Rule-Based Alert Types

For certain Stellar Cyber alert types based on specific rules, the following topics list the rules that may trigger the indicated Alert Type. For details on rule-based alerts, see Rule-Based Alert Details.

| Link to Rule | Source(s) | Link to XDR Event Name |
| --- | --- | --- |
| Rules Contributing to Suspicious PowerShell Script Alert Type | SigmaHQ, Developed internally by Stellar Cyber | suspicious_powershell_script |
| Rules Contributing to Suspicious Process Creation Commandline Alert Type | SigmaHQ, Developed internally by Stellar Cyber | suspicious_commandline |
| Rules Contributing to Parent/Child Suspicious Process Creation Alert Type | SigmaHQ, Developed internally by Stellar Cyber | parent_child |

Rule-Based AWS Alert Types

| Link to Rule | Source(s) | Link to XDR Event Name |
| --- | --- | --- |
| Rules Contributing to Potentially Malicious AWS Activity Alert Type | SigmaHQ, Developed internally by Stellar Cyber | aws_malicious_activity |
| Rules Contributing to Suspicious AWS Bucket Enumeration Alert Type | SigmaHQ | aws_suspicious_bucket_enumeration |
| Rules Contributing to Suspicious AWS EBS Activity Alert Type | Developed internally by Stellar Cyber | aws_suspicious_ebs_activity |
| Rules Contributing to Suspicious AWS EC2 Activity Alert Type | SigmaHQ, Developed internally by Stellar Cyber | aws_suspicious_ec2_activity |
| Rules Contributing to Suspicious AWS ELB Activity Alert Type | Developed internally by Stellar Cyber | aws_suspicious_elb_activity |
| Rules Contributing to Suspicious AWS IAM Activity Alert Type | SigmaHQ, Developed internally by Stellar Cyber | aws_suspicious_iam_activity |
| Rules Contributing to Suspicious AWS Login Failure Alert Type | Developed internally by Stellar Cyber | cloud_account_login_failure_okta |
| Rules Contributing to Suspicious AWS RDS Event Alert Type | SigmaHQ, Developed internally by Stellar Cyber | aws_suspicious_rds_event |
| Rules Contributing to Suspicious AWS Root Account Activity Alert Type | SigmaHQ, Developed internally by Stellar Cyber | aws_suspicious_root_account_activity |
| Rules Contributing to Suspicious AWS Route 53 Activity Alert Type | Developed internally by Stellar Cyber | aws_suspicious_route53_activity |
| Rules Contributing to Suspicious AWS SSL Certificate Activity Alert Type | Developed internally by Stellar Cyber | aws_suspicious_ssl_certificate_activity |
| Rules Contributing to Suspicious AWS VPC Flow Logs Modification Alert Type | Developed internally by Stellar Cyber | aws_suspicious_vpc_flow_logs_modification |
| Rules Contributing to Suspicious AWS VPC Mirror Session Alert Type | Developed internally by Stellar Cyber | aws_suspicious_vpc_mirror_session |
| Rules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert Type | Developed internally by Stellar Cyber | aws_suspicious_cloudtrail_logs_modification |
| Rules Contributing to Suspicious Modification of AWS Route Table Alert Type | Developed internally by Stellar Cyber | aws_suspicious_modification_of_route_table |
| Rules Contributing to Suspicious Modification of S3 Bucket Alert Type | SigmaHQ, Developed internally by Stellar Cyber | aws_suspicious_modification_of_s3_bucket |

Rule-Based Microsoft Entra Alert Types

| Link to Rule | Source(s) | Link to XDR Event Name |
| --- | --- | --- |
| Rules Contributing to Azure Application Gateway Changed Alert Type | SigmaHQ | azure_application_gateway_changed |
| Rules Contributing to Azure DNS Zone Changed Alert Type | SigmaHQ | azure_dns_zone_change |
| Rules Contributing to Azure New CloudShell Created Alert Type | SigmaHQ | azure_new_cloudshell_created |
| Rules Contributing to Azure Security Configuration Changed Alert Type | SigmaHQ | azure_security_config_changed |
| Rules Contributing to Microsoft Entra Application Configuration Changes Alert Type | SigmaHQ | azure_application_configuration_changes |
| Rules Contributing to Microsoft Entra Application Deleted Alert Type | SigmaHQ | microsoft_entra_app_deleted |
| Rules Contributing to Microsoft Entra Application Permission Changes Alert Type | SigmaHQ | azure_application_permission_changes |
| Rules Contributing to Microsoft Entra BitLocker Key Retrieval Alert Type | SigmaHQ | azure_bitlocker_key_retrieval |
| Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert Type | SigmaHQ | azure_suspicious_changes_to_conditional_access_policy |
| Rules Contributing to Microsoft Entra Changes to Device Registration Policy Alert Type | SigmaHQ | azure_changes_to_device_registration_policy |
| Rules Contributing to Microsoft Entra Changes to Privileged Account Alert Type | SigmaHQ | azure_changes_to_privileged_account |
| Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert Type | SigmaHQ | azure_changes_to_privileged_role_assignment |
| Rules Contributing to Microsoft Entra Federation Modified Alert Type | SigmaHQ | azure_federation_modified |
| Rules Contributing to Microsoft Entra Guest User Invited by Non-Approved Inviters Alert Type | SigmaHQ | azure_guest_user_invited_by_non_approved_inviters |
| Rules Contributing to Microsoft Entra Hybrid Health AD FS New Server Alert Type | SigmaHQ | microsoft_entra_hybrid_health_adfs_new_server |
| Rules Contributing to Microsoft Entra Hybrid Health AD FS Service Deleted Alert Type | SigmaHQ | microsoft_entra_hybrid_health_adfs_service_deleted |
| Rules Contributing to Microsoft Entra ID Discovery Using Azurehound Alert Type | SigmaHQ | azure_discovery_using_azurehound |
| Rules Contributing to Microsoft Entra ID MFA Disabled Alert Type | SigmaHQ | azure_mfa_disabled |
| Rules Contributing to Microsoft Entra Owner Removed from Application Alert Type | SigmaHQ | microsoft_entra_owner_removed_from_app |
| Rules Contributing to Microsoft Entra PIM Setting Changed Alert Type | SigmaHQ | azure_pim_setting_changed |
| Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert Type | SigmaHQ | azure_privileged_account_assignment_or_elevation |
| Rules Contributing to Microsoft Entra Sign-in Failure Alert Type | SigmaHQ | azure_sign_in_failures |
| Rules Contributing to Microsoft Entra Suspicious Sign-in Activity Alert Type | SigmaHQ | azure_suspicious_sign_in_activity |
| Rules Contributing to Microsoft Entra Unusual Account Creation Alert Type | SigmaHQ | azure_unusual_account_creation |
| Rules Contributing to Suspicious Azure Account Permission Elevation Alert Type | SigmaHQ | suspicious_azure_account_permission_elevation |
| Rules Contributing to Suspicious Azure Deployment Activity Alert Type | SigmaHQ | suspicious_azure_deployment_activity |
| Rules Contributing to Suspicious Azure Firewall Activity Alert Type | SigmaHQ | suspicious_azure_firewall_activity |
| Rules Contributing to Suspicious Azure Key Vault Activity Alert Type | SigmaHQ | suspicious_azure_key_vault_activity |
| Rules Contributing to Suspicious Azure Kubernetes Activity: Credential Access Alert Type | SigmaHQ | suspicious_azure_kubernetes_activity_credential_access |
| Rules Contributing to Suspicious Azure Kubernetes Activity: Defense Evasion Alert Type | SigmaHQ | suspicious_azure_kubernetes_activity_defense_evasion |
| Rules Contributing to Suspicious Azure Kubernetes Activity: Impact Alert Type | SigmaHQ | suspicious_azure_kubernetes_activity_impact |
| Rules Contributing to Suspicious Azure Kubernetes Activity: Persistence Alert Type | SigmaHQ | suspicious_azure_kubernetes_activity_persistence |
| Rules Contributing to Suspicious Azure Kubernetes Activity: Privilege Escalation Alert Type | SigmaHQ | suspicious_azure_kubernetes_activity_privilege_escalation |
| Rules Contributing to Suspicious Azure Network Activity Alert Type | SigmaHQ | suspicious_azure_network_activity |
| Rules Contributing to Suspicious Microsoft Entra Device Activity Alert Type | SigmaHQ | suspicious_azure_device_activity |
| Rules Contributing to Suspicious Microsoft Entra Service Principal Activity Alert Type | SigmaHQ | suspicious_azure_service_principal_activity |

Rule-Based DNS Alert Types

| Link to Rule | Source(s) | Link to XDR Event Name |
| --- | --- | --- |
| Rules Contributing to DNS Query to TOR Proxy Domain Alert Type | Developed internally by Stellar Cyber | dns_tor_proxy_domain |
| Rules Contributing to Phishing Domain with File Extension TLD Alert Type | Developed internally by Stellar Cyber | dns_phishing_file_extension_tld |

Rule-Based Windows Alert Types

Windows-related rules require the updated Windows Detection Profile (Low Volume) in the sensor profile settings.

| Link to Rule | Source(s) | Link to XDR Event Name |
| --- | --- | --- |
| Rules Contributing to Potentially Malicious Windows Event Alert Type | SigmaHQ, Developed internally by Stellar Cyber | windows_security_malicious_event |
| Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type | SigmaHQ, Developed internally by Stellar Cyber | windows_security_ad_sensitive_attribute_modification |
| Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type | SigmaHQ | windows_security_sensitive_networkshare |
| Rules Contributing to Suspicious Access Attempt to Windows Object Alert Type | SigmaHQ | windows_security_object_access_suspicious_attempt |
| Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type | Developed internally by Stellar Cyber | windows_security_suspicious_activity_related_to_security_enabled_group |
| Rules Contributing to Suspicious Connection to Another Process Alert Type | SigmaHQ | windows_security_suspicious_connection_process |
| Rules Contributing to Suspicious Handle Request to Sensitive Object Alert Type | SigmaHQ | windows_security_suspicious_handle_request |
| Rules Contributing to Suspicious Windows Active Directory Operation Alert Type | SigmaHQ, Developed internally by Stellar Cyber | windows_security_ad_suspicious_operation |
| Rules Contributing to Suspicious Windows Logon Event Alert Type | SigmaHQ | windows_security_suspicious_logon_event |
| Rules Contributing to Suspicious Windows Process Creation Alert Type | Developed internally by Stellar Cyber | windows_suspicious_process_creation |
| Rules Contributing to Suspicious Windows Service Installation Alert Type | SigmaHQ | windows_security_suspicious_service_installation |
| Rules Contributing to Steal or Forge Kerberos Tickets Alert Type | SigmaHQ | windows_security_steal_or_forge_kerberos_tickets |
| Rules Contributing to Suspicious LSASS Process Access Alert Type | SigmaHQ, Developed internally by Stellar Cyber | suspicious_process_access_lsass |
| Rules Contributing to Suspicious Windows Network Connection Alert Type | Developed internally by Stellar Cyber | suspicious_windows_network_connection |
| Rules Contributing to Suspicious Windows Registry Event: Impact Alert Type | SigmaHQ | suspicious_windows_registry_event_impact |
| Rules Contributing to Suspicious Windows Registry Event: Persistence Alert Type | SigmaHQ | suspicious_windows_registry_event_persistence |