Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

Read More

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Read More

Detects when an account is disabled or blocked for sign in but tried to log in

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detects S3 Browser utility creating IAM User or AccessKey.

Read More

Detects AWS root account usage

Read More

Detect when users are authenticating without MFA being required.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Monitor and alert for Bitlocker key retrieval.

Read More

Detects when changes are made to PIM roles

Read More

Monitor and alert for device registration or join events where MFA was not performed.

Read More

Detect failed authentications from countries you do not operate out of.

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects when changes are made to the SSH certificate configuration of the organization.

Read More

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Read More

Detect failed attempts to sign in to disabled accounts.

Read More

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Read More

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Read More

Detects when Okta identifies new activity in the Admin Console.

Read More

Detect when a user has reset their password in Azure AD

Read More

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Read More

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Read More

Detects when a new admin is created.

Read More

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Read More

Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.

Read More

Monitor and alert for sign-ins where the device was non-compliant.

Read More

Detect successful authentications from countries you do not operate out of.

Read More

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Read More

Alert on when legacy authentication has been used on an account

Read More

Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.

Read More

Detects when a user is added to a privileged role.

Read More

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Read More

Monitor and alert for users added to device admin roles.

Read More

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Read More