Microsoft-Windows-Security-Auditing event 4663
Sigma (14)
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access
- File Access Of Signal Desktop Sensitive Data
- ISO Image Mounted
- LSASS Access From Non System Account
- Potential Secure Deletion with SDelete
- Potentially Suspicious AccessMask Requested From LSASS
- Processes Accessing the Microphone and Webcam
- Service Registry Key Read Access Request
- Suspicious Teams Application Related ObjectAcess Event
- SysKey Registry Keys Access
- Sysmon Channel Reference Deletion
- WCE wceaux.dll Access
- Windows Defender Exclusion Registry Key - Write Access Requested
Splunk (17)
- ConnectWise ScreenConnect Path Traversal Windows SACL
- Non Chrome Process Accessing Chrome Default Dir
- Non Firefox Process Access Firefox Profile Dir
- SAM Database File Access Attempt
- Windows Credential Access From Browser Password Store
- Windows Credentials from Password Stores Chrome Extension Access
- Windows Credentials from Password Stores Chrome LocalState Access
- Windows Credentials from Password Stores Chrome Login Data Access
- Windows Hosts File Access
- Windows Increase in Group or Object Modification Activity
- Windows Non Discord App Access Discord LevelDB
- Windows Product Key Registry Query
- Windows Query Registry Browser List Application
- Windows Query Registry UnInstall Program List
- Windows Unsecured Outlook Credentials Access In Registry
- Windows Unusual FileZilla XML Config Access
- Windows Unusual Intelliform Storage Registry Access