Panther has hundreds of detections ready to use out-of-the-box. Use the filtered search above to find detections based on keyword or log type.
| Detection | Log Type | Type | Description |
|---|---|---|---|
| 1Password Login From CrowdStrike Unmanaged Device | Scheduled Rule | Detects 1Password Logins from IP addresses not found in CrowdStrike's AIP list. May indicate unmanaged device being used, or faulty CrowdStrike Sensor. | |
| 1Password Login From CrowdStrike Unmanaged Device Query | Scheduled Query | Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List. | |
| 1Password Login From CrowdStrike Unmanaged Device Query (crowdstrike_fdrevent table) | Scheduled Query | Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List. (crowdstrike_fdrevent table) | |
| A CloudTrail Was Created or Updated | AWS. | Rule | A CloudTrail Trail was created, updated, or enabled. |
| A Login from Outside the Corporate Office | Osquery. | Rule | A system has been logged into from a non approved IP space. |
| A User Role with Sensitive Permissions has been Created | Panther. | Rule | A Panther user role has been created that contains admin level permissions. |
| A User's Panther Account was Modified | Panther. | Rule | A Panther user's role has been modified. This could mean password, email, or role has changed for the user. |
| Account Security Configuration Changed | AWS. | Rule | An account wide security configuration was changed. |
| Admin Role Assigned | Asana. Atlassian. GCP. GSuite. GitHub. OneLogin. Zendesk. | Rule | Attaching an audit role manually could be a sign of privilege escalation |
| Amazon Machine Image (AMI) Modified to Allow Public Access | AWS. | Rule | An Amazon Machine Image (AMI) was modified to allow it to be launched by anyone. Any sensitive configuration or application data stored in the AMI's block devices is at risk. |
| Anomalous AccessDenied Requests | Scheduled Query | ARNs with a high Access Denied error rate could indicate an error or compromised credentials attempting to perform reconnaissance. | |
| Asana Service Account Created | Asana. | Rule | An Asana service account was created by someone in your organization. |
| Asana Team Privacy Public | Asana. | Rule | An Asana team's setting was changed to public to the organization (not public to internet). |
| Asana Workspace Default Session Duration Never | Asana. | Rule | An Asana workspace's default session duration (how often users need to re-authenticate) has been changed to never. |
| Asana Workspace Email Domain Added | Asana. | Rule | A new email domain has been added to an Asana workspace. Reviewer should validate that the new domain is a part of the organization. |
| Asana Workspace Form Link Auth Requirement Disabled | Asana. | Rule | An Asana Workspace Form Link is a unique URL that allows you to create a task directly within a specific Workspace or Project in Asana, using a web form. Disabling authentication requirements may allow unauthorized users to create tasks. |
| Asana Workspace Guest Invite Permissions Anyone | Asana. | Rule | Typically inviting guests to Asana is permitted by few users. Enabling anyone to invite guests can potentially lead to unauthorized users gaining access to Asana. |
| Asana Workspace New Admin | Asana. | Rule | Asana Workspace New Admin |
| Asana Workspace Org Export | Asana. | Rule | An Asana user started an org export. |
| Asana Workspace Password Requirements Simple | Asana. | Rule | An asana user made your organization's password requirements less strict. |
| Asana Workspace Require App Approvals Disabled | Asana. | Rule | An Asana user turned off app approval requirements for an application type for your organization. |
| Asana Workspace SAML Optional | Asana. | Rule | An Asana user made SAML optional for your organization. |
| Atlassian user logged in as user | Atlassian. | Rule | Reports when an Atlassian user logs in (impersonates) another user. |
| AWS Access Key Rotation | AWS. AWS. | Policy | This policy validates that AWS IAM account access keys are rotated every 90 days. Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. |
| AWS Access Key Uploaded to Github | AWS. | Rule | A users static AWS API key was uploaded to a public github repo. |
| AWS Access Keys At Account Creation | AWS. AWS. | Policy | This policy validates that AWS IAM user accounts do not have access keys that were created during account creation. This results in excess keys being generated, and unnecessary management work in auditing and rotating these keys. |
| AWS ACM Certificate Expiration | AWS. | Policy | When a certificate is 60 days away from expiration, ACM automatically attempts to renew it every hour. |
| AWS ACM Certificate Status | AWS. | Policy | This policy checks if an ACM certificate renewal is pending or has failed and is in use by any other resources within the account. |
| AWS ACM Secure Algorithms | AWS. | Policy | This policy validates that all ACM certificates are using secure key and signature algorithms. |
| AWS AMI Sharing | AWS. | Policy | This policy ensures that AMIs you have created are not configured to allow public access, which could result in accidental data loss. AMI's that you use but do not own are not evaluated by this policy. |
| AWS Application Load Balancer Web ACL | AWS. | Policy | This policy validates that all application load balancers have an associated Web ACl to enforce protections against various web attacks. |
| AWS Authentication from CrowdStrike Unmanaged Device | Scheduled Query | Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List | |
| AWS Authentication From CrowdStrike Unmanaged Device | Scheduled Rule | Detects AWS Logins from IP addresses not found in CrowdStrike's AIP list. May indicate unmanaged device being used, or faulty CrowdStrike Sensor. | |
| AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table) | Scheduled Query | Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List | |
| AWS CDE EC2 Volume Encryption | AWS. | Policy | This policy ensures that all EC2 volumes that contain CDE are encrypted. Be sure to configure CDE definitions before enabling this policy. |
| AWS CloudFormation Stack Drift | AWS. | Policy | A stack has drifted from its defined configuration. |
| AWS CloudFormation Stack IAM Service Role | AWS. | Policy | Associating IAM roles with CloudFormation stacks ensures least privilege when making changes to your account. |
| AWS CloudFormation Stack Termination Protection | AWS. | Policy | Protects a CloudFormation stack from accidentally being deleted. If you attempt to delete a stack with termination protection enabled, the deletion fails and the stack, including its status, will remain unchanged. |
| AWS CloudTrail Account Discovery | AWS. | Rule | Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior. |
| AWS CloudTrail CloudWatch Logs | AWS. | Policy | CloudTrail supports sending data and management events to CloudWatch Logs. This setup can be used for real-time processing of all CloudTrail data events. |
| AWS CloudTrail Least Privilege Access | AWS. | Policy | Users with permissions to disable or reconfigure CloudTrail should be limited. |
| AWS CloudTrail Log Encryption | AWS. | Policy | This policy validates that CloudTrail Logs are encrypted at rest with customer managed KMS key. |
| AWS CloudTrail Log Validation | AWS. | Policy | This policy ensures that CloudTrail logs have file integrity validation enabled. |
| AWS CloudTrail Management Events Enabled | AWS. | Policy | This policy ensures that at least one CloudTrail has management (control plane) operations logged. |
| AWS CloudTrail S3 Bucket Access Logging | AWS. | Policy | This policy validates that the bucket receiving CloudTrail Logs is configured with S3 Access Logging. This audits all creation, modification, or deletion to CloudTrail audit logs. |
| AWS CloudTrail S3 Bucket Public | AWS. | Policy | This policy validates that CloudTrail S3 buckets are not publicly accessible. |
| AWS CloudWatch Log Encryption | AWS. | Policy | AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data. |
| AWS CloudWatch Logs Data Retention | AWS. | Policy | By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a specific retention period. |
| AWS command executed on the command line | Osquery. | Rule | An AWS command was executed on a Linux instance |
| AWS Config Global Resources | AWS. | Policy | You can have AWS Config record supported types of global resources, such as IAM users, groups, roles, and customer managed policies. |
| AWS Config Recording Status | AWS. | Policy | This policy ensures that the config recorder is operational and capturing changes to your account without error. |
| AWS Config Records All Resource Types | AWS. | Policy | This policy ensurers that you have a comprehensive configuration audit in place for all resource types in AWS. |
| AWS Config Service Created | AWS. | Rule | An AWS Config Recorder or Delivery Channel was created |
| AWS Config Service Disabled | AWS. | Rule | An AWS Config Recorder or Delivery Channel was disabled or deleted |
| AWS Config Status | AWS. | Policy | This policy ensures that the config recorder is operational and capturing changes to your account. |
| AWS DNS Crypto Domain | AWS. | Rule | Identifies clients that may be performing DNS lookups associated with common currency mining pools. |
| AWS DynamoDB Table Autoscaling | AWS. | Policy | DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic |
| AWS DynamoDB Table Autoscaling Configuration | AWS. | Policy | DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic |
| AWS DynamoDB Table Encryption | AWS. | Policy | Table encryption provides an additional layer of data protection by securing from unauthorized access to the underlying storage |
| AWS DynamoDB Table TTL | AWS. | Policy | This policy validates that all DynamoDB tables have a TTL field configured. |
| AWS EC2 AMI Approved Host | AWS. | Policy | Checks that AWS EC2 AMI's are only launched on approved dedicated hosts. |
| AWS EC2 AMI Approved Instance Type | AWS. | Policy | This policy ensures that the EC2 instance is running with an instance type approved for its AMI. |
| AWS EC2 AMI Approved Tenancy | AWS. | Policy | This policy ensures that the EC2 instance was launched with a tenancy approved for its AMI. |
| AWS EC2 EBS Encryption Disabled | AWS. | Rule | Identifies disabling of default EBS encryption. Disabling default encryption does not change the encryption status of existing volumes. |
| AWS EC2 Image Monitoring | AWS. | Rule | Checks CloudTrail for occurrences of EC2 Image Actions. |
| AWS EC2 Instance Approved AMI | AWS. | Policy | This policy ensures the given EC2 instance is running an AMI from the approved list of AMI's. |
| AWS EC2 Instance Approved Host | AWS. | Policy | This policy ensures the given EC2 Instance is running on an approved dedicated host. |
| AWS EC2 Instance Approved Instance Type | AWS. | Policy | This policy ensures that the EC2 instance is running on one of the approved instance types. |
| AWS EC2 Instance Approved Tenancy | AWS. | Policy | This policy ensures the given EC2 Instance is running with an approved tenancy option. The possible tenancy options are dedicated, host, and default. |
| AWS EC2 Instance Approved VPC | AWS. | Policy | This policy ensures that the given EC2 Instance is running in an approved VPC. |
| AWS EC2 Instance Detailed Monitoring | AWS. | Policy | This policy ensures that the AWS Instance has Detailed Monitoring Enabled |
| AWS EC2 Instance EBS Optimization | AWS. | Policy | This policy ensures EBS optimization is enabled for the given EC2 instance, if applicable. |
| AWS EC2 Manual Security Group Change | AWS. | Rule | An EC2 security group was manually updated without abiding by the organization's accepted processes. This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS. |
| AWS EC2 Startup Script Change | AWS. | Rule | Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. |
| AWS EC2 Traffic Mirroring | AWS. | Rule | This rule captures multiple traffic mirroring events in AWS Cloudtrail. |
| AWS EC2 Volume Encryption | AWS. | Policy | You can encrypt both the boot and data volumes of an EC2 instance. |
| AWS EC2 Volume Snapshot Encryption | AWS. | Policy | You can encrypt the snapshot of an EC2 volume to protect against accidental data loss |
| AWS ECR Events | AWS. | Rule | An ECR event occurred outside of an expected account or region |
| AWS ELB SSL Policies | AWS. | Policy | Ensures that deprecated TLS versions are not supported in internet-facing load balancers |
| AWS Enforces SSL Policies | AWS. | Policy | This policy validates that ELBV2 load balancer listeners are using an SSL policy. |
| AWS GuardDuty Enabled | AWS. | Policy | GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. |
| AWS GuardDuty High Severity Finding | AWS. | Rule | A high-severity GuardDuty finding has been identified. |
| AWS GuardDuty Low Severity Finding | AWS. | Rule | A low-severity GuardDuty finding has been identified. |
| AWS GuardDuty Master Account | AWS. | Policy | Ensure that all GuardDuty logs are sending into a single Master account. This is a best practice for centralizing detection logic and useful data during an investigation. |
| AWS GuardDuty Medium Severity Finding | AWS. | Rule | A medium-severity GuardDuty finding has been identified. |
| AWS IAM Group Read Only Events | AWS. | Rule | This rule captures multiple read/list events related to IAM group management in AWS Cloudtrail. |
| AWS IAM Group Users | AWS. | Policy | This Policy ensures that all IAM groups have at least one IAM user. If they are vacant, they should be deleted. |
| AWS IAM Password Unused | AWS. | Policy | This policy validates IAM users with console passwords have logged in within the past 90 days. |
| AWS IAM Policy Administrative Privileges | AWS. | Policy | This policy validates that there are no IAM policies that grant full administrative privileges to IAM users or groups. |
| AWS IAM Policy Assigned to User | AWS. | Policy | This policy validates that there are no IAM policies assigned directly to users. Best practice suggests assigning to an IAM group and placing users within that group. |
| AWS IAM Policy Blocklist | AWS. AWS. AWS. | Policy | This detects the usage of highly permissive IAM Policies that should only be assigned to a small number of users, roles, or groups. |
| AWS IAM Policy Does Not Grant Any Administrative Access | AWS. | Policy | This policy validates that no IAM policies grant admin access. This should be combined with suppressions on the legitimate IAM admin policies in your account so that it only fires when new and unexpected policies granting admin access are created. |
| AWS IAM Policy Does Not Grant Network Admin Access | AWS. | Policy | This policy validates that no IAM policies grant admin privileges on network resources. This should be used in conjunction with suppressions for the legitimate network admin policies in your account. |
| AWS IAM Policy Role Mapping | AWS. | Policy | This policy validates that policies that have been explicitly configured to be set to certain roles are still attached to those roles. |
| AWS IAM Resource Does Not Have Inline Policy | AWS. AWS. | Policy | This policy validates that no IAM entities have inline policies assigned. Inline policies are more difficult to administer and audit, and may lead to access that lasts longer than intended. |
| AWS IAM Role Grants (permission) to Non-organizational Account | AWS. | Policy | This policy validates that IAM roles that grant the (specified) permission do not allow accounts outside the organization to assume them. |
| AWS IAM Role Restricts Usage | AWS. | Policy | This policy validates that IAM roles in the account are restrictive in what entities may assume them. This can help prevent malicious actors from assuming roles they should not be assuming. |
| AWS IAM User MFA | AWS. | Policy | This policy validates that all AWS IAM users with access to the AWS Console have Multi-Factor Authentication (MFA) enabled. |
| AWS IAM User Not In Conflicting Groups | AWS. | Policy | This policy validates that IAM users are not in IAM groups that are considered mutually exclusive. For example, in some workflows developers are responsible for dev environments and sysadmins are responsible for prod environments. In this situation no (or very few) users should be in both sysadmin and developer groups. This is in following with the principle of least privilege. |
| AWS KMS CMK Key Rotation | AWS. | Policy | This policy validates that customer master keys (CMKs) have automatic key rotation enabled. |
| AWS KMS Key Restricts Usage | AWS. | Policy | This policy validates that KMS Keys restrict what entities can use them and how. This is to ensure that encryption keys are limited in who can use them in order to prevent unapproved decryption. |
| AWS Macie Disabled/Updated | AWS. | Rule | Amazon Macie is a data security and data privacy service to discover and protect sensitive data. Security teams use Macie to detect open S3 Buckets that could have potentially sensitive data in it along with policy violations, such as missing Encryption. If an attacker disables Macie, it could potentially hide data exfiltration. |
| AWS Modify Cloud Compute Infrastructure | AWS. | Rule | Detection when EC2 compute infrastructure is modified outside of expected automation methods. |
| AWS Network ACL Overly Permissive Entry Created | AWS. | Rule | A Network ACL entry that allows access from anywhere was added. |
| AWS Network ACL Restricts Inbound Traffic | AWS. | Policy | This policy validates that Network ACLs restrict inbound traffic in some way. |
| AWS Network ACL Restricts Insecure Protocols | AWS. | Policy | This policy validates that Network ACLs block the usage of ports typically associated with insecure or unencrypted protocols. |
| AWS Network ACL Restricts Outbound Traffic | AWS. | Policy | This policy validates that Network ACLs have some restrictions on outbound traffic. |
| AWS Network ACL Restricts SSH | AWS. | Policy | SSH access should only be granted from protected network CIDR ranges. |
| AWS Password Policy Complexity Guidelines | AWS. | Policy | This policy validates that the account password policy enforces the recommended password complexity requirements. |
| AWS Password Policy Password Age Limit | AWS. | Policy | This policy validates that the account password policy enforces a maximum password age of 90 days or less. |
| AWS Password Policy Password Reuse | AWS. | Policy | This policy validates that the account password policy prevents users from re-using previous passwords, and prevents password reuse for 24 or more prior passwords. |
| AWS Public RDS Restore | AWS. | Rule | Detects the recovery of a new public database instance from a snapshot. It may be part of data exfiltration. |
| AWS RDS Instance Backup | AWS. | Policy | This Policy ensures that RDS Instances have Backups enabled. Backups are an important aspect of disaster recovery that can protect sensitive data from destruction. |
| AWS RDS Instance Encryption | AWS. | Policy | This policy validates that RDS instances have encryption enabled. |
| AWS RDS Instance Has Acceptable Backup Retention Period | AWS. | Policy | This policy validates that RDS instances are configured with a backup retention period that is acceptable to company policy. This ensures for both compliance and security reasons that records are kept for a minimum period of time, and for compliance and performance reasons that records are not kept indefinitely. |
| AWS RDS Instance High Availability | AWS. | Policy | This Policy ensures that RDS Instances have are running in High Availability mode to provide redundancy in the event of an operational failure. For Aurora, storage is replicated across all the Availability Zones and doesn't require this setting. |
| AWS RDS Instance Minor Version Upgrades | AWS. | Policy | If you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database. |
| AWS RDS Instance Public Access | AWS. | Policy | This Policy checks that an RDS Instance is not accessible from the public internet. |
| AWS RDS Instance Snapshot Public Access | AWS. | Policy | This policy validates that RDS Instance snapshots are not publicly restorable. This would allow anyone to restore an old version of your database and have full access to its contents. |
| AWS RDS Master Password Updated | AWS. | Rule | A sensitive database operation that should be performed carefully or rarely |
| AWS Redshift Cluster Encryption | AWS. | Policy | This policy validates that Redshift Clusters have encryption enabled. |
| AWS Redshift Cluster Has Acceptable Snapshot Retention Period | AWS. | Policy | This policy validates that Redshift Cluster snapshot retention periods are set to an appropriate time. This ensures that records are kept long enough for compliance and security reasons, but no too long for compliance and performance reasons. |
| AWS Redshift Cluster Logging | AWS. | Policy | This policy validates that Redshift Cluster have logging enabled. This includes audit logs. |
| AWS Redshift Cluster Maintenance Window | AWS. | Policy | This policy validates that Redshift Clusters have the correct preferred maintenance window configured. |
| AWS Redshift Cluster Snapshot Retention | AWS. | Policy | This policy validates that Redshift Clusters have sufficient snapshot retention periods, so that snapshots are not lost before they are needed. |
| AWS Redshift Cluster Version Upgrade | AWS. | Policy | This policy validates that Redshift Clusters automatically perform upgrades during scheduled maintenance windows. |
| AWS Resource Made Public | AWS. | Rule | Some AWS resource was made publicly accessible over the internet. Checks ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS, and Secrets Manager. |
| AWS Resource Minimum Tags | AWS. AWS. AWS. AWS. | Policy | This policy ensures that applicable resources have a minimum number of tags set. |
| AWS Resource Required Tags | AWS. AWS. AWS. AWS. | Policy | This policy ensures that AWS resources have specific tags, dependent on their resource type. |
| AWS Root Account Access Keys | AWS. | Policy | This policy validates that no programmatic access keys exist for the root account. |
| AWS Root Account Hardware MFA | AWS. | Policy | This policy validates that a hardware MFA device is in use for access to the root account. |
| AWS Root Account MFA | AWS. | Policy | This policy validates that Multi Factor Authentication (MFA) is required for access to the root account. |
| AWS S3 Access Error | AWS. | Rule | Checks for errors during S3 Object access. This could be due to insufficient access permissions, non-existent buckets, or other reasons. |
| AWS S3 Access IP Allowlist | AWS. | Rule | Checks that the remote IP accessing the S3 bucket is in the IP allowlist. |
| AWS S3 Bucket Action Restrictions | AWS. | Policy | Ensures that the S3 bucket policy does not allow any action on the bucket, in accordance with the principal of least privilege. |
| AWS S3 Bucket Encryption | AWS. | Policy | Ensures that the S3 bucket has encryption enabled. |
| AWS S3 Bucket Lifecycle Configuration | AWS. | Policy | Verifies that the S3 Bucket Object Lifecycle configuration expires data within 90 and 365 days. |
| AWS S3 Bucket Logging | AWS. | Policy | Ensures that a logging policy is set for the S3 bucket. |
| AWS S3 Bucket MFA Delete | AWS. | Policy | Ensures that MFA delete is enabled for a bucket so that all objects can only be deleted by users authenticated with MFA. |
| AWS S3 Bucket Name DNS Compliance | AWS. | Policy | This policy validates that the AWS S3 bucket name is DNS compliant. |
| AWS S3 Bucket Object Lock Configured | AWS. | Policy | This policy validates that S3 buckets have an Object Lock configuration enabled. This should be used with specific suppression lists to ensure it is applied only to appropriate S3 buckets, such as those containing CloudTrail or other auditable records. |
| AWS S3 Bucket Policy Allow With Not Principal | AWS. | Policy | Prevents the use of a 'Not' principal in conjunction with an allow effect in an S3 bucket policy, which would allow global access for the resource besides the principals specified. |
| AWS S3 Bucket Policy Modified | AWS. | Rule | An S3 Bucket was modified. |
| AWS S3 Bucket Principal Restrictions | AWS. | Policy | This policy validates that S3 Bucket access policies do not allow all users (Principal:"*") for a given action on the bucket, in accordance with the principle of least privilege. |
| AWS S3 Bucket Public Access Block | AWS. | Policy | Ensures that a Public Access Block Configuration is set for the given S3 bucket. |
| AWS S3 Bucket Public Read | AWS. | Policy | Ensures that the S3 bucket is not publicly readable. |
| AWS S3 Bucket Public Write | AWS. | Policy | Ensures that the S3 bucket is not publicly writeable. |
| AWS S3 Bucket Secure Access | AWS. | Policy | Ensures access to S3 buckets is forced to use a secure (HTTPS) connection. |
| AWS S3 Bucket Versioning | AWS. | Policy | Checks that object versioning is enabled in the S3 bucket. |
| AWS S3 Insecure Access | AWS. | Rule | Checks if HTTP (unencrypted) was used to access objects in an S3 bucket, as opposed to HTTPS (encrypted). |
| AWS S3 Unauthenticated Access | AWS. | Rule | Checks for S3 access attempts where the requester is not an authenticated AWS user. |
| AWS S3 Unknown Requester | AWS. | Rule | Validates that proper IAM entities are accessing sensitive data buckets. |
| AWS SAML Activity | AWS. | Rule | Identifies when SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. |
| AWS Security Group - Only DMZ Publicly Accessible | AWS. | Policy | This policy validates that only Security Groups designated as DMZs allow inbound traffic from public IP space. This helps ensure no traffic is bypassing the DMZ. |
| AWS Security Group Administrative Ingress | AWS. | Policy | This policy validates that AWS Security Groups don't allow unrestricted inbound traffic on port 3389 or 22, ports commonly used for the remote access protocols RDP and SSH respectively. |
| AWS Security Group Restricts Access To CDE | AWS. | Policy | This policy validates that are considered part of the PCI CDE do not allow any access from public IP space. |
| AWS Security Group Restricts Inbound Traffic | AWS. | Policy | This policy validates that Security Groups have some restrictions on inbound traffic. |
| AWS Security Group Restricts Inter-SG Traffic | AWS. | Policy | This policy validates that Security Groups have restrictions on inter Security Group traffic. Administrators may assume there is an implicit level of trust between Security Groups in the same account, but this is not always a good assumption in cases one Security Group contains far more sensitive data that another. |
| AWS Security Group Restricts Outbound Traffic | AWS. | Policy | This policy validates that Security Groups have some restrictions on outbound traffic. |
| AWS Security Group Restricts Traffic Leaving CDE | AWS. | Policy | This policy validates that there are restrictions on what type of traffic may leave Security Groups that are considered with the scope of the PCI CDE. These restrictions help ensure that cardholder data does not leave the CDE. |
| AWS Security Group Tightly Restricts Inbound Traffic | AWS. | Policy | This policy validates that Security Groups have restrictive permission sets that both limit the total number of open ports, as well as limiting ports typically associated with insecure protocols. |
| AWS Security Group Tightly Restricts Outbound Traffic | AWS. | Policy | This policy validates that Security Groups have restrictive controls on outbound traffic. |
| AWS SecurityHub Finding Evasion | AWS. | Rule | Detections modification of findings in SecurityHub |
| AWS Snapshot Made Public | AWS. | Rule | An AWS storage snapshot was made public. |
| AWS Software Discovery | AWS. | Rule | A user is obtaining a list of security software, configurations, defensive tools, and sensors that are in AWS. |
| AWS Trusted IPSet Modified | AWS. | Rule | Detects creation and updates of the list of trusted IPs used by GuardDuty and WAF. Potentially to disable security alerts against malicious IPs. |
| AWS Unsuccessful MFA attempt | AWS. | Rule | Monitor application logs for suspicious events including repeated MFA failures that may indicate user's primary credentials have been compromised. |
| AWS Unused Access Key | AWS. | Policy | This policy validates that IAM user access keys are used at least once every 90 days. |
| AWS User API Key Created | AWS. | Rule | Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. |
| AWS User Login Profile Modified | AWS. | Rule | An attacker with iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console. May be legitimate account administration. |
| AWS VPC Default Network ACL Restricts All Traffic | AWS. | Policy | This policy validates that the default Network ACL for a given AWS VPC is restricting all inbound and outbound traffic. |
| AWS VPC Default Security Group Restrictions | AWS. | Policy | This policy validates that the default Security Group for a given AWS VPC is restricting all inbound and outbound traffic. |
| AWS VPC Flow Logs | AWS. | Policy | This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled. |
| AWS VPC Healthy Log Status | AWS. | Rule | Checks for the log status `SKIP-DATA`, which indicates that data was lost either to an internal server error or due to capacity constraints. |
| AWS WAF Disassociation | AWS. | Rule | Detection to alert when a WAF disassociates from a source. |
| AWS WAF Has XSS Predicate | AWS. AWS. | Policy | This policy validates that all WAF's have at least one rule with a predicate matching on and blocking XSS attacks. |
| AWS WAF Rule Ordering | AWS. AWS. | Policy | This policy validates that all WAF's have the correct rule ordering. Incorrect rule ordering could lead to less restrictive rules being matched and allowing traffic through before more restrictive rules that should have blocked the traffic. |
| BETA - Sensitive 1Password Item Accessed | OnePassword. | Rule | Alerts when a user defined list of sensitive items in 1Password is accessed |
| Box Access Granted | Box. | Rule | A user granted access to their box account to Box technical support from account settings. |
| Box Content Workflow Policy Violation | Box. | Rule | A user violated the content workflow policy. |
| Box event triggered by unknown or external user | Box. | Rule | An external user has triggered a box enterprise event. |
| Box item shared externally | Box. | Rule | A user has shared an item and it is accessible to anyone with the share link (internal or external to the company). This rule requires that the boxsdk[jwt] be installed in the environment. |
| Box Large Number of Downloads | Box. | Rule | A user has exceeded the threshold for number of downloads within a single time frame. |
| Box Large Number of Permission Changes | Box. | Rule | A user has exceeded the threshold for number of folder permission changes within a single time frame. |
| Box New Login | Box. | Rule | A user logged in from a new device. |
| Box Shield Detected Anomalous Download Activity | Box. | Rule | A user's download activity has altered significantly. |
| Box Shield Suspicious Alert Triggered | Box. | Rule | A user login event or session event was tagged as medium to high severity by Box Shield. |
| Box Untrusted Device Login | Box. | Rule | A user attempted to login from an untrusted device. |
| Brute Force By IP | AWS. Asana. Atlassian. Box. GSuite. Okta. OneLogin. OnePassword. | Rule | An actor user was denied login access more times than the configured threshold. |
| Cisco Umbrella Domain Blocked | CiscoUmbrella. | Rule | Monitor blocked domains |
| Cisco Umbrella Domain Name Fuzzy Matching | CiscoUmbrella. | Rule | Identify lookups to suspicious domains that could indicate a phishing attack. |
| Cisco Umbrella Suspicious Domains | CiscoUmbrella. | Rule | Monitor suspicious or known malicious domains |
| Cloudflare - High Volume Events Blocked | Cloudflare. | Rule | Monitors high volume events blocked from the same IP |
| Cloudflare Bot High Volume | Cloudflare. | Rule | Monitors for high volume of likely automated HTTP Requests |
| Cloudflare Bot High Volume GreyNoise | Cloudflare. | Rule | Monitors for high volume of likely automated HTTP Requests with GreyNoise enrichment |
| Cloudflare High Volume Events Blocked - GreyNoise | Cloudflare. | Rule | Monitors high volume events blocked from the same IP enriched with GreyNoise |
| Cloudflare L7 DDoS | Cloudflare. | Rule | Layer 7 Distributed Denial of Service (DDoS) detected |
| Cloudflare Suspicious Event - GreyNoise | Cloudflare. | Rule | Monitors for non-blocked requests from Greynoise identified malicious IP Addresses |
| CloudTrail Password Spraying | Scheduled Rule | Detect password spraying account using a scheduled query | |
| CloudTrail Stopped | AWS. | Rule | A CloudTrail Trail was modified. |
| CodeBuild Project made Public | AWS. | Rule | An AWS CodeBuild Project was made publicly accessible |
| Configuration Required - Sensitive 1Password Item Accessed | OnePassword. | Rule | Alerts when a user defined list of sensitive items in 1Password is accessed |
| Confluence 0-Day Indicators of Compromise (IOCs) | AWS. AWS. AWS. AWS. AWS. Apache. Apache. Cloudflare. Cloudflare. GCP. Juniper. Nginx. | Rule | Detects IP addresses observed exploiting the 0-Day CVE-2022-26134 |
| Crowdstrike Detection Passthrough | Crowdstrike. Crowdstrike. | Rule | Crowdstrike Falcon has detected malicious activity on a host. |
| CrowdStrike Large Zip Creation | Scheduled Query | Detects creation of large zip files, which can indicate attempts of exfiltration | |
| CrowdStrike Large Zip Creation (crowdstrike_fdrevent table) | Scheduled Query | Detects creation of large zip files, which can indicate attempts of exfiltration (crowdstrike_fdrevent table) | |
| Crowdstrike Real Time Response (RTS) Session | Crowdstrike. Crowdstrike. | Rule | Alert when someone uses Crowdstrike’s RTR (real-time response) capability to access a machine remotely to run commands. |
| Detect Reconnaissance from IAM Users | AWS. | Rule | An IAM user has a high volume of access denied API calls. |
| Detection content has been deleted from Panther | Panther. | Rule | Detection content has been removed from Panther. |
| DNS request to denylisted domain | Crowdstrike. Crowdstrike. | Rule | A DNS request was made to a domain on an explicit denylist |
| Dropbox Linked Team Application Added | Dropbox. | Rule | An application was linked to your Dropbox Account |
| Duo Admin App Integration Secret Key Viewed | Duo. | Rule | An administrator viewed a Secret Key for an Application Integration |
| Duo Admin Bypass Code Created | Duo. | Rule | A Duo administrator created an MFA bypass code for an application. |
| Duo Admin Bypass Code Viewed | Duo. | Rule | An administrator viewed the MFA bypass code for a user. |
| Duo Admin Create Admin | Duo. | Rule | A new Duo Administrator was created. |
| Duo Admin Lockout | Duo. | Rule | Alert when a duo administrator is locked out of their account. |
| Duo Admin Marked Push Fraudulent | Duo. | Rule | A Duo push was marked fraudulent by an admin. |
| Duo Admin MFA Restrictions Updated | Duo. | Rule | Detects changes to allowed MFA factors administrators can use to log into the admin panel. |
| Duo Admin New Admin API App Integration | Duo. | Rule | Identifies creation of new Admin API integrations for Duo. |
| Duo Admin Policy Updated | Duo. | Rule | A Duo Administrator updated a Policy, which governs how users authenticate. |
| Duo Admin SSO SAML Requirement Disabled | Duo. | Rule | Detects when SAML Authentication for Administrators is marked as Disabled or Optional. |
| Duo Admin User MFA Bypass Enabled | Duo. | Rule | An Administrator enabled a user to authenticate without MFA. |
| Duo User Action Reported as Fraudulent | Duo. | Rule | Alert when a user reports a Duo action as fraudulent. |
| Duo User Auth Denied For Anomalous Push | Duo. | Rule | A Duo authentication was denied due to an anomalous 2FA push. |
| Duo User Bypass Code Used | Duo. | Rule | A Duo user's bypass code was used to authenticate |
| Duo User Denied For Endpoint Error | Duo. | Rule | A Duo user's authentication was denied due to a suspicious error on the endpoint |
| EC2 Network ACL Modified | AWS. | Rule | An EC2 Network ACL was modified. |
| EC2 Network Gateway Modified | AWS. | Rule | An EC2 Network Gateway was modified. |
| EC2 Route Table Modified | AWS. | Rule | An EC2 Route Table was modified. |
| EC2 Security Group Modified | AWS. | Rule | An EC2 Security Group was modified. |
| EC2 VPC Modified | AWS. | Rule | An EC2 VPC was modified. |
| ECR CRUD Actions | AWS. | Rule | Unauthorized ECR Create, Read, Update, or Delete event occurred. |
| EKS Audit Log based single sourceIP is generating multiple 403s | Amazon. | Rule | This detection identifies if a public sourceIP is generating multiple 403s with the Kubernetes API server. |
| EKS Audit Log Reporting system Namespace is Used From A Public IP | Amazon. | Rule | This detection identifies if an activity is recorded in the Kubernetes audit log where the user:username attribute begins with "system:" or "eks:" and the requests originating IP Address is a Public IP Address |
| Enabled Zendesk Support to Assume Users | Zendesk. | Rule | User enabled or disabled zendesk support user assumption. |
| Exec into Pod | GCP. | Rule | Alerts when users exec into pod. Possible to specify specific projects and allowed users. |
| External GSuite File Share | GSuite. | Rule | An employee shared a sensitive file externally with another organization |
| Failed Root Console Login | AWS. | Rule | A Root console login failed. |
| GCP Access Attempts Violating IAP Access Controls | GCP. | Rule | GCP Access Attempts Violating IAP Access Controls |
| GCP Access Attempts Violating VPC Service Controls | GCP. | Rule | An access attempt violating VPC service controls (such as Perimeter controls) has been made. |
| GCP Corporate Email Not Used | GCP. | Rule | A Gmail account is being used instead of a corporate email |
| GCP GCS IAM Permission Changes | GCP. | Rule | Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. |
| GCP IAM Role Has Changed | GCP. | Rule | A custom role has been created, deleted, or updated. |
| GCP Org or Folder Policy Was Changed Manually | GCP. | Rule | Alert if a GCP Org or Folder Policy Was Changed Manually. |
| GCP Resource in Unused Region | GCP. | Rule | Adversaries may create cloud instances in unused geographic service regions in order to evade detection. |
| GCP SQL Config Changes | GCP. | Rule | Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. |
| GCP VPC Flow Logs Disabled | GCP. | Rule | VPC flow logs were disabled for a subnet. |
| GCS Bucket Made Public | GCP. | Rule | Adversaries may access data objects from improperly secured cloud storage. |
| Geographically Improbable Okta Login | Okta. | Rule | A user has subsequent logins from two geographic locations that are very far apart |
| GitHub Action Failed | GitHub. | Rule | A monitored github action has failed. |
| GitHub Branch Protection Disabled | GitHub. | Rule | Disabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity. |
| GitHub Branch Protection Policy Override | GitHub. | Rule | Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity. |
| GitHub Org Authentication Method Changed | GitHub. | Rule | Detects changes to GitHub org authentication changes. |
| GitHub Org IP Allow List modified | GitHub. | Rule | Detects changes to a GitHub Org IP Allow List |
| Github Organization App Integration Installed | GitHub. | Rule | An application integration was installed to your organization's Github account by someone in your organization. |
| Github Public Repository Created | GitHub. | Rule | A public Github repository was created. |
| GitHub Repository Created | GitHub. | Rule | Detects when a repository is created. |
| Github Repository Transfer | GitHub. | Rule | A user accepted a request to receive a transferred Github repository, a Github repository was transferred to another repository network, or a user sent a request to transfer a repository to another user or organization. |
| GitHub Repository Visibility Change | GitHub. | Rule | Detects when an organization repository visibility changes. |
| GitHub Repository Visibility Change | GitHub. | Rule | Detects when a repository collaborator is added or removed. |
| GitHub Secret Scanning Alert Created | GitHub. | Rule | GitHub detected a secret and created a secret scanning alert. |
| GitHub Security Change, includes GitHub Advanced Security | GitHub. | Rule | The rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc) are disabled. |
| GitHub Team Modified | GitHub. | Rule | Detects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control. |
| GitHub User Access Key Created | GitHub. | Rule | Detects when a GitHub user access key is created. |
| GitHub User Added or Removed from Org | GitHub. | Rule | Detects when a user is added or removed from a GitHub Org. |
| GitHub User Initial Access to Private Repo | GitHub. | Rule | Detects when a user initially accesses a private organization repository. |
| GitHub User Role Updated | GitHub. | Rule | Detects when a GitHub user role is upgraded to an admin or downgraded to a member |
| GitHub Web Hook Modified | GitHub. | Rule | Detects when a web hook is added, modified, or deleted in an org repository. |
| Google Accessed a GSuite Resource | GSuite. | Rule | Google accessed one of your GSuite resources directly, most likely in response to a support incident. |
| Google Drive High Download Count | Scheduled Rule | Scheduled rule for the High Google Drive Download Count query which looks for incidents of more than 10 (tunable) downloads by a user in the past day. | |
| Google Workspace Admin Custom Role | GSuite. | Rule | A Google Workspace administrator created a new custom administrator role. |
| Google Workspace Advanced Protection Program | GSuite. | Rule | Your organization's Google Workspace Advanced Protection Program settings were modified. |
| Google Workspace Apps Marketplace Allowlist | GSuite. | Rule | Google Workspace Marketplace application allowlist settings were modified. |
| Google Workspace Apps Marketplace New Domain Application | GSuite. | Rule | A Google Workspace User configured a new domain application from the Google Workspace Apps Marketplace. |
| Google Workspace Apps New Mobile App Installed | GSuite. | Rule | A new mobile application was added to your organization's mobile apps whitelist in Google Workspace Apps. |
| GreyNoise Malicious AWS S3 Get/List Object | AWS. | Rule | S3 operations from known malicious GreyNoise classifications. Note that this rule will only work with S3 object-level logging enabled for a given bucket. |
| GSuite Calendar Has Been Made Public | GSuite. | Rule | A User or Admin Has Modified A Calendar To Be Public |
| GSuite Device Suspicious Activity | GSuite. | Rule | GSuite reported a suspicious activity on a user's device. |
| GSuite Document External Ownership Transfer | GSuite. | Rule | A GSuite document's ownership was transferred to an external party. |
| GSuite Drive Many Documents Deleted | Scheduled Rule | Scheduled rule for the GSuite Drive Many Documents Deleted query. Looks for users who have deleted more than 10 (tunable) documents the past day. | |
| GSuite External Drive Document | GSuite. | Rule | A Google drive resource became externally accessible. |
| GSuite Government Backed Attack | GSuite. | Rule | GSuite reported that it detected a government backed attack against your account. |
| GSuite Login Type | GSuite. | Rule | A login of a non-approved type was detected for this user. |
| Gsuite Mail forwarded to external domain | GSuite. | Rule | A user has configured mail forwarding to an external domain |
| GSuite Many Docs Deleted Query | Scheduled Query | Query to search for a user deleting many documents. | |
| GSuite Many Docs Downloaded Query | Scheduled Query | Query to search high document download counts by users. | |
| GSuite Overly Visible Drive Document | GSuite. | Rule | A Google drive resource that is overly visible has been modified. |
| GSuite Passthrough Rule Triggered | GSuite. | Rule | A GSuite rule was triggered. |
| GSuite User Advanced Protection Change | GSuite. | Rule | A user disabled advanced protection for themselves. |
| GSuite User Banned from Group | GSuite. | Rule | A GSuite user was banned from an enterprise group by moderator action. |
| GSuite User Device Compromised | GSuite. | Rule | GSuite reported a user's device has been compromised. |
| GSuite User Device Unlock Failures | GSuite. | Rule | Someone failed to unlock a user's device multiple times in quick succession. |
| GSuite User Password Leaked | GSuite. | Rule | GSuite reported a user's password has been compromised, so they disabled the account. |
| GSuite User Suspended | GSuite. | Rule | A GSuite user was suspended, the account may have been compromised by a spam network. |
| GSuite User Two Step Verification Change | GSuite. | Rule | A user disabled two step verification for themselves. |
| GSuite Workspace Calendar External Sharing Setting Change | GSuite. | Rule | A Workspace Admin Changed The Sharing Settings for Primary Calendars |
| GSuite Workspace Data Export Has Been Created | GSuite. | Rule | A Workspace Admin Has Created a Data Export |
| GSuite Workspace Gmail Default Routing Rule Modified | GSuite. | Rule | A Workspace Admin Has Modified A Default Routing Rule In Gmail |
| GSuite Workspace Gmail Pre-Delivery Message Scanning Disabled | GSuite. | Rule | A Workspace Admin Has Disabled Pre-Delivery Scanning For Gmail. |
| GSuite Workspace Gmail Security Sandbox Disabled | GSuite. | Rule | A Workspace Admin Has Disabled The Security Sandbox |
| GSuite Workspace Password Reuse Has Been Enabled | GSuite. | Rule | A Workspace Admin Has Enabled Password Reuse |
| GSuite Workspace Strong Password Enforcement Has Been Disabled | GSuite. | Rule | A Workspace Admin Has Disabled The Enforcement Of Strong Passwords |
| GSuite Workspace Trusted Domain Allowlist Modified | GSuite. | Rule | A Workspace Admin Has Modified The Trusted Domains List |
| IAM Assume Role Blocklist Ignored | AWS. | Rule | A user assumed a role that was explicitly blocklisted for manual user assumption. |
| IAM Change | AWS. | Rule | A change occurred in the IAM configuration. This could be a resource being created, deleted, or modified. This is a high level view of changes, helfpul to indicate how dynamic a certain IAM environment is. |
| IAM Entity Created Without CloudFormation | AWS. | Rule | An IAM Entity (Group, Policy, Role, or User) was created manually. IAM entities should be created in code to ensure that permissions are tracked and managed correctly. |
| IAM Inline Policy Network Admin | AWS. AWS. AWS. | Policy | This policy validates that IAM entities (Groups, Roles, and Users) do not have inline policies attached that grant network admin privileges. Inline policies are more difficult to track and audit than managed policies, and can lead to persistent unexpected access. |
| IAM Policy Modified | AWS. | Rule | An IAM Policy was changed. |
| KMS CMK Disabled or Deleted | AWS. | Rule | A KMS Customer Managed Key was disabled or scheduled for deletion. This could potentially lead to permanent loss of encrypted data. |
| Lambda CRUD Actions | AWS. | Rule | Unauthorized lambda Create, Read, Update, or Delete event occurred. |
| Log4J Exploit IOC Search | AWS. AWS. AWS. Apache. Apache. Cloudflare. Cloudflare. Fastly. GCP. Juniper. Juniper. Nginx. Syslog. Syslog. | Rule | Monitors for potential exploit attempts agains CVE-2021-44228, Log4J remote code execution |
| Logins Without MFA | AWS. | Rule | A console login was made without multi-factor authentication. |
| Logins Without SAML | AWS. | Rule | An AWS console login was made without SAML/SSO. |
| MacOS ALF is misconfigured | Osquery. | Rule | The application level firewall blocks unwanted network connections made to your computer from other computers on your network. |
| MacOS Browser Credential Access | Scheduled Query | Detects processes that contain known browser credential files in arguments. | |
| MacOS Browser Credential Access (crowdstrike_fdrevent table) | Scheduled Query | Detects processes that contain known browser credential files in arguments. (crowdstrike_fdrevent table) | |
| MacOS Keyboard Events | Osquery. | Rule | A Key Logger has potentially been detected on a macOS system |
| macOS Malware Detected with osquery | Osquery. | Rule | Malware has potentially been detected on a macOS system |
| Malicious Content Detected | Box. | Rule | Box has detect malicious content, such as a virus. |
| Malicious SSO DNS Lookup | CiscoUmbrella. Crowdstrike. Crowdstrike. Suricata. Zeek. | Rule | The rule looks for DNS requests to sites potentially posing as SSO domains. |
| MFA Disabled | Atlassian. GitHub. Okta. Zendesk. | Rule | Detects when Multi-Factor Authentication (MFA) is disabled |
| Microsoft Exchange External Forwarding | Microsoft365. | Rule | Detects creation of forwarding rule to external domains |
| Microsoft Graph Passthrough | MicrosoftGraph. | Rule | The Microsoft Graph security API federates queries to all onboarded security providers, including Azure AD Identity Protection, Microsoft 365, Microsoft Defender (Cloud, Endpoint, Identity) and Microsoft Sentinel. Details https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview |
| Microsoft365 Brute Force Login by User | Microsoft365. | Rule | A Microsoft365 user was denied login access several times |
| Microsoft365 External Document Sharing | Microsoft365. | Rule | Document shared externally |
| Microsoft365 MFA Disabled | Microsoft365. | Rule | A user's MFA has been removed |
| Monitor Unauthorized API Calls | AWS. | Rule | An unauthorized AWS API call was made |
| New AWS Account Created | AWS. | Rule | A new AWS account was created |
| New IAM Credentials Updated | AWS. | Rule | A console password, access key, or user has been created. |
| New User Account Created | AWS. OneLogin. Zoom. | Rule | A new account was created |
| Okta Admin Access Granted | Scheduled Query | Audit instances of admin access granted in your okta tenant | |
| Okta Admin Role Assigned | Okta. | Rule | A user has been granted administrative privileges in Okta |
| Okta API Key Created | Okta. | Rule | A user created an API Key in Okta |
| Okta API Key Revoked | Okta. | Rule | A user has revoked an API Key in Okta |
| Okta App Refresh Access Token Reuse | Okta. | Rule | https://developer.okta.com/docs/guides/refresh-tokens/main/#refresh-token-reuse-detection |
| Okta App Unauthorized Access Attempt | Okta. | Rule | Detects when a user is denied access to an Okta application |
| Okta Group Admin Role Assigned | Okta. | Rule | Detect when an admin role is assigned to a group |
| Okta Investigate MFA and Password resets | Scheduled Query | Investigate Password and MFA resets for the last 7 days | |
| Okta Investigate Session ID Activity | Scheduled Query | Search for activity related to a specific SessionID in Okta panther_logs.okta_systemlog | |
| Okta Investigate User Activity | Scheduled Query | Audit user activity across your environment. Customize to filter on specific users, time ranges, etc | |
| Okta Login From CrowdStrike Unmanaged Device | Scheduled Query | Okta Logins from an IP Address not found in CrowdStrike's AIP List | |
| Okta Login From CrowdStrike Unmanaged Device | Scheduled Rule | Detects Okta Logins from IP addresses not found in CrowdStrike's AIP list. May indicate unmanaged device being used, or faulty CrowdStrike Sensor. | |
| Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent table) | Scheduled Query | Okta Logins from an IP Address not found in CrowdStrike's AIP List (crowdstrike_fdrevent table) | |
| Okta MFA Globally Disabled | Okta. | Rule | An admin user has disabled the MFA requirement for your Okta account |
| Okta Password Accessed | Okta. | Rule | User accessed another user's application password |
| Okta Rate Limits | Okta. | Rule | Potential DoS/Bruteforce attack or hitting limits (system degradation) |
| Okta Support Access | Scheduled Query | Show instances that Okta support was granted to your account | |
| Okta Support Access Granted | Okta. | Rule | An admin user has granted access to Okta Support to your account |
| Okta Support Reset Credential | Okta. | Rule | A Password or MFA factor was reset by Okta Support |
| Okta ThreatInsight Security Threat Detected | Okta. | Rule | https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm |
| Okta User Account Locked | Okta. | Rule | An Okta user has locked their account. |
| Okta User MFA Factor Suspend | Okta. | Rule | A user's authentication factor has been disabled due to suspected compromise. |
| Okta User MFA Own Reset | Okta. | Rule | User has reset one of their own MFA factors |
| Okta User MFA Reset All | Okta. | Rule | All MFA factors have been reset for a user. |
| Okta User Reported Suspicious Activity | Okta. | Rule | Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification.This detection alerts when a user marks the raised activity as suspicious. https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm |
| OneLogin Active Login Activity | OneLogin. | Rule | Multiple user accounts logged in from the same ip address. |
| OneLogin Authentication Factor Removed | OneLogin. | Rule | A user removed an authentication factor or otp device. |
| OneLogin Failed High Risk Login | OneLogin. | Rule | A OneLogin attempt with a high risk factor (>50) resulted in a failed authentication. |
| OneLogin High Risk Login | OneLogin. | Rule | A OneLogin user successfully logged in after a failed high-risk login attempt. |
| OneLogin Multiple Accounts Deleted | OneLogin. | Rule | Possible Denial of Service detected. Threshold for user account deletions exceeded. |
| OneLogin Multiple Accounts Modified | OneLogin. | Rule | Possible Denial of Service detected. Threshold for user account password changes exceeded. |
| OneLogin Password Access | OneLogin. | Rule | User accessed another user's application password |
| OneLogin Unauthorized Access | OneLogin. | Rule | A OneLogin user was denied access to an app more times than the configured threshold. |
| OneLogin User Assumed Another User | OneLogin. | Rule | User assumed another user account |
| OneLogin User Locked | OneLogin. | Rule | User locked or suspended from their account. |
| OneLogin User Password Changed | OneLogin. | Rule | A user password was updated. |
| Osquery Agent Outdated | Osquery. | Rule | Keep track of osquery versions, current is 4.1.2. |
| OSQuery Detected SSH Listener | Osquery. | Rule | Check if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment. |
| OSQuery Detected Unwanted Chrome Extensions | Osquery. | Rule | Monitor for chrome extensions that could lead to a credential compromise. |
| OSQuery Reports Application Firewall Disabled | Osquery. | Rule | Verifies that MacOS has automatic software updates enabled. |
| OSSEC Rootkit Detected via Osquery | Osquery. | Rule | Checks if any results are returned for the Osquery OSSEC Rootkit pack. |
| Panther SAML configuration has been modified | Panther. | Rule | An Admin has modified Panther's SAML configuration. |
| RoleAssumes by Multiple Useragents | Scheduled Query | RoleAssumes with multiple Useragents could indicate compromised credentials. | |
| Root Account Access Key Created | AWS. | Rule | An access key was created for the Root account |
| Root Account Activity | AWS. | Rule | Root account activity was detected. |
| Root Console Login | AWS. | Rule | The root account has been logged into. |
| Root Password Changed | AWS. | Rule | Someone manually changed the Root console login password. |
| S3 Bucket Deleted | AWS. | Rule | A S3 Bucket, Policy, or Website was deleted |
| Sensitive AWS CloudWatch Log Encryption | AWS. | Policy | AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data. |
| SentinelOne Alert Passthrough | SentinelOne. | Rule | SentinelOne Alert Passthrough |
| SentinelOne Threats | SentinelOne. | Rule | Passthrough SentinelOne Threats |
| Slack Anomaly Detected | Slack. | Rule | Passthrough for anomalies detected by Slack |
| Slack App Access Expanded | Slack. | Rule | Detects when a Slack App has had its permission scopes expanded |
| Slack App Access Expanded | Slack. | Rule | Detects when a Slack App has been removed |
| Slack App Access Expanded | Slack. | Rule | Detects when a workspace is no longer enrolled or managed by EKM |
| Slack App Added | Slack. | Rule | Detects when a Slack App has been added to a workspace |
| Slack Denial of Service | Slack. | Rule | Detects when slack admin invalidates user session(s) more than once in a 24 hour period which can lead to DoS |
| Slack DLP Modified | Slack. | Rule | Detects when a Data Loss Prevention (DLP) rule has been deactivated or a violation has been deleted |
| Slack EKM Config Changed | Slack. | Rule | Detects when the logging settings for a workspace's EKM configuration has changed |
| Slack EKM Slackbot Unenrolled | Slack. | Rule | Detects when a workspace is longer enrolled in EKM |
| Slack IDP Configuration Changed | Slack. | Rule | Detects changes to the identity provider (IdP) configuration for Slack organizations. |
| Slack Information Barrier Modified | Slack. | Rule | Detects when a Slack information barrier is deleted/updated |
| Slack Intune MDM Disabled | Slack. | Rule | Detects the disabling of Microsoft Intune Enterprise MDM within Slack |
| Slack Legal Hold Policy Modified | Slack. | Rule | Detects changes to configured legal hold policies |
| Slack MFA Settings Changed | Slack. | Rule | Detects changes to Multi-Factor Authentication requirements |
| Slack Organization Created | Slack. | Rule | Detects when a Slack organization is created |
| Slack Organization Deleted | Slack. | Rule | Detects when a Slack organization is deleted |
| Slack Potentially Malicious File Shared | Slack. | Rule | Detects when a Slack App has had its permission scopes expanded |
| Slack Private Channel Made Public | Slack. | Rule | Detects when a channel that was previously private is made public |
| Slack Service Owner Transferred | Slack. | Rule | Detects transferring of service owner on request from primary owner |
| Slack SSO Settings Changed | Slack. | Rule | Detects changes to Single Sign On (SSO) restrictions |
| Slack User Privilege Escalation | Slack. | Rule | Detects when a Slack user gains escalated privileges |
| Snowflake Account Admin Granted | Scheduled Rule | Detect when account admin is granted. | |
| Snowflake Brute Force Attacks by IP | Scheduled Rule | Detect brute force attacks by monitoring for failed logins from the same IP address | |
| Snowflake Brute Force Attacks by Username | Scheduled Rule | Detect brute force attacks by monitoring for failed logins by the same username | |
| Snowflake Grant to Public Role | Scheduled Rule | Detect additional grants to the public role | |
| Snowflake Login Without MFA | Scheduled Rule | Detect snowflake logins without multifactor authentication | |
| Snowflake Network Policy Modified | Scheduled Rule | Detect Snowflake network policy modifications | |
| Snowflake Privileged Object Changes | Scheduled Rule | Monitor changes to database objects that require highly privileged roles | |
| Snowflake SCIM Access Token Created | Scheduled Rule | Alerts when a SCIM token is created | |
| Snowflake User Created | Scheduled Rule | Detect new users created in snowflake | |
| Snowflake User Enabled | Scheduled Rule | Detect users being re-enabled in your environment | |
| Snowflake user with key-based auth logged in with password auth | Scheduled Rule | Detect when a user that has key-based authentication configured logs in with a password | |
| Snyk System Policy Settings Changed | Snyk. Snyk. | Rule | Detects Snyk Policy Settings have been changed. Policies define Snyk's behavior when encountering security and licensing issues. |
| Snyk System SSO Settings Changed | Snyk. | Rule | Detects Snyk SSO Settings have been changed. The reference URL from Snyk indicates that these events are likely to originate exclusively from Snyk Support. |
| Sunburst Indicators of Compromise (FQDN) | AWS. AWS. AWS. AWS. AWS. Box. CiscoUmbrella. GCP. GSuite. Gravitational. Okta. OneLogin. Osquery. | Rule | Monitors for communication to known Sunburst Backdoor FQDNs. These IOCs indicate a potential breach and have been associated with a sophisticated nation-state actor. |
| Sunburst Indicators of Compromise (SHA-256) | AWS. AWS. AWS. AWS. Box. GCP. GSuite. Gravitational. Okta. OneLogin. Osquery. | Rule | Monitors for hashes to known Sunburst Backdoor SHA256. These IOCs indicate a potential breach and have been associated with a sophisticated nation-state actor. |
| Suspicious cron detected | Osquery. | Rule | A suspicious cron has been added |
| Suspicious GSuite Login | GSuite. | Rule | GSuite reported a suspicious login for this user. |
| Teleport Create User Accounts | Gravitational. | Rule | A user has been manually created, modified, or deleted |
| Teleport Network Scan Initiated | Gravitational. | Rule | A user has invoked a network scan that could potentially indicate enumeration of the network. |
| Teleport Scheduled Jobs | Gravitational. | Rule | A user has manually edited the Linux crontab |
| Teleport SSH Auth Errors | Gravitational. | Rule | A high volume of SSH errors could indicate a brute-force attack |
| Teleport Suspicious Commands Executed | Gravitational. | Rule | A user has invoked a suspicious command that could lead to a host compromise |
| Unsupported macOS version | Osquery. | Rule | Check that all laptops on the corporate environment are on a version of MacOS supported by IT. |
| Unused AWS Region | AWS. | Rule | CloudTrail logged non-read activity from a verboten AWS region. |
| Unusual 1Password Client Detected | OnePassword. | Rule | Detects when unusual or undesirable 1Password clients access your 1Password account |
| Unusual Volume of Snowflake Logins Detected | Scheduled Rule | Alerts when the number of logins to Snowflake exceeds a baselined threshold | |
| VPC DNS Tunneling | Scheduled Rule | Detect dns tunneling traffic using a scheduled query | |
| VPC Flow Logs Inbound Port Allowlist | AWS. | Rule | VPC Flow Logs observed inbound traffic violating the port allowlist. |
| VPC Flow Logs Inbound Port Blocklist | AWS. | Rule | VPC Flow Logs observed inbound traffic violating the port blocklist. |
| VPC Flow Logs Unapproved Outbound DNS Traffic | AWS. | Rule | Alerts if outbound DNS traffic is detected to a non-approved DNS server. DNS is often used as a means to exfiltrate data or perform command and control for compromised hosts. All DNS traffic should be routed through internal DNS servers or trusted 3rd parties. |
| VPC Flow Port Scanning | Scheduled Query | Instances of a srcAddr communicating with multiple ports on a dstAddr could indicate port scanning activity. | |
| VPC Flow Port Scanning | Scheduled Rule | Searches for potential port scanning activity in VPC Flow logs | |
| Zendesk Account Owner Changed | Zendesk. | Rule | Only one admin user can be the account owner. Ensure the change in ownership is expected. |
| Zendesk API Token Created | Zendesk. | Rule | A user created a new API token to be used with Zendesk. |
| Zendesk Credit Card Redaction Off | Zendesk. | Rule | A user updated account setting that disabled credit card redaction. |
| Zendesk Mobile App Access Modified | Zendesk. | Rule | A user updated account setting that enabled or disabled mobile app access. |
| Zendesk User Role Changed | Zendesk. | Rule | A user's Zendesk role was changed |
| Zendesk User Suspension Status Changed | Zendesk. | Rule | A user's Zendesk suspension status was changed. |
| Zoom All Meetings Secured With One Option Disabled | Zoom. | Rule | A Zoom User turned off your organization's requirement that all meetings are secured with one security option. |
| Zoom Automatic Sign Out Disabled | Zoom. | Rule | A Zoom User turned off your organization's setting to automatically sign users out after a specified period of time. |
| Zoom Meeting Passcode Disabled | Zoom. | Rule | Meeting passcode requirement has been disabled from usergroup |
| Zoom New Meeting Passcode Required Disabled | Zoom. | Rule | A Zoom User turned off your organization's setting to require passcodes for new meetings. |
| Zoom Sign In Method Modified | Zoom. | Rule | A Zoom User modified your organizations sign in method. |
| Zoom Sign In Requirements Changed | Zoom. | Rule | A Zoom User changed your organization's sign in requirements. |
| Zoom Two Factor Authentication Disabled | Zoom. | Rule | A Zoom User disabled your organization's setting to sign in with Two-Factor Authentication. |
| Zoom User Promoted to Privileged Role | Zoom. | Rule | A Zoom user was promoted to a privileged role. |