| Access - Access App Tracker - Lookup Gen | Maintains a list of Authentication app values and the first and last time they have been seen. |
| Access - Authentication Tracker - Lookup Gen | Maintains a list of users that have authenticated to each system and the first, second to last, and last time they have been seen |
| Access - First Time Account Access | Identifies user and service they are connecting to |
| Abnormally High Number of Endpoint Changes By User | Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications. |
| Account Deleted | Detects user and computer account deletion |
| Anomalous New Process | Alerts when an anomalous number hosts are detected with a new process. |
| Anomalous New Service | Alerts when an anomalous number hosts are detected with a new service. |
| Audit - Active Risk Factors Usage - Telemetry Gen | Sends anonymous usage statistics pertaining to the usage of risk_factors |
| Audit - Active Users - Telemetry Gen | Sends anonymous usage statistics pertaining to the unique number of active users. |
| AWS IAM AccessDenied Discovery Events | The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated. |
| Allow Network Discovery In Firewall - Rule | |
| Brute Force Access Behavior Detected | Detects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack) |
| Brute Force Access Behavior Detected Over One Day | Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack) |
| Concurrent App Accesses | Duplicate resources or apps in use |
| Concurrent Login Attempts Detected | |
| Endpoint - Local Processes Tracker - Lookup Gen | Maintains a list of all processes on each system and the first and last time they were seen |
| Endpoint - Malware Tracker - Lookup Gen | Maintains a list of all detections (regardless of status) for each system and the first and last time they were seen |
| Endpoint - Services Tracker - Lookup Gen | Maintains a list of all services (and the most recent startmode) for each system and the first and last time they were seen |
| Endpoint - Update Signature Reference - Lookup Gen | Maintains a list of all updates by vendor and the first and last time they were seen |
| Endpoint - User Account Tracker - Lookup Gen | Maintains a list of all local user accounts on each system and the first and last time they were seen |
| ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule | This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers. |
| ESCU - Abnormally High Number Of Cloud Instances Launched - Rule | This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers. |
| ESCU - Allow File And Printing Sharing In Firewall - Rule | This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files |
| ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule | This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. |
| ESCU - Allow Network Discovery In Firewall - Rule | This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in a couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. |
| ESCU - Attacker Tools On Endpoint - Rule | This search looks for execution of commonly used attacker tools on an endpoint. |
| ESCU - Attempted Credential Dump From Registry via Reg exe - Rule | Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline. |
| ESCU - AWS Create Policy Version to allow all resources - Rule | This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account |
| ESCU - AWS CreateAccessKey - Rule | This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) |
| ESCU - AWS CreateLoginProfile - Rule | This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip |
| ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule | This search looks for AssumeRole events where an IAM role in a different account is requested for the first time. |
| ESCU - aws detect permanent key creation - Rule | This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor. |
| ESCU - aws detect role creation - Rule | This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges. |
| ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule | This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company. |
| ESCU - Prohibited Network Traffic Allowed - Rule | This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table "lookup_interesting_ports", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device. |
| ESCU - Remote Desktop Network Traffic - Rule | This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network. |
| ESCU - Suspicious Event Log Service Behavior - Rule | The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. |
| Excessive Failed Logins | Detects excessive number of failed login attempts (this is likely a brute force attack) |
| Unapproved Port Activity Detected | |
| Remote Desktop Process Running On System | This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the common_rdp_source category in the Assets and Identity framework. |
| Protocols passing authentication in cleartext | The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances. |
| Detect Outbound SMB Traffic | This search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. One of the techniques often used by attackers involves retrieving the credential hash using an SMB request made to a compromised server controlled by the threat actor. |
| Detect New Local Admin account | This search looks for newly created accounts that have been elevated to local administrators. |
| Email servers sending high volume traffic to hosts | This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server. |
| Malicious PowerShell Process - Execution Policy Bypass | This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy. |
| Detect New Open S3 buckets | This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket. |
| Detect Exchange Web Shell | The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. |
| CMD Echo Pipe | This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via jump (Cobalt Strike PTH) or getsystem, using named-pipe impersonation. A suspicious event will look like cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53. |
| Scheduled Task Deleted Or Created via CMD | The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware". |
| Disabling CMD Application | this search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan, or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files. |
| Detect Large Outbound ICMP Packets | This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity. |
