviors available network (network)
Vectra AI Detect - Detections with High Severity available network (network)
Vectra AI Detect - New Campaign Detected available network (network)
Vectra AI Detect - Suspected Compromised Account available network (network)
Vectra AI Detect - Suspected Compromised Host available network (network)
Vectra AI Detect - Suspicious Behaviors by Category available network (network)
Vectra Host's Behaviors available network (network)

Application Layer Protocol: Web Protocols T1071.001 10 rules

Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains available network (network)
Cisco Cloud Security - Connection to Unpopular Website Detected available network (network)
Cisco Cloud Security - Crypto Miner User-Agent Detected available network (network)
Cisco Cloud Security - Rare User Agent Detected available network (network)
Cisco Cloud Security - Request Allowed to harmful/malicious URI category available network (network)
Discord CDN Risky File Download available network (network)
Discord CDN Risky File Download (ASIM Web Session Schema) network (network)
IP address of Windows host encoded in web request network (network)
Palo Alto Threat signatures from Unusual IP addresses available network (network)
RunningRAT request parameters network (network)

Dynamic Resolution T1568 5 rules

Corelight - C2 DGA Detected Via Repetitive Failures available network (network)
Possible contact with a domain generated by a DGA network (network)
Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) network (network)
Potential DGA detected available network (network)
Potential DGA detected (ASIM DNS Schema) network (network)

Web Service T1102 4 rules

A host is potentially running a hacking tool (ASIM Web Session schema) network (network)
ApexOne - Suspicious connections available network (network)
Cisco Cloud Security - Hack Tool User-Agent Detected available network (network)
Request for single resource on domain available network (network)

Non-Standard Port T1571 4 rules

Fortinet - Beacon pattern detected network (network)
Palo Alto - potential beaconing detected available network (network)
Ubiquiti - Connection to known malicious IP or C2 available network (network)
Ubiquiti - Possible connection to cryptominning pool available network (network)

Protocol Tunneling T1572 4 rules

Ubiquiti - Connection to known malicious IP or C2 available network (network)
Ubiquiti - connection to non-corporate DNS server available network (network)
Ubiquiti - Large ICMP to external server available network (network)
Ubiquiti - Unusual DNS connection available network (network)

Fallback Channels T1008 2 rules

Potential DGA detected available network (network)
Potential DGA detected (ASIM DNS Schema) network (network)

Proxy T1090 2 rules

Corelight - External Proxy Detected available network (network)
Ubiquiti - Unusual DNS connection available network (network)

Web Service: Bidirectional Communication T1102.002 2 rules

CreepyDrive request URL sequence network (network)
CreepyDrive URLs network (network)

Data Encoding T1132 2 rules

A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) network (network)
Cisco Cloud Security - Windows PowerShell User-Agent Detected available network (network)

Encrypted Channel T1573 2 rules

Cisco Cloud Security - Connection to non-corporate private network available network (network)
Ubiquiti - Unusual traffic available network (network)

Data Obfuscation: Protocol or Service Impersonation T1001.003 1 rule

Cisco Cloud Security - Empty User Agent Detected available network (network)

Application Layer Protocol: File Transfer Protocols T1071.002 1 rule

Ubiquiti - Unusual FTP connection to external server available network (network)

Non-Application Layer Protocol T1095 1 rule

Ubiquiti - Possible connection to cryptominning pool available network (network)

Ingress Tool Transfer T1105 1 rule

Cisco Cloud Security - Request to blocklisted file type available network (network)

No specific technique 9 rules

Cisco Umbrella - Connection to non-corporate private network network (network)
Cisco Umbrella - Connection to Unpopular Website Detected network (network)
Cisco Umbrella - Crypto Miner User-Agent Detected network (network)
Cisco Umbrella - Empty User Agent Detected network (network)
Cisco Umbrella - Hack Tool User-Agent Detected network (network)
Cisco Umbrella - Rare User Agent Detected network (network)
Cisco Umbrella - Request Allowed to harmful/malicious URI category network (network)
Cisco Umbrella - URI contains IP address network (network)
Cisco Umbrella - Windows PowerShell User-Agent Detected network (network)

Exfiltration 38 rules, 7 techniques

Exfiltration Over C2 Channel T1041 16 rules

Cisco Cloud Security - Connection to non-corporate private network available network (network)
Cisco Cloud Security - Connection to Unpopular Website Detected available network (network)
Cisco Cloud Security - Crypto Miner User-Agent Detected available network (network)
Cisco Cloud Security - Rare User Agent Detected available network (network)
Cisco Cloud Security - Request Allowed to harmful/malicious URI category available network (network)
IP address of Windows host encoded in web request network (network)
RunningRAT request parameters network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Ubiquiti - connection to non-corporate DNS server available network (network)
Ubiquiti - Large ICMP to external server available network (network)
Vectra Account's Behaviors available network (network)
Vectra AI Detect - Detections with High Severity available network (network)
Vectra AI Detect - Suspected Compromised Account available network (network)
Vectra AI Detect - Suspected Compromised Host available network (network)
Vectra AI Detect - Suspicious Behaviors by Category available network (network)
Vectra Host's Behaviors available network (network)

Data Transfer Size Limits T1030 7 rules

Cisco SEG - DLP policy violation available network (network)
Cisco SEG - Multiple large emails sent to external recipient available network (network)
Corelight - Multiple files sent over HTTP with abnormal requests available network (network)
Palo Alto Threat signatures from Unusual IP addresses available network (network)
Threat Essentials - Time series anomaly for data size transferred to public internet available network (network)
Time series anomaly detection for total volume of traffic network (network)
Time series anomaly for data size transferred to public internet network (network)

Exfiltration Over Alternative Protocol T1048 5 rules

Apache - Put suspicious file available network (network)
DNS events related to ToR proxies available network (network)
Oracle - Put suspicious file available network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)
Ubiquiti - Unusual FTP connection to external server available network (network)

Automated Exfiltration T1020 3 rules

A host is potentially running a hacking tool (ASIM Web Session schema) network (network)
Cisco Cloud Security - Hack Tool User-Agent Detected available network (network)
Claroty - Suspicious file transfer available network (network)

Exfiltration Over Web Service T1567 3 rules

Cisco Cloud Security - URI contains IP address available network (network)
Corelight - Multiple Compressed Files Transferred over HTTP available network (network)
SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)

Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 2 rules

CreepyDrive request URL sequence network (network)
CreepyDrive URLs network (network)

Exfiltration Over Other Network Medium T1011 1 rule

SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)

No specific technique 1 rule

Cisco Umbrella - Connection to non-corporate private network network (network)

Impact 49 rules, 9 techniques

Network Denial of Service T1498 20 rules

Apache - Multiple server errors from single IP available network (network)
Apache - Request from private IP available network (network)
Cisco ASA - average attack detection rate increase available network (network)
Cisco ASA - threat detection message fired available network (network)
Infoblox - Data Exfiltration Attack available network (network)
Infoblox - High Threat Level Query Not Blocked Detected available network (network)
Infoblox - Many High Threat Level Queries From Single Host Detected available network (network)
Infoblox - Many High Threat Level Single Query Detected available network (network)
Infoblox - Many NXDOMAIN DNS Responses Detected available network (network)
Infoblox - SOC Insight Detected - CDC Source available network (network)
Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 available network (network)
Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains available network (network)
NGINX - Multiple server errors from single IP address available network (network)
Oracle - Multiple server errors from single IP available network (network)
Tomcat - Multiple server errors from single IP address available network (network)
Tomcat - Server errors after multiple requests from same IP available network (network)
VMware SD-WAN Edge - Device Congestion Alert - Packet Drops network (network)
VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack network (network)
VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure network (network)
Votiro - File Blocked from Connector network (network)

Endpoint Denial of Service T1499 9 rules

Critical Severity Detection available network (network)
NGINX - Core Dump available network (network)
Tomcat - Multiple empty requests from same IP available network (network)
Vectra Account's Behaviors available network (network)
Vectra AI Detect - Detections with High Severity available network (network)
Vectra AI Detect - Suspected Compromised Account available network (network)
Vectra AI Detect - Suspected Compromised Host available network (network)
Vectra AI Detect - Suspicious Behaviors by Category available network (network)
Vectra Host's Behaviors available network (network)

Data Manipulation T1565 9 rules

Infoblox - Data Exfiltration Attack available network (network)
Infoblox - High Threat Level Query Not Blocked Detected available network (network)
Infoblox - Many High Threat Level Queries From Single Host Detected available network (network)
Infoblox - Many High Threat Level Single Query Detected available network (network)
Infoblox - Many NXDOMAIN DNS Responses Detected available network (network)
Infoblox - SOC Insight Detected - CDC Source available network (network)
Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 available network (network)
Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains available network (network)
Votiro - File Blocked from Connector network (network)

Resource Hijacking T1496 4 rules

A host is potentially running a crypto miner (ASIM Web Session schema) network (network)
Cisco Cloud Security - Crypto Miner User-Agent Detected available network (network)
DNS events related to mining pools available network (network)
NRT DNS events related to mining pools available network (network)

Data Encrypted for Impact T1486 2 rules

Acronis - Multiple Endpoints Infected by Ransomware network (network)
Votiro - File Blocked in Email network (network)

System Shutdown/Reboot T1529 2 rules

Claroty - Asset Down available network (network)
Claroty - Critical baseline deviation available network (network)

Service Stop T1489 1 rule

Critical or High Severity Detections by User available network (network)

Inhibit System Recovery T1490 1 rule

SonicWall - Allowed SSH, Telnet, and RDP Connections experimental network (network)

Data Manipulation: Stored Data Manipulation T1565.001 1 rule

Claroty - Critical baseline deviation available network (network)

Untagged 14 rules without MITRE techniques

Awake Security - High Match Counts By Device available network (network)
Awake Security - High Severity Matches By Device available network (network)
Awake Security - Model With Multiple Destinations available network (network)
Create Incidents from IronDefense available network (network)
Dragos Notifications available network (network)
VMware Cloud Web Security - Data Loss Prevention Violation network (network)
VMware Cloud Web Security - Policy Change Detected network (network)
VMware Cloud Web Security - Policy Publish Event network (network)
VMware Cloud Web Security - Web Access Policy Violation network (network)
VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected network (network)
VMware SD-WAN - Orchestrator Audit Event network (network)
VMware SD-WAN Edge - All Cloud Security Service Tunnels DOWN network (network)
VMware SD-WAN Edge - IDS/IPS Signature Update Failed network (network)
VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded network (network)

SaaS 52 rules

Initial Access 3 rules, 1 technique

Drive-by Compromise T1189 3 rules

Box - Executable file in folder available saas (saas)
Box - Forbidden file type downloaded available saas (saas)
SlackAudit - Suspicious file downloaded. available saas (saas)

Persistence 2 rules, 2 techniques

Account Manipulation T1098 1 rule

SlackAudit - User role changed to admin or owner available saas (saas)

External Remote Services T1133 1 rule

SlackAudit - Empty User Agent available saas (saas)

Stealth 22 rules, 3 techniques

Valid Accounts T1078 20 rules

Bitglass - Impossible travel distance available saas (saas)
Bitglass - Login from new device available saas (saas)
Bitglass - New admin user available saas (saas)
Bitglass - New risky user available saas (saas)
Bitglass - User Agent string has changed for user available saas (saas)
Bitglass - User login from new geo location available saas (saas)
Box - Inactive user login available saas (saas)
Box - New external user available saas (saas)
Box - User logged in as admin available saas (saas)
Box - User role changed to owner available saas (saas)
Jira - Global permission added available saas (saas)
Jira - New site admin user available saas (saas)
Jira - New site admin user available saas (saas)
Jira - New user created available saas (saas)
Jira - User's password changed multiple times available saas (saas)
SlackAudit - User email linked to account changed. available saas (saas)
SlackAudit - User role changed to admin or owner available saas (saas)
Snowflake - Multiple login failures by user available saas (saas)
Snowflake - Multiple login failures from single IP available saas (saas)
Snowflake - User granted admin privileges available saas (saas)

Indicator Removal T1070 1 rule

Bitglass - The SmartEdge endpoint agent was uninstalled available saas (saas)

Valid Accounts: Cloud Accounts T1078.004 1 rule

SlackAudit - User login after deactivated. available saas (saas)

Credential Access 2 rules, 1 technique

Brute Force T1110 2 rules

Bitglass - Multiple failed logins available saas (saas)
SlackAudit - Multiple failed logins for user available saas (saas)

Discovery 4 rules, 4 techniques

System Information Discovery T1082 1 rule

Snowflake - Multiple failed queries available saas (saas)

Account Discovery T1087 1 rule

Snowflake - Possible privileges discovery activity available saas (saas)

Software Discovery T1518 1 rule

Snowflake - Multiple failed queries available saas (saas)

Cloud Service Discovery T1526 1 rule

Snowflake - Possible discovery activity available saas (saas)

Collection 4 rules, 3 techniques

Automated Collection T1119 2 rules

Snowflake - Query on sensitive or restricted table available saas (saas)
Snowflake - Unusual query available saas (saas)

Data from Information Repositories T1213 1 rule

Jira - Workflow scheme copied available saas (saas)

Data from Cloud Storage T1530 1 rule

Box - Abmormal user activity available saas (saas)

Command & Control 1 rule, 1 technique

Application Layer Protocol: Web Protocols T1071.001 1 rule

SlackAudit - Unknown User Agent available saas (saas)

Exfiltration 7 rules, 4 techniques

Exfiltration Over Web Service T1567 3 rules

Bitglass - Multiple files shared with external entity available saas (saas)
Bitglass - Suspicious file uploads available saas (saas)
SlackAudit - Multiple archived files uploaded in short period of time available saas (saas)

Exfiltration Over Alternative Protocol T1048 2 rules

Box - File containing sensitive data available saas (saas)
SlackAudit - Public link created for file which can contain sensitive information. available saas (saas)

Transfer Data to Cloud Account T1537 1 rule

Box - Item shared to external entity available saas (saas)

Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 1 rule

SlackAudit - Public link created for file which can contain sensitive information. available saas (saas)

Impact 7 rules, 3 techniques

Account Access Removal T1531 4 rules

Jira - Permission scheme updated available saas (saas)
Jira - Project roles changed available saas (saas)
Jira - User removed from group available saas (saas)
Jira - User removed from project available saas (saas)

Data Destruction T1485 2 rules

Box - Many items deleted by user available saas (saas)
Snowflake - Possible data destraction available saas (saas)

Endpoint Denial of Service T1499 1 rule

Snowflake - Abnormal query process time available saas (saas)

Identity 36 rules

Persistence 4 rules, 1 technique

Account Manipulation T1098 4 rules

Empty group with entitlements available identity (identity)
IaaS policy not attached to any identity available identity (identity)
Lateral Movement Risk - Role Chain Length available identity (identity)
Stale IAAS policy attachment to role available identity (identity)

Privilege Escalation 1 rule, 1 technique

Exploitation for Privilege Escalation T1068 1 rule

Unused IaaS Policy available identity (identity)

Stealth 22 rules, 1 technique

Valid Accounts T1078 22 rules

Access to AWS without MFA available identity (identity)
Admin password not updated in 30 days available identity (identity)
Admin SaaS account detected available identity (identity)
AWS role with admin privileges available identity (identity)
AWS role with shadow admin privileges available identity (identity)
Cisco Duo - Admin password reset available identity (identity)
Cisco Duo - Admin user created available identity (identity)
Cisco Duo - Authentication device new location available identity (identity)
Cisco Duo - Multiple admin 2FA failures available identity (identity)
Cisco Duo - Multiple user login failures available identity (identity)
Cisco Duo - New access device available identity (identity)
Cisco Duo - Unexpected authentication factor available identity (identity)
Detect AWS IAM Users available identity (identity)
IaaS admin detected available identity (identity)
IaaS shadow admin detected available identity (identity)
New direct access policy was granted against organizational policy available identity (identity)
New service account gained access to IaaS resource available identity (identity)
Refactor AWS policy based on activities in the last 60 days available identity (identity)
Stale AWS policy attachment to identity available identity (identity)
Unused IaaS Policy available identity (identity)
User assigned to a default admin role available identity (identity)
User without MFA available identity (identity)

Credential Access 3 rules, 3 techniques

Network Sniffing T1040 1 rule

Password Exfiltration over SCIM application available identity (identity)

Unsecured Credentials T1552 1 rule

Password Exfiltration over SCIM application available identity (identity)

Credentials from Password Stores T1555 1 rule

Password Exfiltration over SCIM application available identity (identity)

Discovery 1 rule, 1 technique

Cloud Infrastructure Discovery T1580 1 rule

Privileged Machines Exposed to the Internet available identity (identity)

Command & Control 2 rules, 1 technique

Application Layer Protocol T1071 2 rules

TI Map IP Entity to Duo Security identity (identity)
TI Map IP Entity to Duo Security identity (identity)

Impact 3 rules, 2 techniques

Account Access Removal T1531 2 rules

Cisco Duo - Admin user deleted available identity (identity)
Cisco Duo - Multiple users deleted available identity (identity)

Service Stop T1489 1 rule

Cisco Duo - AD sync failed available identity (identity)

Application 1707 rules

Reconnaissance 107 rules, 12 techniques

Active Scanning T1595 34 rules

API - Kiterunner detection available application (application)
blacklens Insights available application (application)
BTP - Failed access attempts across multiple BAS subaccounts available application (application)
Cyble Advisory Alerts Advisory available application (application)
Cyble Vision Alerts Cyble Web Applications available application (application)
Cyble Vision Alerts Discovered Subdomain available application (application)
Cyble Vision Alerts Hacktivism available application (application)
Cyble Vision Alerts IOC'S available application (application)
Cyble Vision Alerts IP Risk Score available application (application)
Cyble Vision Alerts Postman API Exposure Detection available application (application)
Cyble Vision Alerts Social Media Monitoring available application (application)
Cyble Vision Alerts Suspicious Domain available application (application)
Cyble Vision Alerts TOR Links available application (application)
Cyble Vision Alerts Vulnerability available application (application)
CybleVision Alerts Mobile Apps available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule available application (application)
Disks Alerts From Prancer available application (application)
Flow Logs Alerts for Prancer available application (application)
NetworkSecurityGroups Alert From Prancer available application (application)
OCI - Multiple rejects on rare ports available application (application)
OCI - SSH scanner available application (application)
PAC high severity available application (application)
Registries Alerts for Prancer available application (application)
Sites Alerts for Prancer available application (application)
Storage Accounts Alerts From Prancer available application (application)
Subnets Alerts for Prancer available application (application)
Vaults Alerts for Prancer available application (application)
Virtual Machines Alerts for Prancer available application (application)
VirtualNetworkPeerings Alerts From Prancer available application (application)
XbowNewAssetDiscovered available application (application)

Gather Victim Identity Information T1589 15 rules

API - Anomaly Detection available application (application)
Cyble Vision Alerts Darkweb Data Breaches available application (application)
Cyble Vision Alerts Flash Report available application (application)
Cyble Vision Alerts OSINT Mention Detected available application (application)
Cyble Vision Alerts Social Media Monitoring available application (application)
CybleVision Alerts Cyber Crime Forum Alerts available application (application)
CybleVision Alerts Darkweb Marketplace Alerts available application (application)
CybleVision Alerts Stealer Logs available application (application)
SOCRadar High or Critical Severity Alarm available application (application)
TacitRed - High Confidence Compromise application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Search Open Websites/Domains T1593 13 rules

API - Anomaly Detection available application (application)
API - API Scraping available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)
Flare chat results available application (application)
Flare cloud bucket results available application (application)
Flare google dork results available application (application)
Flare lookalike domain results available application (application)
Flare marketplace results available application (application)
Flare paste results available application (application)
Flare source code results available application (application)

Gather Victim Host Information T1592 11 rules

API - Invalid host access available application (application)
CyberBlindSpot - Any Issue Detected available application (application)
Cyble Vision Alerts Assets available application (application)
Cyble Vision Alerts Cyble Web Applications available application (application)
Cyble Vision Alerts OSINT Mention Detected available application (application)
HackerView - Any Issue Detected available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Active Scanning: Vulnerability Scanning T1595.002 10 rules

BitSight - diligence risk category detected available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule available application (application)
CYFIRMA - High severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule application (application)

Phishing for Information T1598 9 rules

CyberBlindSpot - Any Issue Detected available application (application)
Cyble Vision Alerts Discord Keyword available application (application)
Cyble Vision Alerts Flash Report available application (application)
Cyble Vision Alerts News Feed Alert available application (application)
Cyble Vision Alerts Website Defacement Keyword available application (application)
CybleVision Alerts Cyber Crime Forum Alerts available application (application)
CybleVision Alerts Telegram Mentions available application (application)
HackerView - Any Issue Detected available application (application)
Suspicious link sharing pattern application (application)

Gather Victim Identity Information: Employee Names T1589.003 4 rules

CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule available application (application)
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule available application (application)
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule available application (application)

Gather Victim Org Information T1591 3 rules

BitSight - drop in company ratings available application (application)
BitSight - drop in the headline rating available application (application)
Cyble Vision Alerts Pastebin available application (application)

Gather Victim Network Information T1590 2 rules

Contrast ADR - DLP SQL Injection Correlation available application (application)
Cyble Vision Alerts TOR Links available application (application)

Gather Victim Org Information: Business Relationships T1591.002 2 rules

CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule available application (application)
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule available application (application)

Search Open Technical Databases T1596 2 rules

Cyble Advisory Alerts Advisory available application (application)
Flare host results available application (application)

Phishing for Information: Spearphishing Link T1598.003 1 rule

Cyble Vision Alerts Phishing Domain Detected available application (application)

No specific technique 1 rule

XbowMediumFindings available application (application)

Resource Development 40 rules, 12 techniques

Acquire Infrastructure T1583 6 rules

blacklens Insights available application (application)
Cyble Vision Alerts TOR Links available application (application)
ZeroFox Alerts - High Severity Alerts available application (application)
ZeroFox Alerts - Informational Severity Alerts available application (application)
ZeroFox Alerts - Low Severity Alerts available application (application)
ZeroFox Alerts - Medium Severity Alerts available application (application)

Acquire Infrastructure: Domains T1583.001 6 rules

CYFIRMA - Brand Intelligence - Domain Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule available application (application)
CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule available application (application)
CYFIRMA - Brand Intelligence - Malicious Mobile App Medium Rule available application (application)
CYFIRMA - Brand Intelligence - Product/Solution High Rule available application (application)
CYFIRMA - Brand Intelligence - Product/Solution Medium Rule available application (application)

Establish Accounts: Social Media Accounts T1585.001 6 rules

CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule available application (application)
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule available application (application)
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)

Establish Accounts T1585 5 rules

Cyble Vision Alerts Hacktivism available application (application)
Cyble Vision Alerts I2P Monitoring available application (application)
Cyble Vision Alerts Social Media Monitoring available application (application)
CybleVision Alerts Cyber Crime Forum Alerts available application (application)
CybleVision Alerts Telegram Mentions available application (application)

Compromise Accounts T1586 4 rules

ZeroFox Alerts - High Severity Alerts available application (application)
ZeroFox Alerts - Informational Severity Alerts available application (application)
ZeroFox Alerts - Low Severity Alerts available application (application)
ZeroFox Alerts - Medium Severity Alerts available application (application)

Obtain Capabilities T1588 3 rules

Cyble Vision Alerts Product Vulnerability Detected available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule available application (application)

Compromise Infrastructure T1584 2 rules

BTP - Malware detected in BAS dev space available application (application)
Cyble Vision Alerts Domain Watchlist available application (application)

Establish Accounts: Email Accounts T1585.002 2 rules

CYFIRMA - Brand Intelligence - Product/Solution High Rule available application (application)
CYFIRMA - Brand Intelligence - Product/Solution Medium Rule available application (application)

Compromise Accounts: Email Accounts T1586.002 2 rules

CYFIRMA - Brand Intelligence - Domain Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule available application (application)

Develop Capabilities: Malware T1587.001 2 rules

CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule available application (application)
CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule available application (application)

Develop Capabilities T1587 1 rule

Cyble Advisory Alerts Advisory available application (application)

Stage Capabilities T1608 1 rule

CybleVision Alerts Mobile Apps available application (application)

Initial Access 191 rules, 9 techniques

Exploit Public-Facing Application T1190 62 rules

API - JWT validation available application (application)
API - Rate limiting available application (application)
API - Suspicious Login available application (application)
ARGOS Cloud Security - Exploitable Cloud Resources available application (application)
BitSight - new alert found available application (application)
BitSight - new breach found available application (application)
blacklens Insights available application (application)
Contrast ADR - DLP SQL Injection Correlation available application (application)
Contrast ADR - EDR Alert Correlation available application (application)
Contrast ADR - Exploited Attack Event available application (application)
Contrast ADR - Exploited Attack in Production available application (application)
Contrast ADR - Security Incident Alert available application (application)
Contrast ADR - WAF Alert Correlation available application (application)
Cyble Vision Alerts New Vulnerability Detected available application (application)
Cyble Vision Alerts Product Vulnerability Detected available application (application)
Cyble Vision Alerts SSL Certificate Expiry available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) available application (application)
Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) available application (application)
Detect known risky user agents (ASIM Web Session) available application (application)
Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) available application (application)
Detect presence of uncommon user agents in web requests (ASIM Web Session) available application (application)
Detect threat information in web requests (ASIM Web Session) available application (application)
Detect URLs containing known malicious keywords or commands (ASIM Web Session) available application (application)
Dynatrace Application Security - Attack detection available application (application)
Exchange Server Suspicious File Downloads. application (application)
High Number of Urgent Vulnerabilities Detected available application (application)
High Urgency IONIX Action Items available application (application)
Hunt for public facing devices and exposed ports over time application (application)
Hunt for public facing devices via public tag application (application)
Hunt for public remotly exploitable devices (with high EPSS) application (application)
Identify instances where a single source is observed using multiple user agents (ASIM Web Session) available application (application)
Imperva - Abnormal protocol usage available application (application)
Imperva - Critical severity event not blocked available application (application)
Imperva - Forbidden HTTP request method in request available application (application)
Imperva - Malicious Client available application (application)
Imperva - Malicious user agent available application (application)
Imperva - Multiple user agents from same source available application (application)
Imperva - Possible command injection available application (application)
Imperva - Request from unexpected countries available application (application)
Imperva - Request from unexpected IP address to admin panel available application (application)
Imperva - Request to unexpected destination port available application (application)
New High Severity Vulnerability Detected Across Multiple Hosts available application (application)
OCI - Inbound SSH connection available application (application)
OCI - Unexpected user agent available application (application)
OMI Vulnerability Exploitation application (application)
Pathlock TDnR - J2EE Security Events available application (application)
Pathlock TDnR - SAP HTTP Webserver Events available application (application)
Pathlock TDnR - SAP Web Dispatcher HTTP Events available application (application)
PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack application (application)
Silk Typhoon Suspicious File Downloads. application (application)
Silk Typhoon Suspicious UM Service Error application (application)
Vulnerable Machines related to log4j CVE-2021-44228 available application (application)
Vulnerable Machines related to OMIGOD CVE-2021-38647 application (application)
XbowCriticalHighFindings available application (application)

Phishing T1566 42 rules

CyberBlindSpot - Any Issue Detected available application (application)
Cyble Vision Alerts Malicious Ads Detected available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule available application (application)
CYFIRMA - Attack Surface - Open Ports High Rule available application (application)
CYFIRMA - Attack Surface - Open Ports Medium Rule available application (application)
CYFIRMA - Brand Intelligence - Product/Solution High Rule available application (application)
CYFIRMA - Brand Intelligence - Product/Solution Medium Rule available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)
Cyren High-Risk URL Indicators available application (application)
Detect web requests to potentially harmful files (ASIM Web Session) available application (application)
Egress Defend - Dangerous Attachment Detected available application (application)
Google Threat Intelligence - Threat Hunting Url application (application)
KnowBe4 Defend - Dangerous Attachment Detected available application (application)
Mimecast Secure Email Gateway - Attachment Protect available application (application)
Mimecast Secure Email Gateway - Attachment Protect application (application)
Mimecast Secure Email Gateway - URL Protect available application (application)
Mimecast Secure Email Gateway - URL Protect application (application)
New Sonrai Ticket available application (application)
ProofpointPOD - High risk message not discarded available application (application)
ProofpointPOD - Suspicious attachment available application (application)
Red Canary Threat Detection application (application)
Red Sift - Email with URL to previously unseen domain available application (application)
Red Sift - New email with URL from previously unseen sender available application (application)
Red Sift - New email with URL from previously unseen source available application (application)
Samsung Knox - Suspicious URL Accessed Events available application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)
Stale last password change available application (application)
Valimail Enforce - DMARC Policy Weakened to None available application (application)
ZeroFox Alerts - High Severity Alerts available application (application)
ZeroFox Alerts - Informational Severity Alerts available application (application)
ZeroFox Alerts - Low Severity Alerts available application (application)
ZeroFox Alerts - Medium Severity Alerts available application (application)

Phishing: Spearphishing Link T1566.002 28 rules

CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule available application (application)
CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule available application (application)
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule available application (application)
CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule available application (application)
CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
Malware Link Clicked available application (application)

Phishing: Spearphishing Attachment T1566.001 23 rules

CYFIRMA - Brand Intelligence - Domain Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule application (application)
Malware attachment delivered available application (application)

Drive-by Compromise T1189 22 rules

Cyble Vision Alerts Malicious Ads Detected available application (application)
CybleVision Alerts Stealer Logs available application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)
Cyren High-Risk URL Indicators available application (application)
Web sites blocked by Eset available application (application)

Phishing: Spearphishing via Service T1566.003 4 rules

CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule available application (application)

Content Injection T1659 4 rules

Dynatrace - Problem detection available application (application)
Dynatrace Application Security - Code-Level runtime vulnerability detection available application (application)
Dynatrace Application Security - Non-critical runtime vulnerability detection available application (application)
Dynatrace Application Security - Third-Party runtime vulnerability detection available application (application)

Supply Chain Compromise T1195 3 rules

BTP - Cloud Integration package import or transport available application (application)
CybleVision Alerts Mobile Apps available application (application)
High Urgency IONIX Action Items available application (application)

Trusted Relationship T1199 2 rules

Netskope - New Risky App Access vs 7-Day Baseline available application (application)
Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT) available application (application)

No specific technique 1 rule

Radiflow - Platform Alert available application (application)

Execution 120 rules, 11 techniques

Command and Scripting Interpreter T1059 41 rules

BTP - Cloud Integration artifact deployment available application (application)
Contrast ADR - EDR Alert Correlation available application (application)
Contrast ADR - Exploited Attack Event available application (application)
Contrast ADR - Exploited Attack in Production available application (application)
Critical Severity Incident available application (application)
Cyble Vision Alerts Malicious Ads Detected available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) available application (application)
Device Alert Surge available application (application)
Dynatrace - Problem detection available application (application)
Dynatrace Application Security - Attack detection available application (application)
Dynatrace Application Security - Code-Level runtime vulnerability detection available application (application)
Dynatrace Application Security - Non-critical runtime vulnerability detection available application (application)
Dynatrace Application Security - Third-Party runtime vulnerability detection available application (application)
Field Effect MDR Alert: ARO Alert available application (application)
New Sonrai Ticket available application (application)
Pathlock TDnR - Function Module Tested in Production available application (application)
Pathlock TDnR - Logical OS Command Changes available application (application)
Pathlock TDnR - SAP Batch Job Events available application (application)
Pathlock TDnR - TMS Transport and Import Events available application (application)
Process-Level Anomaly available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)
Vaikora - Behavioral anomaly detected available application (application)
Vaikora - High severity AI agent action detected available application (application)

User Execution T1204 30 rules

Critical Severity Incident available application (application)
CyberArkEPM - Attack attempt not blocked application (application)
CyberArkEPM - Multiple attack types application (application)
CyberArkEPM - Possible execution of Powershell Empire application (application)
CyberArkEPM - Process started from different locations application (application)
CyberArkEPM - Renamed Windows binary application (application)
CyberArkEPM - Uncommon process Internet access application (application)
CyberArkEPM - Uncommon Windows process started from System folder application (application)
CyberArkEPM - Unexpected executable extension application (application)
CyberArkEPM - Unexpected executable location application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule application (application)
Device Alert Surge available application (application)
Egress Defend - Dangerous Attachment Detected available application (application)
Egress Defend - Dangerous Link Click available application (application)
KnowBe4 Defend - Dangerous Attachment Detected available application (application)
KnowBe4 Defend - Dangerous Link Click available application (application)
Netskope - WebTransaction Error Detection available application (application)
Process-Level Anomaly available application (application)
Threats detected by Eset available application (application)

User Execution: Malicious Link T1204.001 16 rules

CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule application (application)

Exploitation for Client Execution T1203 12 rules

BitSight - compromised systems detected available application (application)
BitSight - diligence risk category detected available application (application)
Cyble Vision Alerts Vulnerability available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
Detect web requests to potentially harmful files (ASIM Web Session) available application (application)
Vulnerable Machines related to log4j CVE-2021-44228 available application (application)
Vulnerable Machines related to OMIGOD CVE-2021-38647 application (application)

Scheduled Task/Job T1053 6 rules

Mimecast Secure Email Gateway - AV available application (application)
Mimecast Secure Email Gateway - AV application (application)
Mimecast Secure Email Gateway - Virus available application (application)
Mimecast Secure Email Gateway - Virus application (application)
Pathlock TDnR - SAP Batch Job Events available application (application)
Pathlock TDnR - SAP System Job Monitoring Events available application (application)

Scheduled Task/Job: Scheduled Task T1053.005 6 rules

CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule application (application)

Command and Scripting Interpreter: PowerShell T1059.001 2 rules

CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)

Command and Scripting Interpreter: Windows Command Shell T1059.003 2 rules

CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)

User Execution: Malicious File T1204.002 2 rules

CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule available application (application)
CYFIRMA - Brand Intelligence - Malicious Mobile App Medium Rule available application (application)

Software Deployment Tools T1072 1 rule

BTP - Malware detected in BAS dev space available application (application)

Deploy Container T1610 1 rule

Cyble Vision Alerts Docker available application (application)

No specific technique 1 rule

Radiflow - Platform Alert available application (application)

Persistence 102 rules, 9 techniques

External Remote Services T1133 38 rules

Cyble Vision Alerts IOC'S available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) available application (application)
Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) available application (application)
Detect known risky user agents (ASIM Web Session) available application (application)
Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) available application (application)
Detect presence of uncommon user agents in web requests (ASIM Web Session) available application (application)
Detect threat information in web requests (ASIM Web Session) available application (application)
Detect URLs containing known malicious keywords or commands (ASIM Web Session) available application (application)
Detect web requests to potentially harmful files (ASIM Web Session) available application (application)
Identify instances where a single source is observed using multiple user agents (ASIM Web Session) available application (application)
Imperva - Abnormal protocol usage available application (application)
Imperva - Critical severity event not blocked available application (application)
Imperva - Forbidden HTTP request method in request available application (application)
Imperva - Malicious Client available application (application)
Imperva - Malicious user agent available application (application)
Imperva - Multiple user agents from same source available application (application)
Imperva - Possible command injection available application (application)
Imperva - Request from unexpected countries available application (application)
Imperva - Request from unexpected IP address to admin panel available application (application)
Imperva - Request to unexpected destination port available application (application)
Jamf Protect - Network Threats available application (application)
Palo Alto Prisma Cloud - High risk score alert available application (application)
Palo Alto Prisma Cloud - High severity alert opened for several days available application (application)
Palo Alto Prisma Cloud - Maximum risk score alert available application (application)
Palo Alto Prisma Cloud - Network ACL allow all outbound traffic available application (application)
Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports available application (application)
Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic available application (application)
Radiflow - New Activity Detected available application (application)
SailPointIdentityNowAlertForTriggers available application (application)
SailPointIdentityNowEventType available application (application)
SailPointIdentityNowEventTypeTechnicalName available application (application)
SailPointIdentityNowFailedEvents available application (application)
SailPointIdentityNowFailedEventsBasedOnTime available application (application)
SailPointIdentityNowUserWithFailedEvent available application (application)

Account Manipulation T1098 23 rules

Copilot - Plugin Created by Non-Admin User available application (application)
CYFIRMA - Compromised Employees Detection Rule available application (application)
External User Access Enabled application (application)
F&O - Non-interactive account mapped to self or sensitive privileged user available application (application)
Pathlock TDnR - Authorization Profile Changes available application (application)
Pathlock TDnR - Authorization Role Changes available application (application)
Pathlock TDnR - CUA Settings Changes available application (application)
Pathlock TDnR - Global System Change Setting Events available application (application)
Pathlock TDnR - Kerberos Keytab Changes available application (application)
Pathlock TDnR - RFC Connection Changes available application (application)
Pathlock TDnR - SAP Authorization Changes available application (application)
Pathlock TDnR - SAP Client Configuration Changes available application (application)
Pathlock TDnR - SAP Instance Profile Changes available application (application)
Pathlock TDnR - System Security Policy Changes available application (application)
Pathlock TDnR - User Access Management Password Resets available application (application)
Pathlock TDnR - User Master Data Changes available application (application)
Pathlock TDnR - User-Profile Assignment Changes available application (application)
Pathlock TDnR - User-Role Assignment Changes available application (application)
RecordedFuture Threat Hunting Url All Actors application (application)
Semperis DSP Recent sIDHistory changes on AD objects available application (application)
Server Oriented Cmdlet And User Oriented Cmdlet used available application (application)
StealthTalk - Multi new devices registration available application (application)
VIP Mailbox manipulation available application (application)

Boot or Logon Autostart Execution T1547 10 rules

New Sonrai Ticket available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)

Server Software Component T1505 9 rules

CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule available application (application)
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule available application (application)
CYFIRMA - Attack Surface - Open Ports High Rule available application (application)
CYFIRMA - Attack Surface - Open Ports Medium Rule available application (application)
Detect potential presence of a malicious file with a double extension (ASIM Web Session) available application (application)
Pathlock TDnR - ABAP Source Code Changes available application (application)
Pathlock TDnR - ICF Web Service Changes available application (application)

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 6 rules

CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule application (application)

Create Account T1136 4 rules

CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
F&O - Non-interactive account mapped to self or sensitive privileged user available application (application)
Pathlock TDnR - SAP Cloud Account Administration Events available application (application)

Server Software Component: Web Shell T1505.003 4 rules

CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule application (application)

Compromise Host Software Binary T1554 4 rules

Dynatrace - Problem detection available application (application)
Dynatrace Application Security - Code-Level runtime vulnerability detection available application (application)
Dynatrace Application Security - Non-critical runtime vulnerability detection available application (application)
Dynatrace Application Security - Third-Party runtime vulnerability detection available application (application)

Create or Modify System Process T1543 2 rules

Pathlock TDnR - Logical OS Command Changes available application (application)
Pathlock TDnR - TMS Transport and Import Events available application (application)

No specific technique 2 rules

SAP LogServ - HANA DB - Audit Trail Policy Changes available application (application)
SAP LogServ - HANA DB - Deactivation of Audit Trail available application (application)

Privilege Escalation 66 rules, 4 techniques

Abuse Elevation Control Mechanism T1548 34 rules

BTP - Cloud Integration access policy tampering available application (application)
Dynatrace - Problem detection available application (application)
Dynatrace Application Security - Code-Level runtime vulnerability detection available application (application)
Dynatrace Application Security - Non-critical runtime vulnerability detection available application (application)
Dynatrace Application Security - Third-Party runtime vulnerability detection available application (application)
New Sonrai Ticket available application (application)
Pathlock TDnR - Authorization Check Value Changes (SU24) available application (application)
Pathlock TDnR - Authorization Profile Changes available application (application)
Pathlock TDnR - Authorization Role Changes available application (application)
Pathlock TDnR - Database Cockpit Audit Events available application (application)
Pathlock TDnR - Dynamic Access Control Events available application (application)
Pathlock TDnR - Emergency User (AdminTrack) Activity available application (application)
Pathlock TDnR - GRC Access Control Change Documents available application (application)
Pathlock TDnR - SAP Authorization Changes available application (application)
Pathlock TDnR - SU24 Table USOBT_C Changes available application (application)
Pathlock TDnR - SU24 Table USOBX_C Changes available application (application)
Pathlock TDnR - Switchable Authorization Design Changes available application (application)
Pathlock TDnR - Switchable Authorization Runtime Changes available application (application)
Pathlock TDnR - User Authorization Buffer Manipulation available application (application)
Pathlock TDnR - User Master Data Changes available application (application)
Pathlock TDnR - User-Profile Assignment Changes available application (application)
Pathlock TDnR - User-Role Assignment Changes available application (application)
Red Canary Threat Detection application (application)
Samsung Knox - Application Privilege Escalation or Change Events available application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)
Threats detected by Eset available application (application)
Vaikora - High severity AI agent action detected available application (application)

Event Triggered Execution T1546 17 rules

BTP - Cloud Integration artifact deployment available application (application)
BTP - Cloud Integration package import or transport available application (application)
Copilot - Plugin Created by Non-Admin User available application (application)
Dataminr - urgent alerts detected available application (application)
Egress Defend - Dangerous Attachment Detected available application (application)
Generate alerts based on ExtraHop detections recommended for triage available application (application)
KnowBe4 Defend - Dangerous Attachment Detected available application (application)
Mimecast Secure Email Gateway - Internal Email Protect available application (application)
Mimecast Secure Email Gateway - Internal Email Protect application (application)
Rubrik Critical Anomaly available application (application)
Rubrik Threat Monitoring available application (application)
Vectra Create Detection Alert for Accounts available application (application)
Vectra Create Detection Alert for Hosts available application (application)
Vectra Create Incident Based on Priority for Accounts available application (application)
Vectra Create Incident Based on Priority for Hosts available application (application)
Vectra Create Incident Based on Tag for Accounts available application (application)
Vectra Create Incident Based on Tag for Hosts available application (application)

Exploitation for Privilege Escalation T1068 8 rules

CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule available application (application)
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
Dynatrace Application Security - Attack detection available application (application)
Semperis DSP Zerologon vulnerability available application (application)

Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002 4 rules

CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)

No specific technique 3 rules

Radiflow - Platform Alert available application (application)
SAP LogServ - HANA DB - Assign Admin Authorizations available application (application)
SAP LogServ - HANA DB - User Admin actions available application (application)

Stealth 155 rules, 17 techniques

Valid Accounts T1078 46 rules

BTP - Build Work Zone unauthorized access and role tampering available application (application)
BTP - User added to Cloud Identity Service privileged Administrators list available application (application)
BTP - User added to sensitive privileged role collection available application (application)
Copilot - Jailbreak Attempt Detected available application (application)
Cyble Vision Alerts Darkweb Data Breaches available application (application)
CYFIRMA - Compromised Employees Detection Rule available application (application)
CYFIRMA - Customer Accounts Leaks Detection Rule available application (application)
CYFIRMA - Public Accounts Leaks Detection Rule available application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
F&O - Bank account change following network alias reassignment available application (application)
F&O - Non-interactive account mapped to self or sensitive privileged user available application (application)
Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour) available application (application)
Non-admin guest available application (application)
Palo Alto Prisma Cloud - Access keys are not rotated for 90 days available application (application)
Palo Alto Prisma Cloud - Anomalous access key usage available application (application)
Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions available application (application)
Palo Alto Prisma Cloud - Inactive user available application (application)
Pathlock TDnR - Emergency User (AdminTrack) Activity available application (application)
Pathlock TDnR - Multiple Login Sessions Detected available application (application)
Pathlock TDnR - SAP Cloud Account Administration Events available application (application)
Pathlock TDnR - SAP HANA Database Audit Trail available application (application)
Pathlock TDnR - User Access Management Password Resets available application (application)
ProofpointPOD - Binary file in attachment available application (application)
ProofpointPOD - Email sender in TI list application (application)
ProofpointPOD - Email sender IP in TI list application (application)
ProofpointPOD - Possible data exfiltration to private email available application (application)
RecordedFuture Threat Hunting Url All Actors application (application)
Red Sift - Login from previously unseen IP address available application (application)
Service principal not using client credentials available application (application)
SOCRadar High or Critical Severity Alarm available application (application)
StealthTalk - After hours work available application (application)
StealthTalk - Login outside work zone available application (application)
StealthTalk - Multi new devices registration available application (application)
Successful logins to SOC Prime platform from bad IP addresses available application (application)
TacitRed - High Confidence Compromise application (application)
TacitRed - Repeat Compromise Detection application (application)
Theom - Overprovisioned Roles Shadow DB available application (application)
Theom - Shadow DB with atypical accesses available application (application)
User joining Zoom meeting from suspicious timezone application (application)
User Sign in from different countries available application (application)
UserAccountDisabled available application (application)
Vaikora - Agent policy violation available application (application)
Vaikora - High severity AI agent action detected available application (application)
Valimail Enforce - High-Value User Management Event available application (application)
Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available application (application)

Impair Defenses T1562 42 rules

blacklens Insights available application (application)
Check Point Exposure Management - Alert Ingestion Anomaly available application (application)
Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes) available application (application)
Cyren Feed Outage Detection available application (application)
Field Effect MDR Alert: ARO Alert available application (application)
Netskope - Repeated or Critical Policy Violations available application (application)
New Sonrai Ticket available application (application)
Pathlock TDnR - ABAP Source Code Changes available application (application)
Pathlock TDnR - Authorization Check Value Changes (SU24) available application (application)
Pathlock TDnR - Critical File Integrity Changes available application (application)
Pathlock TDnR - DDIC Table Utility Changes (SE14) available application (application)
Pathlock TDnR - Generic SAP Change Documents available application (application)
Pathlock TDnR - Generic Table Content Changes available application (application)
Pathlock TDnR - Global System Change Setting Events available application (application)
Pathlock TDnR - ICM Security Events available application (application)
Pathlock TDnR - SAP Client Configuration Changes available application (application)
Pathlock TDnR - SAP HANA Parameter Changes available application (application)
Pathlock TDnR - SAP Instance Profile Changes available application (application)
Pathlock TDnR - SAP Security Audit Log Events available application (application)
Pathlock TDnR - SE16N Direct Table Change Documents available application (application)
Pathlock TDnR - SU24 Table USOBT_C Changes available application (application)
Pathlock TDnR - SU24 Table USOBX_C Changes available application (application)
Pathlock TDnR - Switchable Authorization Design Changes available application (application)
Pathlock TDnR - Switchable Authorization Runtime Changes available application (application)
Pathlock TDnR - System Security Policy Changes available application (application)
Pathlock TDnR - Table Parameter Setting Changes available application (application)
Pathlock TDnR - User Authorization Buffer Manipulation available application (application)
Power Automate - Unusual bulk deletion of flow resources available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)
Vaikora - Agent policy violation available application (application)
Valimail Enforce - DMARC Policy Weakened to None available application (application)
Valimail Enforce - Email Authentication Key Deleted available application (application)
Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available application (application)
Zero Networks Segement - Machine Removed from protection available application (application)

Obfuscated Files or Information T1027 15 rules

CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule application (application)
Vaikora - Behavioral anomaly detected available application (application)

Masquerading T1036 11 rules

CyberArkEPM - Process started from different locations application (application)
CyberArkEPM - Renamed Windows binary application (application)
CyberArkEPM - Uncommon process Internet access application (application)
CyberArkEPM - Uncommon Windows process started from System folder application (application)
CyberArkEPM - Unexpected executable extension application (application)
CyberArkEPM - Unexpected executable location application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
Detect potential presence of a malicious file with a double extension (ASIM Web Session) available application (application)
Pathlock TDnR - Critical File Integrity Changes available application (application)

Indicator Removal T1070 10 rules

BTP - Build Work Zone unauthorized access and role tampering available application (application)
BTP - Cloud Integration tampering with security material available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
OCI - Event rule deleted available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Process Injection T1055 6 rules

Contrast ADR - EDR Alert Correlation available application (application)
Contrast ADR - Exploited Attack Event available application (application)
Contrast ADR - Exploited Attack in Production available application (application)
Contrast ADR - Security Incident Alert available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)

Impair Defenses: Disable or Modify Tools T1562.001 5 rules

Copilot - File Uploads Disabled available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
Deleted a Custom Field Mapping profile available application (application)
Deleted a Tenant available application (application)

Access Token Manipulation T1134 4 rules

BTP - Cloud Identity Service application configuration monitor available application (application)
BTP - Trust and authorization Identity Provider monitor available application (application)
Pathlock TDnR - Dynamic Access Control Events available application (application)
Semperis DSP Well-known privileged SIDs in sIDHistory available application (application)

Deobfuscate/Decode Files or Information T1140 4 rules

Dynatrace - Problem detection available application (application)
Dynatrace Application Security - Code-Level runtime vulnerability detection available application (application)
Dynatrace Application Security - Non-critical runtime vulnerability detection available application (application)
Dynatrace Application Security - Third-Party runtime vulnerability detection available application (application)

System Binary Proxy Execution T1218 2 rules

CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware application (application)

Impair Defenses: Indicator Blocking T1562.006 2 rules

SAP ETD - No new data received available application (application)
SAP ETD - SAP system stopped reporting data available application (application)

Masquerading: Match Legitimate Resource Name or Location T1036.005 1 rule

CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule available application (application)

Trusted Developer Utilities Proxy Execution T1127 1 rule

CyberArkEPM - MSBuild usage as LOLBin application (application)

Exploitation for Stealth T1211 1 rule

Contrast ADR - WAF Alert Correlation available application (application)

Execution Guardrails T1480 1 rule

Power Platform - DLP policy updated or removed available application (application)

Impair Defenses: Disable or Modify Cloud Logs T1562.008 1 rule

BTP - Audit log service unavailable available application (application)

Hide Artifacts T1564 1 rule

Missing Domain Controller Heartbeat application (application)

No specific technique 2 rules

SAP LogServ - HANA DB - Audit Trail Policy Changes available application (application)
SAP LogServ - HANA DB - Deactivation of Audit Trail available application (application)

Defense Impairment 23 rules, 6 techniques

Modify Authentication Process T1556 9 rules

Azure secure score block legacy authentication available application (application)
BTP - Cloud Identity Service application configuration monitor available application (application)
BTP - Trust and authorization Identity Provider monitor available application (application)
External User Access Enabled application (application)
F&O - Bank account change following network alias reassignment available application (application)
F&O - Non-interactive account mapped to self or sensitive privileged user available application (application)
Keeper Security - Password Changed available application (application)
Keeper Security - User MFA Changed available application (application)
Red Sift - MFA disabled on account available application (application)

Subvert Trust Controls T1553 7 rules

CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
Pathlock TDnR - STRUST PSE Certificate Changes available application (application)

Modify Authentication Process: Password Filter DLL T1556.002 4 rules

CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)

Rogue Domain Controller T1207 1 rule

Semperis DSP Mimikatz's DCShadow Alert available application (application)

File and Directory Permissions Modification T1222 1 rule

BTP - Cloud Integration access policy tampering available application (application)

Modify Cloud Compute Infrastructure T1578 1 rule

Commvault Cloud Alert available application (application)

Credential Access 111 rules, 17 techniques

Unsecured Credentials T1552 22 rules

BTP - Cloud Integration JDBC data source changes available application (application)
BTP - Cloud Integration tampering with security material available application (application)
Contrast ADR - DLP SQL Injection Correlation available application (application)
Cyble Vision Alerts Bitbucket available application (application)
Cyble Vision Alerts Compromised Files available application (application)
Cyble Vision Alerts Leaked Credentials available application (application)
Cyble Vision Alerts Postman API Exposure Detection available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule available application (application)
CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule available application (application)
CYFIRMA - Compromised Employees Detection Rule available application (application)
CYFIRMA - Customer Accounts Leaks Detection Rule available application (application)
CYFIRMA - Public Accounts Leaks Detection Rule available application (application)
Cynerio - IoT - Default password application (application)
Cynerio - IoT - Weak password application (application)
Pathlock TDnR - LDAP Synchronization Application Log Events available application (application)
Pathlock TDnR - STRUST PSE Certificate Changes available application (application)
Theom - Dev secrets unencrypted available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

OS Credential Dumping T1003 21 rules

CYFIRMA - Compromised Employees Detection Rule available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
New Sonrai Ticket available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)

Brute Force T1110 17 rules

API - Account Takeover available application (application)
API - Password Cracking available application (application)
API - Suspicious Login available application (application)
blacklens Insights available application (application)
Brute force attack against user credentials available application (application)
Copilot - Jailbreak Attempt Detected available application (application)
Detect potential file enumeration activity (ASIM Web Session) available application (application)
Flare leaked credentials results available application (application)
Mimecast Audit - Logon Authentication Failed application (application)
Mimecast Audit - Logon Authentication Failed application (application)
Multiple failed attempts of NetBackup login available application (application)
Palo Alto Prisma Cloud - Multiple failed logins for user available application (application)
Pathlock TDnR - Multiple Login Sessions Detected available application (application)
Potential Password Spray Attack available application (application)
Samsung Knox - Password Lockout Events available application (application)
StealthTalk - Password brute force available application (application)
Versasec CMS - Multiple Failed Login Attempts available application (application)

Credentials from Password Stores T1555 11 rules

API - Password Cracking available application (application)
Azure secure score PW age policy new available application (application)
CybleVision Alerts Darkweb Marketplace Alerts available application (application)
CybleVision Alerts Stealer Logs available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
Flare infected device results available application (application)
Highly Sensitive Password Accessed available application (application)
SpyCloud Enterprise Breach Detection available application (application)
SpyCloud Enterprise Malware Detection available application (application)
Trust Monitor Event application (application)

Credentials from Password Stores: Credentials from Web Browsers T1555.003 8 rules

CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule application (application)

Exploitation for Credential Access T1212 5 rules

Azure secure score block legacy authentication available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule available application (application)
Multiple failed attempts of NetBackup login available application (application)
Threats detected by Eset available application (application)

Steal Application Access Token T1528 5 rules

API - JWT validation available application (application)
Contrast ADR - DLP SQL Injection Correlation available application (application)
Identify instances where a single source is observed using multiple user agents (ASIM Web Session) available application (application)
Trust Monitor Event application (application)
Zero Networks Segment - New API Token created available application (application)

Brute Force: Password Spraying T1110.003 4 rules

CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)

Forge Web Credentials T1606 3 rules

Azure secure score PW age policy new available application (application)
BTP - Cloud Identity Service application configuration monitor available application (application)
BTP - Trust and authorization Identity Provider monitor available application (application)

OS Credential Dumping: LSASS Memory T1003.001 2 rules

CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)

Network Sniffing T1040 2 rules

Azure secure score PW age policy new available application (application)
Zoom E2E Encryption Disabled application (application)

Unsecured Credentials: Credentials In Files T1552.001 2 rules

CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule available application (application)

Forge Web Credentials: Web Cookies T1606.001 2 rules

CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule available application (application)
CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule available application (application)

Forced Authentication T1187 1 rule

API - Password Cracking available application (application)

Steal Web Session Cookie T1539 1 rule

Cyble Vision Alerts Compromised Endpoint Cookies available application (application)

Steal or Forge Kerberos Tickets T1558 1 rule

Pathlock TDnR - Kerberos Keytab Changes available application (application)

Steal or Forge Kerberos Tickets: Golden Ticket T1558.001 1 rule

Semperis DSP Kerberos krbtgt account with old password available application (application)

No specific technique 3 rules

Recorded Future Identity - Credential Exposure Detected available application (application)
RSA ID Plus - Locked Administrator Account Detected available application (application)
XbowMediumFindings available application (application)

Discovery 87 rules, 11 techniques

System Information Discovery T1082 30 rules

CDM_ContinuousDiagnostics&Mitigation_PostureChanged available application (application)
CMMC 2.0 Level 1 (Foundational) Readiness Posture available application (application)
CMMC 2.0 Level 2 (Advanced) Readiness Posture available application (application)
Cyble Vision Alerts Leaked Credentials available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule available application (application)
CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule available application (application)
Datawiza - massive errors detected application (application)
M2131_AssetStoppedLogging available application (application)
M2131_EventLogManagementPostureChanged_EL0 available application (application)
M2131_EventLogManagementPostureChanged_EL1 available application (application)
M2131_EventLogManagementPostureChanged_EL2 available application (application)
M2131_EventLogManagementPostureChanged_EL3 available application (application)
M2131_LogRetentionLessThan1Year available application (application)
M2131_RecommendedDatatableUnhealthy available application (application)
NIST SP 800-53 Posture Changed available application (application)
Pathlock TDnR - ABAP Runtime Dumps available application (application)
Pathlock TDnR - Database Cockpit Audit Events available application (application)
Pathlock TDnR - J2EE Security Audit Events available application (application)
Pathlock TDnR - J2EE Security Events available application (application)
Pathlock TDnR - Missing SAP Security Notes available application (application)
Pathlock TDnR - Pathlock Security Radar Internal Events available application (application)
Pathlock TDnR - RiskTrack Audit Results available application (application)
Pathlock TDnR - SAP BTP Cloud Foundry Events available application (application)
Pathlock TDnR - SAP HANA Database Audit Trail available application (application)
Pathlock TDnR - SAP Public Cloud Security Audit Events available application (application)
Pathlock TDnR - SAP Security Audit Log Events available application (application)
Pathlock TDnR - Transaction and Report Statistics available application (application)
ZeroTrust(TIC3.0) Control Assessment Posture Change available application (application)

Account Discovery T1087 19 rules

API - Account Takeover available application (application)
API - Rate limiting available application (application)
Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes) available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - Public Accounts Leaks Detection Rule available application (application)
Highly Sensitive Password Accessed available application (application)
New Sonrai Ticket available application (application)
Red Canary Threat Detection application (application)
Sensitive Data Discovered in the Last 24 Hours application (application)
Sensitive Data Discovered in the Last 24 Hours - Customized application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)

Network Service Discovery T1046 8 rules

Contrast ADR - DLP SQL Injection Correlation available application (application)
Cyble Vision Alerts IOC'S available application (application)
Cyble Vision Alerts Vulnerability available application (application)
CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule available application (application)
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule available application (application)
Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports) available application (application)

File and Directory Discovery T1083 8 rules

API - Kiterunner detection available application (application)
Cyble Vision Alerts Bitbucket available application (application)
Cyble Vision Alerts Cloud Storage available application (application)
Cyble Vision Alerts Docker available application (application)
Detect potential file enumeration activity (ASIM Web Session) available application (application)
Mimecast Secure Email Gateway - Spam Event Thread available application (application)
Mimecast Secure Email Gateway - Spam Event Thread application (application)
NetClean ProActive Incidents available application (application)

Cloud Storage Object Discovery T1619 5 rules

Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Process Discovery T1057 3 rules

CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
Lookout - New Threat events found. available application (application)

Cloud Service Discovery T1526 3 rules

BTP - Failed access attempts across multiple BAS subaccounts available application (application)
Netskope - New Risky App Access vs 7-Day Baseline available application (application)
SOCRadar Unsynced Closed Incident available application (application)

Permission Groups Discovery T1069 2 rules

OCI - Insecure metadata endpoint available application (application)
OCI - Instance metadata access available application (application)

Account Discovery: Cloud Account T1087.004 2 rules

CYFIRMA - Attack Surface - Cloud Weakness High Rule available application (application)
CYFIRMA - Attack Surface - Cloud Weakness Medium Rule available application (application)

Cloud Infrastructure Discovery T1580 2 rules

API - Kiterunner detection available application (application)
OCI - Discovery activity available application (application)

Remote System Discovery T1018 1 rule

Contrast ADR - Security Incident Alert available application (application)

No specific technique 4 rules

SAP ETD - Execution of Sensitive Function Module available application (application)
SAP ETD - Login from unexpected network available application (application)
XbowLowFindings available application (application)
XbowMediumFindings available application (application)

Lateral Movement 40 rules, 5 techniques

Remote Services T1021 17 rules

BTP - Cloud Integration JDBC data source changes available application (application)
Contrast ADR - DLP SQL Injection Correlation available application (application)
New Sonrai Ticket available application (application)
Pathlock TDnR - HANA Standalone DB Connection Events available application (application)
Pathlock TDnR - RFC Connection Changes available application (application)
Pathlock TDnR - SAP Cloud Connector Events available application (application)
Pathlock TDnR - SAP RFC Gateway Events available application (application)
Pathlock TDnR - SAP Router Log Events available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)

Exploitation of Remote Services T1210 11 rules

Contrast ADR - Exploited Attack Event available application (application)
Contrast ADR - Exploited Attack in Production available application (application)
CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
Dynatrace - Problem detection available application (application)
Dynatrace Application Security - Code-Level runtime vulnerability detection available application (application)
Dynatrace Application Security - Non-critical runtime vulnerability detection available application (application)
Dynatrace Application Security - Third-Party runtime vulnerability detection available application (application)
NRT GravityZone Incident Alerts available application (application)

Remote Services: SMB/Windows Admin Shares T1021.002 6 rules

CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - High Severity Attack Surface based Vulnerabilities Rule Alert application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert application (application)
CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)

Internal Spearphishing T1534 2 rules

Mimecast Secure Email Gateway - Internal Email Protect available application (application)
Mimecast Secure Email Gateway - Internal Email Protect application (application)

Use Alternate Authentication Material T1550 1 rule

Cyble Vision Alerts Compromised Endpoint Cookies available application (application)

No specific technique 3 rules

Radiflow - Platform Alert available application (application)
SAP LogServ - HANA DB - Audit Trail Policy Changes available application (application)
SAP LogServ - HANA DB - Deactivation of Audit Trail available application (application)

Collection 112 rules, 10 techniques

Data from Cloud Storage T1530 38 rules

Cognni Incidents for Highly Sensitive Business Information available application (application)
Cognni Incidents for Highly Sensitive Financial Information available application (application)
Cognni Incidents for Highly Sensitive Governance Information available application (application)
Cognni Incidents for Highly Sensitive HR Information available application (application)
Cognni Incidents for Highly Sensitive Legal Information available application (application)
Cognni Incidents for Low Sensitivity Business Information available application (application)
Cognni Incidents for Low Sensitivity Financial Information available application (application)
Cognni Incidents for Low Sensitivity Governance Information available application (application)
Cognni Incidents for Low Sensitivity HR Information available application (application)
Cognni Incidents for Low Sensitivity Legal Information available application (application)
Cognni Incidents for Medium Sensitivity Business Information available application (application)
Cognni Incidents for Medium Sensitivity Financial Information available application (application)
Cognni Incidents for Medium Sensitivity Governance Information available application (application)
Cognni Incidents for Medium Sensitivity HR Information available application (application)
Cognni Incidents for Medium Sensitivity Legal Information available application (application)
Cyble Vision Alerts Darkweb Data Breaches available application (application)
Netskope - Excessive Downloads Detection (Spike vs Baseline) available application (application)
Netskope - Heavy Personal Cloud Storage Usage (Shadow IT) available application (application)
Pathlock TDnR - Credit Card Data Changes available application (application)
Theom - Dark Data with large fin value available application (application)
Theom - Dev secrets exposed available application (application)
Theom - Financial data exposed available application (application)
Theom - Financial data unencrypted available application (application)
Theom - Healthcare data exposed available application (application)
Theom - Healthcare data unencrypted available application (application)
Theom - Least priv large value shadow DB available application (application)
Theom - National IDs exposed available application (application)
Theom - National IDs unencrypted available application (application)
Theom - Overprovisioned Roles Shadow DB available application (application)
Theom - Shadow DB large datastore value available application (application)
Theom - Shadow DB with atypical accesses available application (application)
Theom - Unencrypted public data stores available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)
Users searching for VIP user activity application (application)

Data from Information Repositories T1213 23 rules

CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
Pathlock TDnR - HR User Master Change Requests available application (application)
Pathlock TDnR - OData Application Log Events available application (application)
Pathlock TDnR - SAP Read Access Logging Audit available application (application)
Pathlock TDnR - SAP Read Access Logging Data available application (application)
Pathlock TDnR - Spool Job Changes available application (application)
Theom - Dev secrets exposed available application (application)
Theom - Financial data exposed available application (application)
Theom - Financial data unencrypted available application (application)
Theom - Healthcare data exposed available application (application)
Theom - Healthcare data unencrypted available application (application)
Theom - National IDs exposed available application (application)
Theom - National IDs unencrypted available application (application)
Theom - Unencrypted public data stores available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)
Users searching for VIP user activity application (application)

Automated Collection T1119 19 rules

API - API Scraping available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule available application (application)
New Sonrai Ticket available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)
Theom - Critical data in API headers or body available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Email Collection T1114 10 rules

CYFIRMA - Attack Surface - Configuration High Rule available application (application)
CYFIRMA - Attack Surface - Configuration Medium Rule available application (application)
Mimecast Secure Email Gateway - Attachment Protect available application (application)
Mimecast Secure Email Gateway - Attachment Protect application (application)
Mimecast Secure Email Gateway - Impersonation Protect available application (application)
Mimecast Secure Email Gateway - Impersonation Protect application (application)
Mimecast Targeted Threat Protection - Impersonation Protect available application (application)
Mimecast Targeted Threat Protection - Impersonation Protect application (application)
Server Oriented Cmdlet And User Oriented Cmdlet used available application (application)
VIP Mailbox manipulation available application (application)

Archive Collected Data T1560 10 rules

Theom - Dark Data with large fin value available application (application)
Theom - Least priv large value shadow DB available application (application)
Theom - Overprovisioned Roles Shadow DB available application (application)
Theom - Shadow DB large datastore value available application (application)
Theom - Shadow DB with atypical accesses available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Data from Local System T1005 5 rules

blacklens Insights available application (application)
Contrast ADR - DLP SQL Injection Correlation available application (application)
CybleVision Alerts Darkweb Marketplace Alerts available application (application)
CybleVision Alerts Stealer Logs available application (application)
SailPointIdentityNowAlertForTriggers available application (application)

Data Staged T1074 3 rules

Netskope - Anomalous User Behavior (High Volume from Unmanaged Device) available application (application)
Netskope - Data Movement Tracking (Upload/Download Monitoring) available application (application)
Netskope - Excessive Downloads Detection (Spike vs Baseline) available application (application)

Screen Capture T1113 2 rules

CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)

Data from Removable Media T1025 1 rule

Removable storage ONLINE event from secRMM application (application)

Input Capture T1056 1 rule

Azure secure score MFA registration V2 available application (application)

Command & Control 134 rules, 17 techniques

Application Layer Protocol T1071 43 rules

blacklens Insights available application (application)
Cyble Vision Alerts IOC'S available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule available application (application)
CYFIRMA - Attack Surface - Open Ports High Rule available application (application)
CYFIRMA - Attack Surface - Open Ports Medium Rule available application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity Trojan File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Trojan File Hash Indicators with Monitor Action Rule application (application)
Cyren High-Risk IP Indicators available application (application)
Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) available application (application)
Detect known risky user agents (ASIM Web Session) available application (application)
Detect potential file enumeration activity (ASIM Web Session) available application (application)
Detect potential presence of a malicious file with a double extension (ASIM Web Session) available application (application)
Detect requests for an uncommon resources on the web (ASIM Web Session) available application (application)
Detect URLs containing known malicious keywords or commands (ASIM Web Session) available application (application)
Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports) available application (application)
New Sonrai Ticket available application (application)
Pathlock TDnR - SAP HTTP Webserver Events available application (application)
Pathlock TDnR - SAP RFC Gateway Events available application (application)
Pathlock TDnR - SAP Web Dispatcher HTTP Events available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)
ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema) application (application)
TI map Domain entity to PaloAlto CommonSecurityLog application (application)
TI map Domain entity to PaloAlto CommonSecurityLog application (application)
TI map IP entity to AppServiceHTTPLogs application (application)
TI map IP entity to AppServiceHTTPLogs application (application)
TI map IP entity to Azure Key Vault logs application (application)
TI map IP entity to Azure Key Vault logs application (application)
TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) application (application)
TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) application (application)
TI map IP entity to GitHub_CL application (application)
TI map IP entity to GitHub_CL application (application)
TI map IP entity to Workday(ASimAuditEventLogs) application (application)
TI map IP entity to Workday(ASimAuditEventLogs) application (application)

Application Layer Protocol: Web Protocols T1071.001 22 rules

CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule available application (application)
CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule application (application)
Detect presence of private IP addresses in URLs (ASIM Web Session) available application (application)
The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) available application (application)
Web sites blocked by Eset available application (application)

Proxy T1090 15 rules

BitSight - drop in company ratings available application (application)
BitSight - drop in the headline rating available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule available application (application)
CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule application (application)

Fallback Channels T1008 9 rules

Contrast ADR - DLP SQL Injection Correlation available application (application)
Contrast ADR - EDR Alert Correlation available application (application)
Contrast ADR - Exploited Attack Event available application (application)
Contrast ADR - Exploited Attack in Production available application (application)
Contrast ADR - Security Incident Alert available application (application)
Contrast ADR - WAF Alert Correlation available application (application)
Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) available application (application)
Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) available application (application)
Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) available application (application)

Dynamic Resolution: Domain Generation Algorithms T1568.002 8 rules

CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators Associated with Malware - Monitor Recommended Rule application (application)

Data Obfuscation T1001 6 rules

Detect presence of private IP addresses in URLs (ASIM Web Session) available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Protocol Tunneling T1572 5 rules

CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
Pathlock TDnR - SAP Router Log Events available application (application)

Proxy: Multi-hop Proxy T1090.003 4 rules

CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule application (application)

Ingress Tool Transfer T1105 4 rules

CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)

Dynamic Resolution T1568 4 rules

Cyren High-Risk IP Indicators available application (application)
Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) available application (application)
Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) available application (application)
Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) available application (application)

Encrypted Channel: Symmetric Cryptography T1573.001 4 rules

CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)

Application Layer Protocol: Mail Protocols T1071.003 2 rules

CYFIRMA - Brand Intelligence - Domain Impersonation High Rule available application (application)
CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule available application (application)

Web Service T1102 2 rules

CybleVision Alerts Telegram Mentions available application (application)
Detect requests for an uncommon resources on the web (ASIM Web Session) available application (application)

Encrypted Channel T1573 2 rules

Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) available application (application)
ProofpointPOD - Weak ciphers available application (application)

Proxy: External Proxy T1090.002 1 rule

CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule available application (application)

Non-Application Layer Protocol T1095 1 rule

CyberArkEPM - Uncommon process Internet access application (application)

Non-Standard Port T1571 1 rule

Contrast ADR - DLP SQL Injection Correlation available application (application)

No specific technique 1 rule

Radiflow - Platform Alert available application (application)

Exfiltration 86 rules, 8 techniques

Exfiltration Over C2 Channel T1041 32 rules

blacklens Insights available application (application)
Contrast ADR - DLP SQL Injection Correlation available application (application)
Cyble Vision Alerts Compromised Files available application (application)
Cyble Vision Alerts Postman API Exposure Detection available application (application)
CybleVision Alerts Darkweb Marketplace Alerts available application (application)
CybleVision Alerts Stealer Logs available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule available application (application)
CYFIRMA - High severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - High severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Block Recommendation Rule application (application)
CYFIRMA - Medium severity Command & Control Network Indicators with Monitor Recommendation Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule application (application)
Detect presence of private IP addresses in URLs (ASIM Web Session) available application (application)
New Sonrai Ticket available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Exfiltration Over Web Service T1567 14 rules

Netskope - Anomalous User Behavior (High Volume from Unmanaged Device) available application (application)
Netskope - Data Movement Tracking (Upload/Download Monitoring) available application (application)
Netskope - Heavy Personal Cloud Storage Usage (Shadow IT) available application (application)
Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP) available application (application)
Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT) available application (application)
Power Automate - Departing employee flow activity available application (application)
Power Platform - Connector added to a sensitive environment available application (application)
ProofpointPOD - Email sender in TI list application (application)
ProofpointPOD - Email sender IP in TI list application (application)
ProofpointPOD - Multiple archived attachments to the same recipient available application (application)
ProofpointPOD - Multiple large emails to the same recipient available application (application)
ProofpointPOD - Multiple protected emails to unknown recipient available application (application)
SOCRadar Alarm Volume Spike available application (application)
Web sites blocked by Eset available application (application)

Exfiltration Over Alternative Protocol T1048 12 rules

Cyble Vision Alerts Darkweb Data Breaches available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule available application (application)
Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP) available application (application)
Netskope - Repeated or Critical Policy Violations available application (application)
Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports) available application (application)
Pathlock TDnR - OData Application Log Events available application (application)
Pathlock TDnR - Outbound SAP SMTP Email available application (application)
Pathlock TDnR - Outgoing Spool Print Job Events available application (application)
Pathlock TDnR - SAP Download Observer Events available application (application)
Pathlock TDnR - SAP Read Access Logging Data available application (application)
Pathlock TDnR - SE16N Direct Table Change Documents available application (application)

Transfer Data to Cloud Account T1537 11 rules

Cyble Vision Alerts Bitbucket available application (application)
Cyble Vision Alerts Cloud Storage available application (application)
Cyble Vision Alerts Docker available application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule available application (application)
Power Platform - Connector added to a sensitive environment available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Automated Exfiltration T1020 5 rules

API - BOLA available application (application)
Server Oriented Cmdlet And User Oriented Cmdlet used available application (application)
Third party integrated apps available application (application)
Users searching for VIP user activity application (application)
VIP Mailbox manipulation available application (application)

Data Transfer Size Limits T1030 5 rules

Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) available application (application)
Mimecast Data Leak Prevention - Hold application (application)
Mimecast Data Leak Prevention - Hold application (application)
Mimecast Data Leak Prevention - Notifications application (application)
Mimecast Data Leak Prevention - Notifications application (application)

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002 4 rules

CYFIRMA - High severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity TOR Node Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity TOR Node Network Indicators - Monitor Recommended Rule application (application)

Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 2 rules

CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)
CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule available application (application)

No specific technique 1 rule

Radiflow - Platform Alert available application (application)

Impact 126 rules, 11 techniques

Data Manipulation T1565 27 rules

Copilot - Jailbreak Attempt Detected available application (application)
Dynatrace - Problem detection available application (application)
Dynatrace Application Security - Attack detection available application (application)
Dynatrace Application Security - Code-Level runtime vulnerability detection available application (application)
Dynatrace Application Security - Non-critical runtime vulnerability detection available application (application)
Dynatrace Application Security - Third-Party runtime vulnerability detection available application (application)
F&O - Mass update or deletion of user records available application (application)
F&O - Reverted bank account number modifications available application (application)
Infoblox - SOC Insight Detected - API Source available application (application)
Infoblox - SOC Insight Detected - API Source available application (application)
Infoblox - SOC Insight Detected - CDC Source available application (application)
Pathlock TDnR - Bank Master Data Changes available application (application)
Pathlock TDnR - Business Partner Bank Data Changes available application (application)
Pathlock TDnR - Credit Card Data Changes available application (application)
Pathlock TDnR - Debitor Change Documents available application (application)
Pathlock TDnR - G/L Account Changes available application (application)
Pathlock TDnR - Generic SAP Change Documents available application (application)
Pathlock TDnR - Generic Table Content Changes available application (application)
Pathlock TDnR - HR User Master Change Requests available application (application)
Pathlock TDnR - IBAN Change Documents available application (application)
Pathlock TDnR - Payment Request Changes available application (application)
Pathlock TDnR - Vendor Change Documents available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Endpoint Denial of Service T1499 19 rules

API - Rate limiting available application (application)
Cyble Vision Alerts Domain Expiry Alert available application (application)
Cyble Vision Alerts SSL Certificate Expiry available application (application)
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule available application (application)
CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation High Rule available application (application)
CYFIRMA - Attack Surface - Malicious Domain/IP Reputation Medium Rule available application (application)
D3 Smart SOAR - High or critical severity incident detected available application (application)
Missing Domain Controller Heartbeat application (application)
New Sonrai Ticket available application (application)
Red Canary Threat Detection application (application)
Sonrai Ticket Assigned available application (application)
Sonrai Ticket Closed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Escalation Executed available application (application)
Sonrai Ticket Reopened available application (application)
Sonrai Ticket Risk Accepted available application (application)
Sonrai Ticket Snoozed available application (application)
Sonrai Ticket Updated available application (application)

Data Destruction T1485 18 rules

BTP - Mass user deletion in a sub account available application (application)
BTP - Mass user deletion in SAP Cloud Identity Service available application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware application (application)
Employee account deleted available application (application)
F&O - Mass update or deletion of user records available application (application)
Power Apps - Multiple apps deleted available application (application)
Power Automate - Departing employee flow activity available application (application)
Power Automate - Unusual bulk deletion of flow resources available application (application)
SenservaPro AD Applications Not Using Client Credentials available application (application)
SOCRadar Alarm Volume Spike available application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)
TI map IP entity to LastPass data available application (application)
Unusual Volume of Password Updated or Removed available application (application)

Data Encrypted for Impact T1486 18 rules

Cyble Vision Alerts Darkweb Ransomware Leak available application (application)
Cyble Vision Alerts IOC'S available application (application)
Cyble Vision Alerts Physical Threat Alert available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule available application (application)
CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule available application (application)
CYFIRMA - High severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - High severity File Hash Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action and Malware application (application)
CYFIRMA - Medium severity File Hash Indicators with Monitor Action Rule application (application)
Theom Critical Risks available application (application)
Theom High Risks available application (application)
Theom Insights available application (application)
Theom Low Risks available application (application)
Theom Medium Risks available application (application)

Defacement T1491 10 rules

BitSight - new alert found available application (application)
BitSight - new breach found available application (application)
Cyble Vision Alerts Hacktivism available application (application)
Cyble Vision Alerts Website Defacement Content available application (application)
Cyble Vision Alerts Website Defacement Keyword available application (application)
Cyble Vision Alerts Website Defacement URL available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)
CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule available application (application)
F&O - Mass update or deletion of user records available application (application)
Power Automate - Departing employee flow activity available application (application)

Network Denial of Service T1498 10 rules

Azure secure score admin MFA available application (application)
Cyble Vision Alerts Hacktivism available application (application)
CYFIRMA - High severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - High severity Malicious Network Indicators with Monitor Action Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Block Action Rule application (application)
CYFIRMA - Medium severity Malicious Network Indicators with Monitor Action Rule application (application)
Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) available application (application)
Infoblox - SOC Insight Detected - API Source available application (application)
Infoblox - SOC Insight Detected - API Source available application (application)
Infoblox - SOC Insight Detected - CDC Source available application (application)

System Shutdown/Reboot T1529 8 rules

Azure secure score admin MFA available application (application)
Azure secure score one admin available application (application)
Azure secure score role overlap available application (application)
Azure Secure Score Self Service Password Reset available application (application)
Azure secure score sign in risk policy available application (application)
Azure secure score user risk policy available application (application)
OCI - Multiple instances terminated available application (application)
SenservaPro AD Applications Not Using Client Credentials available application (application)

Resource Hijacking T1496 6 rules

CYFIRMA - High severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - High severity Trojan Network Indicators - Monitor Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Block Recommended Rule application (application)
CYFIRMA - Medium severity Trojan Network Indicators - Monitor Recommended Rule application (application)
F&O - Reverted bank account number modifications available application (application)
OCI - Multiple instances launched available application (application)

Account Access Removal T1531 6 rules

BTP - Build Work Zone unauthorized access and role tampering available application (application)
BTP - Mass user deletion in a sub account available application (application)
BTP - Mass user deletion in SAP Cloud Identity Service available application (application)
Commvault Cloud Alert available application (application)
Valimail Enforce - High-Value User Management Event available application (application)
Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available application (application)

Service Stop T1489 2 rules

BTP - Mass user deletion in a sub account available application (application)
BTP - Mass user deletion in SAP Cloud Identity Service available application (application)

Financial Theft T1657 1 rule

Cyble Vision Alerts Darkweb Ransomware Leak available application (application)

No specific technique 1 rule

RSA ID Plus - Locked Administrator Account Detected available application (application)

Untagged 84 rules without MITRE techniques

AIShield - Image classification AI Model Evasion high suspicious vulnerability detection available application (application)
AIShield - Image classification AI Model Evasion low suspicious vulnerability detection available application (application)
AIShield - Image classification AI Model extraction high suspicious vulnerability detection available application (application)
AIShield - Image Segmentation AI Model extraction high suspicious vulnerability detection available application (application)
AIShield - Natural language processing AI model extraction high suspicious vulnerability detection available application (application)
AIShield - Tabular classification AI Model Evasion high suspicious vulnerability detection available application (application)
AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection available application (application)
AIShield - Tabular classification AI Model extraction high suspicious vulnerability detection available application (application)
AIShield - Timeseries Forecasting AI Model extraction high suspicious vulnerability detection available application (application)
Anvilogic Alert available application (application)
Armorblox Needs Review Alert available application (application)
Atlassian Beacon Alert available application (application)
Best Practice Compliance Check Not Passed available application (application)
Configuration Backup Failed available application (application)
Cortex XDR Incident - High application (application)
Cortex XDR Incident - Low application (application)
Cortex XDR Incident - Medium application (application)
Darktrace AI Analyst application (application)
Darktrace Model Breach application (application)
Darktrace System Status application (application)
Digital Shadows Incident Creation for exclude-app application (application)
Digital Shadows Incident Creation for include-app application (application)
Forescout-DNS_Sniff_Event_Monitor application (application)
Guardian- Additional check JSON Policy Violation Detection available application (application)
Guardian- Ban Topic Policy Violation Detection available application (application)
Guardian- BII Detection Policy Violation Detection available application (application)
Guardian- Block Competitor Policy Violation Detection available application (application)
Guardian- Blocks specific strings of text Policy Violation Detection available application (application)
Guardian- Code Detection Policy Violation Detection available application (application)
Guardian- Content Access Control Allowed List Policy Violation Detection available application (application)
Guardian- Content Access Control Blocked List Policy Violation Detection available application (application)
Guardian- Content Safety Profanity Policy Violation Detection available application (application)
Guardian- Content Safety Toxicity Policy Violation Detection. available application (application)
Guardian- Gender Bias Policy Violation Detection available application (application)
Guardian- Input Output Relevance Policy Violation Detection available application (application)
Guardian- Input Rate Limiter Policy Violation Detection available application (application)
Guardian- Invisible Text Policy Violation Detection available application (application)
Guardian- Language Detection Policy Violation Detection available application (application)
Guardian- Malicious URL Policy Violation Detection available application (application)
Guardian- No LLM Output Policy Violation Detection available application (application)
Guardian- Not Safe For Work Policy Violation Detection available application (application)
Guardian- Privacy Protection PII Policy Violation Detection available application (application)
Guardian- Racial Bias Policy Violation Detection available application (application)
Guardian- Regex Policy Violation Detection available application (application)
Guardian- Same Input/Output Language Detection Policy Violation Detection available application (application)
Guardian- Secrets Policy Violation Detection available application (application)
Guardian- Security Integrity Checks Prompt Injection Policy Violation Detection available application (application)
Guardian- Sentiment Policy Violation Detection available application (application)
Guardian- Special PII Detection Policy Violation Detection available application (application)
Guardian- Token Limit Policy Violation Detection available application (application)
Guardian- URL Detection Policy Violation Detection available application (application)
Guardian- URL Reachability Policy Violation Detection available application (application)
Hunt Device Discovery Subnet Ranges application (application)
Hunt devices supporting MDE Containment application (application)
Hunt for Defender for Identity not installed but eligible application (application)
Hunt for devices organized by subnet application (application)
Jamf Protect - Alerts available application (application)
Jamf Protect - Unified Logs available application (application)
Malware Event Detected available application (application)
Samsung Knox - Peripheral Access Detection with Camera Events available application (application)
Samsung Knox - Peripheral Access Detection with Mic Events available application (application)
Samsung Knox - Security Log Full Events available application (application)
SAP ETD - Synch alerts available application (application)
SAP ETD - Synch investigations available application (application)
Tanium Threat Response Alerts application (application)
Valence Security Alerts available application (application)
Veeam ONE Application with No Recent Data Backup Sessions available application (application)
Veeam ONE Backup Copy RPO available application (application)
Veeam ONE Backup Server Security and Compliance State available application (application)
Veeam ONE Computer with No Backup available application (application)
Veeam ONE Immutability Change Tracking available application (application)
Veeam ONE Immutability State available application (application)
Veeam ONE Job Disabled available application (application)
Veeam ONE Job Disabled (Veeam Backup for Microsoft 365) available application (application)
Veeam ONE Malware Detection Change Tracking available application (application)
Veeam ONE Possible Ransomware Activity (Hyper-V) available application (application)
Veeam ONE Possible Ransomware Activity (vSphere) available application (application)
Veeam ONE Suspicious Incremental Backup Size available application (application)
Veeam ONE Unusual Job Duration available application (application)
Veeam ONE Unusual Job Duration (Veeam Backup for Microsoft 365) available application (application)
Veeam ONE VM with No Backup available application (application)
Veeam ONE VM with No Backup (Hyper-V) available application (application)
Veeam ONE VM with No Replica available application (application)
Veeam ONE VM with No Replica (Hyper-V) available application (application)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Kusto non-Windows coverage

Linux 455 rules

Reconnaissance 1 rule, 1 technique

Initial Access 47 rules, 6 techniques

Execution 17 rules, 7 techniques

Persistence 18 rules, 4 techniques

Privilege Escalation 8 rules, 3 techniques

Stealth 74 rules, 9 techniques

Defense Impairment 2 rules, 1 technique

Credential Access 16 rules, 6 techniques

Discovery 9 rules, 5 techniques

Lateral Movement 6 rules, 2 techniques

Collection 4 rules, 3 techniques

Command & Control 40 rules, 7 techniques

Exfiltration 29 rules, 7 techniques

Impact 30 rules, 8 techniques

Untagged 113 rules without MITRE techniques

macOS 183 rules

Reconnaissance 1 rule, 1 technique

Initial Access 28 rules, 4 techniques

Execution 12 rules, 7 techniques

Persistence 10 rules, 2 techniques

Privilege Escalation 4 rules, 2 techniques

Stealth 26 rules, 6 techniques

Credential Access 5 rules, 4 techniques

Discovery 7 rules, 3 techniques

Lateral Movement 4 rules, 2 techniques

Command & Control 20 rules, 2 techniques

Exfiltration 12 rules, 4 techniques

Impact 13 rules, 4 techniques

Untagged 2 rules without MITRE techniques

AWS 127 rules

Reconnaissance 7 rules, 7 techniques

Resource Development 1 rule, 1 technique

Initial Access 3 rules, 2 techniques

Execution 9 rules, 4 techniques

Persistence 32 rules, 4 techniques

Stealth 23 rules, 12 techniques

Defense Impairment 13 rules, 2 techniques

Credential Access 4 rules, 1 technique

Discovery 6 rules, 4 techniques

Lateral Movement 2 rules, 2 techniques

Collection 3 rules, 1 technique

Command & Control 10 rules, 2 techniques

Exfiltration 7 rules, 3 techniques

Impact 6 rules, 4 techniques

Untagged 1 rule without MITRE techniques

Azure 400 rules

Reconnaissance 2 rules, 1 technique

Resource Development 2 rules, 2 techniques

Initial Access 23 rules, 3 techniques

Execution 19 rules, 9 techniques

Persistence 47 rules, 7 techniques

Privilege Escalation 5 rules, 2 techniques

Stealth 99 rules, 7 techniques

Defense Impairment 15 rules, 8 techniques

Credential Access 55 rules, 13 techniques

Discovery 21 rules, 5 techniques

Lateral Movement 18 rules, 7 techniques

Collection 5 rules, 3 techniques

Command & Control 45 rules, 7 techniques

Exfiltration 12 rules, 5 techniques

Impact 25 rules, 8 techniques

Untagged 6 rules without MITRE techniques

GCP 66 rules

Resource Development 1 rule, 1 technique

Initial Access 5 rules, 3 techniques

Execution 3 rules, 2 techniques

Persistence 5 rules, 3 techniques

Privilege Escalation 5 rules, 2 techniques

Stealth 16 rules, 6 techniques

Credential Access 6 rules, 3 techniques

Discovery 9 rules, 4 techniques

Lateral Movement 4 rules, 2 techniques

Collection 1 rule, 1 technique

Command & Control 7 rules, 2 techniques

Exfiltration 2 rules, 2 techniques

Impact 2 rules, 2 techniques

Microsoft 365 68 rules

Initial Access 16 rules, 3 techniques