Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Read More

Detects activity when a member is added to a security-enabled global group

Read More

Detects activity when a member is removed from a security-enabled global group

Read More

Detects activity when a security-enabled global group is deleted

Read More

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Read More

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Read More

Detects suspicious command line that adds an account to the local administrators/administrateurs group

Read More

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups

Read More

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Read More

Find local accounts being created or modified as well as remote authentication configurations

Read More

Detects the addition of a new user to a privileged group such as "root" or "sudo"

Read More

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Read More

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More

An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.

Read More

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More

Addition of domains is seldom and should be verified for legitimacy.

Read More

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Read More

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More

Detects when an API access service account is granted domain authority.

Read More

Detects when an Google Workspace user is granted admin privileges.

Read More