Splunk non-Windows coverage
814 non-Windows Splunk detection rules across 13 platforms, grouped by MITRE ATT&CK technique within each platform. The Windows coverage matrix lives at /rules/splunk/; this page reorganizes the same corpus along platform × technique because non-Windows rules have no catalog event IDs to plot.
For coverage organized by each platform's native action vocabulary across all vendors, see the platform matrices: AWS, Azure AD, GCP, M365, Okta. This page is the vendor-organized view of the same rules.
Linux
Reconnaissance
Initial Access
Exploit Public-Facing Application T1190 2 rules
- Java Writing JSP File production
- Linux Suspicious React or Next.js Child Process production
Hardware Additions T1200 2 rules
- Linux Auditd Hardware Addition Swapoff production
- Linux Hardware Addition SwapOff production
Execution
Scheduled Task/Job: Cron T1053.003 8 rules
- Linux Add Files In Known Crontab Directories production
- Linux Adding Crontab Using List Parameter production
- Linux At Allow Config File Creation production
- Linux Auditd Edit Cron Table Parameter production
- Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File production
- Linux Edit Cron Table Parameter production
- Linux Possible Append Cronjob Entry on Existing Cronjob File production
- Linux Possible Cronjob Modification With Editor production
Command and Scripting Interpreter: Unix Shell T1059.004 5 rules
- Linux Decode Base64 to Shell production
- Linux Magic SysRq Key Abuse production
- Linux Suspicious React or Next.js Child Process production
- Linux Unix Shell Enable All SysRq Functions production
- Suspicious Linux Discovery Commands production
Scheduled Task/Job: Systemd Timers T1053.006 4 rules
- Linux Auditd Service Restarted production
- Linux Service File Created In Systemd Directory production
- Linux Service Restarted production
- Linux Service Started Or Enabled production
Scheduled Task/Job: At T1053.002 3 rules
- Linux At Application Execution production
- Linux Auditd At Application Execution production
- Linux Possible Append Command To At Allow Config File production
Command and Scripting Interpreter T1059 1 rule
- ESXi Reverse Shell Patterns production
Command and Scripting Interpreter: Container CLI/API T1059.013 1 rule
- Linux Docker Shell Execution production
System Services: Service Execution T1569.002 1 rule
- Linux Auditd Service Started production
Persistence
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 7 rules
- Linux Auditd Insert Kernel Module Using Insmod Utility production
- Linux Auditd Install Kernel Module Using Modprobe Utility production
- Linux Auditd Kernel Module Using Rmmod Utility production
- Linux Auditd Unload Module Via Modprobe production
- Linux File Created In Kernel Driver Directory production
- Linux Insert Kernel Module Using Insmod Utility production
- Linux Install Kernel Module Using Modprobe Utility production
Create Account: Local Account T1136.001 4 rules
- ESXi Account Modified production
- Linux Add User Account production
- Linux Auditd Add User Account production
- Linux Auditd Add User Account Type production
Account Manipulation T1098 2 rules
- ESXi Account Modified production
- ESXi User Granted Admin Role production
Boot or Logon Initialization Scripts: RC Scripts T1037.004 1 rule
- Linux File Creation In Init Boot Directory production
External Remote Services T1133 1 rule
- Java Writing JSP File production
Privilege Escalation
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 35 rules
- Linux APT Privilege Escalation production
- Linux Auditd Doas Conf File Creation production
- Linux Auditd Doas Tool Execution production
- Linux Auditd Nopasswd Entry In Sudoers File production
- Linux Auditd Possible Access To Sudoers File production
- Linux Auditd Sudo Or Su Execution production
- Linux AWK Privilege Escalation production
- Linux Busybox Privilege Escalation production
- Linux c89 Privilege Escalation production
- Linux c99 Privilege Escalation production
- Linux Composer Privilege Escalation production
- Linux Cpulimit Privilege Escalation production
- Linux Csvtool Privilege Escalation production
- Linux Doas Conf File Creation production
- Linux Doas Tool Execution production
- Linux Emacs Privilege Escalation production
- Linux Find Privilege Escalation production
- Linux GDB Privilege Escalation production
- Linux Gem Privilege Escalation production
- Linux GNU Awk Privilege Escalation production
- Linux Make Privilege Escalation production
- Linux MySQL Privilege Escalation production
- Linux Node Privilege Escalation production
- Linux NOPASSWD Entry In Sudoers File production
- Linux Octave Privilege Escalation production
- Linux OpenVPN Privilege Escalation production
- Linux PHP Privilege Escalation production
- Linux Possible Access To Sudoers File production
- Linux Puppet Privilege Escalation production
- Linux RPM Privilege Escalation production
- Linux Ruby Privilege Escalation production
- Linux Sqlite3 Privilege Escalation production
- Linux Sudo OR Su Execution production
- Linux Sudoers Tmp File Creation production
- Linux Visudo Utility Execution production
Exploitation for Privilege Escalation T1068 5 rules
- Detect Baron Samedit CVE-2021-3156 experimental
- Detect Baron Samedit CVE-2021-3156 Segfault experimental
- Detect Baron Samedit CVE-2021-3156 via OSQuery experimental
- Linux Auditd Copy Fail Privilege Escalation production
- Linux pkexec Privilege Escalation production
Abuse Elevation Control Mechanism: Setuid and Setgid T1548.001 5 rules
- Linux Auditd Setuid Using Chmod Utility production
- Linux Auditd Setuid Using Setcap Utility production
- Linux Common Process For Elevation Control production
- Linux Setuid Using Chmod Utility production
- Linux Setuid Using Setcap Utility production
Abuse Elevation Control Mechanism T1548 2 rules
- Linux Persistence and Privilege Escalation Risk Behavior production
- Linux Telnet Authentication Bypass production
Escape to Host T1611 1 rule
- Linux Docker Root Directory Mount production
Stealth
Indicator Removal: File Deletion T1070.004 8 rules
- Linux Account Manipulation Of SSH Config and Keys production
- Linux Deletion Of Cron Jobs production
- Linux Deletion Of Init Daemon Script production
- Linux Deletion Of Services production
- Linux Deletion of SSL Certificate production
- Linux High Frequency Of File Deletion In Boot Folder production
- Linux High Frequency Of File Deletion In Etc Folder production
- Linux Indicator Removal Service File Deletion production
Valid Accounts T1078 4 rules
- ESXi Account Modified production
- ESXi External Root Login Activity production
- ESXi Shared or Stolen Root Account production
- ESXi User Granted Admin Role production
Rootkit T1014 3 rules
- Linux Auditd Kernel Module Enumeration production
- Linux Kernel Module Enumeration production
- Linux Medusa Rootkit production
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 3 rules
- Linux Auditd Preload Hijack Library Calls production
- Linux Auditd Preload Hijack Via Preload File production
- Linux Preload Hijack Library Calls production
Obfuscated Files or Information T1027 2 rules
- Linux Decode Base64 to Shell production
- Linux Obfuscated Files or Information Base64 Decode production
Indicator Removal T1070 2 rules
- ESXi Audit Tampering production
- Linux Indicator Removal Clear Cache production
Indicator Removal: Timestomp T1070.006 1 rule
- ESXi System Clock Manipulation production
Valid Accounts: Local Accounts T1078.003 1 rule
- Potential password in username production
Execution Guardrails T1480 1 rule
Defense Impairment
Disable or Modify Tools T1685 6 rules
- ESXi Download Errors production
- ESXi Encryption Settings Modified production
- ESXi Lockdown Mode Disabled production
- ESXi Loghost Config Tampering production
- ESXi VIB Acceptance Level Tampering production
- Linux Impair Defenses Process Kill production
File and Directory Permissions Modification: Linux and Mac Permissions T1222.002 4 rules
- Linux Auditd Change File Owner To Root production
- Linux Auditd File Permission Modification Via Chmod production
- Linux Auditd File Permissions Modification Via Chattr production
- Linux Change File Owner To Root production
Disable or Modify System Firewall T1686 4 rules
- ESXi Firewall Disabled production
- Linux Auditd Disable Or Modify System Firewall production
- Linux Iptables Firewall Modification production
- Linux Stdout Redirection To Dev Null File production
Disable or Modify Tools: Disable or Modify Linux Audit System Log T1685.004 3 rules
- Linux Auditd Auditd Daemon Abort production
- Linux Auditd Auditd Daemon Shutdown production
- Linux Auditd Auditd Daemon Start production
Prevent Command History Logging T1690 2 rules
- ESXi Audit Tampering production
- ESXi Syslog Config Change production
Modify System Image: Patch System Image T1601.001 1 rule
- ESXi Download Errors production
Credential Access
Brute Force T1110 10 rules
- Crowdstrike Admin Weak Password Policy production
- Crowdstrike Admin With Duplicate Password production
- Crowdstrike High Identity Risk Severity production
- Crowdstrike Medium Identity Risk Severity production
- Crowdstrike Medium Severity Alert production
- Crowdstrike Multiple LOW Severity Alerts production
- Crowdstrike Privilege Escalation For Non-Admin User production
- Crowdstrike User Weak Password Policy production
- Crowdstrike User with Duplicate Password production
- ESXi SSH Brute Force production
OS Credential Dumping: /etc/passwd and /etc/shadow T1003.008 3 rules
- ESXi Sensitive Files Accessed production
- Linux Auditd Possible Access To Credential Files production
- Linux Possible Access To Credential Files production
Unsecured Credentials: Private Keys T1552.004 2 rules
- Linux Auditd Find Ssh Private Keys production
- Linux Auditd Private Keys and Certificate Enumeration production
Discovery
System Information Discovery T1082 3 rules
- ESXi System Information Discovery production
- Linux Auditd Kernel Module Enumeration production
- Linux Kernel Module Enumeration production
System Network Configuration Discovery T1016 2 rules
- Linux Auditd System Network Configuration Discovery production
- Linux System Network Discovery production
Virtual Machine Discovery T1673 2 rules
- ESXi Bulk VM Termination production
- ESXi VM Discovery production
System Owner/User Discovery T1033 1 rule
- Linux Auditd Whoami User Discovery production
Lateral Movement
Remote Services: SSH T1021.004 2 rules
- ESXi SSH Enabled production
- Linux SSH Remote Services Script Execute production
Remote Services T1021 1 rule
- ESXi Shell Access Enabled production
Collection
Data from Local System T1005 2 rules
- ESXi Sensitive Files Accessed production
- ESXi VM Exported via Remote Tool production
Clipboard Data T1115 2 rules
- Linux Auditd Clipboard Data Copy production
- Linux Clipboard Data Copy production
Command & Control
Ingress Tool Transfer T1105 3 rules
- Linux Curl Upload File production
- Linux Ingress Tool Transfer Hunting production
- Linux Ingress Tool Transfer with Curl production
Proxy T1090 2 rules
- Linux Ngrok Reverse Proxy Usage production
- Linux Proxy Socks Curl production
Non-Application Layer Protocol T1095 1 rule
- Linux Proxy Socks Curl production
Web Service T1102 1 rule
- Linux Ngrok Reverse Proxy Usage production
Protocol Tunneling T1572 1 rule
- Linux Ngrok Reverse Proxy Usage production
Exfiltration
Data Transfer Size Limits T1030 2 rules
Exfiltration Over Web Service T1567 1 rule
- Linux Gdrive Binary Activity production
Impact
Data Destruction T1485 14 rules
- Linux Account Manipulation Of SSH Config and Keys production
- Linux Auditd Data Destruction Command production
- Linux Auditd Dd File Overwrite production
- Linux Auditd Shred Overwrite Command production
- Linux Data Destruction Command production
- Linux DD File Overwrite production
- Linux Deleting Critical Directory Using RM Command production
- Linux Deletion Of Cron Jobs production
- Linux Deletion Of Init Daemon Script production
- Linux Deletion Of Services production
- Linux Deletion of SSL Certificate production
- Linux High Frequency Of File Deletion In Boot Folder production
- Linux High Frequency Of File Deletion In Etc Folder production
- Linux Shred Overwrite Command production
Service Stop T1489 7 rules
- Linux Auditd Auditd Service Stop production
- Linux Auditd Osquery Service Stop production
- Linux Auditd Stop Services production
- Linux Auditd Sysmon Service Stop production
- Linux Disable Services production
- Linux Magic SysRq Key Abuse production
- Linux Stop Services production
System Shutdown/Reboot T1529 3 rules
- ESXi Bulk VM Termination production
- Linux Magic SysRq Key Abuse production
- Linux System Reboot Via System Request Key production
Endpoint Denial of Service T1499 2 rules
- ESXi Bulk VM Termination production
- Linux Magic SysRq Key Abuse production
Untagged
- CrowdStrike Falcon Stream Alerts production
- Processes Tapping Keyboard Events experimental
macOS
Execution
Command and Scripting Interpreter T1059 1 rule
- ESXi Reverse Shell Patterns production
Command and Scripting Interpreter: Unix Shell T1059.004 1 rule
- MacOS LOLbin production
Persistence
Account Manipulation T1098 2 rules
- ESXi Account Modified production
- ESXi User Granted Admin Role production
Boot or Logon Initialization Scripts: Login Hook T1037.002 1 rule
- MacOS LoginHook Persistence production
Create Account T1136 1 rule
- MacOS Account Created production
Create Account: Local Account T1136.001 1 rule
- ESXi Account Modified production
Server Software Component: vSphere Installation Bundles T1505.006 1 rule
- ESXi Malicious VIB Forced Install production
Create or Modify System Process T1543 1 rule
- MacOS Kextload Usage production
Stealth
Valid Accounts T1078 4 rules
- ESXi Account Modified production
- ESXi External Root Login Activity production
- ESXi Shared or Stolen Root Account production
- ESXi User Granted Admin Role production
Indicator Removal T1070 2 rules
- ESXi Audit Tampering production
- MacOS Log Removal production
Indicator Removal: Timestomp T1070.006 1 rule
- ESXi System Clock Manipulation production
Defense Impairment
Disable or Modify Tools T1685 5 rules
- ESXi Download Errors production
- ESXi Encryption Settings Modified production
- ESXi Lockdown Mode Disabled production
- ESXi Loghost Config Tampering production
- ESXi VIB Acceptance Level Tampering production
Prevent Command History Logging T1690 2 rules
- ESXi Audit Tampering production
- ESXi Syslog Config Change production
Subvert Trust Controls: Gatekeeper Bypass T1553.001 1 rule
- MacOS Gatekeeper Bypass production
Modify System Image: Patch System Image T1601.001 1 rule
- ESXi Download Errors production
Plist File Modification T1647 1 rule
- MacOS plutil production
Disable or Modify System Firewall T1686 1 rule
- ESXi Firewall Disabled production
Credential Access
Brute Force T1110 10 rules
- Crowdstrike Admin Weak Password Policy production
- Crowdstrike Admin With Duplicate Password production
- Crowdstrike High Identity Risk Severity production
- Crowdstrike Medium Identity Risk Severity production
- Crowdstrike Medium Severity Alert production
- Crowdstrike Multiple LOW Severity Alerts production
- Crowdstrike Privilege Escalation For Non-Admin User production
- Crowdstrike User Weak Password Policy production
- Crowdstrike User with Duplicate Password production
- ESXi SSH Brute Force production
OS Credential Dumping: /etc/passwd and /etc/shadow T1003.008 1 rule
- ESXi Sensitive Files Accessed production
Credentials from Password Stores: Keychain T1555.001 1 rule
- MacOS Keychains Dumped production
Discovery
Virtual Machine Discovery T1673 2 rules
- ESXi Bulk VM Termination production
- ESXi VM Discovery production
System Network Configuration Discovery T1016 1 rule
- MacOS List Firewall Rules production
System Information Discovery T1082 1 rule
- ESXi System Information Discovery production
Network Share Discovery T1135 1 rule
- MacOS Network Share Discovery production
Lateral Movement
Remote Services T1021 1 rule
- ESXi Shell Access Enabled production
Remote Services: SSH T1021.004 1 rule
- ESXi SSH Enabled production
Collection
Data from Local System T1005 2 rules
- ESXi Sensitive Files Accessed production
- ESXi VM Exported via Remote Tool production
Exfiltration
Data Transfer Size Limits T1030 1 rule
- MacOS Data Chunking production
Impact
Endpoint Denial of Service T1499 1 rule
- ESXi Bulk VM Termination production
System Shutdown/Reboot T1529 1 rule
- ESXi Bulk VM Termination production
Untagged
- CrowdStrike Falcon Stream Alerts production
- Processes Tapping Keyboard Events experimental
AWS
Resource Development
Compromise Accounts: Cloud Accounts T1586.003 15 rules
- ASL AWS Credential Access GetPasswordData production
- ASL AWS Credential Access RDS Password reset production
- ASL AWS Multi-Factor Authentication Disabled production
- AWS Console Login Failed During MFA Challenge production
- AWS Credential Access Failed Login production
- AWS Credential Access GetPasswordData production
- AWS Credential Access RDS Password reset production
- AWS Multi-Factor Authentication Disabled production
- AWS Multiple Failed MFA Requests For User production
- AWS Successful Single-Factor Authentication production
- AWS Unusual Number of Failed Authentications From Ip production
- Detect AWS Console Login by New User production
- Detect AWS Console Login by User from New City production
- Detect AWS Console Login by User from New Country production
- Detect AWS Console Login by User from New Region production
Initial Access
Phishing: Spearphishing Attachment T1566.001 4 rules
- GSuite Email Suspicious Attachment production
- Gsuite Email Suspicious Subject With Attachment production
- Gsuite Email With Known Abuse Web Service Link production
- Gsuite Suspicious Shared File Name experimental
Phishing T1566 2 rules
- Gdrive suspicious file sharing experimental
- Gsuite suspicious calendar invite experimental
Execution
User Execution T1204 15 rules
- AWS Lambda UpdateFunctionCode production
- Kubernetes Anomalous Inbound Network Activity from Process experimental
- Kubernetes Anomalous Inbound Outbound Network IO experimental
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio experimental
- Kubernetes Anomalous Outbound Network Activity from Process experimental
- Kubernetes Anomalous Traffic on Network Edge experimental
- Kubernetes newly seen TCP edge experimental
- Kubernetes newly seen UDP edge experimental
- Kubernetes Previously Unseen Container Image Name experimental
- Kubernetes Previously Unseen Process experimental
- Kubernetes Process Running From New Path experimental
- Kubernetes Process with Anomalous Resource Utilisation experimental
- Kubernetes Process with Resource Ratio Anomalies experimental
- Kubernetes Shell Running on Worker Node experimental
- Kubernetes Shell Running on Worker Node with CPU Activity experimental
User Execution: Malicious Image T1204.003 8 rules
- ASL AWS ECR Container Upload Outside Business Hours production
- ASL AWS ECR Container Upload Unknown User production
- AWS ECR Container Scanning Findings High production
- AWS ECR Container Scanning Findings Low Informational Unknown production
- AWS ECR Container Scanning Findings Medium production
- AWS ECR Container Upload Outside Business Hours production
- AWS ECR Container Upload Unknown User production
- Risk Rule for Dev Sec Ops by Repository production
Persistence
Create Account: Cloud Account T1136.003 7 rules
- ASL AWS Create Access Key production
- ASL AWS UpdateLoginProfile production
- AWS CreateAccessKey production
- AWS CreateLoginProfile production
- AWS UpdateLoginProfile production
- O365 Added Service Principal production
- O365 New Federated Domain Added production
Account Manipulation T1098 6 rules
- ASL AWS IAM Delete Policy production
- ASL AWS IAM Failure Group Deletion production
- ASL AWS IAM Successful Group Deletion production
- AWS IAM Delete Policy production
- AWS IAM Failure Group Deletion production
- AWS IAM Successful Group Deletion production
Compromise Host Software Binary T1554 2 rules
- Circle CI Disable Security Job production
- Circle CI Disable Security Step experimental
Stealth
Valid Accounts T1078 9 rules
- ASL AWS SAML Update identity provider production
- AWS Bedrock Invoke Model Access Denied production
- AWS SAML Update identity provider production
- Cloud API Calls From Previously Unseen User Roles production
- Cloud Provisioning Activity From Previously Unseen City production
- Cloud Provisioning Activity From Previously Unseen Country production
- Cloud Provisioning Activity From Previously Unseen IP Address production
- Cloud Provisioning Activity From Previously Unseen Region production
- GCP Detect gcploit framework experimental
Valid Accounts: Cloud Accounts T1078.004 7 rules
- ASL AWS Create Policy Version to allow all resources production
- AWS Create Policy Version to allow all resources production
- AWS SetDefaultPolicyVersion production
- AWS Successful Single-Factor Authentication production
- Cloud Compute Instance Created By Previously Unseen User production
- Cloud Instance Modified By Previously Unseen User production
- O365 Security And Compliance Alert Triggered production
Unused/Unsupported Cloud Regions T1535 5 rules
- AWS Successful Console Authentication From Multiple IPs production
- Cloud Compute Instance Created In Previously Unused Region production
- Detect AWS Console Login by User from New City production
- Detect AWS Console Login by User from New Country production
- Detect AWS Console Login by User from New Region production
Defense Impairment
Disable or Modify Tools: Disable or Modify Cloud Log T1685.002 14 rules
- ASL AWS Defense Evasion Delete Cloudtrail production
- ASL AWS Defense Evasion Delete CloudWatch Log Group production
- ASL AWS Defense Evasion Impair Security Services production
- ASL AWS Defense Evasion PutBucketLifecycle production
- ASL AWS Defense Evasion Stop Logging Cloudtrail production
- ASL AWS Defense Evasion Update Cloudtrail production
- AWS Bedrock Delete GuardRails production
- AWS Bedrock Delete Model Invocation Logging Configuration production
- AWS Defense Evasion Delete Cloudtrail production
- AWS Defense Evasion Delete CloudWatch Log Group production
- AWS Defense Evasion Impair Security Services production
- AWS Defense Evasion PutBucketLifecycle production
- AWS Defense Evasion Stop Logging Cloudtrail production
- AWS Defense Evasion Update Cloudtrail production
Modify Authentication Process: Multi-Factor Authentication T1556.006 4 rules
- ASL AWS Multi-Factor Authentication Disabled production
- ASL AWS New MFA Method Registered For User production
- AWS Multi-Factor Authentication Disabled production
- AWS New MFA Method Registered For User production
Credential Access
Brute Force T1110 5 rules
- ASL AWS Credential Access RDS Password reset production
- ASL AWS IAM Assume Role Policy Brute Force production
- AWS Credential Access RDS Password reset production
- AWS IAM Assume Role Policy Brute Force production
- O365 Excessive Authentication Failures Alert production
Multi-Factor Authentication Request Generation T1621 4 rules
- ASL AWS Multi-Factor Authentication Disabled production
- AWS Console Login Failed During MFA Challenge production
- AWS Multi-Factor Authentication Disabled production
- AWS Multiple Failed MFA Requests For User production
Brute Force: Password Guessing T1110.001 3 rules
- ASL AWS Credential Access GetPasswordData production
- AWS Credential Access Failed Login production
- AWS Credential Access GetPasswordData production
Exploitation for Credential Access T1212 2 rules
- Kubernetes Nginx Ingress LFI production
- Kubernetes Nginx Ingress RFI production
Unsecured Credentials T1552 1 rule
- Detect AWS Console Login by New User production
Discovery
Cloud Service Discovery T1526 5 rules
- Amazon EKS Kubernetes cluster scan detection experimental
- Amazon EKS Kubernetes Pod scan detection experimental
- AWS Excessive Security Scanning production
- GCP Kubernetes cluster pod scan detection experimental
- Kubernetes Scanner Image Pulling production
Cloud Infrastructure Discovery T1580 5 rules
- ASL AWS IAM AccessDenied Discovery Events production
- ASL AWS IAM Assume Role Policy Brute Force production
- AWS Bedrock High Number List Foundation Model Failures production
- AWS IAM AccessDenied Discovery Events production
- AWS IAM Assume Role Policy Brute Force production
Network Service Discovery T1046 3 rules
- Internal Horizontal Port Scan production
- Internal Horizontal Port Scan NMAP Top 20 production
- Internal Vertical Port Scan production
Permission Groups Discovery: Cloud Groups T1069.003 2 rules
- ASL AWS IAM Successful Group Deletion production
- AWS IAM Successful Group Deletion production
Password Policy Discovery T1201 2 rules
- AWS High Number Of Failed Authentications For User production
- AWS Password Policy Changes production
Lateral Movement
Collection
Data from Cloud Storage T1530 6 rules
- Detect GCP Storage access from a new IP experimental
- Detect New Open GCP Storage Buckets experimental
- Detect New Open S3 buckets production
- Detect New Open S3 Buckets over AWS CLI production
- Detect S3 access from a new IP experimental
- Detect Spike in S3 Bucket deletion experimental
Email Collection: Email Forwarding Rule T1114.003 3 rules
- O365 Mailbox Email Forwarding Enabled production
- O365 New Email Forwarding Rule Created production
- O365 New Email Forwarding Rule Enabled production
Automated Collection T1119 3 rules
- AWS Exfiltration via Anomalous GetObject API Activity production
- AWS Exfiltration via Batch Service production
- AWS Exfiltration via DataSync Task production
Email Collection T1114 2 rules
- O365 New Forwarding Mailflow Rule Created production
- O365 PST export alert production
Email Collection: Remote Email Collection T1114.002 2 rules
- O365 Compliance Content Search Exported production
- O365 Compliance Content Search Started production
Browser Session Hijacking T1185 2 rules
- ASL AWS Concurrent Sessions From Different Ips production
- AWS Concurrent Sessions From Different Ips production
Exfiltration
Transfer Data to Cloud Account T1537 6 rules
- ASL AWS EC2 Snapshot Shared Externally production
- AWS AMI Attribute Modification for Exfiltration production
- AWS EC2 Snapshot Shared Externally production
- AWS Exfiltration via Bucket Replication production
- AWS Exfiltration via EC2 Snapshot production
- AWS S3 Exfiltration Behavior Identified production
Impact
Data Encrypted for Impact T1486 3 rules
Data Destruction T1485 2 rules
- AWS Bedrock Delete Knowledge Base production
- Detect Web Access to Decommissioned S3 Bucket experimental
Data Destruction: Lifecycle-Triggered Deletion T1485.001 2 rules
- ASL AWS Defense Evasion PutBucketLifecycle production
- AWS Defense Evasion PutBucketLifecycle production
Inhibit System Recovery T1490 2 rules
- ASL AWS Disable Bucket Versioning production
- AWS Disable Bucket Versioning production
Untagged
Azure
Resource Development
Compromise Accounts: Cloud Accounts T1586.003 9 rules
- Azure Active Directory High Risk Sign-in production
- Azure AD Authentication Failed During MFA Challenge production
- Azure AD Multi-Factor Authentication Disabled production
- Azure AD Multi-Source Failed Authentications Spike production
- Azure AD Multiple Failed MFA Requests For User production
- Azure AD Multiple Users Failing To Authenticate From Ip production
- Azure AD Successful PowerShell Authentication production
- Azure AD Successful Single-Factor Authentication production
- Azure AD Unusual Number of Failed Authentications From Ip production
Initial Access
Phishing: Spearphishing Attachment T1566.001 4 rules
- GSuite Email Suspicious Attachment production
- Gsuite Email Suspicious Subject With Attachment production
- Gsuite Email With Known Abuse Web Service Link production
- Gsuite Suspicious Shared File Name experimental
Phishing T1566 2 rules
- Gdrive suspicious file sharing experimental
- Gsuite suspicious calendar invite experimental
Phishing: Spearphishing Link T1566.002 1 rule
- Azure AD Device Code Authentication production
Execution
User Execution T1204 14 rules
- Kubernetes Anomalous Inbound Network Activity from Process experimental
- Kubernetes Anomalous Inbound Outbound Network IO experimental
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio experimental
- Kubernetes Anomalous Outbound Network Activity from Process experimental
- Kubernetes Anomalous Traffic on Network Edge experimental
- Kubernetes newly seen TCP edge experimental
- Kubernetes newly seen UDP edge experimental
- Kubernetes Previously Unseen Container Image Name experimental
- Kubernetes Previously Unseen Process experimental
- Kubernetes Process Running From New Path experimental
- Kubernetes Process with Anomalous Resource Utilisation experimental
- Kubernetes Process with Resource Ratio Anomalies experimental
- Kubernetes Shell Running on Worker Node experimental
- Kubernetes Shell Running on Worker Node with CPU Activity experimental
Software Deployment Tools T1072 4 rules
- Microsoft Intune Device Health Scripts production
- Microsoft Intune DeviceManagementConfigurationPolicies production
- Microsoft Intune Manual Device Management production
- Microsoft Intune Mobile Apps experimental
Persistence
Account Manipulation: Additional Cloud Roles T1098.003 10 rules
- Azure AD Admin Consent Bypassed by Service Principal production
- Azure AD Application Administrator Role Assigned production
- Azure AD FullAccessAsApp Permission Assigned production
- Azure AD Global Administrator Role Assigned production
- Azure AD PIM Role Assigned production
- Azure AD PIM Role Assignment Activated production
- Azure AD Privileged Role Assigned production
- Azure AD Privileged Role Assigned to Service Principal production
- Azure AD Service Principal Privilege Escalation production
- Azure AD Tenant Wide Admin Consent Granted production
Create Account: Cloud Account T1136.003 8 rules
- Azure AD External Guest User Invited production
- Azure AD Multiple Service Principals Created by SP production
- Azure AD Multiple Service Principals Created by User production
- Azure AD Service Principal Created production
- Azure Automation Account Created production
- Azure Automation Runbook Created production
- O365 Added Service Principal production
- O365 New Federated Domain Added production
Account Manipulation T1098 3 rules
- Azure AD Service Principal Owner Added production
- Azure AD User Enabled And Password Reset production
- Azure AD User ImmutableId Attribute Updated production
Account Manipulation: Additional Email Delegate Permissions T1098.002 2 rules
- Azure AD FullAccessAsApp Permission Assigned production
- O365 ApplicationImpersonation Role Assigned production
Compromise Host Software Binary T1554 2 rules
- Circle CI Disable Security Job production
- Circle CI Disable Security Step experimental
Stealth
Valid Accounts: Cloud Accounts T1078.004 7 rules
- Azure AD Authentication Failed During MFA Challenge production
- Azure AD Multiple Failed MFA Requests For User production
- Azure AD Service Principal Authentication production
- Azure AD Successful PowerShell Authentication production
- Azure AD Successful Single-Factor Authentication production
- Azure Runbook Webhook Created production
- O365 Security And Compliance Alert Triggered production
Valid Accounts T1078 2 rules
- Azure AD Multiple AppIDs and UserAgents Authentication Spike production
- GCP Detect gcploit framework experimental
Indirect Command Execution T1202 2 rules
- Microsoft Intune Device Health Scripts production
- Microsoft Intune Mobile Apps experimental
Defense Impairment
Domain or Tenant Policy Modification: Trust Modification T1484.002 2 rules
- Azure AD New Custom Domain Added production
- Azure AD New Federated Domain Added production
Modify Authentication Process: Multi-Factor Authentication T1556.006 2 rules
- Azure AD Multi-Factor Authentication Disabled production
- Azure AD New MFA Method Registered For User production
Disable or Modify Tools T1685 2 rules
Credential Access
Brute Force: Password Spraying T1110.003 7 rules
- Azure Active Directory High Risk Sign-in production
- Azure AD High Number Of Failed Authentications From Ip production
- Azure AD Multi-Source Failed Authentications Spike production
- Azure AD Multiple Users Failing To Authenticate From Ip production
- Azure AD Successful Authentication From Different Ips production
- Azure AD Unusual Number of Failed Authentications From Ip production
- Detect Distributed Password Spray Attempts production
Steal Application Access Token T1528 5 rules
- Azure AD Device Code Authentication production
- Azure AD OAuth Application Consent Granted By User production
- Azure AD User Consent Blocked for Risky Application production
- Azure AD User Consent Denied for OAuth Application production
- O365 User Consent Denied for OAuth Application production
Exploitation for Credential Access T1212 2 rules
- Kubernetes Nginx Ingress LFI production
- Kubernetes Nginx Ingress RFI production
Brute Force T1110 1 rule
- O365 Excessive Authentication Failures Alert production
Discovery
Cloud Service Discovery T1526 6 rules
- Amazon EKS Kubernetes cluster scan detection experimental
- Amazon EKS Kubernetes Pod scan detection experimental
- Azure AD AzureHound UserAgent Detected production
- Azure AD Service Principal Enumeration production
- GCP Kubernetes cluster pod scan detection experimental
- Kubernetes Scanner Image Pulling production
Account Discovery: Cloud Account T1087.004 2 rules
- Azure AD AzureHound UserAgent Detected production
- Azure AD Service Principal Enumeration production
Lateral Movement
Remote Services: Cloud Services T1021.007 4 rules
- Microsoft Intune Device Health Scripts production
- Microsoft Intune DeviceManagementConfigurationPolicies production
- Microsoft Intune Manual Device Management production
- Microsoft Intune Mobile Apps experimental
Collection
Email Collection: Email Forwarding Rule T1114.003 3 rules
- O365 Mailbox Email Forwarding Enabled production
- O365 New Email Forwarding Rule Created production
- O365 New Email Forwarding Rule Enabled production
Data from Cloud Storage T1530 3 rules
- Detect GCP Storage access from a new IP experimental
- Detect New Open GCP Storage Buckets experimental
- Detect S3 access from a new IP experimental
Email Collection T1114 2 rules
- O365 New Forwarding Mailflow Rule Created production
- O365 PST export alert production
Email Collection: Remote Email Collection T1114.002 2 rules
- O365 Compliance Content Search Exported production
- O365 Compliance Content Search Started production
Command & Control
Ingress Tool Transfer T1105 2 rules
- Microsoft Intune Device Health Scripts production
- Microsoft Intune Mobile Apps experimental
Exfiltration
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 1 rule
Transfer Data to Cloud Account T1537 1 rule
- AWS S3 Exfiltration Behavior Identified production
Impact
System Shutdown/Reboot T1529 1 rule
- Microsoft Intune Manual Device Management production
Disk Wipe: Disk Content Wipe T1561.001 1 rule
- Microsoft Intune Bulk Wipe production
Untagged
GCP
Initial Access
Phishing: Spearphishing Attachment T1566.001 4 rules
- GSuite Email Suspicious Attachment production
- Gsuite Email Suspicious Subject With Attachment production
- Gsuite Email With Known Abuse Web Service Link production
- Gsuite Suspicious Shared File Name experimental
Phishing T1566 2 rules
- Gdrive suspicious file sharing experimental
- Gsuite suspicious calendar invite experimental
Execution
User Execution T1204 14 rules
- Kubernetes Anomalous Inbound Network Activity from Process experimental
- Kubernetes Anomalous Inbound Outbound Network IO experimental
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio experimental
- Kubernetes Anomalous Outbound Network Activity from Process experimental
- Kubernetes Anomalous Traffic on Network Edge experimental
- Kubernetes newly seen TCP edge experimental
- Kubernetes newly seen UDP edge experimental
- Kubernetes Previously Unseen Container Image Name experimental
- Kubernetes Previously Unseen Process experimental
- Kubernetes Process Running From New Path experimental
- Kubernetes Process with Anomalous Resource Utilisation experimental
- Kubernetes Process with Resource Ratio Anomalies experimental
- Kubernetes Shell Running on Worker Node experimental
- Kubernetes Shell Running on Worker Node with CPU Activity experimental
Persistence
Create Account: Cloud Account T1136.003 2 rules
- O365 Added Service Principal production
- O365 New Federated Domain Added production
Compromise Host Software Binary T1554 2 rules
- Circle CI Disable Security Job production
- Circle CI Disable Security Step experimental
Stealth
Valid Accounts T1078 1 rule
- GCP Detect gcploit framework experimental
Credential Access
Exploitation for Credential Access T1212 2 rules
- Kubernetes Nginx Ingress LFI production
- Kubernetes Nginx Ingress RFI production
Brute Force T1110 1 rule
- O365 Excessive Authentication Failures Alert production
Discovery
Cloud Service Discovery T1526 4 rules
- Amazon EKS Kubernetes cluster scan detection experimental
- Amazon EKS Kubernetes Pod scan detection experimental
- GCP Kubernetes cluster pod scan detection experimental
- Kubernetes Scanner Image Pulling production
Collection
Email Collection: Email Forwarding Rule T1114.003 3 rules
- O365 Mailbox Email Forwarding Enabled production
- O365 New Email Forwarding Rule Created production
- O365 New Email Forwarding Rule Enabled production
Data from Cloud Storage T1530 3 rules
- Detect GCP Storage access from a new IP experimental
- Detect New Open GCP Storage Buckets experimental
- Detect S3 access from a new IP experimental
Email Collection T1114 2 rules
- O365 New Forwarding Mailflow Rule Created production
- O365 PST export alert production
Email Collection: Remote Email Collection T1114.002 2 rules
- O365 Compliance Content Search Exported production
- O365 Compliance Content Search Started production
Exfiltration
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 1 rule
Transfer Data to Cloud Account T1537 1 rule
- AWS S3 Exfiltration Behavior Identified production
Untagged
Microsoft 365
Resource Development
Initial Access
Phishing: Spearphishing Attachment T1566.001 5 rules
- O365 Email Reported By Admin Found Malicious production
- O365 Email Reported By User Found Malicious production
- O365 Safe Links Detection production
- O365 Threat Intelligence Suspicious Email Delivered production
- O365 ZAP Activity Detection production
Phishing: Spearphishing Link T1566.002 4 rules
- O365 Email Reported By Admin Found Malicious production
- O365 Email Reported By User Found Malicious production
- O365 Threat Intelligence Suspicious Email Delivered production
- O365 ZAP Activity Detection production
Execution
User Execution: Malicious File T1204.002 2 rules
- O365 SharePoint Malware Detection production
- O365 Threat Intelligence Suspicious File Detected production
Persistence
Account Manipulation: Additional Cloud Roles T1098.003 9 rules
- O365 Admin Consent Bypassed by Service Principal production
- O365 Application Available To Other Tenants production
- O365 FullAccessAsApp Permission Assigned production
- O365 High Privilege Role Granted production
- O365 Mailbox Read Access Granted to Application production
- O365 Privileged Role Assigned production
- O365 Privileged Role Assigned To Service Principal production
- O365 Service Principal Privilege Escalation production
- O365 Tenant Wide Admin Consent Granted production
Create Account: Cloud Account T1136.003 6 rules
- O365 Add App Role Assignment Grant User production
- O365 External Guest User Invited production
- O365 External Identity Policy Changed production
- O365 Multiple Service Principals Created by SP production
- O365 Multiple Service Principals Created by User production
- O365 SharePoint Allowed Domains Policy Changed production
Account Manipulation: Additional Email Delegate Permissions T1098.002 4 rules
- O365 Elevated Mailbox Permission Assigned production
- O365 FullAccessAsApp Permission Assigned production
- O365 Mailbox Folder Read Permission Assigned production
- O365 Mailbox Folder Read Permission Granted production
Account Manipulation T1098 1 rule
- O365 Application Registration Owner Added production
Stealth
Indicator Removal: Clear Mailbox Data T1070.008 6 rules
- O365 Email Hard Delete Excessive Volume production
- O365 Email Password and Payroll Compromise Behavior production
- O365 Email Receive and Hard Delete Takeover Behavior production
- O365 Email Send and Hard Delete Exfiltration Behavior production
- O365 Email Send and Hard Delete Suspicious Behavior production
- O365 Email Send Attachments Excessive Volume production
Hide Artifacts: Email Hiding Rules T1564.008 2 rules
- O365 Email New Inbox Rule Created production
- O365 Email Transport Rule Changed production
Valid Accounts T1078 1 rule
Defense Impairment
Modify Authentication Process T1556 2 rules
- O365 Disable MFA production
- O365 Excessive SSO logon errors production
Disable or Modify Tools: Disable or Modify Cloud Log T1685.002 2 rules
- O365 Advanced Audit Disabled production
- O365 Email Security Feature Changed production
Domain or Tenant Policy Modification: Trust Modification T1484.002 1 rule
- O365 Cross-Tenant Access Change production
Credential Access
Unsecured Credentials T1552 2 rules
- O365 Email Suspicious Search Behavior production
- O365 SharePoint Suspicious Search Behavior production
Brute Force T1110 1 rule
Collection
Email Collection: Remote Email Collection T1114.002 7 rules
- O365 Email Access By Security Administrator production
- O365 Email Suspicious Search Behavior production
- O365 Mailbox Inbox Folder Shared with All Users production
- O365 Mailbox Read Access Granted to Application production
- O365 Multiple Mailboxes Accessed via API production
- O365 OAuth App Mailbox Access via EWS production
- O365 OAuth App Mailbox Access via Graph API production
Email Collection: Email Forwarding Rule T1114.003 3 rules
- O365 Email New Inbox Rule Created production
- O365 Email Suspicious Behavior Alert production
- O365 Email Transport Rule Changed production
Data from Cloud Storage T1530 3 rules
- O365 Exfiltration via File Access production
- O365 Exfiltration via File Download production
- O365 Exfiltration via File Sync Download production
Browser Session Hijacking T1185 1 rule
- O365 Concurrent Sessions From Different Ips production
Exfiltration
Exfiltration Over Web Service T1567 5 rules
- O365 DLP Rule Triggered production
- O365 Email Access By Security Administrator production
- O365 Exfiltration via File Access production
- O365 Exfiltration via File Download production
- O365 Exfiltration via File Sync Download production
Exfiltration Over Alternative Protocol T1048 1 rule
- O365 DLP Rule Triggered production
Impact
Data Destruction T1485 6 rules
- O365 Email Hard Delete Excessive Volume production
- O365 Email Password and Payroll Compromise Behavior production
- O365 Email Receive and Hard Delete Takeover Behavior production
- O365 Email Send and Hard Delete Exfiltration Behavior production
- O365 Email Send and Hard Delete Suspicious Behavior production
- O365 Email Send Attachments Excessive Volume production
Google Workspace
Resource Development
Compromise Accounts: Cloud Accounts T1586.003 6 rules
- GCP Authentication Failed During MFA Challenge production
- GCP Multi-Factor Authentication Disabled production
- GCP Multiple Failed MFA Requests For User production
- GCP Multiple Users Failing To Authenticate From Ip production
- GCP Successful Single-Factor Authentication production
- GCP Unusual Number of Failed Authentications From Ip production
Stealth
Valid Accounts: Cloud Accounts T1078.004 3 rules
- GCP Authentication Failed During MFA Challenge production
- GCP Multiple Failed MFA Requests For User production
- GCP Successful Single-Factor Authentication production
Defense Impairment
Credential Access
Okta
Resource Development
Compromise Accounts: Cloud Accounts T1586.003 3 rules
- Okta Authentication Failed During MFA Challenge production
- Okta Successful Single Factor Authentication production
- Okta User Logins from Multiple Cities production
Persistence
Stealth
Valid Accounts T1078 3 rules
- Geographic Improbable Location experimental
- Okta Non-Standard VPN Usage experimental
- Okta Risk Threshold Exceeded production
Valid Accounts: Default Accounts T1078.001 3 rules
- Okta New API Token Created production
- Okta Phishing Detection with FastPass Origin Check experimental
- Okta Suspicious Activity Reported production
Valid Accounts: Cloud Accounts T1078.004 3 rules
- Okta Authentication Failed During MFA Challenge production
- Okta Successful Single Factor Authentication production
- Okta ThreatInsight Threat Detected production
Defense Impairment
Credential Access
Brute Force T1110 3 rules
- Okta MFA Exhaustion Hunt production
- Okta Multiple Accounts Locked Out production
- Okta Risk Threshold Exceeded production
Steal Web Session Cookie T1539 1 rule
- Okta Suspicious Use of a Session Cookie production
Discovery
Account Discovery: Cloud Account T1087.004 2 rules
- Okta IDP Lifecycle Modifications production
- Okta Unauthorized Access to Application production
Cloud Service Dashboard T1538 1 rule
- Okta Multiple Failed Requests to Access Applications experimental
Lateral Movement
Command & Control
Proxy T1090 1 rule
- Okta Non-Standard VPN Usage experimental
Protocol Tunneling T1572 1 rule
- Okta Non-Standard VPN Usage experimental
GitHub
Initial Access
Supply Chain Compromise T1195 18 rules
- GitHub Enterprise Delete Branch Ruleset production
- GitHub Enterprise Disable 2FA Requirement production
- GitHub Enterprise Disable Audit Log Event Stream production
- GitHub Enterprise Disable Classic Branch Protection Rule production
- GitHub Enterprise Disable Dependabot production
- GitHub Enterprise Disable IP Allow List production
- GitHub Enterprise Modify Audit Log Event Stream production
- GitHub Enterprise Pause Audit Log Event Stream production
- GitHub Enterprise Register Self Hosted Runner production
- GitHub Enterprise Remove Organization production
- GitHub Enterprise Repository Archived production
- GitHub Enterprise Repository Deleted production
- GitHub Organizations Delete Branch Ruleset production
- GitHub Organizations Disable 2FA Requirement production
- GitHub Organizations Disable Classic Branch Protection Rule production
- GitHub Organizations Disable Dependabot production
- GitHub Organizations Repository Archived production
- GitHub Organizations Repository Deleted production
Defense Impairment
Disable or Modify Tools T1685 10 rules
- GitHub Enterprise Delete Branch Ruleset production
- GitHub Enterprise Disable 2FA Requirement production
- GitHub Enterprise Disable Classic Branch Protection Rule production
- GitHub Enterprise Disable Dependabot production
- GitHub Enterprise Disable IP Allow List production
- GitHub Enterprise Register Self Hosted Runner production
- GitHub Organizations Delete Branch Ruleset production
- GitHub Organizations Disable 2FA Requirement production
- GitHub Organizations Disable Classic Branch Protection Rule production
- GitHub Organizations Disable Dependabot production
Impact
Data Destruction T1485 5 rules
- GitHub Enterprise Remove Organization production
- GitHub Enterprise Repository Archived production
- GitHub Enterprise Repository Deleted production
- GitHub Organizations Repository Archived production
- GitHub Organizations Repository Deleted production
Kubernetes
Execution
User Execution T1204 7 rules
- Kubernetes Create or Update Privileged Pod production
- Kubernetes DaemonSet Deployed production
- Kubernetes Falco Shell Spawned production
- Kubernetes Node Port Creation production
- Kubernetes Pod Created in Default Namespace production
- Kubernetes Pod With Host Network Attachment production
- Kubernetes Unauthorized Access production
Credential Access
Discovery
Network Service Discovery T1046 2 rules
- Kubernetes Access Scanning production
- Kubernetes Scanning by Unauthenticated IP Address production
Cloud Service Discovery T1526 1 rule
- Kubernetes Suspicious Image Pulling production
Untagged
- Kubernetes AWS detect suspicious kubectl calls experimental
Network
Reconnaissance
Active Scanning: Vulnerability Scanning T1595.002 4 rules
- Cisco Secure Firewall - Blocked Connection production
- Cisco Secure Firewall - High Volume of Intrusion Events Per Host production
- Cisco Secure Firewall - Repeated Blocked Connections production
- Internal Vulnerability Scan experimental
Active Scanning T1595 2 rules
Gather Victim Network Information T1590 1 rule
- Cisco IOS XE Reconnaissance Command Activity production
Resource Development
Develop Capabilities: Malware T1587.001 1 rule
- Cisco Secure Firewall - Possibly Compromised Host experimental
Initial Access
Exploit Public-Facing Application T1190 54 rules
- Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint production
- Adobe ColdFusion Access Control Bypass production
- Adobe ColdFusion Unauthenticated Arbitrary File Read production
- Cisco IOS XE Implant Access production
- Cisco IOS XE Request Platform Package Describe Shell Pattern production
- Cisco IOS XE WebUI Login From IOSd Local Port production
- Cisco IOS XE WebUI Programmatic Configuration production
- Cisco NVM - Webserver Download From File Sharing Website production
- Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity production
- Cisco SD-WAN - Low Frequency Rogue Peer production
- Cisco SD-WAN - Peering Activity production
- Cisco Secure Firewall - High Priority Intrusion Classification production
- Cisco Secure Firewall - Lumma Stealer Activity production
- Cisco Secure Firewall - Oracle E-Business Suite Correlation production
- Cisco Secure Firewall - Oracle E-Business Suite Exploitation production
- Cisco Secure Firewall - React Server Components RCE Attempt production
- Cisco Secure Firewall - Static Tundra Smart Install Abuse production
- Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity production
- Cisco Smart Install Oversized Packet Detection production
- Cisco Smart Install Port Discovery and Status production
- Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure production
- Citrix ADC and Gateway Unauthorized Data Disclosure production
- Citrix ADC Exploitation CVE-2023-3519 production
- Citrix ShareFile Exploitation CVE-2023-24489 production
- Confluence CVE-2023-22515 Trigger Vulnerability production
- Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 production
- Confluence Unauthenticated Remote Code Execution CVE-2022-26134 production
- ConnectWise ScreenConnect Authentication Bypass production
- Detect Outbound LDAP Traffic production
- Detect Zerologon via Zeek experimental
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 production
- F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 production
- Fortinet Appliance Auth bypass production
- HTTP Duplicated Header production
- HTTP Request to Reserved Name on IIS Server production
- Ivanti Connect Secure Command Injection Attempts production
- Ivanti Connect Secure SSRF in SAML Component production
- Ivanti Connect Secure System Information Access via Auth Bypass production
- Ivanti EPM SQL Injection Remote Code Execution production
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 production
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 production
- JetBrains TeamCity Authentication Bypass CVE-2024-27198 production
- JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 production
- JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 production
- JetBrains TeamCity RCE Attempt production
- Juniper Networks Remote Code Execution Exploit Detection production
- PaperCut NG Remote Web Access Attempt production
- SAP NetWeaver Visual Composer Exploitation Attempt production
- VMWare Aria Operations Exploit Attempt production
- VMware Server Side Template Injection Hunt production
- VMware Workspace ONE Freemarker Server-side Template Injection production
- Windows SharePoint Spinstall0 GET Request production
- Windows SharePoint ToolPane Endpoint Exploitation Attempt production
- WS FTP Remote Code Execution production
Hardware Additions T1200 5 rules
- Detect ARP Poisoning experimental
- Detect IPv6 Network Infrastructure Threats experimental
- Detect Port Security Violation experimental
- Detect Rogue DHCP Server experimental
- Detect Traffic Mirroring experimental
Execution
Command and Scripting Interpreter T1059 12 rules
- Cisco IOS XE Guestshell Activation and Destroy production
- Cisco IOS XE Request Platform Package Describe Shell Pattern production
- Cisco NVM - Installation of Typosquatted Python Package production
- Cisco NVM - Suspicious File Download via Headless Browser production
- Cisco Secure Firewall - Binary File Type Download production
- Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt production
- Cisco Secure Firewall - High Volume of Intrusion Events Per Host production
- Cisco Secure Firewall - Possibly Compromised Host experimental
- Cisco Secure Firewall - Privileged Command Execution via HTTP production
- Cisco Secure Firewall - Wget or Curl Download production
- Detect Outbound LDAP Traffic production
- Juniper Networks Remote Code Execution Exploit Detection production
Exploitation for Client Execution T1203 9 rules
- Cisco Secure Firewall - Binary File Type Download production
- Cisco Secure Firewall - Blocked Connection production
- Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt production
- Cisco Secure Firewall - High Priority Intrusion Classification production
- Cisco Secure Firewall - Malware File Downloaded production
- Cisco Secure Firewall - Possibly Compromised Host experimental
- Cisco Secure Firewall - Repeated Blocked Connections production
- Detect Windows DNS SIGRed via Splunk Stream experimental
- Detect Windows DNS SIGRed via Zeek experimental
Scheduled Task/Job: Cron T1053.003 2 rules
- Cisco Isovalent - Cron Job Creation production
- Cisco Secure Firewall - Wget or Curl Download production
User Execution: Malicious Image T1204.003 2 rules
- Cisco Isovalent - Non Allowlisted Image Use production
- Cisco Isovalent - Pods Running Offensive Tools production
Scheduled Task/Job: Container Orchestration Job T1053.007 1 rule
- Cisco Isovalent - Cron Job Creation production
User Execution T1204 1 rule
Persistence
External Remote Services T1133 11 rules
- Cisco Network Interface Modifications production
- Confluence Unauthenticated Remote Code Execution CVE-2022-26134 production
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 production
- F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 production
- Fortinet Appliance Auth bypass production
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 production
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 production
- PaperCut NG Remote Web Access Attempt production
- VMWare Aria Operations Exploit Attempt production
- VMware Server Side Template Injection Hunt production
- VMware Workspace ONE Freemarker Server-side Template Injection production
Create Account T1136 3 rules
Create or Modify System Process T1543 3 rules
- Cisco Isovalent - Late Process Execution production
- Cisco Isovalent - Nsenter Usage in Kubernetes Pod production
- Cisco Isovalent - Shell Execution production
Account Manipulation T1098 2 rules
- Cisco ASA - User Privilege Level Change production
- Cisco Configuration Archive Logging Analysis production
Privilege Escalation
Exploitation for Privilege Escalation T1068 3 rules
- Cisco Isovalent - Kprobe Spike production
- Microsoft SharePoint Server Elevation of Privilege production
- VMWare Aria Operations Exploit Attempt production
Escape to Host T1611 2 rules
- Cisco IOS XE Guestshell Activation and Destroy production
- Cisco Isovalent - Potential Escape to Host production
Stealth
Valid Accounts T1078 6 rules
- Cisco IOS Suspicious Privileged Account Creation production
- Cisco IOS XE WebUI Login From IOSd Local Port production
- Cisco IOS XE WebUI Programmatic Configuration production
- Cisco Privileged Account Creation with HTTP Command Execution production
- Cisco Privileged Account Creation with Suspicious SSH Activity production
- Cisco Secure Firewall - High Priority Intrusion Classification production
Process Injection T1055 3 rules
Valid Accounts: Local Accounts T1078.003 2 rules
- Cisco ASA - New Local User Account Created production
- Cisco ASA - User Privilege Level Change production
BITS Jobs T1197 2 rules
Impair Defenses T1562 2 rules
Masquerading T1036 1 rule
Indicator Removal T1070 1 rule
- Cisco ASA - Logging Message Suppression production
XSL Script Processing T1220 1 rule
Pre-OS Boot: TFTP Boot T1542.005 1 rule
- Detect Software Download To Network Device experimental
Defense Impairment
Modify Authentication Process T1556 15 rules
- Cisco Duo Admin Login Unusual Browser production
- Cisco Duo Admin Login Unusual Country production
- Cisco Duo Admin Login Unusual Os production
- Cisco Duo Bulk Policy Deletion production
- Cisco Duo Bypass Code Generation production
- Cisco Duo Policy Allow Devices Without Screen Lock production
- Cisco Duo Policy Allow Network Bypass 2FA production
- Cisco Duo Policy Allow Old Flash production
- Cisco Duo Policy Allow Old Java production
- Cisco Duo Policy Allow Tampered Devices production
- Cisco Duo Policy Bypass 2FA production
- Cisco Duo Policy Deny Access production
- Cisco Duo Policy Skip 2FA for Other Countries production
- Cisco Duo Set User Status to Bypass 2FA production
- Cisco Network Interface Modifications production
Disable or Modify Tools T1685 5 rules
- Cisco ASA - Core Syslog Message Volume Drop production
- Cisco ASA - Logging Disabled via CLI production
- Cisco ASA - Logging Filters Configuration Tampering production
- Cisco Configuration Archive Logging Analysis production
- Cisco SNMP Community String Configuration Changes production
Rogue Domain Controller T1207 2 rules
- Windows AD Replication Service Traffic experimental
- Windows AD Rogue Domain Controller Network Activity experimental
Credential Access
Adversary-in-the-Middle: ARP Cache Poisoning T1557.002 3 rules
- Detect ARP Poisoning experimental
- Detect IPv6 Network Infrastructure Threats experimental
- Detect Port Security Violation experimental
Network Sniffing T1040 2 rules
- Cisco ASA - Packet Capture Activity production
- Cisco SNMP Community String Configuration Changes production
Brute Force T1110 2 rules
Unsecured Credentials T1552 2 rules
- Cisco SNMP Community String Configuration Changes production
- Windows SharePoint Spinstall0 GET Request production
Adversary-in-the-Middle T1557 2 rules
- Cisco ASA - Packet Capture Activity production
- Detect Rogue DHCP Server experimental
OS Credential Dumping T1003 1 rule
OS Credential Dumping: DCSync T1003.006 1 rule
- Windows AD Replication Service Traffic experimental
Discovery
Network Service Discovery T1046 7 rules
- Cisco IOS XE Remote Access Probe Burst production
- Cisco Secure Firewall - Blocked Connection production
- Cisco Secure Firewall - Repeated Blocked Connections production
- Internal Horizontal Port Scan production
- Internal Horizontal Port Scan NMAP Top 20 production
- Internal Vertical Port Scan production
- Internal Vulnerability Scan experimental
Remote System Discovery T1018 3 rules
- Cisco IOS XE Remote Access Probe Burst production
- Cisco Secure Firewall - Blocked Connection production
- Cisco Secure Firewall - Repeated Blocked Connections production
System Information Discovery T1082 2 rules
- Cisco ASA - Reconnaissance Command Activity production
- Cisco IOS XE Reconnaissance Command Activity production
Lateral Movement
Remote Services: SSH T1021.004 5 rules
- Cisco IOS XE Remote Access Probe Burst production
- Cisco Privileged Account Creation with HTTP Command Execution production
- Cisco Privileged Account Creation with Suspicious SSH Activity production
- Cisco Secure Firewall - SSH Connection to Non-Standard Port production
- Cisco Secure Firewall - SSH Connection to sshd_operns production
Remote Services T1021 3 rules
- Cisco IOS XE VTY Access Class Tampering production
- Cisco Network Interface Modifications production
- Cisco Secure Firewall - Communication Over Suspicious Ports production
Remote Services: SMB/Windows Admin Shares T1021.002 1 rule
- SMB Traffic Spike experimental
Collection
Data from Local System T1005 3 rules
- Cisco ASA - Device File Copy Activity production
- Cisco ASA - Device File Copy to Remote Location production
- Cisco TFTP Server Configuration for Data Exfiltration production
Data from Cloud Storage T1530 1 rule
- Cisco ASA - Device File Copy Activity production
Command & Control
Ingress Tool Transfer T1105 12 rules
- Cisco Isovalent - Curl Execution With Insecure Flags production
- Cisco NVM - Suspicious File Download via Headless Browser production
- Cisco NVM - Webserver Download From File Sharing Website production
- Cisco Secure Firewall - Communication Over Suspicious Ports production
- Cisco Secure Firewall - Connection to File Sharing Domain production
- Cisco Secure Firewall - File Download Over Uncommon Port production
- Cisco Secure Firewall - High EVE Threat Confidence production
- Cisco Secure Firewall - Malware File Downloaded production
- Cisco Secure Firewall - Repeated Malware Downloads production
- Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts production
- Cisco Secure Firewall - Wget or Curl Download production
- Juniper Networks Remote Code Execution Exploit Detection production
Application Layer Protocol: Web Protocols T1071.001 11 rules
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
- Cisco Secure Firewall - Connection to File Sharing Domain production
- Cisco Secure Firewall - High EVE Threat Confidence production
- Cisco Secure Firewall - Wget or Curl Download production
- HTTP C2 Framework User Agent production
- HTTP Duplicated Header production
- HTTP Malware User Agent production
- HTTP Possible Request Smuggling production
- HTTP PUA User Agent production
- HTTP Request to Reserved Name on IIS Server production
- HTTP RMM User Agent production
Remote Access Tools T1219 5 rules
- Cisco Secure Firewall - Communication Over Suspicious Ports production
- Cisco Secure Firewall - Remote Access Software Usage Traffic production
- Detect Remote Access Software Usage Traffic production
- Detect Remote Access Software Usage URL production
- HTTP RMM User Agent production
Encrypted Channel: Asymmetric Cryptography T1573.002 5 rules
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
- Cisco Secure Firewall - High EVE Threat Confidence production
- Cisco Secure Firewall - Intrusion Events by Threat Activity production
- Cisco Secure Firewall - Lumma Stealer Download Attempt production
- Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt production
Non-Standard Port T1571 3 rules
Application Layer Protocol T1071 2 rules
Proxy: Multi-hop Proxy T1090.003 2 rules
- Cisco SA - Access to Anonymizer Services production
- TOR Traffic production
Encrypted Channel T1573 2 rules
- SSL Certificates with Punycode experimental
- Zeek x509 Certificate with Punycode experimental
Application Layer Protocol: File Transfer Protocols T1071.002 1 rule
- Detect Outbound SMB Traffic production
Application Layer Protocol: DNS T1071.004 1 rule
- Excessive DNS Failures experimental
Proxy T1090 1 rule
- Cisco IOS XE Tunnel Interface Configuration production
Non-Application Layer Protocol T1095 1 rule
- Detect Large ICMP Traffic production
Protocol Tunneling T1572 1 rule
- Cisco IOS XE Tunnel Interface Configuration production
Exfiltration
Exfiltration Over C2 Channel T1041 7 rules
- Cisco ASA - Device File Copy to Remote Location production
- Cisco Secure Firewall - High EVE Threat Confidence production
- Cisco Secure Firewall - Intrusion Events by Threat Activity production
- Cisco Secure Firewall - Lumma Stealer Download Attempt production
- Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt production
- Cisco Secure Firewall - Potential Data Exfiltration production
- Detect SNICat SNI Exfiltration experimental
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 3 rules
- Cisco ASA - Device File Copy to Remote Location production
- Cisco Secure Firewall - Potential Data Exfiltration production
- Protocol or Port Mismatch production
Automated Exfiltration: Traffic Duplication T1020.001 1 rule
- Detect Traffic Mirroring experimental
Impact
Network Denial of Service T1498 5 rules
- Detect ARP Poisoning experimental
- Detect IPv6 Network Infrastructure Threats experimental
- Detect Port Security Violation experimental
- Detect Rogue DHCP Server experimental
- Detect Traffic Mirroring experimental
Network Denial of Service: Reflection Amplification T1498.002 1 rule
- Large Volume of DNS ANY Queries experimental
Untagged
- Cisco AI Defense Security Alerts by Application Name production
- Cisco Secure Firewall - Bits Network Activity production
- Detect Unauthorized Assets by MAC address experimental
- F5 TMUI Authentication Bypass production
- Protocols passing authentication in cleartext production
Web
Reconnaissance
Active Scanning T1595 1 rule
- HTTP Rapid POST with Mixed Status Codes production
Initial Access
Exploit Public-Facing Application T1190 23 rules
- Confluence Data Center and Server Privilege Escalation production
- CrushFTP Authentication Bypass Exploitation production
- Detect F5 TMUI RCE CVE-2020-5902 experimental
- Exploit Public Facing Application via Apache Commons Text production
- HTTP Rapid POST with Mixed Status Codes production
- Hunting for Log4Shell production
- Java Class File download by Java User Agent production
- Jenkins Arbitrary File Read CVE-2024-23897 production
- Log4Shell JNDI Payload Injection Attempt production
- Log4Shell JNDI Payload Injection with Outbound Connection production
- Nginx ConnectWise ScreenConnect Authentication Bypass production
- ProxyShell ProxyNotShell Behavior Detected production
- Spring4Shell Payload URL Request production
- SQL Injection with Long URLs experimental
- Tomcat Session Deserialization Attempt production
- Tomcat Session File Upload Attempt production
- Web JSP Request via URL production
- Web Remote ShellServlet Access production
- Web Spring Cloud Function FunctionRouter production
- Web Spring4Shell HTTP Request Class Module production
- Windows Exchange Autodiscover SSRF Abuse production
- Windows IIS Server PSWA Console Access production
- WordPress Bricks Builder plugin RCE production
Phishing T1566 12 rules
- Zscaler Adware Activities Threat Blocked production
- Zscaler Behavior Analysis Threat Blocked production
- Zscaler CryptoMiner Downloaded Threat Blocked production
- Zscaler Employment Search Web Activity production
- Zscaler Exploit Threat Blocked production
- Zscaler Legal Liability Threat Blocked production
- Zscaler Malware Activity Threat Blocked production
- Zscaler Phishing Activity Threat Blocked production
- Zscaler Potentially Abused File Download production
- Zscaler Privacy Risk Destinations Threat Blocked production
- Zscaler Scam Destinations Threat Blocked production
- Zscaler Virus Download threat blocked production
Execution
Persistence
External Remote Services T1133 12 rules
- Detect attackers scanning for vulnerable JBoss servers experimental
- Exploit Public Facing Application via Apache Commons Text production
- Hunting for Log4Shell production
- Log4Shell JNDI Payload Injection Attempt production
- Log4Shell JNDI Payload Injection with Outbound Connection production
- ProxyShell ProxyNotShell Behavior Detected production
- Spring4Shell Payload URL Request production
- Supernova Webshell experimental
- Web JSP Request via URL production
- Web Spring Cloud Function FunctionRouter production
- Web Spring4Shell HTTP Request Class Module production
- Windows Exchange Autodiscover SSRF Abuse production
Server Software Component: Web Shell T1505.003 6 rules
- Exploit Public Facing Application via Apache Commons Text production
- Spring4Shell Payload URL Request production
- Supernova Webshell experimental
- Tomcat Session Deserialization Attempt production
- Tomcat Session File Upload Attempt production
- Web JSP Request via URL production
Credential Access
Discovery
Command & Control
Application Layer Protocol: Web Protocols T1071.001 2 rules
- HTTP Rapid POST with Mixed Status Codes production
- HTTP Scripting Tool User Agent production
Exfiltration
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 2 rules
- Multiple Archive Files Http Post Traffic production
- Plain HTTP POST Exfiltrated Data production
Exfiltration Over Web Service T1567 1 rule
- High Volume of Bytes Out to Url production
Untagged
- Detect malicious requests to exploit JBoss servers experimental
- Monitor Web Traffic For Brand Abuse experimental
- Unusually Long Content-Type Length experimental
Application
Reconnaissance
Active Scanning T1595 1 rule
- Ollama Possible API Endpoint Scan Reconnaissance experimental
Initial Access
Exploit Public-Facing Application T1190 5 rules
- CrushFTP Server Side Template Injection production
- Ivanti VTM New Account Creation production
- Ollama Possible RCE via Model Loading experimental
- Ollama Suspicious Prompt Injection Jailbreak experimental
- Suspicious Java Classes experimental
Phishing: Spearphishing Attachment T1566.001 2 rules
- Email Attachments With Lots Of Spaces experimental
- Suspicious Email Attachment Extensions experimental
Execution
Command and Scripting Interpreter T1059 3 rules
- MCP Filesystem Server Suspicious Extension Write production
- MCP Prompt Injection production
- Ollama Suspicious Prompt Injection Jailbreak experimental
Persistence
Stealth
Valid Accounts T1078 4 rules
- M365 Copilot Application Usage Pattern Anomalies production
- M365 Copilot Session Origin Anomalies production
- PingID Multiple Failed MFA Requests For User production
- Zoom High Video Latency experimental
Masquerading: Masquerade File Type T1036.008 1 rule
- Email Attachments With Lots Of Spaces experimental
Defense Impairment
Disable or Modify Tools T1685 5 rules
- M365 Copilot Agentic Jailbreak Attack experimental
- M365 Copilot Impersonation Jailbreak Attack experimental
- M365 Copilot Information Extraction Jailbreak Attack experimental
- M365 Copilot Jailbreak Attempts experimental
- M365 Copilot Non Compliant Devices Accessing M365 Copilot production
Credential Access
Multi-Factor Authentication Request Generation T1621 3 rules
- PingID Mismatch Auth Source and Verification Response production
- PingID Multiple Failed MFA Requests For User production
- PingID New MFA Method Registered For User production
Brute Force T1110 2 rules
- M365 Copilot Failed Authentication Patterns production
- PingID Multiple Failed MFA Requests For User production
Unsecured Credentials: Credentials In Files T1552.001 2 rules
- MCP Github Suspicious Operation production
- MCP Sensitive System File Search production
Credentials from Password Stores T1555 1 rule
- MCP Postgres Suspicious Query production
Collection
Audio Capture T1123 3 rules
- Zoom Rare Audio Devices experimental
- Zoom Rare Input Devices experimental
- Zoom Rare Video Devices experimental
Command & Control
Non-Standard Port T1571 1 rule
- Ollama Abnormal Network Connectivity experimental
Exfiltration
Impact
Service Stop T1489 1 rule
- Ollama Abnormal Service Crash Availability Attack experimental
Network Denial of Service T1498 1 rule
- Ollama Excessive API Requests experimental
Endpoint Denial of Service T1499 1 rule
- Ollama Possible Memory Exhaustion Resource Abuse experimental
Untagged
- Detect New Login Attempts to Routers experimental
- Monitor Email For Brand Abuse experimental
- No Windows Updates in a time frame experimental
- Splunk AppDynamics Secure Application Alerts production