Detection Coverage

Panther offers hundreds of ready-to-use detections. The table below lists each detection with its log types, detection type, and description.

Detection Log Type Type Description
1Password Login From CrowdStrike Unmanaged Device
Crowdstrike.AIDMaster
OnePassword.SignInAttempt
Scheduled RuleDetects 1Password Logins from IP addresses not found in CrowdStrike's AIP list. May indicate unmanaged device being used, or faulty CrowdStrike Sensor.
1Password Login From CrowdStrike Unmanaged Device Query
Crowdstrike.AIDMaster
OnePassword.SignInAttempt
Scheduled QueryLooks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List.
1Password Login From CrowdStrike Unmanaged Device Query (crowdstrike_fdrevent table)
Crowdstrike.FDREvent
OnePassword.SignInAttempt
Scheduled QueryLooks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List. (crowdstrike_fdrevent table)
A backdoored version of XZ or liblzma is vulnerable to CVE-2024-3094
Osquery.Differential
RuleDetects vulnerable versions of XZ and liblzma on Linux and MacOS using Osquery logs. Versions 5.6.0 and 5.6.1 of xz and liblzma are most likely vulnerable to backdoor exploit. Vuln management pack must be enabled: https://github.com/osquery/osquery/blob/master/packs/vuln-management.conf
A CloudTrail Was Created or Updated
AWS.CloudTrail
RuleA CloudTrail Trail was created, updated, or enabled.
A Login from Outside the Corporate Office
Osquery.Differential
RuleA system has been logged into from a non approved IP space.
A long-lived cert was created
Gravitational.TeleportAudit
RuleAn unusually long-lived Teleport certificate was created
A SAML Connector was created or modified
Gravitational.TeleportAudit
RuleA SAML connector was created or modified
A Teleport Lock was created
Gravitational.TeleportAudit
RuleA Teleport Lock was created
A Teleport Role was modified or created
Gravitational.TeleportAudit
RuleA Teleport Role was modified or created
A user authenticated with SAML, but from an unknown company domain
Gravitational.TeleportAudit
RuleA user authenticated with SAML, but from an unknown company domain
A User from the company domain(s) Logged in without SAML
Gravitational.TeleportAudit
RuleA User from the company domain(s) Logged in without SAML
A User Role with Sensitive Permissions has been Created
Panther.Audit
RuleA Panther user role has been created that contains admin level permissions.
A User's Panther Account was Modified
Panther.Audit
RuleA Panther user's role has been modified. This could mean password, email, or role has changed for the user.
Account Security Configuration Changed
AWS.CloudTrail
RuleAn account wide security configuration was changed.
Action Performed by Netskope Personnel
Netskope.Audit
RuleAn action was performed by Netskope personnel.
Admin logged out because of successive login failures
Netskope.Audit
RuleAn admin was logged out because of successive login failures.
Admin Role Assigned
Asana.Audit
Atlassian.Audit
GCP.AuditLog
GSuite.Reports
GitHub.Audit
OneLogin.Events
Zendesk.Audit
RuleAssigning an admin role manually could be a sign of privilege escalation
Amazon Machine Image (AMI) Modified to Allow Public Access
AWS.CloudTrail
RuleAn Amazon Machine Image (AMI) was modified to allow it to be launched by anyone. Any sensitive configuration or application data stored in the AMI's block devices is at risk.
An administrator account was created, deleted, or modified.
Netskope.Audit
RuleAn administrator account was created, deleted, or modified.
Anomalous AccessDenied Requests
AWS.CloudTrail
Scheduled QueryARNs with a high Access Denied error rate could indicate an error or compromised credentials attempting to perform reconnaissance.
AppOmni Alert Passthrough
AppOmni.Alerts
Rule
Asana Service Account Created
Asana.Audit
RuleAn Asana service account was created by someone in your organization.
Asana Team Privacy Public
Asana.Audit
RuleAn Asana team's privacy setting was changed to public to the organization (not public to internet)
Asana Workspace Default Session Duration Never
Asana.Audit
RuleAn Asana workspace's default session duration (how often users need to re-authenticate) has been changed to never.
Asana Workspace Email Domain Added
Asana.Audit
RuleA new email domain has been added to an Asana workspace. Reviewer should validate that the new domain is a part of the organization.
Asana Workspace Form Link Auth Requirement Disabled
Asana.Audit
RuleAn Asana Workspace Form Link is a unique URL that allows you to create a task directly within a specific Workspace or Project in Asana, using a web form. Disabling authentication requirements may allow unauthorized users to create tasks.
Asana Workspace Guest Invite Permissions Anyone
Asana.Audit
RuleTypically inviting guests to Asana is permitted by few users. Enabling anyone to invite guests can potentially lead to unauthorized users gaining access to Asana.
Asana Workspace New Admin
Asana.Audit
RuleAdmin role was granted to the user who previously did not have admin permissions
Asana Workspace Org Export
Asana.Audit
RuleAn Asana user started an org export.
Asana Workspace Password Requirements Simple
Asana.Audit
RuleAn asana user made your organization's password requirements less strict.
Asana Workspace Require App Approvals Disabled
Asana.Audit
RuleAn Asana user turned off app approval requirements for an application type for your organization.
Asana Workspace SAML Optional
Asana.Audit
RuleAn Asana user made SAML optional for your organization.
Atlassian admin impersonated another user
Atlassian.Audit
RuleReports when an Atlassian user logs in (impersonates) another user.
Auth0 CIC Credential Stuffing
Auth0.Events
RuleOkta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events.
Auth0 CIC Credential Stuffing Query
Auth0.Events
Saved QueryOkta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks
Auth0 Custom Role Created
Auth0.Events
RuleAn Auth0 User created a role in your organization's tenant.
Auth0 Integration Installed
Auth0.Events
RuleAn Auth0 integration was installed from the auth0 action library.
Auth0 mfa factor enabled
Auth0.Events
RuleAn Auth0 user enabled an mfa factor in your organization's mfa settings.
Auth0 MFA Policy Disabled
Auth0.Events
RuleAn Auth0 User disabled MFA for your organization's tenant.
Auth0 MFA Policy Enabled
Auth0.Events
RuleAn Auth0 User enabled MFA Policy for your organization's tenant.
Auth0 MFA Risk Assessment Disabled
Auth0.Events
RuleAn Auth0 User disabled the mfa risk assessment setting for your organization's tenant.
Auth0 MFA Risk Assessment Enabled
Auth0.Events
RuleAn Auth0 User enabled the mfa risk assessment setting for your organization's tenant.
Auth0 Post Login Action Flow Updated
Auth0.Events
RuleAn Auth0 User updated a post login action flow for your organization's tenant.
Auth0 User Invitation Created
Auth0.Events
Rule
Auth0 User Joined Tenant
Auth0.Events
RuleUser accepted invitation from Auth0 member to join an Auth0 tenant.
AWS Access Key Rotation
AWS.IAM.RootUser
AWS.IAM.User
PolicyThis policy validates that AWS IAM account access keys are rotated every 90 days. Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.
AWS Access Key Uploaded to Github
AWS.CloudTrail
RuleA users static AWS API key was uploaded to a public github repo.
AWS Access Keys At Account Creation
AWS.IAM.RootUser
AWS.IAM.User
PolicyThis policy validates that AWS IAM user accounts do not have access keys that were created during account creation. This results in excess keys being generated, and unnecessary management work in auditing and rotating these keys.
AWS ACM Certificate Expiration
AWS.ACM.Certificate
PolicyWhen a certificate is 60 days away from expiration, ACM automatically attempts to renew it every hour.
AWS ACM Certificate Status
AWS.ACM.Certificate
PolicyThis policy checks if an ACM certificate renewal is pending or has failed and is in use by any other resources within the account.
AWS ACM Secure Algorithms
AWS.ACM.Certificate
PolicyThis policy validates that all ACM certificates are using secure key and signature algorithms.
AWS AMI Sharing
AWS.EC2.AMI
PolicyThis policy ensures that AMIs you have created are not configured to allow public access, which could result in accidental data loss. AMI's that you use but do not own are not evaluated by this policy.
AWS Application Load Balancer Web ACL
AWS.ELBV2.ApplicationLoadBalancer
PolicyThis policy validates that all application load balancers have an associated Web ACl to enforce protections against various web attacks.
AWS Authentication from CrowdStrike Unmanaged Device
AWS.CloudTrail
Crowdstrike.AIDMaster
Scheduled QueryDetects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List
AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)
AWS.CloudTrail
Crowdstrike.FDREvent
Scheduled QueryDetects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List
AWS CDE EC2 Volume Encryption
AWS.EC2.Volume
PolicyThis policy ensures that all EC2 volumes that contain CDE are encrypted. Be sure to configure CDE definitions before enabling this policy.
AWS CloudFormation Stack Drift
AWS.CloudFormation.Stack
PolicyA stack has drifted from its defined configuration.
AWS CloudFormation Stack IAM Service Role
AWS.CloudFormation.Stack
PolicyAssociating IAM roles with CloudFormation stacks ensures least privilege when making changes to your account.
AWS CloudFormation Stack Termination Protection
AWS.CloudFormation.Stack
PolicyProtects a CloudFormation stack from accidentally being deleted. If you attempt to delete a stack with termination protection enabled, the deletion fails and the stack, including its status, will remain unchanged.
AWS CloudTrail Account Discovery
AWS.CloudTrail
RuleAdversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
AWS CloudTrail CloudWatch Logs
AWS.CloudTrail
PolicyCloudTrail supports sending data and management events to CloudWatch Logs. This setup can be used for real-time processing of all CloudTrail data events.
AWS CloudTrail Least Privilege Access
AWS.IAM.Group
PolicyUsers with permissions to disable or reconfigure CloudTrail should be limited.
AWS CloudTrail Log Encryption
AWS.CloudTrail
PolicyThis policy validates that CloudTrail Logs are encrypted at rest with customer managed KMS key.
AWS CloudTrail Log Validation
AWS.CloudTrail
PolicyThis policy ensures that CloudTrail logs have file integrity validation enabled.
AWS CloudTrail Management Events Enabled
AWS.CloudTrail.Meta
PolicyThis policy ensures that at least one CloudTrail has management (control plane) operations logged.
AWS CloudTrail Password Policy Discovery
AWS.CloudTrail
RuleThis detection looks for *AccountPasswordPolicy events in AWS CloudTrail logs. If these events occur in a short period of time from the same ARN, it could constitute Password Policy reconnaissance.
AWS CloudTrail Retention Lifecycle Too Short
AWS.CloudTrail
RuleDetects when an S3 bucket containing CloudTrail logs has been modified to delete data after a short period of time.
AWS CloudTrail S3 Bucket Access Logging
AWS.CloudTrail
PolicyThis policy validates that the bucket receiving CloudTrail Logs is configured with S3 Access Logging. This audits all creation, modification, or deletion to CloudTrail audit logs.
AWS CloudTrail S3 Bucket Public
AWS.CloudTrail
PolicyThis policy validates that CloudTrail S3 buckets are not publicly accessible.
AWS CloudWatch Log Encryption
AWS.CloudWatch.LogGroup
PolicyAWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data.
AWS CloudWatch Logs Data Retention
AWS.CloudWatch.LogGroup
PolicyBy default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a specific retention period.
AWS command executed on the command line
Osquery.Differential
RuleAn AWS command was executed on a Linux instance
AWS Compromised IAM Key Quarantine
AWS.CloudTrail
RuleDetects when an IAM user has the AWSCompromisedKeyQuarantineV2 policy attached to their account.
AWS Config Global Resources
AWS.Config.Recorder.Meta
PolicyYou can have AWS Config record supported types of global resources, such as IAM users, groups, roles, and customer managed policies.
AWS Config Recording Status
AWS.Config.Recorder
PolicyThis policy ensures that the config recorder is operational and capturing changes to your account without error.
AWS Config Records All Resource Types
AWS.Config.Recorder
PolicyThis policy ensurers that you have a comprehensive configuration audit in place for all resource types in AWS.
AWS Config Service Created
AWS.CloudTrail
RuleAn AWS Config Recorder or Delivery Channel was created
AWS Config Service Disabled
AWS.CloudTrail
RuleAn AWS Config Recorder or Delivery Channel was disabled or deleted
AWS Config Status
AWS.Config.Recorder
PolicyThis policy ensures that the config recorder is operational and capturing changes to your account.
AWS Console Login
AWS.CloudTrail
Rule
AWS Console Sign-In NOT PRECEDED BY Okta Redirect
AWS.CloudTrail
Okta.SystemLog
Correlation RuleA user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta, both log sources configured, and Actor Profiles enabled.
AWS DNS Crypto Domain
AWS.VPCDns
OCSF.DnsActivity
RuleIdentifies clients that may be performing DNS lookups associated with common currency mining pools.
AWS DNS Logs Deleted
AWS.CloudTrail
RuleDetects when logs for a DNS Resolver have been removed.
AWS DynamoDB Table Autoscaling
AWS.DynamoDB.Table
PolicyDynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic
AWS DynamoDB Table Autoscaling Configuration
AWS.DynamoDB.Table
PolicyDynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic
AWS DynamoDB Table TTL
AWS.DynamoDB.Table
PolicyThis policy validates that all DynamoDB tables have a TTL field configured.
AWS EC2 AMI Approved Host
AWS.EC2.Instance
PolicyChecks that AWS EC2 AMI's are only launched on approved dedicated hosts.
AWS EC2 AMI Approved Instance Type
AWS.EC2.Instance
PolicyThis policy ensures that the EC2 instance is running with an instance type approved for its AMI.
AWS EC2 AMI Approved Tenancy
AWS.EC2.Instance
PolicyThis policy ensures that the EC2 instance was launched with a tenancy approved for its AMI.
AWS EC2 EBS Encryption Disabled
AWS.CloudTrail
RuleIdentifies disabling of default EBS encryption. Disabling default encryption does not change the encryption status of existing volumes.
AWS EC2 Image Monitoring
AWS.CloudTrail
RuleChecks CloudTrail for occurrences of EC2 Image Actions.
AWS EC2 Instance Approved AMI
AWS.EC2.Instance
PolicyThis policy ensures the given EC2 instance is running an AMI from the approved list of AMI's.
AWS EC2 Instance Approved Host
AWS.EC2.Instance
PolicyThis policy ensures the given EC2 Instance is running on an approved dedicated host.
AWS EC2 Instance Approved Instance Type
AWS.EC2.Instance
PolicyThis policy ensures that the EC2 instance is running on one of the approved instance types.
AWS EC2 Instance Approved Tenancy
AWS.EC2.Instance
PolicyThis policy ensures the given EC2 Instance is running with an approved tenancy option. The possible tenancy options are dedicated, host, and default.
AWS EC2 Instance Approved VPC
AWS.EC2.Instance
PolicyThis policy ensures that the given EC2 Instance is running in an approved VPC.
AWS EC2 Instance Detailed Monitoring
AWS.EC2.Instance
PolicyThis policy ensures that the AWS Instance has Detailed Monitoring Enabled
AWS EC2 Instance EBS Optimization
AWS.EC2.Instance
PolicyThis policy ensures EBS optimization is enabled for the given EC2 instance, if applicable.
AWS EC2 Manual Security Group Change
AWS.CloudTrail
RuleAn EC2 security group was manually updated without abiding by the organization's accepted processes. This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS.
AWS EC2 Startup Script Change
AWS.CloudTrail
RuleDetects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
AWS EC2 Traffic Mirroring
AWS.CloudTrail
RuleThis rule captures multiple traffic mirroring events in AWS Cloudtrail.
AWS EC2 Volume Encryption
AWS.EC2.Volume
PolicyYou can encrypt both the boot and data volumes of an EC2 instance.
AWS EC2 Volume Snapshot Encryption
AWS.EC2.Volume
PolicyYou can encrypt the snapshot of an EC2 volume to protect against accidental data loss
AWS EC2 Vulnerable XZ Image Launched
AWS.CloudTrail
RuleDetecting EC2 instances launched with AMIs containing potentially vulnerable versions of XZ (CVE-2024-3094)
AWS ECR Events
AWS.CloudTrail
RuleAn ECR event occurred outside of an expected account or region
AWS ELB SSL Policies
AWS.ELBV2.ApplicationLoadBalancer
PolicyEnsures that deprecated TLS versions are not supported in internet-facing load balancers
AWS Enforces SSL Policies
AWS.ELBV2.ApplicationLoadBalancer
PolicyThis policy validates that ELBV2 load balancer listeners are using an SSL policy.
AWS GuardDuty Enabled
AWS.GuardDuty.Detector.Meta
PolicyGuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
AWS GuardDuty High Severity Finding
AWS.GuardDuty
RuleA high-severity GuardDuty finding has been identified.
AWS GuardDuty Low Severity Finding
AWS.GuardDuty
RuleA low-severity GuardDuty finding has been identified.
AWS GuardDuty Master Account
AWS.GuardDuty.Detector
PolicyEnsure that all GuardDuty logs are sending into a single Master account. This is a best practice for centralizing detection logic and useful data during an investigation.
AWS GuardDuty Medium Severity Finding
AWS.GuardDuty
RuleA medium-severity GuardDuty finding has been identified.
AWS IAM Group Read Only Events
AWS.CloudTrail
RuleThis rule captures multiple read/list events related to IAM group management in AWS Cloudtrail.
AWS IAM Group Users
AWS.IAM.Group
PolicyThis Policy ensures that all IAM groups have at least one IAM user. If they are vacant, they should be deleted.
AWS IAM Password Unused
AWS.IAM.User
PolicyThis policy validates IAM users with console passwords have logged in within the past 90 days.
AWS IAM Policy Administrative Privileges
AWS.IAM.Policy
PolicyThis policy validates that there are no IAM policies that grant full administrative privileges to IAM users or groups.
AWS IAM Policy Assigned to User
AWS.IAM.User
PolicyThis policy validates that there are no IAM policies assigned directly to users. Best practice suggests assigning to an IAM group and placing users within that group.
AWS IAM Policy Blocklist
AWS.IAM.Group
AWS.IAM.Role
AWS.IAM.User
PolicyThis detects the usage of highly permissive IAM Policies that should only be assigned to a small number of users, roles, or groups.
AWS IAM Policy Does Not Grant Any Administrative Access
AWS.IAM.Policy
PolicyThis policy validates that no IAM policies grant admin access. This should be combined with suppressions on the legitimate IAM admin policies in your account so that it only fires when new and unexpected policies granting admin access are created.
AWS IAM Policy Does Not Grant Network Admin Access
AWS.IAM.Policy
PolicyThis policy validates that no IAM policies grant admin privileges on network resources. This should be used in conjunction with suppressions for the legitimate network admin policies in your account.
AWS IAM Policy Role Mapping
AWS.IAM.Policy
PolicyThis policy validates that policies that have been explicitly configured to be set to certain roles are still attached to those roles.
AWS IAM Resource Does Not Have Inline Policy
AWS.IAM.Group
AWS.IAM.User
PolicyThis policy validates that no IAM entities have inline policies assigned. Inline policies are more difficult to administer and audit, and may lead to access that lasts longer than intended.
AWS IAM Role Grants (permission) to Non-organizational Account
AWS.IAM.Role
PolicyThis policy validates that IAM roles that grant the (specified) permission do not allow accounts outside the organization to assume them.
AWS IAM Role Restricts Usage
AWS.IAM.Role
PolicyThis policy validates that IAM roles in the account are restrictive in what entities may assume them. This can help prevent malicious actors from assuming roles they should not be assuming.
AWS IAM User MFA
AWS.IAM.User
PolicyThis policy validates that all AWS IAM users with access to the AWS Console have Multi-Factor Authentication (MFA) enabled.
AWS IAM User Not In Conflicting Groups
AWS.IAM.User
PolicyThis policy validates that IAM users are not in IAM groups that are considered mutually exclusive. For example, in some workflows developers are responsible for dev environments and sysadmins are responsible for prod environments. In this situation no (or very few) users should be in both sysadmin and developer groups. This is in following with the principle of least privilege.
AWS KMS CMK Key Rotation
AWS.KMS.Key
PolicyThis policy validates that customer master keys (CMKs) have automatic key rotation enabled.
AWS KMS Key Restricts Usage
AWS.KMS.Key
PolicyThis policy validates that KMS Keys restrict what entities can use them and how. This is to ensure that encryption keys are limited in who can use them in order to prevent unapproved decryption.
AWS Macie Disabled/Updated
AWS.CloudTrail
RuleAmazon Macie is a data security and data privacy service to discover and protect sensitive data. Security teams use Macie to detect open S3 Buckets that could have potentially sensitive data in it along with policy violations, such as missing Encryption. If an attacker disables Macie, it could potentially hide data exfiltration.
AWS Modify Cloud Compute Infrastructure
AWS.CloudTrail
RuleDetection when EC2 compute infrastructure is modified outside of expected automation methods.
AWS Network ACL Overly Permissive Entry Created
AWS.CloudTrail
RuleA Network ACL entry that allows access from anywhere was added.
AWS Network ACL Restricts Inbound Traffic
AWS.EC2.NetworkACL
PolicyThis policy validates that Network ACLs restrict inbound traffic in some way.
AWS Network ACL Restricts Insecure Protocols
AWS.EC2.NetworkACL
PolicyThis policy validates that Network ACLs block the usage of ports typically associated with insecure or unencrypted protocols.
AWS Network ACL Restricts Outbound Traffic
AWS.EC2.NetworkACL
PolicyThis policy validates that Network ACLs have some restrictions on outbound traffic.
AWS Network ACL Restricts SSH
AWS.EC2.NetworkACL
PolicySSH access should only be granted from protected network CIDR ranges.
AWS Password Policy Complexity Guidelines
AWS.PasswordPolicy
PolicyThis policy validates that the account password policy enforces the recommended password complexity requirements.
AWS Password Policy Password Age Limit
AWS.PasswordPolicy
PolicyThis policy validates that the account password policy enforces a maximum password age of 90 days or less.
AWS Password Policy Password Reuse
AWS.PasswordPolicy
PolicyThis policy validates that the account password policy prevents users from re-using previous passwords, and prevents password reuse for 24 or more prior passwords.
AWS Potentially Stolen Service Role
AWS.CloudTrail
Scheduled QueryA role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.
AWS Privilege Escalation Via User Compromise
AWS.CloudTrail
Correlation Rule
AWS Public RDS Restore
AWS.CloudTrail
RuleDetects the recovery of a new public database instance from a snapshot. It may be part of data exfiltration.
AWS RDS Instance Backup
AWS.RDS.Instance
PolicyThis Policy ensures that RDS Instances have Backups enabled. Backups are an important aspect of disaster recovery that can protect sensitive data from destruction.
AWS RDS Instance Encryption
AWS.RDS.Instance
PolicyThis policy validates that RDS instances have encryption enabled.
AWS RDS Instance Has Acceptable Backup Retention Period
AWS.RDS.Instance
PolicyThis policy validates that RDS instances are configured with a backup retention period that is acceptable to company policy. This ensures for both compliance and security reasons that records are kept for a minimum period of time, and for compliance and performance reasons that records are not kept indefinitely.
AWS RDS Instance High Availability
AWS.RDS.Instance
PolicyThis Policy ensures that RDS Instances have are running in High Availability mode to provide redundancy in the event of an operational failure. For Aurora, storage is replicated across all the Availability Zones and doesn't require this setting.
AWS RDS Instance Minor Version Upgrades
AWS.RDS.Instance
PolicyIf you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database.
AWS RDS Instance Public Access
AWS.RDS.Instance
PolicyThis Policy checks that an RDS Instance is not accessible from the public internet.
AWS RDS Instance Snapshot Public Access
AWS.RDS.Instance
PolicyThis policy validates that RDS Instance snapshots are not publicly restorable. This would allow anyone to restore an old version of your database and have full access to its contents.
AWS RDS Manual/Public Snapshot Created
AWS.CloudTrail
RuleA manual snapshot of an RDS database was created. An attacker may use this to exfiltrate the DB contents to another account; use this as a correlation rule.
AWS RDS Master Password Updated
AWS.CloudTrail
RuleA sensitive database operation that should be performed carefully or rarely
AWS RDS Snapshot Shared
AWS.CloudTrail
RuleAn RDS snapshot was shared with another account. This could be an indicator of exfiltration.
AWS Redshift Cluster Encryption
AWS.Redshift.Cluster
PolicyThis policy validates that Redshift Clusters have encryption enabled.
AWS Redshift Cluster Has Acceptable Snapshot Retention Period
AWS.Redshift.Cluster
PolicyThis policy validates that Redshift Cluster snapshot retention periods are set to an appropriate time. This ensures that records are kept long enough for compliance and security reasons, but no too long for compliance and performance reasons.
AWS Redshift Cluster Logging
AWS.Redshift.Cluster
PolicyThis policy validates that Redshift Cluster have logging enabled. This includes audit logs.
AWS Redshift Cluster Maintenance Window
AWS.Redshift.Cluster
PolicyThis policy validates that Redshift Clusters have the correct preferred maintenance window configured.
AWS Redshift Cluster Snapshot Retention
AWS.Redshift.Cluster
PolicyThis policy validates that Redshift Clusters have sufficient snapshot retention periods, so that snapshots are not lost before they are needed.
AWS Redshift Cluster Version Upgrade
AWS.Redshift.Cluster
PolicyThis policy validates that Redshift Clusters automatically perform upgrades during scheduled maintenance windows.
AWS Resource Made Public
AWS.CloudTrail
RuleSome AWS resource was made publicly accessible over the internet. Checks ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS, and Secrets Manager.
AWS Resource Minimum Tags
AWS.EC2.Instance
AWS.EC2.SecurityGroup
AWS.EC2.VPC
AWS.IAM.User
PolicyThis policy ensures that applicable resources have a minimum number of tags set.
AWS Resource Required Tags
AWS.EC2.Instance
AWS.EC2.SecurityGroup
AWS.EC2.VPC
AWS.IAM.User
PolicyThis policy ensures that AWS resources have specific tags, dependent on their resource type.
AWS Root Account Access Keys
AWS.IAM.RootUser
PolicyThis policy validates that no programmatic access keys exist for the root account.
AWS Root Account Hardware MFA
AWS.IAM.RootUser
PolicyThis policy validates that a hardware MFA device is in use for access to the root account.
AWS Root Account MFA
AWS.IAM.RootUser
PolicyThis policy validates that Multi Factor Authentication (MFA) is required for access to the root account.
AWS S3 Access Error
AWS.S3ServerAccess
RuleChecks for errors during S3 Object access. This could be due to insufficient access permissions, non-existent buckets, or other reasons.
AWS S3 Access IP Allowlist
AWS.S3ServerAccess
RuleChecks that the remote IP accessing the S3 bucket is in the IP allowlist.
AWS S3 Bucket Action Restrictions
AWS.S3.Bucket
PolicyEnsures that the S3 bucket policy does not allow any action on the bucket, in accordance with the principal of least privilege.
AWS S3 Bucket Encryption
AWS.S3.Bucket
PolicyEnsures that the S3 bucket has encryption enabled.
AWS S3 Bucket Lifecycle Configuration
AWS.S3.Bucket
PolicyVerifies that the S3 Bucket Object Lifecycle configuration expires data within 90 and 365 days.
AWS S3 Bucket Logging
AWS.S3.Bucket
PolicyEnsures that a logging policy is set for the S3 bucket.
AWS S3 Bucket MFA Delete
AWS.S3.Bucket
Policy: Ensures that MFA delete is enabled for a bucket so that all objects can only be deleted by users authenticated with MFA.
AWS S3 Bucket Name DNS Compliance
AWS.S3.Bucket
Policy: This policy validates that the AWS S3 bucket name is DNS compliant.
AWS S3 Bucket Object Lock Configured
AWS.S3.Bucket
Policy: This policy validates that S3 buckets have an Object Lock configuration enabled. This should be used with specific suppression lists to ensure it is applied only to appropriate S3 buckets, such as those containing CloudTrail or other auditable records.
AWS S3 Bucket Policy Allow With Not Principal
AWS.S3.Bucket
Policy: Prevents the use of a 'Not' principal in conjunction with an Allow effect in an S3 bucket policy, which would grant global access to the resource to everyone except the principals specified.
AWS S3 Bucket Policy Modified
AWS.CloudTrail
Rule: An S3 Bucket was modified.
AWS S3 Bucket Principal Restrictions
AWS.S3.Bucket
Policy: This policy validates that S3 Bucket access policies do not allow all users (Principal:"*") for a given action on the bucket, in accordance with the principle of least privilege.
AWS S3 Bucket Public Access Block
AWS.S3.Bucket
Policy: Ensures that a Public Access Block Configuration is set for the given S3 bucket.
AWS S3 Bucket Public Read
AWS.S3.Bucket
Policy: Ensures that the S3 bucket is not publicly readable.
AWS S3 Bucket Public Write
AWS.S3.Bucket
Policy: Ensures that the S3 bucket is not publicly writable.
AWS S3 Bucket Secure Access
AWS.S3.Bucket
Policy: Ensures access to S3 buckets is forced to use a secure (HTTPS) connection.
AWS S3 Bucket Versioning
AWS.S3.Bucket
Policy: Checks that object versioning is enabled in the S3 bucket.
AWS S3 Insecure Access
AWS.S3ServerAccess
Rule: Checks if HTTP (unencrypted) was used to access objects in an S3 bucket, as opposed to HTTPS (encrypted).
AWS S3 Unauthenticated Access
AWS.S3ServerAccess
Rule: Checks for S3 access attempts where the requester is not an authenticated AWS user.
AWS S3 Unknown Requester
AWS.S3ServerAccess
Rule: Validates that proper IAM entities are accessing sensitive data buckets.
AWS SAML Activity
AWS.CloudTrail
Rule: Identifies when SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
AWS Security Group - Only DMZ Publicly Accessible
AWS.EC2.SecurityGroup
Policy: This policy validates that only Security Groups designated as DMZs allow inbound traffic from public IP space. This helps ensure no traffic is bypassing the DMZ.
AWS Security Group Administrative Ingress
AWS.EC2.SecurityGroup
Policy: This policy validates that AWS Security Groups don't allow unrestricted inbound traffic on port 3389 or 22, ports commonly used for the remote access protocols RDP and SSH respectively.
AWS Security Group Restricts Access To CDE
AWS.EC2.SecurityGroup
Policy: This policy validates that Security Groups considered part of the PCI CDE do not allow any access from public IP space.
AWS Security Group Restricts Inbound Traffic
AWS.EC2.SecurityGroup
Policy: This policy validates that Security Groups have some restrictions on inbound traffic.
AWS Security Group Restricts Inter-SG Traffic
AWS.EC2.SecurityGroup
Policy: This policy validates that Security Groups have restrictions on inter-Security-Group traffic. Administrators may assume there is an implicit level of trust between Security Groups in the same account, but this is not always a good assumption in cases where one Security Group contains far more sensitive data than another.
AWS Security Group Restricts Outbound Traffic
AWS.EC2.SecurityGroup
Policy: This policy validates that Security Groups have some restrictions on outbound traffic.
AWS Security Group Restricts Traffic Leaving CDE
AWS.EC2.SecurityGroup
Policy: This policy validates that there are restrictions on what type of traffic may leave Security Groups that are considered within the scope of the PCI CDE. These restrictions help ensure that cardholder data does not leave the CDE.
AWS Security Group Tightly Restricts Inbound Traffic
AWS.EC2.SecurityGroup
Policy: This policy validates that Security Groups have restrictive permission sets that both limit the total number of open ports and limit ports typically associated with insecure protocols.
AWS Security Group Tightly Restricts Outbound Traffic
AWS.EC2.SecurityGroup
Policy: This policy validates that Security Groups have restrictive controls on outbound traffic.
AWS SecurityHub Finding Evasion
AWS.CloudTrail
Rule: Detects modification of findings in SecurityHub.
AWS Snapshot Made Public
AWS.CloudTrail
Rule: An AWS storage snapshot was made public.
AWS Software Discovery
AWS.CloudTrail
Rule: A user is obtaining a list of security software, configurations, defensive tools, and sensors that are in AWS.
AWS SSO Access Token Retrieved by Unauthenticated IP
AWS.CloudTrail
Correlation Rule: When using AWS in an enterprise environment, best practices dictate the use of a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing roles and permissions in multiple AWS accounts to be managed centrally. In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing, just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level.
AWS Trusted IPSet Modified
AWS.CloudTrail
Rule: Detects creation and updates of the list of trusted IPs used by GuardDuty and WAF. This could be used to disable security alerts against malicious IPs.
AWS Unsuccessful MFA attempt
AWS.CloudTrail
Rule: Monitors application logs for suspicious events, including repeated MFA failures that may indicate a user's primary credentials have been compromised.
AWS Unused Access Key
AWS.IAM.User
Policy: This policy validates that IAM user access keys are used at least once every 90 days.
AWS User API Key Created
AWS.CloudTrail
Rule: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment.
AWS User Login Profile Created or Modified
AWS.CloudTrail
Rule: An attacker with iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console. May be legitimate account administration.
AWS User Login Profile Modified
AWS.CloudTrail
Rule: An attacker with iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console. May be legitimate account administration.
AWS User Takeover Via Password Reset
AWS.CloudTrail
Correlation Rule
AWS VPC Default Network ACL Restricts All Traffic
AWS.EC2.VPC
Policy: This policy validates that the default Network ACL for a given AWS VPC is restricting all inbound and outbound traffic.
AWS VPC Default Security Group Restrictions
AWS.EC2.VPC
Policy: This policy validates that the default Security Group for a given AWS VPC is restricting all inbound and outbound traffic.
AWS VPC Flow Logs
AWS.EC2.VPC
Policy: This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled.
AWS VPC Flow Logs Removed
AWS.CloudTrail
Rule: Detects when flow logs for a VPC have been removed.
AWS VPC Healthy Log Status
AWS.VPCFlow
OCSF.NetworkActivity
Rule: Checks for the log status `SKIP-DATA`, which indicates that data was lost either to an internal server error or due to capacity constraints.
AWS WAF Disassociation
AWS.CloudTrail
Rule: Detection to alert when a WAF is disassociated from a resource.
AWS WAF Has XSS Predicate
AWS.WAF.Regional.WebACL
AWS.WAF.WebACL
Policy: This policy validates that all WAFs have at least one rule with a predicate matching on and blocking XSS attacks.
AWS WAF Logging Configured
AWS.WAF.Regional.WebACL
AWS.WAF.WebACL
Policy: Ensures that AWS WAF logging is enabled and that the logs are being sent to a valid destination (S3, CloudWatch, or Kinesis Firehose). Without logging, visibility into WAF activity is severely limited, increasing the risk of undetected attacks.
AWS WAF Rule Ordering
AWS.WAF.Regional.WebACL
AWS.WAF.WebACL
Policy: This policy validates that all WAFs have the correct rule ordering. Incorrect rule ordering could lead to less restrictive rules being matched and allowing traffic through before more restrictive rules that should have blocked the traffic.
AWS WAF WebACL Has Associated Resources
AWS.WAF.Regional.WebACL
AWS.WAF.WebACL
Policy: This policy ensures that AWS WAF WebACLs are associated with at least one resource (ALB, CloudFront Distribution, or API Gateway). If a WebACL is not associated with any resources, it is inactive and not providing any protection.
AWS.CloudTrail.UserAccessKeyAuth
AWS.CloudTrail
Rule
Azure Many Failed SignIns
Azure.Audit
Rule: This detection looks for a number of failed sign-ins for the same ServicePrincipalName or UserPrincipalName.
Azure RiskLevel Passthrough
Azure.Audit
Rule: This detection surfaces an alert based on riskLevelAggregated, riskLevelDuringSignIn, and riskState. riskLevelAggregated and riskLevelDuringSignIn are only expected for Azure AD Premium P2 customers.
Azure SignIn via Legacy Authentication Protocol
Azure.Audit
Rule: This detection looks for successful logins that used legacy authentication protocols.
BETA - Sensitive 1Password Item Accessed
OnePassword.ItemUsage
Rule: Alerts when an item from a user-defined list of sensitive items in 1Password is accessed.
Box Access Granted
Box.Event
Rule: A user granted access to their Box account to Box technical support from account settings.
Box Content Workflow Policy Violation
Box.Event
Rule: A user violated the content workflow policy.
Box event triggered by unknown or external user
Box.Event
Rule: An external user has triggered a Box enterprise event.
Box item shared externally
Box.Event
Rule: A user has shared an item and it is accessible to anyone with the share link (internal or external to the company). This rule requires that boxsdk[jwt] be installed in the environment.
Box Large Number of Downloads
Box.Event
Rule: A user has exceeded the threshold for number of downloads within a single time frame.
Box Large Number of Permission Changes
Box.Event
Rule: A user has exceeded the threshold for number of folder permission changes within a single time frame.
Box New Login
Box.Event
Rule: A user logged in from a new device.
Box Shield Detected Anomalous Download Activity
Box.Event
Rule: A user's download activity has changed significantly.
Box Shield Suspicious Alert Triggered
Box.Event
Rule: A user login event or session event was tagged as medium to high severity by Box Shield.
Box Untrusted Device Login
Box.Event
Rule: A user attempted to log in from an untrusted device.
Brute Force By IP
AWS.CloudTrail
Asana.Audit
Atlassian.Audit
Box.Event
GSuite.Reports
Okta.SystemLog
OneLogin.Events
OnePassword.SignInAttempt
Rule: An actor user was denied login access more times than the configured threshold.
Carbon Black Admin Role Granted
CarbonBlack.Audit
Rule: Detects when a user is granted Admin or Super Admin permissions.
Carbon Black API Key Created or Retrieved
CarbonBlack.Audit
Rule: Detects when a user creates a new API key or retrieves an existing key.
Carbon Black Data Forwarder Stopped
CarbonBlack.Audit
Rule: Detects when a user disables or deletes a Data Forwarder.
Carbon Black Log Entry Flagged
CarbonBlack.Audit
Rule: Detects when Carbon Black has flagged a log entry as important, such as failed login attempts and locked accounts.
Carbon Black Passthrough Rule
CarbonBlack.AlertV2
Rule: This rule enriches and contextualizes security alerts generated by Carbon Black. The alert title and description are dynamically updated based on data included in the alert log.
Carbon Black User Added Outside Org
CarbonBlack.Audit
Rule: Detects when a user from a different organization is added to Carbon Black.
Cisco Umbrella Domain Blocked
CiscoUmbrella.DNS
Rule: Monitors blocked domains.
Cisco Umbrella Domain Name Fuzzy Matching
CiscoUmbrella.DNS
Rule: Identifies lookups to suspicious domains that could indicate a phishing attack.
Cisco Umbrella Suspicious Domains
CiscoUmbrella.DNS
Rule: Monitors suspicious or known malicious domains.
Cloudflare Bot High Volume
Cloudflare.HttpRequest
Rule: Monitors for bots making HTTP requests at a rate higher than 2 req/sec.
Cloudflare L7 DDoS
Cloudflare.Firewall
Rule: Layer 7 Distributed Denial of Service (DDoS) detected.
CloudTrail EC2 StopInstances
AWS.CloudTrail
Rule: EC2 instances were stopped, as recorded in CloudTrail. This makes further changes to the instances possible.
CloudTrail Event Selectors Disabled
AWS.CloudTrail
Rule: A CloudTrail Trail was modified to exclude management events for one or more resource types.
CloudTrail Password Spraying
AWS.CloudTrail
Scheduled Rule: Detects password spraying against accounts using a scheduled query.
CloudTrail Stopped
AWS.CloudTrail
Rule: A CloudTrail Trail was modified.
CodeBuild Project made Public
AWS.CloudTrail
Rule: An AWS CodeBuild Project was made publicly accessible.
Configuration Required - Sensitive 1Password Item Accessed
OnePassword.ItemUsage
Rule: Alerts when an item from a user-defined list of sensitive items in 1Password is accessed.
Connection to Embargoed Country
Crowdstrike.FDREvent
Rule: Detection to alert when an internal asset is communicating with a sanctioned destination. This detection leverages Panther UDM and IPInfo enrichment.
Crowdstrike Admin Role Assigned
Crowdstrike.EventStreams
Rule: A user was assigned a privileged role.
Crowdstrike Allowlist Removed
Crowdstrike.EventStreams
Rule: A user deleted an allowlist.
Crowdstrike API Key Created
Crowdstrike.EventStreams
Rule: A user created an API Key in CrowdStrike.
Crowdstrike API Key Deleted
Crowdstrike.EventStreams
Rule: A user deleted an API Key in CrowdStrike.
Crowdstrike Credential Dumping Tool
Crowdstrike.FDREvent
Rule: Detects usage of tools commonly used for credential dumping.
Crowdstrike Cryptomining Tools
Crowdstrike.FDREvent
Rule: Detects the execution of known cryptocurrency mining tools.
Crowdstrike Detection Passthrough
Crowdstrike.DetectionSummary
Crowdstrike.FDREvent
Rule: Crowdstrike Falcon has detected malicious activity on a host.
Crowdstrike Detection Summary
Crowdstrike.EventStreams
Rule: Forwards any alerts generated by CrowdStrike to your Panther destinations.
Crowdstrike Ephemeral User Account
Crowdstrike.EventStreams
Correlation Rule: Detects when a user account is created and deleted within 12 hours. This aims to detect ephemeral user accounts infiltrators might use to avoid suspicion.
Crowdstrike FDR LOLBAS
Crowdstrike.FDREvent
Rule: Detects usage of living-off-the-land binaries and scripts (LOLBAS).
Crowdstrike IP Allowlist Changed
Crowdstrike.EventStreams
Rule: Updates were made to the Falcon console's allowlist. This could indicate a bad actor permitting access from another machine, or attackers preventing legitimate actors from accessing the console.
CrowdStrike Large Zip Creation
Crowdstrike.Unknown
Scheduled Query: Detects creation of large zip files, which can indicate attempts at exfiltration.
CrowdStrike Large Zip Creation (crowdstrike_fdrevent table)
Crowdstrike.FDREvent
Scheduled Query: Detects creation of large zip files, which can indicate attempts at exfiltration (crowdstrike_fdrevent table).
CrowdStrike MacOS Added Trusted Cert
Crowdstrike.FDREvent
Rule: Detects an attempt to install a root certificate on MacOS.
CrowdStrike MacOS Osascript as Administrator
Crowdstrike.FDREvent
Rule: Detects usage of osascript with administrator privileges.
CrowdStrike MacOS plutil Usage
Crowdstrike.FDREvent
Rule: Detects the usage of plutil to modify plist files. Plist files run on start up and are often used by attackers to maintain persistence.
Crowdstrike New Admin User Created
Crowdstrike.EventStreams
Correlation Rule: Detects when a user account is created and assigned admin permissions.
Crowdstrike New User Created
Crowdstrike.EventStreams
Rule: A new Crowdstrike user was created.
Crowdstrike Real Time Response (RTS) Session
Crowdstrike.FDREvent
Crowdstrike.Unknown
Rule: Alert when someone uses Crowdstrike's RTR (real-time response) capability to access a machine remotely to run commands.
Crowdstrike Remote Access Tool Execution
Crowdstrike.FDREvent
Rule: Detects usage of common remote access tools.
Crowdstrike Reverse Shell Tool Executed
Crowdstrike.FDREvent
Rule: Detects usage of tools commonly used to establish reverse shells on Windows machines.
Crowdstrike Single IP Allowlisted
Crowdstrike.EventStreams
Rule: A single IP (instead of a CIDR range) was allowlisted. This could indicate a bad actor permitting access from another machine.
Crowdstrike Systemlog Tampering
Crowdstrike.FDREvent
Rule: Detects when a user attempts to clear system logs.
Crowdstrike Unusual Parent Child Processes
Crowdstrike.FDREvent
Rule: Detects unusual parent-child process pairings.
Crowdstrike User Deleted
Crowdstrike.EventStreams
Rule: Someone has deleted multiple users.
Crowdstrike User Password Changed
Crowdstrike.EventStreams
Rule: A user's password was changed.
Crowdstrike WMI Query Detection
Crowdstrike.FDREvent
Rule: Detects execution of WMI queries involving information gathering or actions on remote systems, which could indicate reconnaissance or lateral movement.
CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails
GitLab.Audit
Rule: Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address.
CVE-2023-7028 - GitLab Production Password Reset Multiple Emails
GitLab.Production
Rule: Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address.
Decoy DynamoDB Accessed
AWS.SecurityFindingFormat
Rule: Actor accessed a decoy DynamoDB table.
Decoy IAM Assumed
AWS.SecurityFindingFormat
Rule: Actor assumed a decoy IAM role.
Decoy S3 Accessed
AWS.SecurityFindingFormat
Rule: Actor accessed S3 Manager decoy secret.
Decoy Secret Accessed
AWS.SecurityFindingFormat
Rule: Actor accessed a Secrets Manager decoy secret.
Decoy Systems Manager Parameter Accessed
AWS.SecurityFindingFormat
Rule: Actor accessed a decoy Systems Manager parameter.
Detect Reconnaissance from IAM Users
AWS.CloudTrail
Rule: An IAM user has a high volume of access denied API calls.
Detection content has been deleted from Panther
Panther.Audit
Rule: Detection content has been removed from Panther.
DNS Base64 Encoded Query
AWS.VPCDns
CiscoUmbrella.DNS
Crowdstrike.FDREvent
Rule: Detects DNS queries with Base64 encoded subdomains, which could indicate an attempt to obfuscate data exfiltration.
DNS request to denylisted domain
Crowdstrike.DNSRequest
Crowdstrike.FDREvent
Rule: A DNS request was made to a domain on an explicit denylist.
Dropbox Admin sign-in-as Session
Dropbox.TeamEvent
Rule: Alerts when an admin starts a sign-in-as session.
Dropbox Document/Folder Ownership Transfer
Dropbox.TeamEvent
Rule: Dropbox ownership of a document or folder has been transferred.
Dropbox External Share
Dropbox.TeamEvent
Rule: Dropbox item shared externally.
Dropbox Linked Team Application Added
Dropbox.TeamEvent
Rule: An application was linked to your Dropbox account.
Dropbox Many Deletes
Dropbox.TeamEvent
Scheduled Query: Dropbox Many Deletes
Dropbox Many Downloads
Dropbox.TeamEvent
Scheduled Query: Dropbox Many Downloads
Dropbox User Disabled 2FA
Dropbox.TeamEvent
Rule: A Dropbox user has disabled 2FA login.
Duo Admin App Integration Secret Key Viewed
Duo.Administrator
Rule: An administrator viewed a Secret Key for an Application Integration.
Duo Admin Bypass Code Created
Duo.Administrator
Rule: A Duo administrator created an MFA bypass code for an application.
Duo Admin Bypass Code Viewed
Duo.Administrator
Rule: An administrator viewed the MFA bypass code for a user.
Duo Admin Create Admin
Duo.Administrator
Rule: A new Duo Administrator was created.
Duo Admin Lockout
Duo.Administrator
Rule: Alert when a Duo administrator is locked out of their account.
Duo Admin Marked Push Fraudulent
Duo.Administrator
Rule: A Duo push was marked fraudulent by an admin.
Duo Admin MFA Restrictions Updated
Duo.Administrator
Rule: Detects changes to the allowed MFA factors administrators can use to log in to the admin panel.
Duo Admin New Admin API App Integration
Duo.Administrator
Rule: Identifies creation of new Admin API integrations for Duo.
Duo Admin Policy Updated
Duo.Administrator
Rule: A Duo Administrator updated a Policy, which governs how users authenticate.
Duo Admin SSO SAML Requirement Disabled
Duo.Administrator
Rule: Detects when SAML Authentication for Administrators is marked as Disabled or Optional.
Duo Admin User MFA Bypass Enabled
Duo.Administrator
Rule: An Administrator enabled a user to authenticate without MFA.
Duo User Action Reported as Fraudulent
Duo.Authentication
Rule: Alert when a user reports a Duo action as fraudulent.
Duo User Auth Denied For Anomalous Push
Duo.Authentication
Rule: A Duo authentication was denied due to an anomalous 2FA push.
Duo User Bypass Code Used
Duo.Authentication
Rule: A Duo user's bypass code was used to authenticate.
Duo User Denied For Endpoint Error
Duo.Authentication
Rule: A Duo user's authentication was denied due to a suspicious error on the endpoint.
EC2 Network ACL Modified
AWS.CloudTrail
Rule: An EC2 Network ACL was modified.
EC2 Network Gateway Modified
AWS.CloudTrail
Rule: An EC2 Network Gateway was modified.
EC2 Route Table Modified
AWS.CloudTrail
Rule: An EC2 Route Table was modified.
EC2 Security Group Modified
AWS.CloudTrail
Rule: An EC2 Security Group was modified.
EC2 VPC Modified
AWS.CloudTrail
Rule: An EC2 VPC was modified.
ECR CRUD Actions
AWS.CloudTrail
Rule: An unauthorized ECR Create, Read, Update, or Delete event occurred.
EKS Anonymous API Access Detected
Amazon.EKS.Audit
Rule: This rule detects anonymous API requests made to the Kubernetes API server. In production environments, anonymous access should be disabled to prevent unauthorized access to the API server.
EKS Audit Log based single sourceIP is generating multiple 403s
Amazon.EKS.Audit
Rule: This detection identifies if a public sourceIP is generating multiple 403s with the Kubernetes API server.
EKS Audit Log Reporting system Namespace is Used From A Public IP
Amazon.EKS.Audit
Rule: This detection identifies if an activity is recorded in the Kubernetes audit log where the user:username attribute begins with "system:" or "eks:" and the request's originating IP address is a public IP address.
Enabled Zendesk Support to Assume Users
Zendesk.Audit
Rule: A user enabled or disabled Zendesk support user assumption.
Exec into Pod
GCP.AuditLog
Rule: Alerts when users exec into a pod. Specific projects and allowed users can be configured.
Execution of Command Line Tool with Base64 Encoded Arguments
Crowdstrike.FDREvent
Rule: Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.
External GSuite File Share
GSuite.Reports
Rule: An employee shared a sensitive file externally with another organization.
Failed Root Console Login
AWS.CloudTrail
Rule: A Root console login failed.
GCP Access Attempts Violating IAP Access Controls
GCP.HTTPLoadBalancer
Rule: GCP Access Attempts Violating IAP Access Controls
GCP Access Attempts Violating VPC Service Controls
GCP.AuditLog
Rule: An access attempt violating VPC service controls (such as Perimeter controls) has been made.
GCP BigQuery Large Scan
GCP.AuditLog
Rule: Detects any BigQuery query that is doing a very large scan (> 1 GB).
GCP Cloud Run Service Created
GCP.AuditLog
Rule: Detects creation of a new Cloud Run Service, which, if configured maliciously, may be part of an attack that invokes the service to retrieve the access token.
GCP Cloud Run Service Created FOLLOWED BY Set IAM Policy
GCP.AuditLog
Correlation Rule: Detects the run.services.create method for privilege escalation in GCP. The exploit creates a new Cloud Run Service that, when invoked, returns the Service Account's access token by accessing the metadata API of the server it is running on.
GCP Cloud Run Set IAM Policy
GCP.AuditLog
Rule: Detects new roles granted to users on Cloud Run Services. This could potentially allow the user to perform actions within the project and its resources, which could pose a security risk.
GCP Cloud Storage Buckets Modified Or Deleted
GCP.AuditLog
Rule: Detects GCP cloud storage bucket updates and deletes.
GCP CloudBuild Potential Privilege Escalation
GCP.AuditLog
Rule: Detects privilege escalation attacks designed to gain access to the Cloud Build Service Account. A user with permissions to start a new build with Cloud Build can gain access to the Cloud Build Service Account and abuse it for more access to the environment.
GCP cloudfunctions functions create
GCP.AuditLog
Rule: The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.
GCP cloudfunctions functions update
GCP.AuditLog
Rule: The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.
GCP compute.instances.create Privilege Escalation
GCP.AuditLog
Rule: Detects the compute.instances.create method for privilege escalation in GCP.
GCP Corporate Email Not Used
GCP.AuditLog
Rule: A Gmail account is being used instead of a corporate email.
GCP Destructive Queries
GCP.AuditLog
Rule: Detects any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate.
GCP DNS Zone Modified or Deleted
GCP.AuditLog
Rule: Detection for GCP DNS zones that are deleted, patched, or updated.
GCP Firewall Rule Created
GCP.AuditLog
Rule: This rule detects creations of GCP firewall rules.
GCP Firewall Rule Deleted
GCP.AuditLog
Rule: This rule detects deletions of GCP firewall rules.
GCP Firewall Rule Modified
GCP.AuditLog
Rule: This rule detects modifications to GCP firewall rules.
GCP GCS IAM Permission Changes
GCP.AuditLog
Rule: Monitoring changes to Cloud Storage bucket permissions may reduce the time to detect and correct permissions on a sensitive Cloud Storage bucket and the objects inside it.
GCP GKE Kubernetes Cron Job Created Or Modified
GCP.AuditLog
Rule: This detection monitors for any modifications or creations of a cron job in GKE. Attackers may create or modify an existing scheduled job in order to achieve cluster persistence.
GCP IAM Role Has Changed
GCP.AuditLog
Rule: A custom role has been created, deleted, or updated.
GCP IAM serviceAccounts getAccessToken Privilege Escalation
GCP.AuditLog
Rule: The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.
GCP IAM serviceAccounts signBlob
GCP.AuditLog
Rule: The iam.serviceAccounts.signBlob permission "allows signing of arbitrary payloads" in GCP. This means we can create a signed blob that requests an access token from the Service Account we are targeting.
GCP IAM serviceAccounts.signJwt Privilege Escalation
GCP.AuditLog
Rule: Detects the iam.serviceAccounts.signJwt method for privilege escalation in GCP. This method works by signing well-formed JSON web tokens (JWTs). The script for this method will sign a well-formed JWT and request a new access token belonging to the Service Account with it.
GCP iam.roles.update Privilege Escalation
GCP.AuditLog
Rule: If your user is assigned a custom IAM role, then iam.roles.update will allow you to update the "includedPermissions" on that role. Because it is assigned to you, you will gain the additional privileges, which could be anything you desire.
GCP Inbound SSO Profile Created
GCP.AuditLog
Rule
GCP K8s IOCActivity
GCP.AuditLog
Rule: This detection monitors for any Kubernetes API request originating from an Indicator of Compromise.
GCP K8s New Daemonset Deployed
GCP.AuditLog
Rule: Detects Daemonset creation in GCP Kubernetes clusters.
GCP K8s Pod Attached To Node Host Network
GCP.AuditLog
Rule: This detection monitors for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all compute deployed on that particular node and communicate with other compute on the network namespace. Attackers can use this to capture secrets passed in arguments or connections.
GCP K8S Pod Create Or Modify Host Path Volume Mount
GCP.AuditLog
Rule: This detection monitors for pod creation with a hostPath volume mount. The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities, or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement.
GCP K8s Pod Using Host PID Namespace
GCP.AuditLog
Rule: This detection monitors for any pod creation or modification using the host PID namespace. The host PID namespace enables a pod and its containers to have direct access to and share the same view of the host's processes. This can offer a powerful escape hatch to the underlying host.
GCP K8S Privileged Pod Created
GCP.AuditLog
Rule: Alerts when a user creates a privileged pod. These particular pods have full access to the host's namespace and devices, have the ability to exploit the kernel, have dangerous Linux capabilities, and can be a powerful launching point for further attacks. In the event of a successful container escape where a user is operating with root privileges, the attacker retains this role on the node.
GCP K8S Service Type NodePort Deployed
GCP.AuditLog
Rule: This detection monitors for any Kubernetes service deployed with type NodePort. A NodePort service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic there. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.
GCP Log Bucket or Sink Deleted
GCP.AuditLog
Rule: This rule detects deletions of GCP Log Buckets or Sinks.
GCP Logging Settings Modified
GCP.AuditLog
Rule: Detects any changes made to logging settings.
GCP Logging Sink Modified
GCP.AuditLog
Rule: This rule detects modifications to GCP Log Sinks.
GCP Org or Folder Policy Was Changed Manually
GCP.AuditLog
Rule: Alert if a GCP Org or Folder Policy was changed manually.
GCP Permissions Granted to Create or Manage Service Account Key
GCP.AuditLog
Rule: Permissions granted to impersonate a service account. This includes predefined service account IAM roles granted at the parent project, folder or organization level.
GCP Resource in Unused Region
GCP.AuditLog
Rule: Adversaries may create cloud instances in unused geographic service regions in order to evade detection.
GCP Service Account Access Denied
GCP.AuditLog
Rule: This rule detects deletions of GCP Log Buckets or Sinks.
GCP Service Account or Keys Created
GCP.AuditLog
Rule: Detects when a service account or key is created manually by a user instead of an automated workflow.
GCP serviceusage.apiKeys.create Privilege Escalation
GCP.AuditLog
RuleDetects serviceusage.apiKeys.create method for privilege escalation in GCP. By default, API Keys are created with no restrictions, which means they have access to the entire GCP project they were created in. We can capitalize on that fact by creating a new API key that may have more privileges than our own user.
GCP SQL Config Changes
GCP.AuditLog
RuleMonitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server.
GCP storage hmac keys create
GCP.AuditLog
RuleThere is a feature of Cloud Storage, “interoperability”, that provides a way for Cloud Storage to interact with storage offerings from other cloud providers, like AWS S3. As part of that, there are HMAC keys that can be created for both Service Accounts and regular users. We can escalate Cloud Storage permissions by creating an HMAC key for a higher-privileged Service Account.
GCP User Added to IAP Protected Service
GCP.AuditLog
RuleA user has been granted access to a IAP protected service.
GCP User Added to Privileged Group
GCP.AuditLog
RuleA user was added to a group with special previleges
GCP VPC Flow Logs Disabled
GCP.AuditLog
RuleVPC flow logs were disabled for a subnet.
GCP Workforce Pool Created or Updated
GCP.AuditLog
Rule
GCP Workload Identity Pool Created or Updated
GCP.AuditLog
Rule
GCP.Iam.ServiceAccountKeys.Create
GCP.AuditLog
RuleIf your user is assigned a custom IAM role, then iam.roles.update will allow you to update the “includedPermissons” on that role. Because it is assigned to you, you will gain the additional privileges, which could be anything you desire.
GCP.Privilege.Escalation.By.Deployments.Create
GCP.AuditLog
RuleDetects privilege escalation in GCP by taking over the deploymentsmanager.deployments.create permission
GCS Bucket Made Public
GCP.AuditLog
RuleAdversaries may access data objects from improperly secured cloud storage.
GitHub Action Failed
GitHub.Audit
RuleA monitored github action has failed.
GitHub Advanced Security Change WITHOUT Repo Archived
GitHub.Audit
Correlation RuleIdentifies when advances security change was made not to archive a repo. Eliminates false positives in the Advances Security Change Rule when the repo is archived.
GitHub Branch Protection Disabled
GitHub.Audit
RuleDisabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
GitHub Branch Protection Policy Override
GitHub.Audit
RuleBypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
GitHub Dependabot Vulnerability Dismissed
GitHub.Audit
RuleCreates an alert if a dependabot alert is dismissed without being fixed.
GitHub Org Authentication Method Changed
GitHub.Audit
RuleDetects changes to GitHub org authentication changes.
GitHub Org IP Allow List modified
GitHub.Audit
RuleDetects changes to a GitHub Org IP Allow List
Github Organization App Integration Installed
GitHub.Audit
RuleAn application integration was installed to your organization's GitHub account by someone in your organization.
Github Public Repository Created
GitHub.Audit
RuleA public GitHub repository was created.
GitHub Repository Archived
GitHub.Audit
RuleDetects when a repository is archived.
GitHub Repository Collaborator Change
GitHub.Audit
RuleDetects when a repository collaborator is added or removed.
GitHub Repository Created
GitHub.Audit
RuleDetects when a repository is created.
Github Repository Transfer
GitHub.Audit
RuleA user accepted a request to receive a transferred GitHub repository, a GitHub repository was transferred to another repository network, or a user sent a request to transfer a repository to another user or organization.
GitHub Repository Visibility Change
GitHub.Audit
RuleDetects when an organization repository visibility changes.
GitHub Secret Scanning Alert Created
GitHub.Audit
RuleGitHub detected a secret and created a secret scanning alert.
GitHub Security Change, includes GitHub Advanced Security
GitHub.Audit
RuleThe rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc.) are disabled.
GitHub Team Modified
GitHub.Audit
RuleDetects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control.
GitHub User Access Key Created
GitHub.Audit
RuleDetects when a GitHub user access key is created.
GitHub User Added or Removed from Org
GitHub.Audit
RuleDetects when a user is added or removed from a GitHub Org.
GitHub User Added to Org Moderators
GitHub.Audit
RuleDetects when a user is added to a GitHub org's list of moderators.
GitHub User Initial Access to Private Repo
GitHub.Audit
RuleDetects when a user initially accesses a private organization repository.
GitHub User Role Updated
GitHub.Audit
RuleDetects when a GitHub user role is upgraded to an admin or downgraded to a member
GitHub Web Hook Modified
GitHub.Audit
RuleDetects when a webhook is added, modified, or deleted
Google Accessed a GSuite Resource
GSuite.ActivityEvent
RuleGoogle accessed one of your GSuite resources directly, most likely in response to a support incident.
Google Drive High Download Count
GSuite.ActivityEvent
Scheduled RuleScheduled rule for the High Google Drive Download Count query which looks for incidents of more than 10 (tunable) downloads by a user in the past day.
Google Workspace Admin Custom Role
GSuite.ActivityEvent
RuleA Google Workspace administrator created a new custom administrator role.
Google Workspace Advanced Protection Program
GSuite.ActivityEvent
RuleYour organization's Google Workspace Advanced Protection Program settings were modified.
Google Workspace Apps Marketplace Allowlist
GSuite.ActivityEvent
RuleGoogle Workspace Marketplace application allowlist settings were modified.
Google Workspace Apps Marketplace New Domain Application
GSuite.ActivityEvent
RuleA Google Workspace User configured a new domain application from the Google Workspace Apps Marketplace.
Google Workspace Apps New Mobile App Installed
GSuite.ActivityEvent
RuleA new mobile application was added to your organization's mobile apps whitelist in Google Workspace Apps.
GSuite Calendar Has Been Made Public
GSuite.ActivityEvent
RuleA User or Admin Has Modified A Calendar To Be Public
GSuite Device Suspicious Activity
GSuite.ActivityEvent
RuleGSuite reported a suspicious activity on a user's device.
GSuite Document External Ownership Transfer
GSuite.ActivityEvent
RuleA GSuite document's ownership was transferred to an external party.
GSuite Drive Many Documents Deleted
GSuite.ActivityEvent
Scheduled RuleScheduled rule for the GSuite Drive Many Documents Deleted query. Looks for users who have deleted more than 10 (tunable) documents in the past day.
GSuite External Drive Document
GSuite.Reports
RuleA Google Drive resource became externally accessible.
GSuite Government Backed Attack
GSuite.ActivityEvent
RuleGSuite reported that it detected a government backed attack against your account.
GSuite Login Type
GSuite.ActivityEvent
RuleA login of a non-approved type was detected for this user.
Gsuite Mail forwarded to external domain
GSuite.ActivityEvent
RuleA user has configured mail forwarding to an external domain
GSuite Many Docs Deleted Query
GSuite.ActivityEvent
Scheduled QueryQuery to search for a user deleting many documents.
GSuite Many Docs Downloaded Query
GSuite.ActivityEvent
Scheduled QueryQuery to search for high document download counts by users.
GSuite Overly Visible Drive Document
GSuite.Reports
RuleA Google Drive resource that is overly visible has been modified.
GSuite Passthrough Rule Triggered
GSuite.ActivityEvent
RuleA GSuite rule was triggered.
GSuite User Advanced Protection Change
GSuite.ActivityEvent
RuleA user disabled advanced protection for themselves.
GSuite User Banned from Group
GSuite.ActivityEvent
RuleA GSuite user was banned from an enterprise group by moderator action.
GSuite User Device Compromised
GSuite.ActivityEvent
RuleGSuite reported a user's device has been compromised.
GSuite User Device Unlock Failures
GSuite.ActivityEvent
RuleSomeone failed to unlock a user's device multiple times in quick succession.
GSuite User Password Leaked
GSuite.ActivityEvent
RuleGSuite reported that a user's password has been compromised and disabled the account.
GSuite User Suspended
GSuite.ActivityEvent
RuleA GSuite user was suspended; the account may have been compromised by a spam network.
GSuite User Two Step Verification Change
GSuite.ActivityEvent
RuleA user disabled two step verification for themselves.
GSuite Workspace Calendar External Sharing Setting Change
GSuite.ActivityEvent
RuleA Workspace Admin Changed The Sharing Settings for Primary Calendars
GSuite Workspace Data Export Has Been Created
GSuite.ActivityEvent
RuleA Workspace Admin Has Created a Data Export
GSuite Workspace Gmail Default Routing Rule Modified
GSuite.ActivityEvent
RuleA Workspace Admin Has Modified A Default Routing Rule In Gmail
GSuite Workspace Gmail Pre-Delivery Message Scanning Disabled
GSuite.ActivityEvent
RuleA Workspace Admin Has Disabled Pre-Delivery Scanning For Gmail.
GSuite Workspace Gmail Security Sandbox Disabled
GSuite.ActivityEvent
RuleA Workspace Admin Has Disabled The Security Sandbox
GSuite Workspace Password Reuse Has Been Enabled
GSuite.ActivityEvent
RuleA Workspace Admin Has Enabled Password Reuse
GSuite Workspace Strong Password Enforcement Has Been Disabled
GSuite.ActivityEvent
RuleA Workspace Admin Has Disabled The Enforcement Of Strong Passwords
GSuite Workspace Trusted Domain Allowlist Modified
GSuite.ActivityEvent
RuleA Workspace Admin Has Modified The Trusted Domains List
IAM Assume Role Blocklist Ignored
AWS.CloudTrail
RuleA user assumed a role that was explicitly blocklisted for manual user assumption.
IAM Change
AWS.CloudTrail
RuleA change occurred in the IAM configuration. This could be a resource being created, deleted, or modified. This is a high-level view of changes, helpful to indicate how dynamic a certain IAM environment is.
IAM Entity Created Without CloudFormation
AWS.CloudTrail
RuleAn IAM Entity (Group, Policy, Role, or User) was created manually. IAM entities should be created in code to ensure that permissions are tracked and managed correctly.
IAM Inline Policy Network Admin
AWS.IAM.Group
AWS.IAM.Role
AWS.IAM.User
PolicyThis policy validates that IAM entities (Groups, Roles, and Users) do not have inline policies attached that grant network admin privileges. Inline policies are more difficult to track and audit than managed policies, and can lead to persistent unexpected access.
IAM Policy Modified
AWS.CloudTrail
RuleAn IAM Policy was changed.
Impossible Travel for Login Action
AWS.CloudTrail
Asana.Audit
Notion.AuditLogs
Okta.SystemLog
RuleA user has subsequent logins from two geographic locations that are very far apart
IOC Activity in K8 Control Plane
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for any Kubernetes API request originating from an Indicator of Compromise.
KMS CMK Disabled or Deleted
AWS.CloudTrail
RuleA KMS Customer Managed Key was disabled or scheduled for deletion. This could potentially lead to permanent loss of encrypted data.
Kubernetes Cron Job Created or Modified
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for any creation or modification of a cron job. Attackers may create or modify an existing scheduled job in order to achieve cluster persistence.
Kubernetes Pod Created in Pre-Configured or Default Name Spaces
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for any pod created in pre-configured or default namespaces. Only Cluster Admins should be creating pods in the kube-system namespace, and it is best practice not to run any cluster critical infrastructure here. The kube-public namespace is intended to be readable by unauthenticated users. The default namespace is shipped with the cluster and it is best practice not to deploy production workloads here. These namespaces may be used to evade defenses or hide attacker infrastructure.
Kubernetes Service with Type Node Port Deployed
Scheduled QueryThis detection monitors for any Kubernetes service deployed with type NodePort. A NodePort service exposes the set of pods backing the service to the outside network by opening a port on every node and redirecting traffic to those pods. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.
Lambda CRUD Actions
AWS.CloudTrail
RuleAn unauthorized Lambda Create, Read, Update, or Delete event occurred.
Logins Without MFA
AWS.CloudTrail
RuleA console login was made without multi-factor authentication.
Logins Without SAML
AWS.CloudTrail
RuleAn AWS console login was made without SAML/SSO.
MacOS ALF is misconfigured
Osquery.Differential
RuleThe application-level firewall blocks unwanted network connections made to your computer from other computers on your network.
MacOS Browser Credential Access
Scheduled QueryDetects processes that contain known browser credential files in arguments.
MacOS Browser Credential Access (crowdstrike_fdrevent table)
Crowdstrike.FDREvent
Scheduled QueryDetects processes that contain known browser credential files in arguments. (crowdstrike_fdrevent table)
MacOS Keyboard Events
Osquery.Differential
RuleA key logger has potentially been detected on a macOS system.
macOS Malware Detected with osquery
Osquery.Differential
RuleMalware has potentially been detected on a macOS system
Malicious Content Detected
Box.Event
RuleBox has detected malicious content, such as a virus.
Malicious SSO DNS Lookup
CiscoUmbrella.DNS
Crowdstrike.DNSRequest
Crowdstrike.FDREvent
Suricata.DNS
Zeek.DNS
RuleThe rule looks for DNS requests to sites potentially posing as SSO domains.
MFA Disabled
Atlassian.Audit
GitHub.Audit
Okta.SystemLog
Zendesk.Audit
RuleDetects when Multi-Factor Authentication (MFA) is disabled
Microsoft Exchange External Forwarding
Microsoft365.Audit.Exchange
RuleDetects creation of forwarding rule to external domains
Microsoft Graph Passthrough
MicrosoftGraph.SecurityAlert
RuleThe Microsoft Graph security API federates queries to all onboarded security providers, including Azure AD Identity Protection, Microsoft 365, Microsoft Defender (Cloud, Endpoint, Identity) and Microsoft Sentinel
Microsoft365 Brute Force Login by User
Microsoft365.Audit.AzureActiveDirectory
RuleA Microsoft365 user was denied login access several times
Microsoft365 External Document Sharing
Microsoft365.Audit.SharePoint
RuleDocument shared externally
Microsoft365 MFA Disabled
Microsoft365.Audit.AzureActiveDirectory
RuleA user's MFA has been removed
MongoDB 2FA Disabled
MongoDB.OrganizationEvent
Rule2FA was disabled.
MongoDB access allowed from anywhere
MongoDB.ProjectEvent
RuleAtlas only allows client connections to the database deployment from entries in the project's IP access list. This rule detects when 0.0.0.0/0 is added to that list, which allows access from anywhere.
MongoDB Atlas API Key Created
MongoDB.OrganizationEvent
RuleA MongoDB Atlas API key's access list was updated.
MongoDB External User Invited
MongoDB.OrganizationEvent
RuleAn external user has been invited to a MongoDB org.
MongoDB External User Invited (no config)
MongoDB.OrganizationEvent
RuleAn external user has been invited to a MongoDB org (no config).
MongoDB Identity Provider Activity
MongoDB.OrganizationEvent
RuleChanges to identity provider settings are privileged activities that should be carefully audited. Attackers may add or change IdP integrations to gain persistence in environments.
MongoDB logging toggled
MongoDB.ProjectEvent
RuleMongoDB logging toggled
MongoDB org membership restriction disabled
MongoDB.OrganizationEvent
RuleYou can configure Atlas to require API access lists at the organization level. When you enable the IP access list for the Atlas Administration API, all API calls in that organization must originate from a valid entry in the associated Atlas Administration API key access list. This rule detects when the IP access list requirement is disabled.
MongoDB security alerts disabled or deleted
MongoDB.OrganizationEvent
RuleMongoDB provides security alerting policies for notifying admins when certain conditions are met. This rule detects when these policies are disabled or deleted.
MongoDB user roles changed
MongoDB.OrganizationEvent
RuleUser roles changed.
MongoDB user was created or deleted
MongoDB.OrganizationEvent
RuleUser was created or deleted.
Monitor Unauthorized API Calls
AWS.CloudTrail
RuleAn unauthorized AWS API call was made
Netskope Many Objects Deleted
Netskope.Audit
RuleA user deleted a large number of objects in a short period of time.
Netskope Many Unauthorized API Calls
Netskope.Audit
RuleMany unauthorized API calls were observed for a user in a short period of time.
New Admission Controller Created
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for a new admission controller being created in the cluster. An admission controller allows an attacker to intercept all API requests made within a cluster, enabling enumeration of resources and common actions. This can be a very powerful tool to understand where to pivot to next.
New AWS Account Created
AWS.CloudTrail
RuleA new AWS account was created
New DaemonSet Deployed to Kubernetes
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for a new DaemonSet deployed to a Kubernetes cluster. A DaemonSet is a workload that guarantees the presence of exactly one instance of a specific pod on every node in the cluster. This can be a very powerful tool for establishing persistence.
New IAM Credentials Updated
AWS.CloudTrail
RuleA console password, access key, or user has been created.
New User Account Created
AWS.CloudTrail
OneLogin.Events
Zoom.Operation
RuleA new account was created
Notion Audit Log Exported
Notion.AuditLogs
RuleA Notion User exported audit logs for your organization’s workspace.
Notion Login FOLLOWED BY AccountChange
Notion.AuditLogs
Correlation RuleA Notion User logged in then changed their account details.
Notion Login From Blocked IP
Notion.AuditLogs
RuleA user attempted to access Notion from a blocked IP address. Note: before deploying, make sure to add Rule Filters checking whether event.ip_address is in a certain CIDR range(s).
Notion Login from New Location
Notion.AuditLogs
RuleA Notion User logged in from a new location.
Notion Many Pages Deleted
Notion.AuditLogs
Scheduled RuleA Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.
Notion Many Pages Deleted Query
Notion.AuditLogs
Scheduled QueryA Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.
Notion Many Pages Exported
Notion.AuditLogs
RuleA Notion User exported multiple pages.
Notion Page API Permissions Changed
Notion.AuditLogs
RuleA new API integration was added to a Notion page, or its permissions were changed.
Notion Page Guest Permissions Changed
Notion.AuditLogs
RuleThe external guest permissions for a Notion page have been altered.
Notion Page Published to Web
Notion.AuditLogs
RuleA Notion User published a page to the web.
Notion SAML SSO Configuration Changed
Notion.AuditLogs
RuleA Notion User changed settings to enforce SAML SSO configurations for your organization.
Notion SCIM Token Generated
Notion.AuditLogs
RuleA Notion User generated a SCIM token.
Notion Sharing Settings Updated
Notion.AuditLogs
RuleA Notion User enabled sharing for a Workspace or Teamspace.
Notion Teamspace Owner Added
Notion.AuditLogs
RuleA Notion User was added as a Teamspace owner.
Notion Workspace Exported
Notion.AuditLogs
RuleA Notion User exported an existing workspace.
Notion Workspace public page added
Notion.AuditLogs
RuleA Notion page was set to public in your workspace.
Okta Admin Access Granted
Okta.SystemLog
Scheduled QueryAudit instances of admin access granted in your Okta tenant.
Okta Admin Role Assigned
Okta.SystemLog
RuleA user has been granted administrative privileges in Okta
Okta AiTM Phishing Attempt Blocked by FastPass
Okta.SystemLog
RuleOkta FastPass detected a user targeted by attackers using real-time adversary-in-the-middle (AiTM) proxies.
Okta API Key Created
Okta.SystemLog
RuleA user created an API Key in Okta
Okta API Key Revoked
Okta.SystemLog
RuleA user has revoked an API Key in Okta
Okta App Refresh Access Token Reuse
Okta.SystemLog
RuleWhen a client wants to renew an access token, it sends the refresh token with the access token request to the Okta /token endpoint. Okta validates the incoming refresh token, issues a new set of tokens, and invalidates the refresh token that was passed with the initial request. This detection alerts when a previously used refresh token is used again with a token request.
Okta App Unauthorized Access Attempt
Okta.SystemLog
RuleDetects when a user is denied access to an Okta application
Okta Cleartext Passwords Extracted via SCIM Application
Okta.SystemLog
RuleAn application admin has extracted cleartext user passwords via a SCIM app. Malicious actors can extract plaintext passwords by creating a SCIM application under their control and configuring it to sync passwords from Okta.
Okta Group Admin Role Assigned
Okta.SystemLog
RuleDetect when an admin role is assigned to a group
Okta HAR File IOCs
Okta.SystemLog
Saved Queryhttps://sec.okta.com/harfiles
Okta Identity Provider Created or Modified
Okta.SystemLog
RuleA new 3rd party Identity Provider has been created or modified. Attackers have been observed configuring a second Identity Provider to act as an "impersonation app" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target.
Okta Identity Provider Sign-in
Okta.SystemLog
RuleA user has signed in using a 3rd party Identity Provider. Attackers have been observed configuring a second Identity Provider to act as an "impersonation app" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target. From this “source” IdP, the threat actor manipulated the username parameter for targeted users in the second “source” Identity Provider to match a real user in the compromised “target” Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user. Do not use this rule if your organization uses legitimate 3rd-party Identity Providers.
Okta Investigate MFA and Password resets
Okta.SystemLog
Scheduled QueryInvestigate Password and MFA resets for the last 7 days
Okta Investigate Session ID Activity
Okta.SystemLog
Scheduled QuerySearch for activity related to a specific SessionID in Okta panther_logs.okta_systemlog
Okta Investigate User Activity
Okta.SystemLog
Scheduled QueryAudit user activity across your environment. Customize to filter on specific users, time ranges, etc
Okta Login From CrowdStrike Unmanaged Device
Crowdstrike.AIDMaster
Okta.SystemLog
Scheduled QueryOkta Logins from an IP Address not found in CrowdStrike's AIP List
Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)
Crowdstrike.FDREvent
Okta.SystemLog
Scheduled QueryOkta Logins from an IP Address not found in CrowdStrike's AIP List (crowdstrike_fdrevent table)
Okta MFA Globally Disabled
Okta.SystemLog
RuleAn admin user has disabled the MFA requirement for your Okta account
Okta New Behaviors Accessing Admin Console
Okta.SystemLog
RuleNew Behaviors Observed while Accessing Okta Admin Console. A user attempted to access the Okta Admin Console from a new device with a new IP.
Okta Org2Org application created or modified
Okta.SystemLog
RuleAn Okta Org2Org application has been created or modified. Okta's Org2Org application instances are used to push and match users from one Okta organization to another. A malicious actor can add an Org2Org application instance and create a user in the source organization (controlled by the attacker) with the same identifier as a Super Administrator in the target organization.
Okta Password Accessed
Okta.SystemLog
RuleUser accessed another user's application password
Okta Potentially Stolen Session
Okta.SystemLog
RuleThis rule looks for the same session being used from two devices, indicating a compromised session token.
Okta Rate Limits
Okta.SystemLog
RulePotential DoS/brute-force attack, or rate limits being hit (system degradation).
Okta Sign-In from VPN Anonymizer
Okta.SystemLog
RuleA user is attempting to sign-in to Okta from a known VPN anonymizer. The threat actor would access the compromised account using anonymizing proxy services.
Okta Support Access
Okta.SystemLog
Scheduled QueryShow instances that Okta support was granted to your account
Okta Support Access Granted
Okta.SystemLog
RuleAn admin user has granted access to Okta Support to your account
Okta Support Reset Credential
Okta.SystemLog
RuleA Password or MFA factor was reset by Okta Support
Okta ThreatInsight Security Threat Detected
Okta.SystemLog
RuleOkta ThreatInsight identified request from potentially malicious IP address
Okta User Account Locked
Okta.SystemLog
RuleAn Okta user has locked their account.
Okta User MFA Factor Suspend
Okta.SystemLog
RuleA factor or authenticator enrollment method was suspended for a user.
Okta User MFA Own Reset
Okta.SystemLog
RuleUser has reset one of their own MFA factors
Okta User MFA Reset All
Okta.SystemLog
RuleAll MFA factors have been reset for a user.
Okta User Reported Suspicious Activity
Okta.SystemLog
RuleSuspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification. This detection alerts when a user marks the raised activity as suspicious.
Okta Username Above 52 Characters Security Advisory
Okta.SystemLog
Saved QueryOn October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication. Customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23rd, 2024 to October 30th, 2024. https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/
OneLogin Active Login Activity
OneLogin.Events
RuleMultiple user accounts logged in from the same ip address.
OneLogin Authentication Factor Removed
OneLogin.Events
RuleA user removed an authentication factor or OTP device.
OneLogin Failed High Risk Login
OneLogin.Events
RuleA OneLogin attempt with a high risk factor (>50) resulted in a failed authentication.
OneLogin High Risk Failed Login FOLLOWED BY Successful Login
OneLogin.Events
Correlation RuleA OneLogin user successfully logged in after a failed high-risk login attempt.
OneLogin Multiple Accounts Deleted
OneLogin.Events
RulePossible Denial of Service detected. Threshold for user account deletions exceeded.
OneLogin Multiple Accounts Modified
OneLogin.Events
RulePossible Denial of Service detected. Threshold for user account password changes exceeded.
OneLogin Password Access
OneLogin.Events
RuleUser accessed another user's application password
OneLogin Unauthorized Access
OneLogin.Events
RuleA OneLogin user was denied access to an app more times than the configured threshold.
OneLogin User Assumed Another User
OneLogin.Events
RuleUser assumed another user account
OneLogin User Locked
OneLogin.Events
RuleUser locked or suspended from their account.
OneLogin User Password Changed
OneLogin.Events
RuleA user password was updated.
Osquery Agent Outdated
Osquery.Differential
RuleKeeps track of osquery versions; the current version is 5.10.2.
OSQuery Detected SSH Listener
Osquery.Differential
RuleCheck if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment.
OSQuery Detected Unwanted Chrome Extensions
Osquery.Differential
RuleMonitor for chrome extensions that could lead to a credential compromise.
OSQuery Reports Application Firewall Disabled
Osquery.Differential
RuleVerifies that MacOS has automatic software updates enabled.
OSSEC Rootkit Detected via Osquery
Osquery.Differential
RuleChecks if any results are returned for the Osquery OSSEC Rootkit pack.
Panther SAML configuration has been modified
Panther.Audit
RuleAn Admin has modified Panther's SAML configuration.
Pod attached to the Node Host Network
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for the creation of pods attached to the host's network. This allows a pod to listen to all network traffic for all deployed compute on that node and to communicate with other compute in the host network namespace. Attackers can use this to capture secrets passed in arguments or connections.
Pod Created or Modified Using the Host IPC Namespace
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for any pod creation or modification using the host IPC namespace. Deploying pods in the host IPC namespace breaks isolation between the pod and the underlying host, meaning the pod has direct access to the same IPC objects and communication channels as the host system.
Pod Created or Modified Using the Host PID Namespace
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for any pod creation or modification using the host PID namespace. The host PID namespace gives a pod and its containers direct access to, and the same view of, the host's processes. This can offer a powerful escape hatch to the underlying host.
Pod Created with Overly Permissive Linux Capabilities
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for a pod created with overly permissive Linux capabilities. Excessive pod permissions and capabilities can be a launch point for privilege escalation or container breakout.
Pod creation or modification to a Host Path Volume Mount
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for pod creation with a hostPath volume mount. The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement.
Privileged Pod Created
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for a privileged pod being created, either by default or with permissions to run as root. These pods have full access to the host's namespaces and devices, the ability to exploit the kernel, and dangerous Linux capabilities, and can be a powerful launching point for further attacks.
Push Security App Banner Acknowledged
PushSecurity.Activity
Rule
Push Security Authorized IdP Login
PushSecurity.Activity
RuleLogin to application with unauthorized identity provider which could indicate a SAMLjacking attack.
Push Security New App Detected
PushSecurity.Entities
Rule
Push Security New SaaS Account Created
PushSecurity.Entities
Rule
Push Security Open Security Finding
PushSecurity.Entities
Rule
Push Security Phishable MFA Method
PushSecurity.Entities
Rule
Push Security Phishing Attack
PushSecurity.Controls
Rule
Push Security SaaS App MFA Method Changed
PushSecurity.Entities
RuleMFA method on SaaS app changed
Push Security Unauthorized IdP Login
PushSecurity.Activity
RuleLogin to application with unauthorized identity provider which could indicate a SAMLjacking attack.
RoleAssumes by Multiple Useragents
AWS.CloudTrail
Scheduled QueryRoleAssumes with multiple user agents could indicate compromised credentials.
Root Account Access Key Created
AWS.CloudTrail
RuleAn access key was created for the Root account
Root Account Activity
AWS.CloudTrail
RuleRoot account activity was detected.
Root Console Login
AWS.CloudTrail
RuleThe root account has been logged into.
Root Password Changed
AWS.CloudTrail
RuleSomeone manually changed the Root console login password.
S3 Bucket Deleted
AWS.CloudTrail
RuleAn S3 bucket, policy, or website was deleted.
S3 Bucket Policy Confused Deputy Protection for Service Principals
AWS.S3.Bucket
PolicyEnsures that S3 bucket policies with service principals include conditions to prevent the confused deputy problem.
Salesforce Admin Login As User
Salesforce.LoginAs
RuleSalesforce detection that alerts when an admin logs in as another user.
Secret Enumeration by a User
Amazon.EKS.Audit
Scheduled QueryThis detection monitors for a large number of secrets requests by a single user. This could potentially indicate secret enumeration, which can potentially enable lateral or vertical movement and unauthorized access to critical resources.
Secret Exposed and not Quarantined
AWS.CloudTrail
GitHub.Audit
Correlation RuleThe rule detects when a GitHub Secret Scan detects an exposed secret, which is not followed by the expected quarantine operation in AWS. When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them.
Sensitive AWS CloudWatch Log Encryption
AWS.CloudWatch.LogGroup
PolicyAWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data.
SentinelOne Alert Passthrough
SentinelOne.Activity
RuleSentinelOne Alert Passthrough
SentinelOne Threats
SentinelOne.Activity
RulePassthrough SentinelOne Threats
Sign In from Rogue State
AWS.CloudTrail
Asana.Audit
Atlassian.Audit
Azure.Audit
Box.Event
Notion.AuditLogs
Okta.SystemLog
OneLogin.Events
OnePassword.SignInAttempt
Zendesk.Audit
Zoom.Activity
RuleDetects when an entity signs in from a nation associated with cyber attacks
Slack Anomaly Detected
Slack.AuditLogs
RulePassthrough for anomalies detected by Slack
Slack App Access Expanded
Slack.AuditLogs
RuleDetects when a Slack App has had its permission scopes expanded
Slack App Added
Slack.AuditLogs
RuleDetects when a Slack App has been added to a workspace
Slack App Removed
Slack.AuditLogs
RuleDetects when a Slack App has been removed
Slack Denial of Service
Slack.AuditLogs
RuleDetects when a Slack admin invalidates user session(s). If it happens more than once in a 24-hour period, it can lead to DoS.
Slack DLP Modified
Slack.AuditLogs
RuleDetects when a Data Loss Prevention (DLP) rule has been deactivated or a violation has been deleted
Slack EKM Config Changed
Slack.AuditLogs
Rule
Detects when the logging settings for a workspace's EKM configuration have changed
Slack EKM Slackbot Unenrolled
Slack.AuditLogs
Rule
Detects when a workspace is no longer enrolled in EKM
Slack EKM Unenrolled
Slack.AuditLogs
Rule
Detects when a workspace is no longer enrolled in or managed by EKM
Slack IDP Configuration Changed
Slack.AuditLogs
Rule
Detects changes to the identity provider (IdP) configuration for Slack organizations.
Slack Information Barrier Modified
Slack.AuditLogs
Rule
Detects when a Slack information barrier is deleted/updated
Slack Intune MDM Disabled
Slack.AuditLogs
Rule
Detects the disabling of Microsoft Intune Enterprise MDM within Slack
Slack Legal Hold Policy Modified
Slack.AuditLogs
Rule
Detects changes to configured legal hold policies
Slack MFA Settings Changed
Slack.AuditLogs
Rule
Detects changes to Multi-Factor Authentication requirements
Slack Organization Created
Slack.AuditLogs
Rule
Detects when a Slack organization is created
Slack Organization Deleted
Slack.AuditLogs
Rule
Detects when a Slack organization is deleted
Slack Potentially Malicious File Shared
Slack.AuditLogs
Rule
Detects when a potentially malicious file is shared within Slack
Slack Private Channel Made Public
Slack.AuditLogs
Rule
Detects when a channel that was previously private is made public
Slack Service Owner Transferred
Slack.AuditLogs
Rule
Detects the transfer of service ownership on request from the primary owner
Slack SSO Settings Changed
Slack.AuditLogs
Rule
Detects changes to Single Sign On (SSO) restrictions
Slack User Privilege Escalation
Slack.AuditLogs
Rule
Detects when a Slack user gains escalated privileges
Slack User Privileges Changed to User
Slack.AuditLogs
Rule
Detects when a Slack account is changed to User from an elevated role.
Snowflake Account Admin Granted
Snowflake.AccountUsage
Scheduled Rule
Detects when account admin is granted.
Snowflake Brute Force Attacks by IP
Snowflake.AccountUsage
Scheduled Rule
Detect brute force attacks by monitoring for failed logins from the same IP address
Snowflake Brute Force Attacks by User
Snowflake.LoginHistory
Rule
Detect brute force attacks by monitoring failed logins from the same IP address
Snowflake Brute Force Attacks by Username
Snowflake.AccountUsage
Scheduled Rule
Detect brute force attacks by monitoring for failed logins by the same username
Snowflake Brute Force Login Success
Snowflake.LoginHistory
Correlation Rule
Detects brute force activity by reporting when a user has failed to log in multiple times and then logged in successfully.
Snowflake Client IP
Snowflake.AccountUsage
Scheduled Rule
Monitor for malicious IPs interacting with Snowflake as part of ongoing cyber threat activity reported May 31st, 2024
Snowflake Configuration Drift
Snowflake.AccountUsage
Scheduled Rule
Monitor for configuration drift made by malicious actors as part of ongoing cyber threat activity reported May 31st, 2024
Snowflake Data Exfiltration
Snowflake.AccountUsage
Correlation Rule
In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim's Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization's Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer's Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled.
Snowflake External Data Share
Snowflake.DataTransferHistory
Rule
Detect when an external share has been initiated from one source cloud to another target cloud.
Snowflake External Share
Snowflake.AccountUsage
Scheduled Rule
Detect when an external share has been initiated from one source cloud to another target cloud.
Snowflake File Downloaded
Snowflake.AccountUsage
Scheduled Rule
A file was downloaded from a stage
Snowflake Grant to Public Role
Snowflake.GrantsToRoles
Rule
Detect additional grants to the public role.
Snowflake Login Without MFA
Snowflake.AccountUsage
Scheduled Rule
Detect Snowflake logins without multi-factor authentication
Snowflake Multiple Failed Logins Followed By Success
Snowflake.AccountUsage
Scheduled Rule
Detects brute force activity by reporting when a user has failed to log in multiple times and then logged in successfully.
Snowflake Successful Login
Snowflake.LoginHistory
Rule
Track successful login signals for correlation.
Snowflake Table Copied Into Stage
Snowflake.AccountUsage
Scheduled Rule
A table was copied into a stage
Snowflake Temporary Stage Created
Snowflake.AccountUsage
Scheduled Rule
A temporary stage was created
Snowflake User Access
Snowflake.AccountUsage
Scheduled Rule
Return sessions of suspected clients as part of ongoing cyber threat activity reported May 31st, 2024
Snowflake User Created
Snowflake.AccountUsage
Scheduled Rule
Detect new users created in Snowflake
Snowflake User Daily Query Volume Spike
Snowflake.QueryHistory
Scheduled Query
Returns instances where a user's cumulative daily query volume is much larger than normal. Could indicate exfiltration attempts.
Snowflake User Daily Query Volume Spike - Threat Hunting
Panther.Audit
Snowflake.QueryHistory
Saved Query
This query returns the most voluminous queries executed by a specific user over the past 48 hours.
Snowflake User Enabled
Snowflake.AccountUsage
Scheduled Rule
Detect users being re-enabled in your environment
Snowflake user with key-based auth logged in with password auth
Snowflake.AccountUsage
Scheduled Rule
Detect when a user that has key-based authentication configured logs in with a password
Snyk Miscellaneous Settings
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk settings that lack a clear security impact are changed
Snyk Org or Group Settings Change
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Group or Organization Settings are changed.
Snyk Org Settings
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Organization settings, like Integrations and Webhooks, are changed
Snyk Project Settings
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Project settings are changed
Snyk Role Change
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Roles are changed
Snyk Service Account Change
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Service Accounts are changed
Snyk System External Access Settings Changed
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Settings that control access for external parties have been changed.
Snyk System Policy Settings Changed
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Policy Settings have been changed. Policies define Snyk's behavior when encountering security and licensing issues.
Snyk System SSO Settings Changed
Snyk.GroupAudit
Rule
Detects when Snyk SSO Settings have been changed. The reference URL from Snyk indicates that these events are likely to originate exclusively from Snyk Support.
Snyk User Management
Snyk.GroupAudit
Snyk.OrgAudit
Rule
Detects when Snyk Users are changed
StopInstance FOLLOWED BY ModifyInstanceAttributes
AWS.CloudTrail
Correlation Rule
Identifies when StopInstance and ModifyInstanceAttributes CloudTrail events occur in a short period of time. Since EC2 startup scripts cannot be modified without first stopping the instance, StopInstances should be a signal.
Sublime Flagged an Email
Sublime.MessageEvent
Rule
Sublime flagged some messages as suspicious.
Sublime Mailbox Deactivated
Sublime.Audit
Rule
A Sublime User disabled some mailbox(es).
Sublime Message Source Deleted Or Deactivated
Sublime.Audit
Rule
A Sublime User disabled or deleted some message source(s).
Sublime Rules Deleted Or Deactivated
Sublime.Audit
Rule
A Sublime User disabled or deleted some rule(s).
Suspicious cron detected
Osquery.Differential
Rule
A suspicious cron has been added
Suspicious GSuite Login
GSuite.ActivityEvent
Rule
GSuite reported a suspicious login for this user.
Suspicious Snowflake Sessions - Unusual Application
Scheduled Query
This query can be used to detect unusual, non-common applications and client characteristics that have been used to connect to the Snowflake account, by comparison to the previous usage baseline.
Tailscale HTTPS Disabled
Tailscale.Audit
Rule
A Tailscale User disabled HTTPS settings in your organization's tenant.
Tailscale Machine Approval Requirements Disabled
Tailscale.Audit
Rule
A Tailscale User disabled machine approval requirement settings in your organization's tenant. This means devices can access your network without requiring approval.
Tailscale Magic DNS Disabled
Tailscale.Audit
Rule
A Tailscale User disabled Magic DNS settings in your organization's tenant.
Teleport Create User Accounts
Gravitational.TeleportAudit
Rule
A user has been manually created, modified, or deleted
Teleport Network Scan Initiated
Gravitational.TeleportAudit
Rule
A user has invoked a network scan that could potentially indicate enumeration of the network.
Teleport Scheduled Jobs
Gravitational.TeleportAudit
Rule
A user has manually edited the Linux crontab
Teleport SSH Auth Errors
Gravitational.TeleportAudit
Rule
A high volume of SSH errors could indicate a brute-force attack
Teleport Suspicious Commands Executed
Gravitational.TeleportAudit
Rule
A user has invoked a suspicious command that could lead to a host compromise
Thinkst Canary DCRC
ThinkstCanary.Alert
Rule
A Canary has disconnected/reconnected.
Thinkst Canary Incident
ThinkstCanary.Alert
Rule
A Canary incident has been detected.
Thinkst Canarytoken Incident
ThinkstCanary.Alert
Rule
A Canarytoken incident has been detected.
Tines Actions Disabled Change
Tines.Audit
Rule
Detects when Tines Actions are set to Disabled
Tines Custom CertificateAuthority setting changed
Tines.Audit
Rule
Detects when Tines Custom CertificateAuthority settings are changed
Tines Enqueued/Retrying Job Deletion
Tines.Audit
Rule
Currently enqueued or retrying jobs were cleared
Tines Global Resource Destruction
Tines.Audit
Rule
A Tines user has destroyed a global resource.
Tines SSO Settings
Tines.Audit
Rule
Detects when Tines SSO settings are changed
Tines Story Items Destruction
Tines.Audit
Rule
A user has destroyed a story item
Tines Story Jobs Clearance
Tines.Audit
Rule
A Tines User has cleared story jobs.
Tines Team Destruction
Tines.Audit
Rule
A user has destroyed a team
Tines Tenant API Keys Added
Tines.Audit
Rule
Detects when Tines Tenant API Keys are added
Unauthenticated Kubernetes API Request
Amazon.EKS.Audit
Scheduled Query
This detection monitors for any unauthenticated Kubernetes API request. Unauthenticated requests are performed by the anonymous user and have unfederated access to the cluster.
Unauthorized Kubernetes Pod Execution
Amazon.EKS.Audit
Scheduled Query
This detection monitors for any pod execution in a Kubernetes cluster. Pod execution should never be done in a production cluster, and can indicate a user performing unauthorized actions.
Unsupported macOS version
Osquery.Differential
Rule
Check that all laptops in the corporate environment are on a version of macOS supported by IT.
Unused AWS Region
AWS.CloudTrail
Rule
CloudTrail logged non-read activity from a verboten AWS region.
Unusual 1Password Client Detected
OnePassword.SignInAttempt
Rule
Detects when unusual or undesirable 1Password clients access your 1Password account
User Logged in as root
Gravitational.TeleportAudit
Rule
A User logged in as root
User Logged in without MFA
Gravitational.TeleportAudit
Rule
A local User logged in without MFA
VPC DNS Tunneling
AWS.VPCDns
Scheduled Rule
Detects DNS tunneling traffic using a scheduled query
VPC Flow Logs Inbound Port Allowlist
AWS.VPCFlow
OCSF.NetworkActivity
Rule
VPC Flow Logs observed inbound traffic violating the port allowlist.
VPC Flow Logs Inbound Port Blocklist
AWS.VPCFlow
OCSF.NetworkActivity
Rule
VPC Flow Logs observed inbound traffic violating the port blocklist.
VPC Flow Logs Unapproved Outbound DNS Traffic
AWS.VPCFlow
OCSF.NetworkActivity
Rule
Alerts if outbound DNS traffic is detected to a non-approved DNS server. DNS is often used as a means to exfiltrate data or perform command and control for compromised hosts. All DNS traffic should be routed through internal DNS servers or trusted 3rd parties.
VPC Flow Port Scanning
AWS.VPCFlow
Scheduled Query
Instances of a srcAddr communicating with multiple ports on a dstAddr could indicate port scanning activity.
Wiz Alert Passthrough Rule
Wiz.Issues
Rule
This rule enriches and contextualizes security alerts generated by Wiz.
Wiz CICD Scan Policy Updated Or Deleted
Wiz.Audit
Rule
This rule detects updates and deletions of CICD scan policies.
Wiz Connector Updated Or Deleted
Wiz.Audit
Rule
This rule detects updates and deletions of connectors.
Wiz Data Classifier Updated Or Deleted
Wiz.Audit
Rule
This rule detects updates and deletions of data classifiers.
Wiz Image Integrity Validator Updated Or Deleted
Wiz.Audit
Rule
This rule detects updates and deletions of image integrity validators.
Wiz Integration Updated Or Deleted
Wiz.Audit
Rule
This rule detects updates and deletions of Wiz integrations.
Wiz Revoke User Sessions
Wiz.Audit
Rule
This rule detects when user sessions are revoked.
Wiz Rotate Service Account Secret
Wiz.Audit
Rule
This rule detects service account secret rotations.
Wiz Rule Change
Wiz.Audit
Rule
This rule detects creations, updates and deletions of Wiz rules.
Wiz SAML Identity Provider Change
Wiz.Audit
Rule
This rule detects creations, updates and deletions of SAML identity providers.
Wiz Service Account Change
Wiz.Audit
Rule
This rule detects creations, updates and deletions of service accounts.
Wiz Update IP Restrictions
Wiz.Audit
Rule
This rule detects updates of IP restrictions.
Wiz Update Login Settings
Wiz.Audit
Rule
This rule detects updates of Wiz login settings.
Wiz Update Scanner Settings
Wiz.Audit
Rule
This rule detects updates of Wiz scanner settings.
Wiz Update Support Contact List
Wiz.Audit
Rule
This rule detects updates to the Wiz support contact list.
Wiz User Created Or Deleted
Wiz.Audit
Rule
This rule detects creations and deletions of Wiz users.
Wiz User Role Updated Or Deleted
Wiz.Audit
Rule
This rule detects updates and deletions of Wiz user roles.
Zendesk Account Owner Changed
Zendesk.Audit
Rule
Only one admin user can be the account owner. Ensure the change in ownership is expected.
Zendesk API Token Created
Zendesk.Audit
Rule
A user created a new API token to be used with Zendesk.
Zendesk Credit Card Redaction Off
Zendesk.Audit
Rule
A user updated an account setting that disabled credit card redaction.
Zendesk Mobile App Access Modified
Zendesk.Audit
Rule
A user updated an account setting that enabled or disabled mobile app access.
Zendesk User Role Changed
Zendesk.Audit
Rule
A user's Zendesk role was changed
Zendesk User Suspension Status Changed
Zendesk.Audit
Rule
A user's Zendesk suspension status was changed.
ZIA Account Access Removed
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when an admin user/role was deleted.
ZIA Additional Cloud Roles
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when an additional cloud role was created.
ZIA Backup Deleted
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when ZIA backup data was deleted.
ZIA Cloud Account Created
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when a new cloud account was created.
ZIA Golden Restore Point Dropped
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when the ZIA goldenRestorePoint was dropped. This means that information which previously could not be deleted is now deletable.
ZIA Insecure Password Settings
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when password settings are insecure.
ZIA Log Streaming Disabled
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when ZIA log streaming was disabled.
ZIA Logs Downloaded
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when ZIA Audit Logs were downloaded.
ZIA Password Expiration
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when password expiration was set/removed.
ZIA Trust Modification
Zscaler.ZIA.AdminAuditLog
Rule
This rule detects when SAML authentication was enabled/disabled.
Zoom All Meetings Secured With One Option Disabled
Zoom.Operation
Rule
A Zoom User turned off your organization's requirement that all meetings are secured with one security option.
Zoom Automatic Sign Out Disabled
Zoom.Operation
Rule
A Zoom User turned off your organization's setting to automatically sign users out after a specified period of time.
Zoom Meeting Passcode Disabled
Zoom.Operation
Rule
The meeting passcode requirement has been disabled for a user group
Zoom New Meeting Passcode Required Disabled
Zoom.Operation
Rule
A Zoom User turned off your organization's setting to require passcodes for new meetings.
Zoom Sign In Method Modified
Zoom.Operation
Rule
A Zoom User modified your organization's sign in method.
Zoom Sign In Requirements Changed
Zoom.Operation
Rule
A Zoom User changed your organization's sign in requirements.
Zoom Two Factor Authentication Disabled
Zoom.Operation
Rule
A Zoom User disabled your organization's setting to sign in with Two-Factor Authentication.
Zoom User Promoted to Privileged Role
Zoom.Operation
Rule
A Zoom user was promoted to a privileged role.