Alert Types Based on Write Time

Release: 5.4

The following built-in alert types are based on write_time:

Account MFA Login Failure Anomaly, Subtype: Machine Learning Anomaly Alert Type
AWS AMI Made Public
AWS Logging Stopped
AWS S3 Ransomware
Backup Catalogs Deleted by Ransomware
Bad Reputation Login
Emerging Threat
External Account Login Failure Anomaly
External Credential Stuffing
External IP / Port Scan Anomaly, Subtype: Connection Failure Anomaly (Sensor Traffic)
External Protocol Account Login Failure Anomaly
External RDP Suspicious Outbound
External SQL Dumpfile Execution
External URL Reconnaissance Anomaly
External User Login Failure Anomaly
Google Workspace Account Manipulation
Google Workspace Attack Warning
Google Workspace Suspicious Activities
Google Workspace User Suspended
Impossible Travel Anomaly
Internal Account Login Failure Anomaly
Internal Credential Stuffing
Internal Handshake Failure
Internal IP / Port Scan Anomaly, Subtype: Connection Failure Anomaly (Sensor Traffic)
Internal Plain Text Passwords Detected
Internal Protocol Account Login Failure Anomaly
Internal SQL Shell Command
Internal URL Reconnaissance Anomaly
Internal User Login Failure Anomaly
Login Time Anomaly
Malicious Site Access
Malware on Disk
Microsoft Entra Apps Modified to Allow Multi-Tenant Access
Microsoft Entra Custom Domains Changed
Mimikatz Credential Dump
Office 365 Admin Audit Logging Disabled
Office 365 Content Filter Policy Changed
Office 365 File Sharing with Outside Entities
Office 365 Malware Filter Policy Changed
Office 365 Multiple Files Restored
Office 365 Multiple Users Deleted
Office 365 Network Security Configuration Changed
Office 365 Password Policy Changed
Office 365 Sharing Policy Changed
Office 365 User Network Admin Changed
Possible Encrypted Phishing Site Visit
Possible Unencrypted Phishing Site Visit
PowerShell Remote Access
RDP Port Opening
RDP Registry Modification
RDP Reverse Tunnel
RDP Session Hijacking
RDP Settings Hijacking
RDP Suspicious Logon
RDP Suspicious Logon Attempt
Recently Registered Domains
SMB Impacket Lateralization
SMB Specific Service Installation
SMB Suspicious Copy
User Login Location Anomaly
Volume Shadow Copy Deletion via VssAdmin
Volume Shadow Copy Deletion via WMIC

All Sigma rule-based alert types are based on write_time:

Azure Application Gateway Changed
Azure DNS Zone Changed
Azure New CloudShell Created
Azure Security Configuration Changed
DCERPC SMB Spoolss Named Pipe
DNS Query to TOR Proxy Domain
ICMP Based Exfiltration or Tunneling
Impacket PsExec Execution
Microsoft Entra Application Configuration Changes
Microsoft Entra Application Deleted
Microsoft Entra Application Permission Changes
Microsoft Entra BitLocker Key Retrieval
Microsoft Entra Changes to Conditional Access Policy
Microsoft Entra Changes to Device Registration Policy
Microsoft Entra Changes to Privileged Account
Microsoft Entra Changes to Privileged Role Assignment
Microsoft Entra Federation Modified
Microsoft Entra Guest User Invited By Non-Approved Inviters
Microsoft Entra Hybrid Health AD FS New Server
Microsoft Entra Hybrid Health AD FS Service Deleted
Microsoft Entra ID Discovery Using AzureHound
Microsoft Entra ID MFA Disabled
Microsoft Entra Owner Removed from Application
Microsoft Entra PIM Setting Changed
Microsoft Entra Privileged Account Assignment or Elevation
Microsoft Entra Sign-in Failures
Microsoft Entra Suspicious Sign-in Activity
Microsoft Entra Unusual Account Creation
Parent/Child Suspicious Process Creation, Subtype: Rule Based Detection
Password Reset By User Account
Persistence and Execution at Scale via GPO Scheduled Task
Phishing Domain with File Extension TLD
Possible Impacket SecretDump Remote Activity
Possible PetitPotam Coerce Authentication Attempt
Potentially Malicious AWS Activity
Potentially Malicious Windows Event
Protected Storage Service Access
Remote Service Activity via SVCCTL Named Pipe
Remote Task Creation via ATSVC Named Pipe
Sensitive Windows Active Directory Attribute Modification
Sensitive Windows Network Share File or Folder Accessed
Startup/Logon Script added to Group Policy Object
Steal or Forge Kerberos Tickets
Suspicious Access Attempt to Windows Object
Suspicious Activity Related to Security-Enabled Group
Suspicious AWS Bucket Enumeration
Suspicious AWS EBS Activity
Suspicious AWS EC2 Activity
Suspicious AWS ELB Activity
Suspicious AWS IAM Activity
Suspicious AWS Login Failure, Subtype: Rule Based Alert Type
Suspicious AWS RDS Event
Suspicious AWS Root Account Activity
Suspicious AWS Route 53 Activity
Suspicious AWS SSL Certificate Activity
Suspicious AWS VPC Flow Logs Modification
Suspicious AWS VPC Mirror Session
Suspicious Azure Account Permission Elevation
Suspicious Azure Deployment Activity
Suspicious Azure Firewall Activity
Suspicious Azure Key Vault Activity
Suspicious Azure Kubernetes Activity: Credential Access
Suspicious Azure Kubernetes Activity: Defense Evasion
Suspicious Azure Kubernetes Activity: Impact
Suspicious Azure Kubernetes Activity: Persistence
Suspicious Azure Kubernetes Activity: Privilege Escalation
Suspicious Azure Network Activity
Suspicious Connection to Another Process
Suspicious Handle Request to Sensitive Object
Suspicious LSASS Process Access
Suspicious Microsoft Entra Device Activity
Suspicious Microsoft Entra Service Principal Activity
Suspicious Modification of AWS CloudTrail Logs
Suspicious Modification of AWS Route Table
Suspicious Modification of S3 Bucket
Suspicious PowerShell Script
Suspicious PsExec Execution
Suspicious Process Creation Commandline
Suspicious Windows Active Directory Operation
Suspicious Windows Logon Event
Suspicious Windows Network Connection
Suspicious Windows Process Creation
Suspicious Windows Registry Event: Impact
Suspicious Windows Registry Event: Persistence
Suspicious Windows Service Installation
T1047 Wmiprvse Wbemcomn DLL Hijack
Windows Network Access Suspicious desktop.ini Action