Detections tagged with Sentinel

Jan 1, 2025 2025-01-01: Azure Active Directory - Conditional Access Policy Modified
#KQL#Sentinel#CAP#AzureAD#T1556.009
Jan 2, 2025 2025-01-02: Azure Active Directory - Credential Added to App Registration
#KQL#Sentinel#AzureAD#SPN#T1098.001
Jan 3, 2025 2025-01-03: Azure Activity - Public Access Enabled on Storage Account
#KQL#Sentinel#Azure Storage Account#Misconfiguration#T1562.007#T1530
Jan 4, 2025 2025-01-04: Azure Activity - New IP Address Added to Storage Account Firewall
#KQL#Sentinel#Azure Storage Account#T1562.007#T1530
Jan 5, 2025 2025-01-05: Azure Storage Account - Mass Download
#KQL#Sentinel#Azure Storage Account#T1530
Jan 6, 2025 2025-01-06: Azure Key Vault - New IP Address Added to Key Vault Firewall
#KQL#Sentinel#Azure Key Vault#T1562.007#T1555.006
Jan 7, 2025 Azure Key Vault - Vault Access Configuration Modified
#KQL#Sentinel#Azure Key Vault#Misconfiguration#T1555.006#T1556
Jan 8, 2025 Azure Key Vault - Large Number of Keys, Secrets, Certs Deleted
#KQL#Sentinel#Azure Key Vault#T1555.006#T1485
Jan 9, 2025 Azure Key Vault - Large Number of Keys, Secrets, or Certs Accessed
#KQL#Sentinel#Azure Key Vault#T1555.006
Jan 10, 2025 Azure Key Vault - Potential Privilege Escalation Activity
#KQL#Sentinel#Azure Key Vault#T1555.006#T1556
Jan 11, 2025 AWS CloudTrail - CVE-2024-50603 Potential Exploitation Activity
#KQL#Sentinel#AWS CloudTrail#CVE-2024-50603#T1203
Jan 12, 2025 AWS CloudTrail - New Access Key Created for Root User
#KQL#Sentinel#AWS CloudTrail#T1556#T1098.001
Jan 13, 2025 AWS CloudTrail - CloudTrail Log Stopped
#KQL#Sentinel#AWS CloudTrail#T1562
Jan 14, 2025 AWS CloudTrail - Console Login Without MFA
#KQL#Sentinel#AWS CloudTrail#Misconfiguration#T1078.004
Jan 15, 2025 AWS CloudTrail - Failed Login from Root User
#KQL#Sentinel#AWS CloudTrail#T1078.004#T1110
Jan 16, 2025 AWS VPC - Changes to Inbound Rules Allowing Management Ports
#KQL#Sentinel#AWS CloudTrail#AWS VPC#T1562.007
Jan 17, 2025 AWS S3 - Changes to Block Public Access Settings
#KQL#Sentinel#AWS CloudTrail#AWS S3#T1562.007
Jan 18, 2025 Azure NSG - Changes to Inbound Rules Allowing Management Ports
#KQL#Sentinel#Azure NSG#T1562.007
Jan 19, 2025 Azure Key Vault - User Adds Themselves to a Vault Access Policy
#KQL#Sentinel#Azure Key Vault#Misconfiguration#T1555.006#T1556
Jan 20, 2025 MDE - MDE Exclusion Added or Modified
#KQL#Sentinel#MDE#Misconfiguration#T1562.001
Jan 21, 2025 AzureActivity - VM: Password Reset through EnableAccess VM Extension
#KQL#Sentinel#AzureActivity#Azure VM#T1651
Jan 22, 2025 AzureActivity - VM: Azure Run Command Started On VM
#KQL#Sentinel#AzureActivity#Azure VM#T1651
Jan 23, 2025 AzureAD - SigninLogs: Multiple AAD Users Failing to Authenticate from Same Source IP
#KQL#Sentinel#AzureAD#SigninLogs#T1110
Jan 24, 2025 AzureAD - CAP: Conditional Access Policy Deleted
#KQL#Sentinel#AzureAD#CAP#AuditLogs#T1556.009
Jan 25, 2025 Azure AD - App/OAuth: Admin Consented to Risky API Permissions on Behalf of the Organization
#KQL#Sentinel#AzureAD#OAuth#AuditLogs#T1199
Jan 26, 2025 Azure AD - SigninLogs: Large Number of Failed Logins Followed by a Successful Login to the Azure Portal
#KQL#Sentinel#AzureAD#SigninLogs#T1110
Jan 27, 2025 Azure AD - CAP: New Trusted Location Created
#KQL#Sentinel#AzureAD#CAP#AuditLogs#T1556.009
Jan 28, 2025 Azure AD - CAP: Named Location Modified
#KQL#Sentinel#AzureAD#CAP#AuditLogs#T1556.009
Jan 29, 2025 Azure AD - CAP: Trusted Location Modified
#KQL#Sentinel#AzureAD#CAP#AuditLogs#T1556.009
Jan 30, 2025 Azure Activity: Diagnostic Setting Deleted
#KQL#Sentinel#AzureActivity#T1562.008
Jan 31, 2025 Azure Activity: Diagnostic Setting Modified
#KQL#Sentinel#AzureActivity#T1562.008
Jan 26, 2025 Azure AD - SigninLogs: Large Number of Failed Logins Followed by a Successful Login to the Azure Portal
#KQL#Sentinel#AzureAD#SigninLogs#T1110
Mar 1, 2025 AWS - IAM: STS Get-Caller-Identity from the AWS CLI
#KQL#Sentinel#AWS#AWS CLI#T1528#T1552
Mar 2, 2025 AWS - IAM: AccessKey Created and Deleted in Short Period of Time
#KQL#Sentinel#AWS#AWS IAM#T1098.001#T1550