Microsoft-Windows-Security-Auditing Event ID 5156
Sigma (3)
Splunk (13)
- Command and Control Detection (Windows Event Log)
- Internal Port Scan - Critical Ports (Windows Event Log)
- Meterpreter Reverse Shell (Windows Event Log)
- Network Connection with Suspicious Folder (Windows Event Log)
- Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log)
- Potential network connection with CVE-2023-21554 (Windows Event Log)
- Process Connection to Mega - Windows (Windows Event Log)
- PuTTY Secure Copy Client Execution (Windows Event Log)
- RDP Brute-force Detection (Windows Event Log)
- RDP Connection (Windows Event Log)
- Script Connected to External Destination - Windows (Windows Event Log)
- Unexpected Network Connection from System Process (Windows Event Log)
- wuauclt.exe Network Connection (Windows Event Log)
Kusto (25)
- AD FS Remote Auth Sync Connection
- ADWS Connection from Process Injection Target
- ADWS Connection from Unexpected Binary
- Anomaly in SMB Traffic (ASIM Network Session schema)
- DCOM Lateral Movement
- Excessive number of failed connections from a single source (ASIM Network Session schema)
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
- Google Threat Intelligence - Threat Hunting IP
- Network Port Sweep from External Network (ASIM Network Session schema)
- NTLM Relay Attack
- Port scan detected (ASIM Network Session schema)
- Potential beaconing activity (ASIM Network Session schema)
- Potential Kerberos Relaying Activity - MDE
- RecordedFuture Threat Hunting IP All Actors
- Remote Desktop Network Brute force (ASIM Network Session schema)
- RITA Beacon Analyzer for Windows Firewall Events
- Rouge RDP: Suspicious File Creation
- Server Network Connection Anomalies
- SMB/Windows Admin Shares
- SUNBURST network beacons
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports
- Suspicious Network Beacons - Microsoft Defender (MDE/M365D)
- Suspicious Network Connections - Supply Chain Attack
- Suspicious office child process created
- Zinc Actor IOCs files - October 2022