Detection | Log Type | Type | Description |
---|---|---|---|
1Password Login From CrowdStrike Unmanaged Device | Crowdstrike.AIDMaster OnePassword.SignInAttempt | Scheduled Rule | Detects 1Password logins from IP addresses not found in CrowdStrike's AIP list. May indicate that an unmanaged device is being used, or a faulty CrowdStrike sensor. |
1Password Login From CrowdStrike Unmanaged Device Query | Crowdstrike.AIDMaster OnePassword.SignInAttempt | Scheduled Query | Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List. |
1Password Login From CrowdStrike Unmanaged Device Query (crowdstrike_fdrevent table) | Crowdstrike.FDREvent OnePassword.SignInAttempt | Scheduled Query | Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List. (crowdstrike_fdrevent table) |
A backdoored version of XZ or liblzma is vulnerable to CVE-2024-3094 | Osquery.Differential | Rule | Detects vulnerable versions of XZ and liblzma on Linux and macOS using osquery logs. Versions 5.6.0 and 5.6.1 of xz and liblzma are the releases that carry the backdoor. The osquery vuln-management pack must be enabled: https://github.com/osquery/osquery/blob/master/packs/vuln-management.conf |
A CloudTrail Was Created or Updated | AWS.CloudTrail | Rule | A CloudTrail Trail was created, updated, or enabled. |
A Login from Outside the Corporate Office | Osquery.Differential | Rule | A system has been logged into from a non-approved IP space. |
A long-lived cert was created | Gravitational.TeleportAudit | Rule | An unusually long-lived Teleport certificate was created |
A SAML Connector was created or modified | Gravitational.TeleportAudit | Rule | A SAML connector was created or modified |
A Teleport Lock was created | Gravitational.TeleportAudit | Rule | A Teleport Lock was created |
A Teleport Role was modified or created | Gravitational.TeleportAudit | Rule | A Teleport Role was modified or created |
A user authenticated with SAML, but from an unknown company domain | Gravitational.TeleportAudit | Rule | A user authenticated with SAML, but from an unknown company domain |
A User from the company domain(s) Logged in without SAML | Gravitational.TeleportAudit | Rule | A User from the company domain(s) Logged in without SAML |
A User Role with Sensitive Permissions has been Created | Panther.Audit | Rule | A Panther user role has been created that contains admin level permissions. |
A User's Panther Account was Modified | Panther.Audit | Rule | A Panther user's account has been modified. This could mean the user's password, email, or role has changed. |
Account Security Configuration Changed | AWS.CloudTrail | Rule | An account wide security configuration was changed. |
Action Performed by Netskope Personnel | Netskope.Audit | Rule | An action was performed by Netskope personnel. |
Admin logged out because of successive login failures | Netskope.Audit | Rule | An admin was logged out because of successive login failures. |
Admin Role Assigned | Asana.Audit Atlassian.Audit GCP.AuditLog GSuite.Reports GitHub.Audit OneLogin.Events Zendesk.Audit | Rule | Assigning an admin role manually could be a sign of privilege escalation |
Amazon Machine Image (AMI) Modified to Allow Public Access | AWS.CloudTrail | Rule | An Amazon Machine Image (AMI) was modified to allow it to be launched by anyone. Any sensitive configuration or application data stored in the AMI's block devices is at risk. |
An administrator account was created, deleted, or modified. | Netskope.Audit | Rule | An administrator account was created, deleted, or modified. |
Anomalous AccessDenied Requests | AWS.CloudTrail | Scheduled Query | ARNs with a high Access Denied error rate could indicate an error or compromised credentials attempting to perform reconnaissance. |
AppOmni Alert Passthrough | AppOmni.Alerts | Rule | |
Asana Service Account Created | Asana.Audit | Rule | An Asana service account was created by someone in your organization. |
Asana Team Privacy Public | Asana.Audit | Rule | An Asana team's privacy setting was changed to public to the organization (not public to internet) |
Asana Workspace Default Session Duration Never | Asana.Audit | Rule | An Asana workspace's default session duration (how often users need to re-authenticate) has been changed to never. |
Asana Workspace Email Domain Added | Asana.Audit | Rule | A new email domain has been added to an Asana workspace. Reviewer should validate that the new domain is a part of the organization. |
Asana Workspace Form Link Auth Requirement Disabled | Asana.Audit | Rule | An Asana Workspace Form Link is a unique URL that allows you to create a task directly within a specific Workspace or Project in Asana, using a web form. Disabling authentication requirements may allow unauthorized users to create tasks. |
Asana Workspace Guest Invite Permissions Anyone | Asana.Audit | Rule | Typically inviting guests to Asana is permitted by few users. Enabling anyone to invite guests can potentially lead to unauthorized users gaining access to Asana. |
Asana Workspace New Admin | Asana.Audit | Rule | Admin role was granted to the user who previously did not have admin permissions |
Asana Workspace Org Export | Asana.Audit | Rule | An Asana user started an org export. |
Asana Workspace Password Requirements Simple | Asana.Audit | Rule | An Asana user made your organization's password requirements less strict. |
Asana Workspace Require App Approvals Disabled | Asana.Audit | Rule | An Asana user turned off app approval requirements for an application type for your organization. |
Asana Workspace SAML Optional | Asana.Audit | Rule | An Asana user made SAML optional for your organization. |
Atlassian admin impersonated another user | Atlassian.Audit | Rule | Reports when an Atlassian user logs in (impersonates) another user. |
Auth0 CIC Credential Stuffing | Auth0.Events | Rule | Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. |
Auth0 CIC Credential Stuffing Query | Auth0.Events | Saved Query | Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks |
Auth0 Custom Role Created | Auth0.Events | Rule | An Auth0 User created a role in your organization's tenant. |
Auth0 Integration Installed | Auth0.Events | Rule | An Auth0 integration was installed from the Auth0 action library. |
Auth0 mfa factor enabled | Auth0.Events | Rule | An Auth0 user enabled an MFA factor in your organization's MFA settings. |
Auth0 MFA Policy Disabled | Auth0.Events | Rule | An Auth0 User disabled MFA for your organization's tenant. |
Auth0 MFA Policy Enabled | Auth0.Events | Rule | An Auth0 User enabled MFA Policy for your organization's tenant. |
Auth0 MFA Risk Assessment Disabled | Auth0.Events | Rule | An Auth0 user disabled the MFA risk assessment setting for your organization's tenant. |
Auth0 MFA Risk Assessment Enabled | Auth0.Events | Rule | An Auth0 user enabled the MFA risk assessment setting for your organization's tenant. |
Auth0 Post Login Action Flow Updated | Auth0.Events | Rule | An Auth0 User updated a post login action flow for your organization's tenant. |
Auth0 User Invitation Created | Auth0.Events | Rule | |
Auth0 User Joined Tenant | Auth0.Events | Rule | User accepted invitation from Auth0 member to join an Auth0 tenant. |
AWS Access Key Rotation | AWS.IAM.RootUser AWS.IAM.User | Policy | This policy validates that AWS IAM account access keys are rotated every 90 days. Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. |
AWS Access Key Uploaded to Github | AWS.CloudTrail | Rule | A user's static AWS API key was uploaded to a public GitHub repository. |
AWS Access Keys At Account Creation | AWS.IAM.RootUser AWS.IAM.User | Policy | This policy validates that AWS IAM user accounts do not have access keys that were created during account creation. This results in excess keys being generated, and unnecessary management work in auditing and rotating these keys. |
AWS ACM Certificate Expiration | AWS.ACM.Certificate | Policy | This policy flags ACM certificates that are approaching expiration. ACM starts trying to renew a certificate 60 days before it expires and retries every hour, so a certificate that is still unrenewed inside that window needs attention. |
AWS ACM Certificate Status | AWS.ACM.Certificate | Policy | This policy checks if an ACM certificate renewal is pending or has failed and is in use by any other resources within the account. |
AWS ACM Secure Algorithms | AWS.ACM.Certificate | Policy | This policy validates that all ACM certificates are using secure key and signature algorithms. |
AWS AMI Sharing | AWS.EC2.AMI | Policy | This policy ensures that AMIs you have created are not configured to allow public access, which could expose any data stored in the image. AMIs that you use but do not own are not evaluated by this policy. |
AWS Application Load Balancer Web ACL | AWS.ELBV2.ApplicationLoadBalancer | Policy | This policy validates that all application load balancers have an associated Web ACL to enforce protections against various web attacks. |
AWS Authentication from CrowdStrike Unmanaged Device | AWS.CloudTrail Crowdstrike.AIDMaster | Scheduled Query | Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List |
AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table) | AWS.CloudTrail Crowdstrike.FDREvent | Scheduled Query | Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List |
AWS CDE EC2 Volume Encryption | AWS.EC2.Volume | Policy | This policy ensures that all EC2 volumes that contain CDE are encrypted. Be sure to configure CDE definitions before enabling this policy. |
AWS CloudFormation Stack Drift | AWS.CloudFormation.Stack | Policy | A stack has drifted from its defined configuration. |
AWS CloudFormation Stack IAM Service Role | AWS.CloudFormation.Stack | Policy | Associating IAM roles with CloudFormation stacks ensures least privilege when making changes to your account. |
AWS CloudFormation Stack Termination Protection | AWS.CloudFormation.Stack | Policy | Protects a CloudFormation stack from accidentally being deleted. If you attempt to delete a stack with termination protection enabled, the deletion fails and the stack, including its status, will remain unchanged. |
AWS CloudTrail Account Discovery | AWS.CloudTrail | Rule | Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior. |
AWS CloudTrail CloudWatch Logs | AWS.CloudTrail | Policy | CloudTrail supports sending data and management events to CloudWatch Logs. This setup can be used for real-time processing of all CloudTrail data events. |
AWS CloudTrail Least Privilege Access | AWS.IAM.Group | Policy | Users with permissions to disable or reconfigure CloudTrail should be limited. |
AWS CloudTrail Log Encryption | AWS.CloudTrail | Policy | This policy validates that CloudTrail Logs are encrypted at rest with customer managed KMS key. |
AWS CloudTrail Log Validation | AWS.CloudTrail | Policy | This policy ensures that CloudTrail logs have file integrity validation enabled. |
AWS CloudTrail Management Events Enabled | AWS.CloudTrail.Meta | Policy | This policy ensures that at least one CloudTrail has management (control plane) operations logged. |
AWS CloudTrail Password Policy Discovery | AWS.CloudTrail | Rule | This detection looks for *AccountPasswordPolicy events in AWS CloudTrail logs. If these events occur in a short period of time from the same ARN, it could constitute Password Policy reconnaissance. |
AWS CloudTrail S3 Bucket Access Logging | AWS.CloudTrail | Policy | This policy validates that the bucket receiving CloudTrail Logs is configured with S3 Access Logging. This audits all creation, modification, or deletion to CloudTrail audit logs. |
AWS CloudTrail S3 Bucket Public | AWS.CloudTrail | Policy | This policy validates that CloudTrail S3 buckets are not publicly accessible. |
AWS CloudWatch Log Encryption | AWS.CloudWatch.LogGroup | Policy | AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect especially sensitive log data. |
AWS CloudWatch Logs Data Retention | AWS.CloudWatch.LogGroup | Policy | By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a specific retention period. |
AWS command executed on the command line | Osquery.Differential | Rule | An AWS command was executed on a Linux instance |
AWS Compromised IAM Key Quarantine | AWS.CloudTrail | Rule | Detects when an IAM user has the AWSCompromisedKeyQuarantineV2 policy attached to their account. |
AWS Config Global Resources | AWS.Config.Recorder.Meta | Policy | You can have AWS Config record supported types of global resources, such as IAM users, groups, roles, and customer managed policies. |
AWS Config Recording Status | AWS.Config.Recorder | Policy | This policy ensures that the config recorder is operational and capturing changes to your account without error. |
AWS Config Records All Resource Types | AWS.Config.Recorder | Policy | This policy ensures that you have a comprehensive configuration audit in place for all resource types in AWS. |
AWS Config Service Created | AWS.CloudTrail | Rule | An AWS Config Recorder or Delivery Channel was created |
AWS Config Service Disabled | AWS.CloudTrail | Rule | An AWS Config Recorder or Delivery Channel was disabled or deleted |
AWS Config Status | AWS.Config.Recorder | Policy | This policy ensures that the config recorder is operational and capturing changes to your account. |
AWS Console Login | AWS.CloudTrail | Rule | |
AWS Console Sign-In NOT PRECEDED BY Okta Redirect | AWS.CloudTrail Okta.SystemLog | Correlation Rule | A user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta, both log sources configured, and Actor Profiles enabled. |
AWS DNS Crypto Domain | AWS.VPCDns OCSF.DnsActivity | Rule | Identifies clients that may be performing DNS lookups associated with common currency mining pools. |
AWS DynamoDB Table Autoscaling | AWS.DynamoDB.Table | Policy | DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic |
AWS DynamoDB Table Autoscaling Configuration | AWS.DynamoDB.Table | Policy | DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic |
AWS DynamoDB Table TTL | AWS.DynamoDB.Table | Policy | This policy validates that all DynamoDB tables have a TTL field configured. |
AWS EC2 AMI Approved Host | AWS.EC2.Instance | Policy | Checks that AWS EC2 AMIs are only launched on approved dedicated hosts. |
AWS EC2 AMI Approved Instance Type | AWS.EC2.Instance | Policy | This policy ensures that the EC2 instance is running with an instance type approved for its AMI. |
AWS EC2 AMI Approved Tenancy | AWS.EC2.Instance | Policy | This policy ensures that the EC2 instance was launched with a tenancy approved for its AMI. |
AWS EC2 EBS Encryption Disabled | AWS.CloudTrail | Rule | Identifies disabling of default EBS encryption. Disabling default encryption does not change the encryption status of existing volumes. |
AWS EC2 Image Monitoring | AWS.CloudTrail | Rule | Checks CloudTrail for occurrences of EC2 Image Actions. |
AWS EC2 Instance Approved AMI | AWS.EC2.Instance | Policy | This policy ensures the given EC2 instance is running an AMI from the approved list of AMIs. |
AWS EC2 Instance Approved Host | AWS.EC2.Instance | Policy | This policy ensures the given EC2 Instance is running on an approved dedicated host. |
AWS EC2 Instance Approved Instance Type | AWS.EC2.Instance | Policy | This policy ensures that the EC2 instance is running on one of the approved instance types. |
AWS EC2 Instance Approved Tenancy | AWS.EC2.Instance | Policy | This policy ensures the given EC2 Instance is running with an approved tenancy option. The possible tenancy options are dedicated, host, and default. |
AWS EC2 Instance Approved VPC | AWS.EC2.Instance | Policy | This policy ensures that the given EC2 Instance is running in an approved VPC. |
AWS EC2 Instance Detailed Monitoring | AWS.EC2.Instance | Policy | This policy ensures that the AWS Instance has Detailed Monitoring Enabled |
AWS EC2 Instance EBS Optimization | AWS.EC2.Instance | Policy | This policy ensures EBS optimization is enabled for the given EC2 instance, if applicable. |
AWS EC2 Manual Security Group Change | AWS.CloudTrail | Rule | An EC2 security group was manually updated without abiding by the organization's accepted processes. This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS. |
AWS EC2 Startup Script Change | AWS.CloudTrail | Rule | Detects changes to an EC2 instance's startup script (user data). The script runs as root on Linux or SYSTEM on Windows at instance boot, so an attacker who can modify it gains code execution with full privileges on the instance. |
AWS EC2 Traffic Mirroring | AWS.CloudTrail | Rule | This rule captures multiple traffic mirroring events in AWS Cloudtrail. |
AWS EC2 Volume Encryption | AWS.EC2.Volume | Policy | You can encrypt both the boot and data volumes of an EC2 instance. |
AWS EC2 Volume Snapshot Encryption | AWS.EC2.Volume | Policy | You can encrypt the snapshot of an EC2 volume to protect its contents from unauthorized access if the snapshot is shared or copied. |
AWS EC2 Vulnerable XZ Image Launched | AWS.CloudTrail | Rule | Detecting EC2 instances launched with AMIs containing potentially vulnerable versions of XZ (CVE-2024-3094) |
AWS ECR Events | AWS.CloudTrail | Rule | An ECR event occurred outside of an expected account or region |
AWS ELB SSL Policies | AWS.ELBV2.ApplicationLoadBalancer | Policy | Ensures that deprecated TLS versions are not supported in internet-facing load balancers |
AWS Enforces SSL Policies | AWS.ELBV2.ApplicationLoadBalancer | Policy | This policy validates that ELBV2 load balancer listeners are using an SSL policy. |
AWS GuardDuty Enabled | AWS.GuardDuty.Detector.Meta | Policy | GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. |
AWS GuardDuty High Severity Finding | AWS.GuardDuty | Rule | A high-severity GuardDuty finding has been identified. |
AWS GuardDuty Low Severity Finding | AWS.GuardDuty | Rule | A low-severity GuardDuty finding has been identified. |
AWS GuardDuty Master Account | AWS.GuardDuty.Detector | Policy | Ensure that all GuardDuty logs are sending into a single Master account. This is a best practice for centralizing detection logic and useful data during an investigation. |
AWS GuardDuty Medium Severity Finding | AWS.GuardDuty | Rule | A medium-severity GuardDuty finding has been identified. |
AWS IAM Group Read Only Events | AWS.CloudTrail | Rule | This rule captures multiple read/list events related to IAM group management in AWS Cloudtrail. |
AWS IAM Group Users | AWS.IAM.Group | Policy | This policy ensures that all IAM groups have at least one IAM user. If they are vacant, they should be deleted. |
AWS IAM Password Unused | AWS.IAM.User | Policy | This policy validates IAM users with console passwords have logged in within the past 90 days. |
AWS IAM Policy Administrative Privileges | AWS.IAM.Policy | Policy | This policy validates that there are no IAM policies that grant full administrative privileges to IAM users or groups. |
AWS IAM Policy Assigned to User | AWS.IAM.User | Policy | This policy validates that there are no IAM policies assigned directly to users. Best practice suggests assigning to an IAM group and placing users within that group. |
AWS IAM Policy Blocklist | AWS.IAM.Group AWS.IAM.Role AWS.IAM.User | Policy | This policy detects the use of highly permissive IAM policies that should be attached to only a small number of users, roles, or groups. |
AWS IAM Policy Does Not Grant Any Administrative Access | AWS.IAM.Policy | Policy | This policy validates that no IAM policies grant admin access. This should be combined with suppressions on the legitimate IAM admin policies in your account so that it only fires when new and unexpected policies granting admin access are created. |
AWS IAM Policy Does Not Grant Network Admin Access | AWS.IAM.Policy | Policy | This policy validates that no IAM policies grant admin privileges on network resources. This should be used in conjunction with suppressions for the legitimate network admin policies in your account. |
AWS IAM Policy Role Mapping | AWS.IAM.Policy | Policy | This policy validates that policies that have been explicitly configured to be set to certain roles are still attached to those roles. |
AWS IAM Resource Does Not Have Inline Policy | AWS.IAM.Group AWS.IAM.User | Policy | This policy validates that no IAM entities have inline policies assigned. Inline policies are more difficult to administer and audit, and may lead to access that lasts longer than intended. |
AWS IAM Role Grants (permission) to Non-organizational Account | AWS.IAM.Role | Policy | This policy validates that IAM roles that grant the (specified) permission do not allow accounts outside the organization to assume them. |
AWS IAM Role Restricts Usage | AWS.IAM.Role | Policy | This policy validates that IAM roles in the account are restrictive in what entities may assume them. This can help prevent malicious actors from assuming roles they should not be assuming. |
AWS IAM User MFA | AWS.IAM.User | Policy | This policy validates that all AWS IAM users with access to the AWS Console have Multi-Factor Authentication (MFA) enabled. |
AWS IAM User Not In Conflicting Groups | AWS.IAM.User | Policy | This policy validates that IAM users are not in IAM groups that are considered mutually exclusive. For example, in some workflows developers are responsible for dev environments and sysadmins are responsible for prod environments. In this situation no (or very few) users should be in both the sysadmin and developer groups. This follows the principle of least privilege. |
AWS KMS CMK Key Rotation | AWS.KMS.Key | Policy | This policy validates that customer master keys (CMKs) have automatic key rotation enabled. |
AWS KMS Key Restricts Usage | AWS.KMS.Key | Policy | This policy validates that KMS Keys restrict what entities can use them and how. This is to ensure that encryption keys are limited in who can use them in order to prevent unapproved decryption. |
AWS Macie Disabled/Updated | AWS.CloudTrail | Rule | Amazon Macie is a data security and data privacy service to discover and protect sensitive data. Security teams use Macie to detect open S3 Buckets that could have potentially sensitive data in it along with policy violations, such as missing Encryption. If an attacker disables Macie, it could potentially hide data exfiltration. |
AWS Modify Cloud Compute Infrastructure | AWS.CloudTrail | Rule | Detection when EC2 compute infrastructure is modified outside of expected automation methods. |
AWS Network ACL Overly Permissive Entry Created | AWS.CloudTrail | Rule | A Network ACL entry that allows access from anywhere was added. |
AWS Network ACL Restricts Inbound Traffic | AWS.EC2.NetworkACL | Policy | This policy validates that Network ACLs restrict inbound traffic in some way. |
AWS Network ACL Restricts Insecure Protocols | AWS.EC2.NetworkACL | Policy | This policy validates that Network ACLs block the usage of ports typically associated with insecure or unencrypted protocols. |
AWS Network ACL Restricts Outbound Traffic | AWS.EC2.NetworkACL | Policy | This policy validates that Network ACLs have some restrictions on outbound traffic. |
AWS Network ACL Restricts SSH | AWS.EC2.NetworkACL | Policy | SSH access should only be granted from protected network CIDR ranges. |
AWS Password Policy Complexity Guidelines | AWS.PasswordPolicy | Policy | This policy validates that the account password policy enforces the recommended password complexity requirements. |
AWS Password Policy Password Age Limit | AWS.PasswordPolicy | Policy | This policy validates that the account password policy enforces a maximum password age of 90 days or less. |
AWS Password Policy Password Reuse | AWS.PasswordPolicy | Policy | This policy validates that the account password policy prevents users from re-using previous passwords, and prevents password reuse for 24 or more prior passwords. |
AWS Potentially Stolen Service Role | AWS.CloudTrail | Scheduled Query | A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role. |
AWS Privilege Escalation Via User Compromise | AWS.CloudTrail | Correlation Rule | |
AWS Public RDS Restore | AWS.CloudTrail | Rule | Detects the recovery of a new public database instance from a snapshot. It may be part of data exfiltration. |
AWS RDS Instance Backup | AWS.RDS.Instance | Policy | This policy ensures that RDS instances have backups enabled. Backups are an important aspect of disaster recovery that can protect sensitive data from destruction. |
AWS RDS Instance Encryption | AWS.RDS.Instance | Policy | This policy validates that RDS instances have encryption enabled. |
AWS RDS Instance Has Acceptable Backup Retention Period | AWS.RDS.Instance | Policy | This policy validates that RDS instances are configured with a backup retention period that is acceptable to company policy. This ensures for both compliance and security reasons that records are kept for a minimum period of time, and for compliance and performance reasons that records are not kept indefinitely. |
AWS RDS Instance High Availability | AWS.RDS.Instance | Policy | This policy ensures that RDS instances are running in High Availability mode to provide redundancy in the event of an operational failure. For Aurora, storage is replicated across all the Availability Zones and doesn't require this setting. |
AWS RDS Instance Minor Version Upgrades | AWS.RDS.Instance | Policy | If you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database. |
AWS RDS Instance Public Access | AWS.RDS.Instance | Policy | This policy checks that an RDS instance is not accessible from the public internet. |
AWS RDS Instance Snapshot Public Access | AWS.RDS.Instance | Policy | This policy validates that RDS Instance snapshots are not publicly restorable. This would allow anyone to restore an old version of your database and have full access to its contents. |
AWS RDS Manual/Public Snapshot Created | AWS.CloudTrail | Rule | A manual snapshot of an RDS database was created. An attacker may use this to exfiltrate the DB contents to another account; use this as a correlation rule. |
AWS RDS Master Password Updated | AWS.CloudTrail | Rule | A sensitive database operation that should be performed carefully or rarely |
AWS RDS Snapshot Shared | AWS.CloudTrail | Rule | An RDS snapshot was shared with another account. This could be an indicator of exfiltration. |
AWS Redshift Cluster Encryption | AWS.Redshift.Cluster | Policy | This policy validates that Redshift Clusters have encryption enabled. |
AWS Redshift Cluster Has Acceptable Snapshot Retention Period | AWS.Redshift.Cluster | Policy | This policy validates that Redshift Cluster snapshot retention periods are set to an appropriate time. This ensures that records are kept long enough for compliance and security reasons, but not too long for compliance and performance reasons. |
AWS Redshift Cluster Logging | AWS.Redshift.Cluster | Policy | This policy validates that Redshift Clusters have logging enabled. This includes audit logs. |
AWS Redshift Cluster Maintenance Window | AWS.Redshift.Cluster | Policy | This policy validates that Redshift Clusters have the correct preferred maintenance window configured. |
AWS Redshift Cluster Snapshot Retention | AWS.Redshift.Cluster | Policy | This policy validates that Redshift Clusters have sufficient snapshot retention periods, so that snapshots are not lost before they are needed. |
AWS Redshift Cluster Version Upgrade | AWS.Redshift.Cluster | Policy | This policy validates that Redshift Clusters automatically perform upgrades during scheduled maintenance windows. |
AWS Resource Made Public | AWS.CloudTrail | Rule | Some AWS resource was made publicly accessible over the internet. Checks ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS, and Secrets Manager. |
AWS Resource Minimum Tags | AWS.EC2.Instance AWS.EC2.SecurityGroup AWS.EC2.VPC AWS.IAM.User | Policy | This policy ensures that applicable resources have a minimum number of tags set. |
AWS Resource Required Tags | AWS.EC2.Instance AWS.EC2.SecurityGroup AWS.EC2.VPC AWS.IAM.User | Policy | This policy ensures that AWS resources have specific tags, dependent on their resource type. |
AWS Root Account Access Keys | AWS.IAM.RootUser | Policy | This policy validates that no programmatic access keys exist for the root account. |
AWS Root Account Hardware MFA | AWS.IAM.RootUser | Policy | This policy validates that a hardware MFA device is in use for access to the root account. |
AWS Root Account MFA | AWS.IAM.RootUser | Policy | This policy validates that Multi Factor Authentication (MFA) is required for access to the root account. |
AWS S3 Access Error | AWS.S3ServerAccess | Rule | Checks for errors during S3 Object access. This could be due to insufficient access permissions, non-existent buckets, or other reasons. |
AWS S3 Access IP Allowlist | AWS.S3ServerAccess | Rule | Checks that the remote IP accessing the S3 bucket is in the IP allowlist. |
AWS S3 Bucket Action Restrictions | AWS.S3.Bucket | Policy | Ensures that the S3 bucket policy does not allow all actions (a wildcard Action) on the bucket, in accordance with the principle of least privilege. |
AWS S3 Bucket Encryption | AWS.S3.Bucket | Policy | Ensures that the S3 bucket has encryption enabled. |
AWS S3 Bucket Lifecycle Configuration | AWS.S3.Bucket | Policy | Verifies that the S3 bucket object lifecycle configuration expires data between 90 and 365 days. |
AWS S3 Bucket Logging | AWS.S3.Bucket | Policy | Ensures that a logging policy is set for the S3 bucket. |
AWS S3 Bucket MFA Delete | AWS.S3.Bucket | Policy | Ensures that MFA Delete is enabled for a bucket, so that object versions can only be permanently deleted, and the bucket's versioning state changed, by users authenticated with MFA. |
AWS S3 Bucket Name DNS Compliance | AWS.S3.Bucket | Policy | This policy validates that the AWS S3 bucket name is DNS compliant. |
AWS S3 Bucket Object Lock Configured | AWS.S3.Bucket | Policy | This policy validates that S3 buckets have an Object Lock configuration enabled. This should be used with specific suppression lists to ensure it is applied only to appropriate S3 buckets, such as those containing CloudTrail or other auditable records. |
AWS S3 Bucket Policy Allow With Not Principal | AWS.S3.Bucket | Policy | Prevents the use of a NotPrincipal element together with an Allow effect in an S3 bucket policy; such a statement grants access to every principal except the ones specified, which is effectively global access. |
AWS S3 Bucket Policy Modified | AWS.CloudTrail | Rule | An S3 bucket policy was modified. |
AWS S3 Bucket Principal Restrictions | AWS.S3.Bucket | Policy | This policy validates that S3 Bucket access policies do not allow all users (Principal:"*") for a given action on the bucket, in accordance with the principle of least privilege. |
AWS S3 Bucket Public Access Block | AWS.S3.Bucket | Policy | Ensures that a Public Access Block Configuration is set for the given S3 bucket. |
AWS S3 Bucket Public Read | AWS.S3.Bucket | Policy | Ensures that the S3 bucket is not publicly readable. |
AWS S3 Bucket Public Write | AWS.S3.Bucket | Policy | Ensures that the S3 bucket is not publicly writeable. |
AWS S3 Bucket Secure Access | AWS.S3.Bucket | Policy | Ensures access to S3 buckets is forced to use a secure (HTTPS) connection. |
AWS S3 Bucket Versioning | AWS.S3.Bucket | Policy | Checks that object versioning is enabled in the S3 bucket. |
AWS S3 Insecure Access | AWS.S3ServerAccess | Rule | Checks if HTTP (unencrypted) was used to access objects in an S3 bucket, as opposed to HTTPS (encrypted). |
AWS S3 Unauthenticated Access | AWS.S3ServerAccess | Rule | Checks for S3 access attempts where the requester is not an authenticated AWS user. |
AWS S3 Unknown Requester | AWS.S3ServerAccess | Rule | Validates that proper IAM entities are accessing sensitive data buckets. |
AWS SAML Activity | AWS.CloudTrail | Rule | Identifies when SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. |
AWS Security Group - Only DMZ Publicly Accessible | AWS.EC2.SecurityGroup | Policy | This policy validates that only Security Groups designated as DMZs allow inbound traffic from public IP space. This helps ensure no traffic is bypassing the DMZ. |
AWS Security Group Administrative Ingress | AWS.EC2.SecurityGroup | Policy | This policy validates that AWS Security Groups don't allow unrestricted inbound traffic on port 3389 or 22, ports commonly used for the remote access protocols RDP and SSH respectively. |
AWS Security Group Restricts Access To CDE | AWS.EC2.SecurityGroup | Policy | This policy validates that Security Groups that are considered part of the PCI CDE do not allow any access from public IP space. |
AWS Security Group Restricts Inbound Traffic | AWS.EC2.SecurityGroup | Policy | This policy validates that Security Groups have some restrictions on inbound traffic. |
AWS Security Group Restricts Inter-SG Traffic | AWS.EC2.SecurityGroup | Policy | This policy validates that Security Groups have restrictions on inter Security Group traffic. Administrators may assume there is an implicit level of trust between Security Groups in the same account, but this is not always a good assumption in cases where one Security Group contains far more sensitive data than another. |
AWS Security Group Restricts Outbound Traffic | AWS.EC2.SecurityGroup | Policy | This policy validates that Security Groups have some restrictions on outbound traffic. |
AWS Security Group Restricts Traffic Leaving CDE | AWS.EC2.SecurityGroup | Policy | This policy validates that there are restrictions on what type of traffic may leave Security Groups that are considered within the scope of the PCI CDE. These restrictions help ensure that cardholder data does not leave the CDE. |
AWS Security Group Tightly Restricts Inbound Traffic | AWS.EC2.SecurityGroup | Policy | This policy validates that Security Groups have restrictive permission sets that both limit the total number of open ports, as well as limiting ports typically associated with insecure protocols. |
AWS Security Group Tightly Restricts Outbound Traffic | AWS.EC2.SecurityGroup | Policy | This policy validates that Security Groups have restrictive controls on outbound traffic. |
AWS SecurityHub Finding Evasion | AWS.CloudTrail | Rule | Detects modification of findings in SecurityHub. |
AWS Snapshot Made Public | AWS.CloudTrail | Rule | An AWS storage snapshot was made public. |
AWS Software Discovery | AWS.CloudTrail | Rule | A user is obtaining a list of security software, configurations, defensive tools, and sensors that are in AWS. |
AWS SSO Access Token Retrieved by Unauthenticated IP | AWS.CloudTrail | Correlation Rule | When using AWS in an enterprise environment, best practices dictate using a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing roles and permissions to be managed centrally across multiple AWS accounts. In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level. |
AWS Trusted IPSet Modified | AWS.CloudTrail | Rule | Detects creation and updates of the list of trusted IPs used by GuardDuty and WAF. This may be an attempt to disable security alerts against malicious IPs. |
AWS Unsuccessful MFA attempt | AWS.CloudTrail | Rule | Monitor application logs for suspicious events including repeated MFA failures that may indicate user's primary credentials have been compromised. |
AWS Unused Access Key | AWS.IAM.User | Policy | This policy validates that IAM user access keys are used at least once every 90 days. |
AWS User API Key Created | AWS.CloudTrail | Rule | Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. |
AWS User Login Profile Created or Modified | AWS.CloudTrail | Rule | An attacker with iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console. May be legitimate account administration. |
AWS User Login Profile Modified | AWS.CloudTrail | Rule | An attacker with iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console. May be legitimate account administration. |
AWS User Takeover Via Password Reset | AWS.CloudTrail | Correlation Rule | |
AWS VPC Default Network ACL Restricts All Traffic | AWS.EC2.VPC | Policy | This policy validates that the default Network ACL for a given AWS VPC is restricting all inbound and outbound traffic. |
AWS VPC Default Security Group Restrictions | AWS.EC2.VPC | Policy | This policy validates that the default Security Group for a given AWS VPC is restricting all inbound and outbound traffic. |
AWS VPC Flow Logs | AWS.EC2.VPC | Policy | This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled. |
AWS VPC Healthy Log Status | AWS.VPCFlow OCSF.NetworkActivity | Rule | Checks for the log status `SKIP-DATA`, which indicates that data was lost either to an internal server error or due to capacity constraints. |
AWS WAF Disassociation | AWS.CloudTrail | Rule | Detection to alert when a WAF disassociates from a source. |
AWS WAF Has XSS Predicate | AWS.WAF.Regional.WebACL AWS.WAF.WebACL | Policy | This policy validates that all WAFs have at least one rule with a predicate matching on and blocking XSS attacks. |
AWS WAF Logging Configured | AWS.WAF.Regional.WebACL AWS.WAF.WebACL | Policy | Ensures that AWS WAF logging is enabled and that the logs are being sent to a valid destination (S3, CloudWatch, or Kinesis Firehose). Without logging, visibility into WAF activity is severely limited, increasing the risk of undetected attacks. |
AWS WAF Rule Ordering | AWS.WAF.Regional.WebACL AWS.WAF.WebACL | Policy | This policy validates that all WAFs have the correct rule ordering. Incorrect rule ordering could lead to less restrictive rules being matched and allowing traffic through before more restrictive rules that should have blocked the traffic. |
AWS WAF WebACL Has Associated Resources | AWS.WAF.Regional.WebACL AWS.WAF.WebACL | Policy | This policy ensures that AWS WAF WebACLs are associated with at least one resource (ALB, CloudFront Distribution, or API Gateway). If a WebACL is not associated with any resources, it is inactive and not providing any protection. |
AWS. | AWS.CloudTrail | Rule | |
Azure Many Failed SignIns | Azure.Audit | Rule | This detection looks for a number of failed sign-ins for the same ServicePrincipalName or UserPrincipalName |
Azure RiskLevel Passthrough | Azure.Audit | Rule | This detection surfaces an alert based on riskLevelAggregated, riskLevelDuringSignIn, and riskState. riskLevelAggregated and riskLevelDuringSignIn are only expected for Azure AD Premium P2 customers. |
Azure SignIn via Legacy Authentication Protocol | Azure.Audit | Rule | This detection looks for Successful Logins that have used legacy authentication protocols |
BETA - Sensitive 1Password Item Accessed | OnePassword.ItemUsage | Rule | Alerts when a user defined list of sensitive items in 1Password is accessed |
Box Access Granted | Box.Event | Rule | A user granted access to their box account to Box technical support from account settings. |
Box Content Workflow Policy Violation | Box.Event | Rule | A user violated the content workflow policy. |
Box event triggered by unknown or external user | Box.Event | Rule | An external user has triggered a box enterprise event. |
Box item shared externally | Box.Event | Rule | A user has shared an item and it is accessible to anyone with the share link (internal or external to the company). This rule requires that the boxsdk[jwt] package be installed in the environment. |
Box Large Number of Downloads | Box.Event | Rule | A user has exceeded the threshold for number of downloads within a single time frame. |
Box Large Number of Permission Changes | Box.Event | Rule | A user has exceeded the threshold for number of folder permission changes within a single time frame. |
Box New Login | Box.Event | Rule | A user logged in from a new device. |
Box Shield Detected Anomalous Download Activity | Box.Event | Rule | A user's download activity has altered significantly. |
Box Shield Suspicious Alert Triggered | Box.Event | Rule | A user login event or session event was tagged as medium to high severity by Box Shield. |
Box Untrusted Device Login | Box.Event | Rule | A user attempted to login from an untrusted device. |
Brute Force By IP | AWS.CloudTrail Asana.Audit Atlassian.Audit Box.Event GSuite.Reports Okta.SystemLog OneLogin.Events OnePassword.SignInAttempt | Rule | An actor user was denied login access more times than the configured threshold. |
Carbon Black Admin Role Granted | CarbonBlack.Audit | Rule | Detects when a user is granted Admin or Super Admin permissions. |
Carbon Black API Key Created or Retrieved | CarbonBlack.Audit | Rule | Detects when a user creates a new API key or retrieves an existing key. |
Carbon Black Data Forwarder Stopped | CarbonBlack.Audit | Rule | Detects when a user disables or deletes a Data Forwarder. |
Carbon Black Log Entry Flagged | CarbonBlack.Audit | Rule | Detects when Carbon Black has flagged a log as important, such as failed login attempts and locked accounts. |
Carbon Black Passthrough Rule | CarbonBlack.AlertV2 | Rule | This rule enriches and contextualizes security alerts generated by Carbon Black. The alert title and description are dynamically updated based on data included in the alert log. |
Carbon Black User Added Outside Org | CarbonBlack.Audit | Rule | Detects when a user from a different organization is added to Carbon Black. |
Cisco Umbrella Domain Blocked | CiscoUmbrella.DNS | Rule | Monitor blocked domains |
Cisco Umbrella Domain Name Fuzzy Matching | CiscoUmbrella.DNS | Rule | Identify lookups to suspicious domains that could indicate a phishing attack. |
Cisco Umbrella Suspicious Domains | CiscoUmbrella.DNS | Rule | Monitor suspicious or known malicious domains |
Cloudflare Bot High Volume | Cloudflare.HttpRequest | Rule | Monitors for bots making HTTP Requests at a rate higher than 2req/sec |
Cloudflare L7 DDoS | Cloudflare.Firewall | Rule | Layer 7 Distributed Denial of Service (DDoS) detected |
CloudTrail EC2 StopInstances | AWS.CloudTrail | Rule | EC2 instances were stopped, as recorded in CloudTrail. Stopping an instance makes further changes to it possible. |
CloudTrail Password Spraying | AWS.CloudTrail | Scheduled Rule | Detects password spraying against accounts using a scheduled query. |
CloudTrail Stopped | AWS.CloudTrail | Rule | A CloudTrail Trail was modified. |
CodeBuild Project made Public | AWS.CloudTrail | Rule | An AWS CodeBuild Project was made publicly accessible |
Configuration Required - Sensitive 1Password Item Accessed | OnePassword.ItemUsage | Rule | Alerts when a user defined list of sensitive items in 1Password is accessed |
Connection to Embargoed Country | Crowdstrike.FDREvent | Rule | Detection to alert when an internal asset is communicating with a sanctioned destination. This detection leverages Panther UDM and IPInfo enrichment. |
Crowdstrike Admin Role Assigned | Crowdstrike.EventStreams | Rule | A user was assigned a privileged role |
Crowdstrike Allowlist Removed | Crowdstrike.EventStreams | Rule | A user deleted an allowlist |
Crowdstrike API Key Created | Crowdstrike.EventStreams | Rule | A user created an API Key in CrowdStrike |
Crowdstrike API Key Deleted | Crowdstrike.EventStreams | Rule | A user deleted an API Key in CrowdStrike |
Crowdstrike Credential Dumping Tool | Crowdstrike.FDREvent | Rule | Detects usage of tools commonly used for credential dumping. |
Crowdstrike Cryptomining Tools | Crowdstrike.FDREvent | Rule | Detects the execution of known cryptocurrency mining tools. |
Crowdstrike Detection Passthrough | Crowdstrike.DetectionSummary Crowdstrike.FDREvent | Rule | Crowdstrike Falcon has detected malicious activity on a host. |
Crowdstrike Ephemeral User Account | Crowdstrike.EventStreams | Correlation Rule | Detects when a user account is created and deleted within 12 hours. This aims to detect ephemeral user accounts infiltrators might use to avoid suspicion. |
Crowdstrike FDR LOLBAS | Crowdstrike.FDREvent | Rule | Living off the land binaries and script usage |
Crowdstrike IP Allowlist Changed | Crowdstrike.EventStreams | Rule | Updates were made to Falcon console's allowlist. This could indicate a bad actor permitting access from another machine, or could be attackers preventing legitimate actors from accessing the console. |
CrowdStrike Large Zip Creation | Crowdstrike.Unknown | Scheduled Query | Detects creation of large zip files, which can indicate attempts of exfiltration |
CrowdStrike Large Zip Creation (crowdstrike_fdrevent table) | Crowdstrike.FDREvent | Scheduled Query | Detects creation of large zip files, which can indicate attempts of exfiltration (crowdstrike_fdrevent table) |
CrowdStrike MacOS Added Trusted Cert | Crowdstrike.FDREvent | Rule | Detects attempt to install a root certificate on MacOS |
CrowdStrike MacOS Osascript as Administrator | Crowdstrike.FDREvent | Rule | Detects usage of osascript with administrator privileges |
CrowdStrike MacOS plutil Usage | Crowdstrike.FDREvent | Rule | Detects the usage of plutil to modify plist files. Plist files run on start up and are often used by attackers to maintain persistence. |
Crowdstrike New Admin User Created | Crowdstrike.EventStreams | Correlation Rule | Detects when a user account is created and assigned admin permissions |
Crowdstrike New User Created | Crowdstrike.EventStreams | Rule | A new Crowdstrike user was created |
Crowdstrike Real Time Response (RTS) Session | Crowdstrike.FDREvent Crowdstrike.Unknown | Rule | Alert when someone uses Crowdstrike’s RTR (real-time response) capability to access a machine remotely to run commands. |
Crowdstrike Remote Access Tool Execution | Crowdstrike.FDREvent | Rule | Detects usage of common remote access tools. |
Crowdstrike Reverse Shell Tool Executed | Crowdstrike.FDREvent | Rule | Detects usage of tools commonly used to establish reverse shells on Windows machines. |
Crowdstrike Single IP Allowlisted | Crowdstrike.EventStreams | Rule | A single IP (instead of a CIDR range) was allowlisted. This could indicate a bad actor permitting access from another machine. |
Crowdstrike Systemlog Tampering | Crowdstrike.FDREvent | Rule | Detects when a user attempts to clear system logs. |
Crowdstrike Unusual Parent Child Processes | Crowdstrike.FDREvent | Rule | Detects unusual parent child process pairings. |
Crowdstrike User Deleted | Crowdstrike.EventStreams | Rule | Someone has deleted multiple users. |
Crowdstrike User Password Changed | Crowdstrike.EventStreams | Rule | A user's password was changed |
Crowdstrike WMI Query Detection | Crowdstrike.FDREvent | Rule | Detects execution of WMI queries involving information gathering or actions on remote systems, which could indicate reconnaissance or lateral movement. |
CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails | GitLab.Audit | Rule | Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address. |
CVE-2023-7028 - GitLab Production Password Reset Multiple Emails | GitLab.Production | Rule | Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address. |
Decoy DynamoDB Accessed | AWS.SecurityFindingFormat | Rule | Actor accessed Decoy DynamoDB |
Decoy IAM Assumed | AWS.SecurityFindingFormat | Rule | Actor assumed decoy IAM role |
Decoy S3 Accessed | AWS.SecurityFindingFormat | Rule | Actor accessed S3 Manager decoy secret |
Decoy Secret Accessed | AWS.SecurityFindingFormat | Rule | Actor accessed Secrets Manager decoy secret |
Decoy Systems Manager Parameter Accessed | AWS.SecurityFindingFormat | Rule | Actor accessed Decoy Systems Manager parameter |
Detect Reconnaissance from IAM Users | AWS.CloudTrail | Rule | An IAM user has a high volume of access denied API calls. |
Detection content has been deleted from Panther | Panther.Audit | Rule | Detection content has been removed from Panther. |
DNS Base64 Encoded Query | AWS.VPCDns CiscoUmbrella.DNS Crowdstrike.FDREvent | Rule | Detects DNS queries with Base64 encoded subdomains, which could indicate an attempt to obfuscate data exfil. |
DNS request to denylisted domain | Crowdstrike.DNSRequest Crowdstrike.FDREvent | Rule | A DNS request was made to a domain on an explicit denylist |
Dropbox Admin sign-in-as Session | Dropbox.TeamEvent | Rule | Alerts when an admin starts a sign-in-as session. |
Dropbox Document/Folder Ownership Transfer | Dropbox.TeamEvent | Rule | Dropbox ownership of a document or folder has been transferred. |
Dropbox External Share | Dropbox.TeamEvent | Rule | Dropbox item shared externally |
Dropbox Linked Team Application Added | Dropbox.TeamEvent | Rule | An application was linked to your Dropbox Account |
Dropbox Many Deletes | Dropbox.TeamEvent | Scheduled Query | Dropbox Many Deletes |
Dropbox Many Downloads | Dropbox.TeamEvent | Scheduled Query | Dropbox Many Downloads |
Dropbox User Disabled 2FA | Dropbox.TeamEvent | Rule | Dropbox user has disabled 2fa login |
Duo Admin App Integration Secret Key Viewed | Duo.Administrator | Rule | An administrator viewed a Secret Key for an Application Integration |
Duo Admin Bypass Code Created | Duo.Administrator | Rule | A Duo administrator created an MFA bypass code for an application. |
Duo Admin Bypass Code Viewed | Duo.Administrator | Rule | An administrator viewed the MFA bypass code for a user. |
Duo Admin Create Admin | Duo.Administrator | Rule | A new Duo Administrator was created. |
Duo Admin Lockout | Duo.Administrator | Rule | Alert when a duo administrator is locked out of their account. |
Duo Admin Marked Push Fraudulent | Duo.Administrator | Rule | A Duo push was marked fraudulent by an admin. |
Duo Admin MFA Restrictions Updated | Duo.Administrator | Rule | Detects changes to allowed MFA factors administrators can use to log into the admin panel. |
Duo Admin New Admin API App Integration | Duo.Administrator | Rule | Identifies creation of new Admin API integrations for Duo. |
Duo Admin Policy Updated | Duo.Administrator | Rule | A Duo Administrator updated a Policy, which governs how users authenticate. |
Duo Admin SSO SAML Requirement Disabled | Duo.Administrator | Rule | Detects when SAML Authentication for Administrators is marked as Disabled or Optional. |
Duo Admin User MFA Bypass Enabled | Duo.Administrator | Rule | An Administrator enabled a user to authenticate without MFA. |
Duo User Action Reported as Fraudulent | Duo.Authentication | Rule | Alert when a user reports a Duo action as fraudulent. |
Duo User Auth Denied For Anomalous Push | Duo.Authentication | Rule | A Duo authentication was denied due to an anomalous 2FA push. |
Duo User Bypass Code Used | Duo.Authentication | Rule | A Duo user's bypass code was used to authenticate |
Duo User Denied For Endpoint Error | Duo.Authentication | Rule | A Duo user's authentication was denied due to a suspicious error on the endpoint |
EC2 Network ACL Modified | AWS.CloudTrail | Rule | An EC2 Network ACL was modified. |
EC2 Network Gateway Modified | AWS.CloudTrail | Rule | An EC2 Network Gateway was modified. |
EC2 Route Table Modified | AWS.CloudTrail | Rule | An EC2 Route Table was modified. |
EC2 Security Group Modified | AWS.CloudTrail | Rule | An EC2 Security Group was modified. |
EC2 VPC Modified | AWS.CloudTrail | Rule | An EC2 VPC was modified. |
ECR CRUD Actions | AWS.CloudTrail | Rule | Unauthorized ECR Create, Read, Update, or Delete event occurred. |
EKS Audit Log based single sourceIP is generating multiple 403s | Amazon.EKS.Audit | Rule | This detection identifies if a public sourceIP is generating multiple 403s with the Kubernetes API server. |
EKS Audit Log Reporting system Namespace is Used From A Public IP | Amazon.EKS.Audit | Rule | This detection identifies if an activity is recorded in the Kubernetes audit log where the user.username attribute begins with "system:" or "eks:" and the request's originating IP address is a public IP address. |
Enabled Zendesk Support to Assume Users | Zendesk.Audit | Rule | A user enabled or disabled Zendesk support user assumption. |
Exec into Pod | GCP.AuditLog | Rule | Alerts when users exec into a pod. Specific projects and allowed users can be configured. |
Execution of Command Line Tool with Base64 Encoded Arguments | Crowdstrike.FDREvent | Rule | Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands. |
External GSuite File Share | GSuite.Reports | Rule | An employee shared a sensitive file externally with another organization |
Failed Root Console Login | AWS.CloudTrail | Rule | A Root console login failed. |
GCP Access Attempts Violating IAP Access Controls | GCP.HTTPLoadBalancer | Rule | GCP Access Attempts Violating IAP Access Controls |
GCP Access Attempts Violating VPC Service Controls | GCP.AuditLog | Rule | An access attempt violating VPC service controls (such as Perimeter controls) has been made. |
GCP BigQuery Large Scan | GCP.AuditLog | Rule | Detect any BigQuery query that is doing a very large scan (> 1 GB). |
GCP Cloud Run Service Created | GCP.AuditLog | Rule | Detects creation of new Cloud Run Service, which, if configured maliciously, may be part of the attack aimed to invoke the service and retrieve the access token. |
GCP Cloud Run Service Created FOLLOWED BY Set IAM Policy | GCP.AuditLog | Correlation Rule | Detects run.services.create method for privilege escalation in GCP. The exploit creates a new Cloud Run Service that, when invoked, returns the Service Account's access token by accessing the metadata API of the server it is running on. |
GCP Cloud Run Set IAM Policy | GCP.AuditLog | Rule | Detects new roles granted to users to Cloud Run Services. This could potentially allow the user to perform actions within the project and its resources, which could pose a security risk. |
GCP Cloud Storage Buckets Modified Or Deleted | GCP.AuditLog | Rule | Detects GCP cloud storage bucket updates and deletes. |
GCP CloudBuild Potential Privilege Escalation | GCP.AuditLog | Rule | Detects privilege escalation attacks designed to gain access to the Cloud Build Service Account. A user with permissions to start a new build with Cloud Build can gain access to the Cloud Build Service Account and abuse it for more access to the environment. |
GCP cloudfunctions functions create | GCP.AuditLog | Rule | The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions. |
GCP cloudfunctions functions update | GCP.AuditLog | Rule | The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions. |
GCP compute. | GCP.AuditLog | Rule | Detects compute.instances.create method for privilege escalation in GCP. |
GCP Corporate Email Not Used | GCP.AuditLog | Rule | A Gmail account is being used instead of a corporate email |
GCP Destructive Queries | GCP.AuditLog | Rule | Detect any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate. |
GCP DNS Zone Modified or Deleted | GCP.AuditLog | Rule | Detection for GCP DNS zones that are deleted, patched, or updated. |
GCP Firewall Rule Created | GCP.AuditLog | Rule | This rule detects creations of GCP firewall rules. |
GCP Firewall Rule Deleted | GCP.AuditLog | Rule | This rule detects deletions of GCP firewall rules. |
GCP Firewall Rule Modified | GCP.AuditLog | Rule | This rule detects modifications to GCP firewall rules. |
GCP GCS IAM Permission Changes | GCP.AuditLog | Rule | Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
GCP GKE Kubernetes Cron Job Created Or Modified | GCP.AuditLog | Rule | This detection monitors for any modifications or creations of a cron job in GKE. Attackers may create or modify an existing scheduled job in order to achieve cluster persistence. |
GCP IAM Role Has Changed | GCP.AuditLog | Rule | A custom role has been created, deleted, or updated. |
GCP IAM serviceAccounts getAccessToken Privilege Escalation | GCP.AuditLog | Rule | The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions. |
GCP IAM serviceAccounts signBlob | GCP.AuditLog | Rule | The iam.serviceAccounts.signBlob permission "allows signing of arbitrary payloads" in GCP. This means we can create a signed blob that requests an access token from the Service Account we are targeting. |
GCP IAM serviceAccounts. | GCP.AuditLog | Rule | Detects iam.serviceAccounts.signJwt method for privilege escalation in GCP. This method works by signing well-formed JSON web tokens (JWTs). The script for this method will sign a well-formed JWT and request a new access token belonging to the Service Account with it. |
GCP iam. | GCP.AuditLog | Rule | If your user is assigned a custom IAM role, then iam.roles.update will allow you to update the "includedPermissions" on that role. Because it is assigned to you, you will gain the additional privileges, which could be anything you desire. |
GCP Inbound SSO Profile Created | GCP.AuditLog | Rule | |
GCP K8s IOCActivity | GCP.AuditLog | Rule | This detection monitors for any Kubernetes API request originating from an Indicator of Compromise. |
GCP K8s New Daemonset Deployed | GCP.AuditLog | Rule | Detects Daemonset creation in GCP Kubernetes clusters. |
GCP K8s Pod Attached To Node Host Network | GCP.AuditLog | Rule | This detection monitors for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all compute deployed on that particular node and communicate with other compute in the network namespace. Attackers can use this to capture secrets passed in arguments or connections. |
GCP K8S Pod Create Or Modify Host Path Volume Mount | GCP.AuditLog | Rule | This detection monitors for pod creation with a hostPath volume mount. The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement. |
GCP K8s Pod Using Host PID Namespace | GCP.AuditLog | Rule | This detection monitors for any pod creation or modification using the host PID namespace. The host PID namespace enables a pod and its containers to have direct access to and share the same view of the host's processes. This can offer a powerful escape hatch to the underlying host. |
GCP K8S Privileged Pod Created | GCP.AuditLog | Rule | Alerts when a user creates a privileged pod. These particular pods have full access to the host's namespace and devices, have the ability to exploit the kernel, have dangerous Linux capabilities, and can be a powerful launching point for further attacks. In the event of a successful container escape where a user is operating with root privileges, the attacker retains this role on the node. |
GCP K8S Service Type NodePort Deployed | GCP.AuditLog | Rule | This detection monitors for any Kubernetes service deployed with type NodePort. A NodePort service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic there. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network. |
GCP Log Bucket or Sink Deleted | GCP.AuditLog | Rule | This rule detects deletions of GCP Log Buckets or Sinks. |
GCP Logging Settings Modified | GCP.AuditLog | Rule | Detects any changes made to logging settings |
GCP Logging Sink Modified | GCP.AuditLog | Rule | This rule detects modifications to GCP Log Sinks. |
GCP Org or Folder Policy Was Changed Manually | GCP.AuditLog | Rule | Alert if a GCP Org or Folder Policy Was Changed Manually. |
GCP Permissions Granted to Create or Manage Service Account Key | GCP.AuditLog | Rule | Permissions were granted to impersonate a service account. This includes predefined service account IAM roles granted at the parent project, folder, or organization level. |
GCP Resource in Unused Region | GCP.AuditLog | Rule | Adversaries may create cloud instances in unused geographic service regions in order to evade detection. |
GCP Service Account Access Denied | GCP.AuditLog | Rule | This rule detects deletions of GCP Log Buckets or Sinks. |
GCP Service Account or Keys Created | GCP.AuditLog | Rule | Detects when a service account or key is created manually by a user instead of an automated workflow. |
GCP serviceusage. | GCP.AuditLog | Rule | Detects serviceusage.apiKeys.create method for privilege escalation in GCP. By default, API Keys are created with no restrictions, which means they have access to the entire GCP project they were created in. We can capitalize on that fact by creating a new API key that may have more privileges than our own user. |
GCP SQL Config Changes | GCP.AuditLog | Rule | Monitoring changes to Cloud SQL instance configuration may reduce the time to detect and correct misconfigurations made on the SQL server. |
GCP storage hmac keys create | GCP.AuditLog | Rule | There is a feature of Cloud Storage, “interoperability”, that provides a way for Cloud Storage to interact with storage offerings from other cloud providers, like AWS S3. As part of that, there are HMAC keys that can be created for both Service Accounts and regular users. We can escalate Cloud Storage permissions by creating an HMAC key for a higher-privileged Service Account. |
GCP User Added to IAP Protected Service | GCP.AuditLog | Rule | A user has been granted access to an IAP protected service. |
GCP User Added to Privileged Group | GCP.AuditLog | Rule | A user was added to a group with special privileges. |
GCP VPC Flow Logs Disabled | GCP.AuditLog | Rule | VPC flow logs were disabled for a subnet. |
GCP Workforce Pool Created or Updated | GCP.AuditLog | Rule | |
GCP Workload Identity Pool Created or Updated | GCP.AuditLog | Rule | |
GCP. | GCP.AuditLog | Rule | If your user is assigned a custom IAM role, then iam.roles.update will allow you to update the “includedPermissions” on that role. Because the role is assigned to you, you will gain the additional privileges, which could be anything you desire. |
GCP. | GCP.AuditLog | Rule | Detects privilege escalation in GCP by abusing the deploymentmanager.deployments.create permission. |
GCS Bucket Made Public | GCP.AuditLog | Rule | Adversaries may access data objects from improperly secured cloud storage. |
GitHub Action Failed | GitHub.Audit | Rule | A monitored github action has failed. |
GitHub Advanced Security Change WITHOUT Repo Archived | GitHub.Audit | Correlation Rule | Identifies when an Advanced Security change was made that was not caused by archiving a repo. Eliminates the false positives the Advanced Security Change rule raises when the repo is archived. |
GitHub Branch Protection Disabled | GitHub.Audit | Rule | Disabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity. |
GitHub Branch Protection Policy Override | GitHub.Audit | Rule | Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity. |
GitHub Dependabot Vulnerability Dismissed | GitHub.Audit | Rule | Creates an alert if a dependabot alert is dismissed without being fixed. |
GitHub Org Authentication Method Changed | GitHub.Audit | Rule | Detects changes to a GitHub org's authentication method. |
GitHub Org IP Allow List modified | GitHub.Audit | Rule | Detects changes to a GitHub Org IP Allow List |
GitHub Organization App Integration Installed | GitHub.Audit | Rule | An application integration was installed to your organization's GitHub account by someone in your organization. |
GitHub Public Repository Created | GitHub.Audit | Rule | A public GitHub repository was created. |
GitHub Repository Archived | GitHub.Audit | Rule | Detects when a repository is archived. |
GitHub Repository Collaborator Change | GitHub.Audit | Rule | Detects when a repository collaborator is added or removed. |
GitHub Repository Created | GitHub.Audit | Rule | Detects when a repository is created. |
GitHub Repository Transfer | GitHub.Audit | Rule | A user accepted a request to receive a transferred GitHub repository, a GitHub repository was transferred to another repository network, or a user sent a request to transfer a repository to another user or organization. |
GitHub Repository Visibility Change | GitHub.Audit | Rule | Detects when an organization repository visibility changes. |
GitHub Secret Scanning Alert Created | GitHub.Audit | Rule | GitHub detected a secret and created a secret scanning alert. |
GitHub Security Change, includes GitHub Advanced Security | GitHub.Audit | Rule | The rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc) are disabled. |
GitHub Team Modified | GitHub.Audit | Rule | Detects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control. |
GitHub User Access Key Created | GitHub.Audit | Rule | Detects when a GitHub user access key is created. |
GitHub User Added or Removed from Org | GitHub.Audit | Rule | Detects when a user is added or removed from a GitHub Org. |
GitHub User Added to Org Moderators | GitHub.Audit | Rule | Detects when a user is added to a GitHub org's list of moderators. |
GitHub User Initial Access to Private Repo | GitHub.Audit | Rule | Detects when a user initially accesses a private organization repository. |
GitHub User Role Updated | GitHub.Audit | Rule | Detects when a GitHub user role is upgraded to an admin or downgraded to a member |
GitHub Web Hook Modified | GitHub.Audit | Rule | Detects when a webhook is added, modified, or deleted |
Google Accessed a GSuite Resource | GSuite.ActivityEvent | Rule | Google accessed one of your GSuite resources directly, most likely in response to a support incident. |
Google Drive High Download Count | GSuite.ActivityEvent | Scheduled Rule | Scheduled rule for the High Google Drive Download Count query which looks for incidents of more than 10 (tunable) downloads by a user in the past day. |
Google Workspace Admin Custom Role | GSuite.ActivityEvent | Rule | A Google Workspace administrator created a new custom administrator role. |
Google Workspace Advanced Protection Program | GSuite.ActivityEvent | Rule | Your organization's Google Workspace Advanced Protection Program settings were modified. |
Google Workspace Apps Marketplace Allowlist | GSuite.ActivityEvent | Rule | Google Workspace Marketplace application allowlist settings were modified. |
Google Workspace Apps Marketplace New Domain Application | GSuite.ActivityEvent | Rule | A Google Workspace User configured a new domain application from the Google Workspace Apps Marketplace. |
Google Workspace Apps New Mobile App Installed | GSuite.ActivityEvent | Rule | A new mobile application was added to your organization's mobile apps whitelist in Google Workspace Apps. |
GSuite Calendar Has Been Made Public | GSuite.ActivityEvent | Rule | A User or Admin Has Modified A Calendar To Be Public |
GSuite Device Suspicious Activity | GSuite.ActivityEvent | Rule | GSuite reported a suspicious activity on a user's device. |
GSuite Document External Ownership Transfer | GSuite.ActivityEvent | Rule | A GSuite document's ownership was transferred to an external party. |
GSuite Drive Many Documents Deleted | GSuite.ActivityEvent | Scheduled Rule | Scheduled rule for the GSuite Drive Many Documents Deleted query. Looks for users who have deleted more than 10 (tunable) documents the past day. |
GSuite External Drive Document | GSuite.Reports | Rule | A Google Drive resource became externally accessible. |
GSuite Government Backed Attack | GSuite.ActivityEvent | Rule | GSuite reported that it detected a government backed attack against your account. |
GSuite Login Type | GSuite.ActivityEvent | Rule | A login of a non-approved type was detected for this user. |
GSuite Mail Forwarded to External Domain | GSuite.ActivityEvent | Rule | A user has configured mail forwarding to an external domain. |
GSuite Many Docs Deleted Query | GSuite.ActivityEvent | Scheduled Query | Query to search for a user deleting many documents. |
GSuite Many Docs Downloaded Query | GSuite.ActivityEvent | Scheduled Query | Query to search high document download counts by users. |
GSuite Overly Visible Drive Document | GSuite.Reports | Rule | A Google Drive resource that is overly visible has been modified. |
GSuite Passthrough Rule Triggered | GSuite.ActivityEvent | Rule | A GSuite rule was triggered. |
GSuite User Advanced Protection Change | GSuite.ActivityEvent | Rule | A user disabled advanced protection for themselves. |
GSuite User Banned from Group | GSuite.ActivityEvent | Rule | A GSuite user was banned from an enterprise group by moderator action. |
GSuite User Device Compromised | GSuite.ActivityEvent | Rule | GSuite reported a user's device has been compromised. |
GSuite User Device Unlock Failures | GSuite.ActivityEvent | Rule | Someone failed to unlock a user's device multiple times in quick succession. |
GSuite User Password Leaked | GSuite.ActivityEvent | Rule | GSuite reported a user's password has been compromised, so they disabled the account. |
GSuite User Suspended | GSuite.ActivityEvent | Rule | A GSuite user was suspended; the account may have been compromised by a spam network. |
GSuite User Two Step Verification Change | GSuite.ActivityEvent | Rule | A user disabled two step verification for themselves. |
GSuite Workspace Calendar External Sharing Setting Change | GSuite.ActivityEvent | Rule | A Workspace Admin Changed The Sharing Settings for Primary Calendars |
GSuite Workspace Data Export Has Been Created | GSuite.ActivityEvent | Rule | A Workspace Admin Has Created a Data Export |
GSuite Workspace Gmail Default Routing Rule Modified | GSuite.ActivityEvent | Rule | A Workspace Admin Has Modified A Default Routing Rule In Gmail |
GSuite Workspace Gmail Pre-Delivery Message Scanning Disabled | GSuite.ActivityEvent | Rule | A Workspace Admin Has Disabled Pre-Delivery Scanning For Gmail. |
GSuite Workspace Gmail Security Sandbox Disabled | GSuite.ActivityEvent | Rule | A Workspace Admin Has Disabled The Security Sandbox |
GSuite Workspace Password Reuse Has Been Enabled | GSuite.ActivityEvent | Rule | A Workspace Admin Has Enabled Password Reuse |
GSuite Workspace Strong Password Enforcement Has Been Disabled | GSuite.ActivityEvent | Rule | A Workspace Admin Has Disabled The Enforcement Of Strong Passwords |
GSuite Workspace Trusted Domain Allowlist Modified | GSuite.ActivityEvent | Rule | A Workspace Admin Has Modified The Trusted Domains List |
IAM Assume Role Blocklist Ignored | AWS.CloudTrail | Rule | A user assumed a role that was explicitly blocklisted for manual user assumption. |
IAM Change | AWS.CloudTrail | Rule | A change occurred in the IAM configuration. This could be a resource being created, deleted, or modified. This is a high level view of changes, helpful to indicate how dynamic a certain IAM environment is. |
IAM Entity Created Without CloudFormation | AWS.CloudTrail | Rule | An IAM Entity (Group, Policy, Role, or User) was created manually. IAM entities should be created in code to ensure that permissions are tracked and managed correctly. |
IAM Inline Policy Network Admin | AWS.IAM.Group AWS.IAM.Role AWS.IAM.User | Policy | This policy validates that IAM entities (Groups, Roles, and Users) do not have inline policies attached that grant network admin privileges. Inline policies are more difficult to track and audit than managed policies, and can lead to persistent unexpected access. |
IAM Policy Modified | AWS.CloudTrail | Rule | An IAM Policy was changed. |
Impossible Travel for Login Action | AWS.CloudTrail Asana.Audit Notion.AuditLogs Okta.SystemLog | Rule | A user has subsequent logins from two geographic locations that are very far apart |
IOC Activity in K8 Control Plane | Amazon.EKS.Audit | Scheduled Query | This detection monitors for any Kubernetes API request originating from an Indicator of Compromise. |
KMS CMK Disabled or Deleted | AWS.CloudTrail | Rule | A KMS Customer Managed Key was disabled or scheduled for deletion. This could potentially lead to permanent loss of encrypted data. |
Kubernetes Cron Job Created or Modified | Amazon.EKS.Audit | Scheduled Query | This detection monitors for any creation or modification of a cron job. Attackers may create or modify an existing scheduled job in order to achieve cluster persistence. |
Kubernetes Pod Created in Pre-Configured or Default Name Spaces | Amazon.EKS.Audit | Scheduled Query | This detection monitors for any pod created in pre-configured or default namespaces. Only Cluster Admins should be creating pods in the kube-system namespace, and it is best practice not to run any cluster critical infrastructure here. The kube-public namespace is intended to be readable by unauthenticated users. The default namespace is shipped with the cluster and it is best practice not to deploy production workloads here. These namespaces may be used to evade defenses or hide attacker infrastructure. |
Kubernetes Service with Type Node Port Deployed | | Scheduled Query | This detection monitors for any Kubernetes service deployed with type NodePort. A NodePort service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic to it. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network. |
Lambda CRUD Actions | AWS.CloudTrail | Rule | Unauthorized lambda Create, Read, Update, or Delete event occurred. |
Logins Without MFA | AWS.CloudTrail | Rule | A console login was made without multi-factor authentication. |
Logins Without SAML | AWS.CloudTrail | Rule | An AWS console login was made without SAML/SSO. |
MacOS ALF is misconfigured | Osquery.Differential | Rule | The application level firewall blocks unwanted network connections made to your computer from other computers on your network. |
MacOS Browser Credential Access | | Scheduled Query | Detects processes that contain known browser credential files in arguments. |
MacOS Browser Credential Access (crowdstrike_fdrevent table) | Crowdstrike.FDREvent | Scheduled Query | Detects processes that contain known browser credential files in arguments. (crowdstrike_fdrevent table) |
MacOS Keyboard Events | Osquery.Differential | Rule | A Key Logger has potentially been detected on a macOS system |
macOS Malware Detected with osquery | Osquery.Differential | Rule | Malware has potentially been detected on a macOS system |
Malicious Content Detected | Box.Event | Rule | Box has detected malicious content, such as a virus. |
Malicious SSO DNS Lookup | CiscoUmbrella.DNS Crowdstrike.DNSRequest Crowdstrike.FDREvent Suricata.DNS Zeek.DNS | Rule | The rule looks for DNS requests to sites potentially posing as SSO domains. |
MFA Disabled | Atlassian.Audit GitHub.Audit Okta.SystemLog Zendesk.Audit | Rule | Detects when Multi-Factor Authentication (MFA) is disabled |
Microsoft Exchange External Forwarding | Microsoft365.Audit.Exchange | Rule | Detects creation of forwarding rule to external domains |
Microsoft Graph Passthrough | MicrosoftGraph.SecurityAlert | Rule | The Microsoft Graph security API federates queries to all onboarded security providers, including Azure AD Identity Protection, Microsoft 365, Microsoft Defender (Cloud, Endpoint, Identity) and Microsoft Sentinel |
Microsoft365 Brute Force Login by User | Microsoft365.Audit.AzureActiveDirectory | Rule | A Microsoft365 user was denied login access several times |
Microsoft365 External Document Sharing | Microsoft365.Audit.SharePoint | Rule | Document shared externally |
Microsoft365 MFA Disabled | Microsoft365.Audit.AzureActiveDirectory | Rule | A user's MFA has been removed |
MongoDB 2FA Disabled | MongoDB.OrganizationEvent | Rule | 2FA was disabled. |
MongoDB access allowed from anywhere | MongoDB.ProjectEvent | Rule | Atlas only allows client connections to the database deployment from entries in the project's IP access list. This rule detects when 0.0.0.0/0 is added to that list, which allows access from anywhere. |
MongoDB Atlas API Key Created | MongoDB.OrganizationEvent | Rule | A MongoDB Atlas API key's access list was updated. |
MongoDB External User Invited | MongoDB.OrganizationEvent | Rule | An external user has been invited to a MongoDB org. |
MongoDB External User Invited (no config) | MongoDB.OrganizationEvent | Rule | An external user has been invited to a MongoDB org (no config). |
MongoDB Identity Provider Activity | MongoDB.OrganizationEvent | Rule | Changes to identity provider settings are privileged activities that should be carefully audited. Attackers may add or change IDP integrations to gain persistence to environments |
MongoDB logging toggled | MongoDB.ProjectEvent | Rule | MongoDB logging toggled |
MongoDB org membership restriction disabled | MongoDB.OrganizationEvent | Rule | You can configure Atlas to require API access lists at the organization level. When you enable the IP access list for the Atlas Administration API, all API calls in that organization must originate from a valid entry in the associated Atlas Administration API key access list. This rule detects when the IP access list is disabled. |
MongoDB security alerts disabled or deleted | MongoDB.OrganizationEvent | Rule | MongoDB provides security alerting policies for notifying admins when certain conditions are met. This rule detects when these policies are disabled or deleted. |
MongoDB user roles changed | MongoDB.OrganizationEvent | Rule | User roles changed. |
MongoDB user was created or deleted | MongoDB.OrganizationEvent | Rule | User was created or deleted. |
Monitor Unauthorized API Calls | AWS.CloudTrail | Rule | An unauthorized AWS API call was made |
Netskope Many Objects Deleted | Netskope.Audit | Rule | A user deleted a large number of objects in a short period of time. |
Netskope Many Unauthorized API Calls | Netskope.Audit | Rule | Many unauthorized API calls were observed for a user in a short period of time. |
New Admission Controller Created | Amazon.EKS.Audit | Scheduled Query | This detection monitors for a new admission controller being created in the cluster. Admission controllers allow an attacker to intercept all API requests made within a cluster, allowing for enumeration of resources and common actions. This can be a very powerful tool to understand where to pivot to next. |
New AWS Account Created | AWS.CloudTrail | Rule | A new AWS account was created |
New DaemonSet Deployed to Kubernetes | Amazon.EKS.Audit | Scheduled Query | This detection monitors for a new DaemonSet deployed to a Kubernetes cluster. A DaemonSet is a workload that guarantees the presence of exactly one instance of a specific pod on every node in the cluster. This can be a very powerful tool for establishing persistence. |
New IAM Credentials Updated | AWS.CloudTrail | Rule | A console password, access key, or user has been created. |
New User Account Created | AWS.CloudTrail OneLogin.Events Zoom.Operation | Rule | A new account was created |
Notion Audit Log Exported | Notion.AuditLogs | Rule | A Notion User exported audit logs for your organization’s workspace. |
Notion Login FOLLOWED BY AccountChange | Notion.AuditLogs | Correlation Rule | A Notion User logged in then changed their account details. |
Notion Login From Blocked IP | Notion.AuditLogs | Rule | A user attempted to access Notion from a blocked IP address. Note: before deploying, make sure to add Rule Filters checking if event.ip_address is in a certain CIDR range(s). |
Notion Login from New Location | Notion.AuditLogs | Rule | A Notion User logged in from a new location. |
Notion Many Pages Deleted | Notion.AuditLogs | Scheduled Rule | A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour. |
Notion Many Pages Deleted Query | Notion.AuditLogs | Scheduled Query | A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour. |
Notion Many Pages Exported | Notion.AuditLogs | Rule | A Notion User exported multiple pages. |
Notion Page API Permissions Changed | Notion.AuditLogs | Rule | A new API integration was added to a Notion page, or its permissions were changed. |
Notion Page Guest Permissions Changed | Notion.AuditLogs | Rule | The external guest permissions for a Notion page have been altered. |
Notion Page Published to Web | Notion.AuditLogs | Rule | A Notion User published a page to the web. |
Notion SAML SSO Configuration Changed | Notion.AuditLogs | Rule | A Notion User changed settings to enforce SAML SSO configurations for your organization. |
Notion SCIM Token Generated | Notion.AuditLogs | Rule | A Notion User generated a SCIM token. |
Notion Sharing Settings Updated | Notion.AuditLogs | Rule | A Notion User enabled sharing for a Workspace or Teamspace. |
Notion Teamspace Owner Added | Notion.AuditLogs | Rule | A Notion User was added as a Teamspace owner. |
Notion Workspace Exported | Notion.AuditLogs | Rule | A Notion User exported an existing workspace. |
Notion Workspace public page added | Notion.AuditLogs | Rule | A Notion page was set to public in your workspace. |
Okta Admin Access Granted | Okta.SystemLog | Scheduled Query | Audit instances of admin access granted in your okta tenant |
Okta Admin Role Assigned | Okta.SystemLog | Rule | A user has been granted administrative privileges in Okta |
Okta AiTM Phishing Attempt Blocked by FastPass | Okta.SystemLog | Rule | Okta FastPass detected a user targeted by attackers wielding real-time (AiTM) proxies. |
Okta API Key Created | Okta.SystemLog | Rule | A user created an API Key in Okta |
Okta API Key Revoked | Okta.SystemLog | Rule | A user has revoked an API Key in Okta |
Okta App Refresh Access Token Reuse | Okta.SystemLog | Rule | When a client wants to renew an access token, it sends the refresh token with the access token request to the /token Okta endpoint. Okta validates the incoming refresh token, issues a new set of tokens and invalidates the refresh token that was passed with the initial request. This detection alerts when a previously used refresh token is used again with the token request. |
Okta App Unauthorized Access Attempt | Okta.SystemLog | Rule | Detects when a user is denied access to an Okta application |
Okta Cleartext Passwords Extracted via SCIM Application | Okta.SystemLog | Rule | An application admin has extracted cleartext user passwords via a SCIM app. Malicious actors can extract plaintext passwords by creating a SCIM application under their control and configuring it to sync passwords from Okta. |
Okta Group Admin Role Assigned | Okta.SystemLog | Rule | Detect when an admin role is assigned to a group |
Okta HAR File IOCs | Okta.SystemLog | Saved Query | https://sec.okta.com/harfiles |
Okta Identity Provider Created or Modified | Okta.SystemLog | Rule | A new 3rd party Identity Provider has been created or modified. Attackers have been observed configuring a second Identity Provider to act as an "impersonation app" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target. |
Okta Identity Provider Sign-in | Okta.SystemLog | Rule | A user has signed in using a 3rd party Identity Provider. Attackers have been observed configuring a second Identity Provider to act as an "impersonation app" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target. From this “source” IdP, the threat actor manipulated the username parameter for targeted users in the second “source” Identity Provider to match a real user in the compromised “target” Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user. Do not use this rule if your organization uses legitimate 3rd-party Identity Providers. |
Okta Investigate MFA and Password resets | Okta.SystemLog | Scheduled Query | Investigate Password and MFA resets for the last 7 days |
Okta Investigate Session ID Activity | Okta.SystemLog | Scheduled Query | Search for activity related to a specific SessionID in Okta panther_logs.okta_systemlog |
Okta Investigate User Activity | Okta.SystemLog | Scheduled Query | Audit user activity across your environment. Customize to filter on specific users, time ranges, etc |
Okta Login From CrowdStrike Unmanaged Device | Crowdstrike.AIDMaster Okta.SystemLog | Scheduled Query | Okta Logins from an IP Address not found in CrowdStrike's AIP List |
Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent table) | Crowdstrike.FDREvent Okta.SystemLog | Scheduled Query | Okta Logins from an IP Address not found in CrowdStrike's AIP List (crowdstrike_fdrevent table) |
Okta MFA Globally Disabled | Okta.SystemLog | Rule | An admin user has disabled the MFA requirement for your Okta account |
Okta New Behaviors Accessing Admin Console | Okta.SystemLog | Rule | New behaviors observed while accessing the Okta Admin Console. A user attempted to access the Okta Admin Console from a new device with a new IP. |
Okta Org2Org application created or modified | Okta.SystemLog | Rule | An Okta Org2Org application has been created or modified. Okta's Org2Org application instances are used to push and match users from one Okta organization to another. A malicious actor can add an Org2Org application instance and create a user in the source organization (controlled by the attacker) with the same identifier as a Super Administrator in the target organization. |
Okta Password Accessed | Okta.SystemLog | Rule | User accessed another user's application password |
Okta Potentially Stolen Session | Okta.SystemLog | Rule | This rule looks for the same session being used from two devices, indicating a compromised session token. |
Okta Rate Limits | Okta.SystemLog | Rule | Potential DoS/Bruteforce attack or hitting limits (system degradation) |
Okta Sign-In from VPN Anonymizer | Okta.SystemLog | Rule | A user is attempting to sign-in to Okta from a known VPN anonymizer. The threat actor would access the compromised account using anonymizing proxy services. |
Okta Support Access | Okta.SystemLog | Scheduled Query | Show instances that Okta support was granted to your account |
Okta Support Access Granted | Okta.SystemLog | Rule | An admin user has granted access to Okta Support to your account |
Okta Support Reset Credential | Okta.SystemLog | Rule | A Password or MFA factor was reset by Okta Support |
Okta ThreatInsight Security Threat Detected | Okta.SystemLog | Rule | Okta ThreatInsight identified request from potentially malicious IP address |
Okta User Account Locked | Okta.SystemLog | Rule | An Okta user has locked their account. |
Okta User MFA Factor Suspend | Okta.SystemLog | Rule | Suspend factor or authenticator enrollment method for user. |
Okta User MFA Own Reset | Okta.SystemLog | Rule | User has reset one of their own MFA factors |
Okta User MFA Reset All | Okta.SystemLog | Rule | All MFA factors have been reset for a user. |
Okta User Reported Suspicious Activity | Okta.SystemLog | Rule | Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification. This detection alerts when a user marks the raised activity as suspicious. |
Okta Username Above 52 Characters Security Advisory | Okta.SystemLog | Saved Query | On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication. Customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23rd, 2024 to October 30th, 2024. https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/ |
OneLogin Active Login Activity | OneLogin.Events | Rule | Multiple user accounts logged in from the same ip address. |
OneLogin Authentication Factor Removed | OneLogin.Events | Rule | A user removed an authentication factor or otp device. |
OneLogin Failed High Risk Login | OneLogin.Events | Rule | A OneLogin attempt with a high risk factor (>50) resulted in a failed authentication. |
OneLogin High Risk Failed Login FOLLOWED BY Successful Login | OneLogin.Events | Correlation Rule | A OneLogin user successfully logged in after a failed high-risk login attempt. |
OneLogin Multiple Accounts Deleted | OneLogin.Events | Rule | Possible Denial of Service detected. Threshold for user account deletions exceeded. |
OneLogin Multiple Accounts Modified | OneLogin.Events | Rule | Possible Denial of Service detected. Threshold for user account password changes exceeded. |
OneLogin Password Access | OneLogin.Events | Rule | User accessed another user's application password |
OneLogin Unauthorized Access | OneLogin.Events | Rule | A OneLogin user was denied access to an app more times than the configured threshold. |
OneLogin User Assumed Another User | OneLogin.Events | Rule | User assumed another user account |
OneLogin User Locked | OneLogin.Events | Rule | User locked or suspended from their account. |
OneLogin User Password Changed | OneLogin.Events | Rule | A user password was updated. |
Osquery Agent Outdated | Osquery.Differential | Rule | Keep track of osquery versions; the current version is 5.10.2. |
OSQuery Detected SSH Listener | Osquery.Differential | Rule | Check if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment. |
OSQuery Detected Unwanted Chrome Extensions | Osquery.Differential | Rule | Monitor for chrome extensions that could lead to a credential compromise. |
OSQuery Reports Application Firewall Disabled | Osquery.Differential | Rule | Verifies that MacOS has automatic software updates enabled. |
OSSEC Rootkit Detected via Osquery | Osquery.Differential | Rule | Checks if any results are returned for the Osquery OSSEC Rootkit pack. |
Panther SAML configuration has been modified | Panther.Audit | Rule | An Admin has modified Panther's SAML configuration. |
Pod attached to the Node Host Network | Amazon.EKS.Audit | Scheduled Query | This detection monitors for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all compute deployed on that particular node and to communicate with other compute in the network namespace. Attackers can use this to capture secrets passed in arguments or connections. |
Pod Created or Modified Using the Host IPC Namespace | Amazon.EKS.Audit | Scheduled Query | This detection monitors for any pod creation or modification using the host IPC namespace. Deploying pods in the host IPC namespace breaks isolation between the pod and the underlying host, meaning the pod has direct access to the same IPC objects and communication channels as the host system. |
Pod Created or Modified Using the Host PID Namespace | Amazon.EKS.Audit | Scheduled Query | This detection monitors for any pod creation or modification using the host PID namespace. The host PID namespace enables a pod and its containers to have direct access to, and share the same view of, the host’s processes. This can offer a powerful escape hatch to the underlying host. |
Pod Created with Overly Permissive Linux Capabilities | Amazon.EKS.Audit | Scheduled Query | This detection monitors for a pod created with overly permissive linux capabilities. Excessive pod permissions and capabilities can be a launch point for privilege escalation or container breakout. |
Pod creation or modification to a Host Path Volume Mount | Amazon.EKS.Audit | Scheduled Query | This detection monitors for pod creation with a hostPath volume mount. The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement. |
Privileged Pod Created | Amazon.EKS.Audit | Scheduled Query | This detection monitors for a privileged pod being created, either by default or with permissions to run as root. These particular pods have full access to the host's namespaces and devices, the ability to exploit the kernel, and dangerous Linux capabilities, and can be a powerful launching point for further attacks. |
Push Security App Banner Acknowledged | PushSecurity.Activity | Rule | |
Push Security Authorized IdP Login | PushSecurity.Activity | Rule | Login to an application with an unauthorized identity provider, which could indicate a SAMLjacking attack. |
Push Security New App Detected | PushSecurity.Entities | Rule | |
Push Security New SaaS Account Created | PushSecurity.Entities | Rule | |
Push Security Open Security Finding | PushSecurity.Entities | Rule | |
Push Security Phishable MFA Method | PushSecurity.Entities | Rule | |
Push Security Phishing Attack | PushSecurity.Controls | Rule | |
Push Security SaaS App MFA Method Changed | PushSecurity.Entities | Rule | MFA method on SaaS app changed |
Push Security Unauthorized IdP Login | PushSecurity.Activity | Rule | Login to application with unauthorized identity provider which could indicate a SAMLjacking attack. |
RoleAssumes by Multiple Useragents | AWS.CloudTrail | Scheduled Query | RoleAssumes with multiple Useragents could indicate compromised credentials. |
Root Account Access Key Created | AWS.CloudTrail | Rule | An access key was created for the Root account |
Root Account Activity | AWS.CloudTrail | Rule | Root account activity was detected. |
Root Console Login | AWS.CloudTrail | Rule | The root account has been logged into. |
Root Password Changed | AWS.CloudTrail | Rule | Someone manually changed the Root console login password. |
S3 Bucket Deleted | AWS.CloudTrail | Rule | An S3 Bucket, Policy, or Website was deleted |
S3 Bucket Policy Confused Deputy Protection for Service Principals | AWS.S3.Bucket | Policy | Ensures that S3 bucket policies with service principals include conditions to prevent the confused deputy problem. |
Salesforce Admin Login As User | Salesforce.LoginAs | Rule | Salesforce detection that alerts when an admin logs in as another user. |
Secret Enumeration by a User | Amazon.EKS.Audit | Scheduled Query | This detection monitors for a large number of secrets requests by a single user. This could potentially indicate secret enumeration, which can potentially enable lateral or vertical movement and unauthorized access to critical resources. |
Secret Exposed and not Quarantined | AWS.CloudTrail GitHub.Audit | Correlation Rule | The rule detects when a GitHub Secret Scan detects an exposed secret, which is not followed by the expected quarantine operation in AWS. When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. |
Sensitive AWS CloudWatch Log Encryption | AWS.CloudWatch.LogGroup | Policy | AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data. |
SentinelOne Alert Passthrough | SentinelOne.Activity | Rule | SentinelOne Alert Passthrough |
SentinelOne Threats | SentinelOne.Activity | Rule | Passthrough SentinelOne Threats |
Sign In from Rogue State | AWS.CloudTrail Asana.Audit Atlassian.Audit Azure.Audit Box.Event Notion.AuditLogs Okta.SystemLog OneLogin.Events OnePassword.SignInAttempt Zendesk.Audit Zoom.Activity | Rule | Detects when an entity signs in from a nation associated with cyber attacks |
Slack Anomaly Detected | Slack.AuditLogs | Rule | Passthrough for anomalies detected by Slack |
Slack App Access Expanded | Slack.AuditLogs | Rule | Detects when a Slack App has had its permission scopes expanded |
Slack App Added | Slack.AuditLogs | Rule | Detects when a Slack App has been added to a workspace |
Slack App Removed | Slack.AuditLogs | Rule | Detects when a Slack App has been removed |
Slack Denial of Service | Slack.AuditLogs | Rule | Detects when a Slack admin invalidates user session(s). If it happens more than once in a 24 hour period it can lead to DoS |
Slack DLP Modified | Slack.AuditLogs | Rule | Detects when a Data Loss Prevention (DLP) rule has been deactivated or a violation has been deleted |
Slack EKM Config Changed | Slack.AuditLogs | Rule | Detects when the logging settings for a workspace's EKM configuration have changed |
Slack EKM Slackbot Unenrolled | Slack.AuditLogs | Rule | Detects when a workspace is no longer enrolled in EKM |
Slack EKM Unenrolled | Slack.AuditLogs | Rule | Detects when a workspace is no longer enrolled or managed by EKM |
Slack IDP Configuration Changed | Slack.AuditLogs | Rule | Detects changes to the identity provider (IdP) configuration for Slack organizations. |
Slack Information Barrier Modified | Slack.AuditLogs | Rule | Detects when a Slack information barrier is deleted/updated |
Slack Intune MDM Disabled | Slack.AuditLogs | Rule | Detects the disabling of Microsoft Intune Enterprise MDM within Slack |
Slack Legal Hold Policy Modified | Slack.AuditLogs | Rule | Detects changes to configured legal hold policies |
Slack MFA Settings Changed | Slack.AuditLogs | Rule | Detects changes to Multi-Factor Authentication requirements |
Slack Organization Created | Slack.AuditLogs | Rule | Detects when a Slack organization is created |
Slack Organization Deleted | Slack.AuditLogs | Rule | Detects when a Slack organization is deleted |
Slack Potentially Malicious File Shared | Slack.AuditLogs | Rule | Detects when a potentially malicious file is shared within Slack |
Slack Private Channel Made Public | Slack.AuditLogs | Rule | Detects when a channel that was previously private is made public |
Slack Service Owner Transferred | Slack.AuditLogs | Rule | Detects transferring of service owner on request from primary owner |
Slack SSO Settings Changed | Slack.AuditLogs | Rule | Detects changes to Single Sign On (SSO) restrictions |
Slack User Privilege Escalation | Slack.AuditLogs | Rule | Detects when a Slack user gains escalated privileges |
Slack User Privileges Changed to User | Slack.AuditLogs | Rule | Detects when a Slack account is changed to User from an elevated role. |
Snowflake Account Admin Granted | Snowflake.AccountUsage | Scheduled Rule | Detect when account admin is granted. |
Snowflake Attempted Login With Disabled User | Snowflake.LoginHistory | Scheduled Query | Returns instances where a disabled user's login credentials were used in a login attempt. |
Snowflake Brute Force Attacks by IP | Snowflake.AccountUsage | Scheduled Rule | Detect brute force attacks by monitoring for failed logins from the same IP address |
Snowflake Brute Force Attacks by User | Snowflake.LoginHistory | Rule | Detect brute force attacks by monitoring failed logins from the same IP address |
Snowflake Brute Force Attacks by Username | Snowflake.AccountUsage | Scheduled Rule | Detect brute force attacks by monitoring for failed logins by the same username |
Snowflake Brute Force Login Success | Snowflake.LoginHistory | Correlation Rule | Detecting brute force activity and reporting when a user has incorrectly logged in multiple times and then had a successful login. |
Snowflake Client IP | Snowflake.AccountUsage | Scheduled Rule | Monitor for malicious IPs interacting with Snowflake as part of ongoing cyber threat activity reported May 31st, 2024 |
Snowflake Configuration Drift | Snowflake.AccountUsage | Scheduled Rule | Monitor for configuration drift made by malicious actors as part of ongoing cyber threat activity reported May 31st, 2024 |
Snowflake Data Exfiltration | Snowflake.AccountUsage | Correlation Rule | In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization’s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled. |
Snowflake External Data Share | Snowflake.DataTransferHistory | Rule | Detect when an external share has been initiated from one source cloud to another target cloud. |
Snowflake External Share | Snowflake.AccountUsage | Scheduled Rule | Detect when an external share has been initiated from one source cloud to another target cloud. |
Snowflake File Downloaded | Snowflake.AccountUsage | Scheduled Rule | A file was downloaded from a stage |
Snowflake Grant to Public Role | Snowflake.GrantsToRoles | Rule | Detect additional grants to the public role. |
Snowflake Login Without MFA | Snowflake.AccountUsage | Scheduled Rule | Detect Snowflake logins without multi-factor authentication |
Snowflake Multiple Failed Logins Followed By Success | Snowflake.AccountUsage | Scheduled Rule | Detecting brute force activity and reporting when a user has incorrectly logged in multiple times and then had a successful login. |
Snowflake Successful Login | Snowflake.LoginHistory | Rule | Track successful login signals for correlation. |
Snowflake Table Copied Into Stage | Snowflake.AccountUsage | Scheduled Rule | A table was copied into a stage |
Snowflake Temporary Stage Created | Snowflake.AccountUsage | Scheduled Rule | A temporary stage was created |
Snowflake User Access | Snowflake.AccountUsage | Scheduled Rule | Return sessions of suspected clients as part of ongoing cyber threat activity reported May 31st, 2024 |
Snowflake User Created | Snowflake.AccountUsage | Scheduled Rule | Detect new users created in Snowflake |
Snowflake User Daily Query Volume Spike | Snowflake.QueryHistory | Scheduled Query | Returns instances where a user's cumulative daily query volume is much larger than normal. Could indicate exfiltration attempts. |
Snowflake User Daily Query Volume Spike - Threat Hunting | Panther.Audit Snowflake.QueryHistory | Saved Query | This query returns the most voluminous queries executed by a specific user over the past 48 hours. |
Snowflake User Enabled | Snowflake.AccountUsage | Scheduled Rule | Detect users being re-enabled in your environment |
Snowflake user with key-based auth logged in with password auth | Snowflake.AccountUsage | Scheduled Rule | Detect when a user that has key-based authentication configured logs in with a password |
Snowflake. | Snowflake.LoginHistory | Scheduled Rule | Detects when a login is attempted by a disabled user account. |
Snyk Miscellaneous Settings | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk settings that lack a clear security impact are changed |
Snyk Org or Group Settings Change | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Group or Organization Settings are changed. |
Snyk Org Settings | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Organization settings, like Integrations and Webhooks, are changed |
Snyk Project Settings | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Project settings are changed |
Snyk Role Change | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Roles are changed |
Snyk Service Account Change | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Service Accounts are changed |
Snyk System External Access Settings Changed | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Settings that control access for external parties have been changed. |
Snyk System Policy Settings Changed | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Policy Settings have been changed. Policies define Snyk's behavior when encountering security and licensing issues. |
Snyk System SSO Settings Changed | Snyk.GroupAudit | Rule | Detects when Snyk SSO Settings have been changed. The reference URL from Snyk indicates that these events are likely to originate exclusively from Snyk Support. |
Snyk User Management | Snyk.GroupAudit Snyk.OrgAudit | Rule | Detects when Snyk Users are changed |
StopInstance FOLLOWED BY ModifyInstanceAttributes | AWS.CloudTrail | Correlation Rule | Identifies when StopInstance and ModifyInstanceAttributes CloudTrail events occur within a short period of time. Since EC2 startup scripts cannot be modified without first stopping the instance, StopInstances should be treated as a signal. |
Sublime Flagged an Email | Sublime.MessageEvent | Rule | Sublime flagged some messages as suspicious. |
Sublime Mailbox Deactivated | Sublime.Audit | Rule | A Sublime User disabled some mailbox(es). |
Sublime Message Source Deleted Or Deactivated | Sublime.Audit | Rule | A Sublime User disabled or deleted some message source(s). |
Sublime Rules Deleted Or Deactivated | Sublime.Audit | Rule | A Sublime User disabled or deleted some rule(s). |
Suspicious cron detected | Osquery.Differential | Rule | A suspicious cron has been added |
Suspicious GSuite Login | GSuite.ActivityEvent | Rule | GSuite reported a suspicious login for this user. |
Suspicious Snowflake Sessions - Unusual Application | | Scheduled Query | This query can be used to detect unusual, non-common applications and client characteristics that have been used to connect to the Snowflake account, by comparison against the previous usage baseline. |
Tailscale HTTPS Disabled | Tailscale.Audit | Rule | A Tailscale User disabled HTTPS settings in your organization's tenant. |
Tailscale Machine Approval Requirements Disabled | Tailscale.Audit | Rule | A Tailscale User disabled machine approval requirement settings in your organization's tenant. This means devices can access your network without requiring approval. |
Tailscale Magic DNS Disabled | Tailscale.Audit | Rule | A Tailscale User disabled Magic DNS settings in your organization's tenant. |
Teleport Create User Accounts | Gravitational.TeleportAudit | Rule | A user has been manually created, modified, or deleted |
Teleport Network Scan Initiated | Gravitational.TeleportAudit | Rule | A user has invoked a network scan that could potentially indicate enumeration of the network. |
Teleport Scheduled Jobs | Gravitational.TeleportAudit | Rule | A user has manually edited the Linux crontab |
Teleport SSH Auth Errors | Gravitational.TeleportAudit | Rule | A high volume of SSH errors could indicate a brute-force attack |
Teleport Suspicious Commands Executed | Gravitational.TeleportAudit | Rule | A user has invoked a suspicious command that could lead to a host compromise |
Thinkst Canary DCRC | ThinkstCanary.Alert | Rule | A Canary has disconnected/reconnected. |
Thinkst Canary Incident | ThinkstCanary.Alert | Rule | A Canary incident has been detected. |
Thinkst Canarytoken Incident | ThinkstCanary.Alert | Rule | A Canarytoken incident has been detected. |
Tines Actions Disabled Change | Tines.Audit | Rule | Detects when Tines Actions are set to Disabled |
Tines Custom CertificateAuthority setting changed | Tines.Audit | Rule | Detects when Tines Custom CertificateAuthority settings are changed |
Tines Enqueued/Retrying Job Deletion | Tines.Audit | Rule | Currently enqueued or retrying jobs were cleared |
Tines Global Resource Destruction | Tines.Audit | Rule | A Tines user has destroyed a global resource. |
Tines SSO Settings | Tines.Audit | Rule | Detects when Tines SSO settings are changed |
Tines Story Items Destruction | Tines.Audit | Rule | A user has destroyed a story item |
Tines Story Jobs Clearance | Tines.Audit | Rule | A Tines User has cleared story jobs. |
Tines Team Destruction | Tines.Audit | Rule | A user has destroyed a team |
Tines Tenant API Keys Added | Tines.Audit | Rule | Detects when Tines Tenant API Keys are added |
Unauthenticated Kubernetes API Request | Amazon.EKS.Audit | Scheduled Query | This detection monitors for any unauthenticated Kubernetes API request. Unauthenticated requests are performed by the anonymous user and have unfederated access to the cluster. |
Unauthorized Kubernetes Pod Execution | Amazon.EKS.Audit | Scheduled Query | This detection monitors for any pod execution in a Kubernetes cluster. Pod execution should never be done in a production cluster, and can indicate a user performing unauthorized actions. |
Unsupported macOS version | Osquery.Differential | Rule | Check that all laptops in the corporate environment are on a version of macOS supported by IT. |
Unused AWS Region | AWS.CloudTrail | Rule | CloudTrail logged non-read activity from a verboten AWS region. |
Unusual 1Password Client Detected | OnePassword.SignInAttempt | Rule | Detects when unusual or undesirable 1Password clients access your 1Password account |
User Logged in as root | Gravitational.TeleportAudit | Rule | A User logged in as root |
User Logged in without MFA | Gravitational.TeleportAudit | Rule | A local User logged in without MFA |
VPC DNS Tunneling | AWS.VPCDns | Scheduled Rule | Detect DNS tunneling traffic using a scheduled query |
VPC Flow Logs Inbound Port Allowlist | AWS.VPCFlow OCSF.NetworkActivity | Rule | VPC Flow Logs observed inbound traffic violating the port allowlist. |
VPC Flow Logs Inbound Port Blocklist | AWS.VPCFlow OCSF.NetworkActivity | Rule | VPC Flow Logs observed inbound traffic violating the port blocklist. |
VPC Flow Logs Unapproved Outbound DNS Traffic | AWS.VPCFlow OCSF.NetworkActivity | Rule | Alerts if outbound DNS traffic is detected to a non-approved DNS server. DNS is often used as a means to exfiltrate data or perform command and control for compromised hosts. All DNS traffic should be routed through internal DNS servers or trusted 3rd parties. |
VPC Flow Port Scanning | AWS.VPCFlow | Scheduled Query | Instances of a srcAddr communicating with multiple ports on a dstAddr could indicate port scanning activity. |
Wiz Alert Passthrough Rule | Wiz.Issues | Rule | This rule enriches and contextualizes security alerts generated by Wiz. |
Wiz CICD Scan Policy Updated Or Deleted | Wiz.Audit | Rule | This rule detects updates and deletions of CICD scan policies. |
Wiz Connector Updated Or Deleted | Wiz.Audit | Rule | This rule detects updates and deletions of connectors. |
Wiz Data Classifier Updated Or Deleted | Wiz.Audit | Rule | This rule detects updates and deletions of data classifiers. |
Wiz Image Integrity Validator Updated Or Deleted | Wiz.Audit | Rule | This rule detects updates and deletions of image integrity validators. |
Wiz Integration Updated Or Deleted | Wiz.Audit | Rule | This rule detects updates and deletions of Wiz integrations. |
Wiz Revoke User Sessions | Wiz.Audit | Rule | This rule detects user sessions revoked. |
Wiz Rotate Service Account Secret | Wiz.Audit | Rule | This rule detects service account secrets rotations. |
Wiz Rule Change | Wiz.Audit | Rule | This rule detects creations, updates and deletions of Wiz rules. |
Wiz SAML Identity Provider Change | Wiz.Audit | Rule | This rule detects creations, updates and deletions of SAML identity providers. |
Wiz Service Account Change | Wiz.Audit | Rule | This rule detects creations, updates and deletions of service accounts. |
Wiz Update IP Restrictions | Wiz.Audit | Rule | This rule detects updates of IP restrictions. |
Wiz Update Login Settings | Wiz.Audit | Rule | This rule detects updates of Wiz login settings. |
Wiz Update Scanner Settings | Wiz.Audit | Rule | This rule detects updates of Wiz scanner settings. |
Wiz Update Support Contact List | Wiz.Audit | Rule | This rule detects updates of Wiz support contact list. |
Wiz User Created Or Deleted | Wiz.Audit | Rule | This rule detects creations and deletions of Wiz users. |
Wiz User Role Updated Or Deleted | Wiz.Audit | Rule | This rule detects updates and deletions of Wiz user roles. |
Zendesk Account Owner Changed | Zendesk.Audit | Rule | Only one admin user can be the account owner. Ensure the change in ownership is expected. |
Zendesk API Token Created | Zendesk.Audit | Rule | A user created a new API token to be used with Zendesk. |
Zendesk Credit Card Redaction Off | Zendesk.Audit | Rule | A user updated an account setting that disabled credit card redaction. |
Zendesk Mobile App Access Modified | Zendesk.Audit | Rule | A user updated an account setting that enabled or disabled mobile app access. |
Zendesk User Role Changed | Zendesk.Audit | Rule | A user's Zendesk role was changed |
Zendesk User Suspension Status Changed | Zendesk.Audit | Rule | A user's Zendesk suspension status was changed. |
ZIA Account Access Removed | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when admin user/role was deleted. |
ZIA Additional Cloud Roles | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when an additional cloud role was created. |
ZIA Backup Deleted | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when ZIA backup data was deleted. |
ZIA Cloud Account Created | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when new cloud account was created. |
ZIA Golden Restore Point Dropped | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when a ZIA goldenRestorePoint was dropped. This means that information which previously could not be deleted is now deletable. |
ZIA Insecure Password Settings | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when password settings are insecure. |
ZIA Log Streaming Disabled | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when ZIA log streaming was disabled. |
ZIA Logs Downloaded | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when ZIA Audit Logs were downloaded. |
ZIA Password Expiration | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when password expiration was set/removed. |
ZIA Trust Modification | Zscaler.ZIA.AdminAuditLog | Rule | This rule detects when SAML authentication was enabled/disabled. |
Zoom All Meetings Secured With One Option Disabled | Zoom.Operation | Rule | A Zoom User turned off your organization's requirement that all meetings are secured with one security option. |
Zoom Automatic Sign Out Disabled | Zoom.Operation | Rule | A Zoom User turned off your organization's setting to automatically sign users out after a specified period of time. |
Zoom Meeting Passcode Disabled | Zoom.Operation | Rule | Meeting passcode requirement has been disabled from usergroup |
Zoom New Meeting Passcode Required Disabled | Zoom.Operation | Rule | A Zoom User turned off your organization's setting to require passcodes for new meetings. |
Zoom Sign In Method Modified | Zoom.Operation | Rule | A Zoom User modified your organization's sign-in method. |
Zoom Sign In Requirements Changed | Zoom.Operation | Rule | A Zoom User changed your organization's sign in requirements. |
Zoom Two Factor Authentication Disabled | Zoom.Operation | Rule | A Zoom User disabled your organization's setting to sign in with Two-Factor Authentication. |
Zoom User Promoted to Privileged Role | Zoom.Operation | Rule | A Zoom user was promoted to a privileged role. |