Rule-Based Alert Types

For certain Stellar Cyber alert types based on specific rules, the following topics list the rules that may trigger the indicated Alert Type. For details on rule-based alerts, see Rule-Based Alert Details.

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Suspicious PowerShell Script Alert Type	SigmaHQ, Developed internally by Stellar Cyber	suspicious_powershell_script
Rules Contributing to Suspicious Process Creation Commandline Alert Type	SigmaHQ, Developed internally by Stellar Cyber	suspicious_commandline
Rules Contributing to Parent/Child Suspicious Process Creation Alert Type	SigmaHQ, Developed internally by Stellar Cyber	parent_child

Rule-Based AWS Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Potentially Malicious AWS Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_malicious_activity
Rules Contributing to Suspicious AWS Bucket Enumeration Alert Type	SigmaHQ	aws_suspicious_bucket_enumeration
Rules Contributing to Suspicious AWS EBS Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_ebs_activity
Rules Contributing to Suspicious AWS EC2 Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_ec2_activity
Rules Contributing to Suspicious AWS ELB Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_elb_activity
Rules Contributing to Suspicious AWS IAM Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_iam_activity
Rules Contributing to Suspicious AWS Login Failure Alert Type	Developed internally by Stellar Cyber	cloud_account_login_failure_okta
Rules Contributing to Suspicious AWS RDS Event Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_rds_event
Rules Contributing to Suspicious AWS Root Account Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_root_account_activity
Rules Contributing to Suspicious AWS Route 53 Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_route53_activity
Rules Contributing to Suspicious AWS SSL Certificate Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_ssl_certificate_activity
Rules Contributing to Suspicious AWS VPC Flow Logs Modification Alert Type	Developed internally by Stellar Cyber	aws_suspicious_vpc_flow_logs_modification
Rules Contributing to Suspicious AWS VPC Mirror Session Alert Type	Developed internally by Stellar Cyber	aws_suspicious_vpc_mirror_session
Rules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert Type	Developed internally by Stellar Cyber	aws_suspicious_cloudtrail_logs_modification
Rules Contributing to Suspicious Modification of AWS Route Table Alert Type	Developed internally by Stellar Cyber	aws_suspicious_modification_of_route_table
Rules Contributing to Suspicious Modification of S3 Bucket Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_modification_of_s3_bucket

Rule-Based Microsoft Entra Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Azure Application Gateway Changed Alert Type	SigmaHQ	azure_application_gateway_changed
Rules Contributing to Azure DNS Zone Changed Alert Type	SigmaHQ	azure_dns_zone_change
Rules Contributing to Azure New CloudShell Created Alert Type	SigmaHQ	azure_new_cloudshell_created
Rules Contributing to Azure Security Configuration Changed Alert Type	SigmaHQ	azure_security_config_changed
Rules Contributing to Microsoft Entra Application Configuration Changes Alert Type	SigmaHQ	azure_application_configuration_changes
Rules Contributing to Microsoft Entra Application Deleted Alert Type	SigmaHQ	microsoft_entra_app_deleted
Rules Contributing to Microsoft Entra Application Permission Changes Alert Type	SigmaHQ	azure_application_permission_changes
Rules Contributing to Microsoft Entra BitLocker Key Retrieval Alert Type	SigmaHQ	azure_bitlocker_key_retrieval
Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert Type	SigmaHQ	azure_suspicious_changes_to_conditional_access_policy
Rules Contributing to Microsoft Entra Changes to Device Registration Policy Alert Type	SigmaHQ	azure_changes_to_device_registration_policy
Rules Contributing to Microsoft Entra Changes to Privileged Account Alert Type	SigmaHQ	azure_changes_to_privileged_account
Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert Type	SigmaHQ	azure_changes_to_privileged_role_assignment
Rules Contributing to Microsoft Entra Federation Modified Alert Type	SigmaHQ	azure_federation_modified
Rules Contributing to Microsoft Entra Guest User Invited by Non-Approved Inviters Alert Type	SigmaHQ	azure_guest_user_invited_by_non_approved_inviters
Rules Contributing to Microsoft Entra Hybrid Health AD FS New Server Alert Type	SigmaHQ	microsoft_entra_hybrid_health_adfs_new_server
Rules Contributing to Microsoft Entra Hybrid Health AD FS Service Deleted Alert Type	SigmaHQ	microsoft_entra_hybrid_health_adfs_service_deleted
Rules Contributing to Microsoft Entra ID Discovery Using Azurehound Alert Type	SigmaHQ	azure_discovery_using_azurehound
Rules Contributing to Microsoft Entra ID MFA Disabled Alert Type	SigmaHQ	azure_mfa_disabled
Rules Contributing to Microsoft Entra Owner Removed from Application Alert Type	SigmaHQ	microsoft_entra_owner_removed_from_app
Rules Contributing to Microsoft Entra PIM Setting Changed Alert Type	SigmaHQ	azure_pim_setting_changed
Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert Type	SigmaHQ	azure_privileged_account_assignment_or_elevation
Rules Contributing to Microsoft Entra Sign-in Failure Alert Type	SigmaHQ	azure_sign_in_failures
Rules Contributing to Microsoft Entra Suspicious Sign-in Activity Alert Type	SigmaHQ	azure_suspicious_sign_in_activity
Rules Contributing to Microsoft Entra Unusual Account Creation Alert Type	SigmaHQ	azure_unusual_account_creation
Rules Contributing to Suspicious Azure Account Permission Elevation Alert Type	SigmaHQ	suspicious_azure_account_permission_elevation
Rules Contributing to Suspicious Azure Deployment Activity Alert Type	SigmaHQ	suspicious_azure_deployment_activity
Rules Contributing to Suspicious Azure Firewall Activity Alert Type	SigmaHQ	suspicious_azure_firewall_activity
Rules Contributing to Suspicious Azure Key Vault Activity Alert Type	SigmaHQ	suspicious_azure_key_vault_activity
Rules Contributing to Suspicious Azure Kubernetes Activity: Credential Access Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_credential_access
Rules Contributing to Suspicious Azure Kubernetes Activity: Defense Evasion Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_defense_evasion
Rules Contributing to Suspicious Azure Kubernetes Activity: Impact Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_impact
Rules Contributing to Suspicious Azure Kubernetes Activity: Persistence Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_persistence
Rules Contributing to Suspicious Azure Kubernetes Activity: Privilege Escalation Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_privilege_escalation
Rules Contributing to Suspicious Azure Network Activity Alert Type	SigmaHQ	suspicious_azure_network_activity
Rules Contributing to Suspicious Microsoft Entra Device Activity Alert Type	SigmaHQ	suspicious_azure_device_activity
Rules Contributing to Suspicious Microsoft Entra Service Principal Activity Alert Type	SigmaHQ	suspicious_azure_service_principal_activity

Rule-Based DNS Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to DNS Query to TOR Proxy Domain Alert Type	Developed internally by Stellar Cyber	dns_tor_proxy_domain
Rules Contributing to Phishing Domain with File Extension TLD Alert Type	Developed internally by Stellar Cyber	dns_phishing_file_extension_tld

Rule-Based Windows Alert Types

Windows-related rules require the updated Windows Detection Profile (Low Volume) in the sensor profile settings.

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Potentially Malicious Windows Event Alert Type	SigmaHQ, Developed internally by Stellar Cyber	windows_security_malicious_event
Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type	SigmaHQ, Developed internally by Stellar Cyber	windows_security_ad_sensitive_attribute_modification
Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type	SigmaHQ	windows_security_sensitive_networkshare
Rules Contributing to Suspicious Access Attempt to Windows Object Alert Type	SigmaHQ	windows_security_object_access_suspicious_attempt
Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type	Developed internally by Stellar Cyber	windows_security_suspicious_activity_related_to_security_enabled_group
Rules Contributing to Suspicious Connection to Another Process Alert Type	SigmaHQ	windows_security_suspicious_connection_process
Rules Contributing to Suspicious Handle Request to Sensitive Object Alert Type	SigmaHQ	windows_security_suspicious_handle_request
Rules Contributing to Suspicious Windows Active Directory Operation Alert Type	SigmaHQ, Developed internally by Stellar Cyber	windows_security_ad_suspicious_operation
Rules Contributing to Suspicious Windows Logon Event Alert Type	SigmaHQ	windows_security_suspicious_logon_event
Rules Contributing to Suspicious Windows Process Creation Alert Type	Developed internally by Stellar Cyber	windows_suspicious_process_creation
Rules Contributing to Suspicious Windows Service Installation Alert Type	SigmaHQ	windows_security_suspicious_service_installation
Rules Contributing to Steal or Forge Kerberos Tickets Alert Type	SigmaHQ	windows_security_steal_or_forge_kerberos_tickets
Rules Contributing to Suspicious LSASS Process Access Alert Type	SigmaHQ, Developed internally by Stellar Cyber	suspicious_process_access_lsass
Rules Contributing to Suspicious Windows Network Connection Alert Type	Developed internally by Stellar Cyber	suspicious_windows_network_connection
Rules Contributing to Suspicious Windows Registry Event: Impact Alert Type	SigmaHQ	suspicious_windows_registry_event_impact
Rules Contributing to Suspicious Windows Registry Event: Persistence Alert Type	SigmaHQ	suspicious_windows_registry_event_persistence