| AddTasks - (Preview) TI map Domain entity to Dns Events (ASIM DNS Schema) |
 |
| AddTasks - (Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema) |
|
| AddTasks - (Preview) TI map IP entity to DNS Events (ASIM DNS schema) |
|
| AddTasks - (Preview) TI map IP entity to Network Session Events (ASIM Network Session schema) |
|
| AddTasks - (Preview) TI map IP entity to Web Session Events (ASIM Web Session schema) |
|
| AddTasks - A client made a web request to a potentially harmful file (ASIM Web Session schema) |
|
| AddTasks - A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) |
|
| AddTasks - A host is potentially running a crypto miner (ASIM Web Session schema) |
|
| AddTasks - A host is potentially running a hacking tool (ASIM Web Session schema) |
|
| AddTasks - AD FS Abnormal EKU object identifier attribute |
|
| AddTasks - Account Created and Deleted in Short Timeframe |
|
| AddTasks - Admin promotion after Role Management Application Permission Grant |
|
| AddTasks - Anomalous sign-in location by user account and authenticating application |
|
| AddTasks - Attempts to sign in to disabled accounts |
|
| AddTasks - Azure AD Role Management Permission Grant |
|
| AddTasks - Azure DevOps Personal Access Token (PAT) misuse |
|
| AddTasks - Azure Portal Signin from another Azure Tenant |
|
| AddTasks - Base64 encoded Windows process command-lines (Normalized Process Events) |
|
| AddTasks - Brute force attack against user credentials (Uses Authentication Normalization) |
|
| AddTasks - Bulk Changes to Privileged Account Permissions |
|
| AddTasks - Credential Dumping Tools - File Artifacts |
|
| AddTasks - Credential Dumping Tools - Service Installation |
|
| AddTasks - DEV-0586 Actor IOC - January 2022 |
|
| AddTasks - DNS events related to ToR proxies (ASIM DNS Schema) |
|
| AddTasks - DNS events related to mining pools (ASIM DNS Schema) |
|
| AddTasks - Detect CoreBackUp Deletion Activity from related Security Alerts |
|
| AddTasks - Dev-0228 File Path Hashes November 2021 (ASIM Version) |
|
| AddTasks - Dev-0270 WMIC Discovery |
|
| AddTasks - Discord CDN Risky File Download (ASIM Web Session Schema) |
|
| AddTasks - Dynamics 365 - User Bulk Retrieval Outside Normal Activity |
|
| AddTasks - Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) |
|
| AddTasks - Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) |
|
| AddTasks - Excessive number of failed connections from a single source (ASIM Network Session schema) |
|
| AddTasks - Exchange OAB Virtual Directory Attribute Containing Potential Webshell |
|
| AddTasks - Failed logon attempts in authpriv |
|
| AddTasks - First access credential added to Application or Service Principal where no credential was present |
|
| AddTasks - Insider Risk_High User Security Alert Correlations |
|
| AddTasks - Insider Risk_High User Security Incidents Correlation |
|
| AddTasks - Insider Risk_Microsoft Purview Insider Risk Management Alert Observed |
|
| AddTasks - Insider Risk_Risky User Access By Application |
|
| AddTasks - Linked Malicious Storage Artifacts |
|
| AddTasks - M2131_DataConnectorAddedChangedRemoved |
|
| AddTasks - M2131_RecommendedDatatableUnhealthy |
|
| AddTasks - MFA Rejected by User |
|
| AddTasks - Mail redirect via ExO transport rule |
|
| AddTasks - Mail.Read Permissions Granted to Application |
|
| AddTasks - Malicious Inbox Rule |
|
| AddTasks - Malware in the recycle bin (Normalized Process Events) |
|
| AddTasks - Mass Cloud resource deletions Time Series Anomaly |
|
| AddTasks - Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events) |
|
| AddTasks - Modified domain federation trust settings |
|
| AddTasks - Multiple RDP connections from Single System |
|
| AddTasks - Multiple users email forwarded to same destination |
|
| AddTasks - NRT Modified domain federation trust settings |
|
| AddTasks - Network Port Sweep from External Network (ASIM Network Session schema) |
|
| AddTasks - New Agent Added to Pool by New User or Added to a New OS Type. |
|
| AddTasks - New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) |
|
| AddTasks - Non Domain Controller Active Directory Replication |
|
| AddTasks - Office policy tampering |
|
| AddTasks - PIM Elevation Request Rejected |
|
| AddTasks - Password spray attack against ADFSSignInLogs |
|
| AddTasks - Password spray attack against Azure AD Seamless SSO |
|
| AddTasks - Password spray attack against Azure AD application |
|
| AddTasks - Port scan detected (ASIM Network Session schema) |
|
| AddTasks - Potential Build Process Compromise - MDE |
|
| AddTasks - Potential Fodhelper UAC Bypass (ASIM Version) |
|
| AddTasks - Potential Fodhelper UAC Bypass |
|
| AddTasks - Potential Password Spray Attack (Uses Authentication Normalization) |
|
| AddTasks - Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) |
|
| AddTasks - Powershell Empire Cmdlets Executed in Command Line |
|
| AddTasks - Prestige ransomware IOCs Oct 2022 |
|
| AddTasks - Probable AdFind Recon Tool Usage (Normalized Process Events) |
|
| AddTasks - Rare RDP Connections |
|
| AddTasks - Rare application consent |
|
| AddTasks - SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) |
|
| AddTasks - SUNBURST suspicious SolarWinds child processes (Normalized Process Events) |
|
| AddTasks - Scheduled Task Hide |
|
| AddTasks - Sdelete deployed via GPO and run recursively (ASIM Version) |
|
| AddTasks - SharePointFileOperation via devices with previously unseen user agents |
|
| AddTasks - SharePointFileOperation via previously unseen IPs |
|
| AddTasks - Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) |
|
| AddTasks - Sign-ins from IPs that attempt sign-ins to disabled accounts |
|
| AddTasks - Successful logon from IP and failure from a different IP |
|
| AddTasks - Suspicious application consent for offline access |
|
| AddTasks - Suspicious application consent similar to O365 Attack Toolkit |
|
| AddTasks - Suspicious application consent similar to PwnAuth |
|
| AddTasks - Suspicious number of resource creation or deployment activities |
|
| AddTasks - TEARDROP memory-only dropper |
|
| AddTasks - Threat Essentials - Mail redirect via ExO transport rule |
|
| AddTasks - Threat Essentials - User Assigned Privileged Role |
|
| AddTasks - URL Added to Application from Unknown Domain |
|
| AddTasks - User Accounts - Sign in Failure due to CA Spikes |
|
| AddTasks - User Assigned Privileged Role |
|
| AddTasks - User agent search for log4j exploitation attempt |
|
| AddTasks - User login from different countries within 3 hours (Uses Authentication Normalization) |
|