Identifies newly seen removable devices by device friendly name using registry modification events. While this activity
is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.

Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon
VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be
abused to exfiltrate sensitive data from unencrypted internal traffic.

An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to
exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an
unauthorized or unexpected AWS account.

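One way to perform the check in the last sentence, as an added example that is not part of the original rule text: a small triage helper that reads a CloudTrail-style ModifySnapshotAttribute record and reports any principal the snapshot was newly shared with that is not on an assumed allowlist of your own accounts. The event below is constructed for illustration and only approximates the real record shape; the allowlist account IDs are placeholders.

```python
import json

# Constructed sample, modelled on a CloudTrail ModifySnapshotAttribute record
# (placeholder account IDs and snapshot ID, not real log data).
SAMPLE_EVENT = json.dumps({
    "eventSource": "ec2.amazonaws.com",
    "eventName": "ModifySnapshotAttribute",
    "recipientAccountId": "111111111111",
    "requestParameters": {
        "snapshotId": "snap-0123456789abcdef0",
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {
            "add": {"items": [{"userId": "999999999999"}]}
        },
    },
})

# Assumed allowlist of AWS accounts that are allowed to receive shared snapshots.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def unauthorized_snapshot_shares(raw_event, trusted=TRUSTED_ACCOUNTS):
    """Return the principals a snapshot was newly shared with outside the allowlist.

    Only createVolumePermission *additions* are examined: removing a share
    is not an exfiltration signal. A share to group "all" makes the snapshot
    public and is reported regardless of the allowlist.
    """
    event = json.loads(raw_event)
    if (event.get("eventSource") != "ec2.amazonaws.com"
            or event.get("eventName") != "ModifySnapshotAttribute"):
        return []
    params = event.get("requestParameters") or {}
    perm = params.get("createVolumePermission") or {}
    added = (perm.get("add") or {}).get("items") or []
    findings = []
    for item in added:
        if item.get("group") == "all":
            findings.append("public (group=all)")
        elif item.get("userId") and item["userId"] not in trusted:
            findings.append(item["userId"])
    return findings


if __name__ == "__main__":
    print(unauthorized_snapshot_shares(SAMPLE_EVENT))  # ['999999999999']
```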
Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks
in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export
destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.

Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should
not be set to forward email to domains outside of your organization. An adversary may create transport rules to

Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport
rules) are used to identify and take action on messages that flow through your organization. An adversary or insider
threat may modify a transport rule to exfiltrate data or evade defenses.