Alert Types with a Detection Time of Write Time

The following built-in alert types or subtypes have a detection time of write_time:

  • Account Created and Deleted in Short Timeframe

  • Account MFA Login Failure Anomaly, Subtype: Machine Learning Anomaly Alert Type

  • AWS AMI Made Public

  • AWS Logging Stopped

  • AWS S3 Ransomware

  • Backup Catalogs Deleted by Ransomware

  • Bad Reputation Login

  • Dormant Account Anomaly

  • Emerging Threat

  • External Account Login Failure Anomaly

  • External Credential Stuffing

  • External IP / Port Scan Anomaly, Subtype: Connection Failure Anomaly (Sensor Traffic)

  • External Protocol Account Login Failure Anomaly

  • External RDP Suspicious Outbound

  • External SQL Dumpfile Execution

  • External URL Reconnaissance Anomaly

  • External User Login Failure Anomaly

  • Google Workspace Account Manipulation

  • Google Workspace Attack Warning

  • Google Workspace Suspicious Activities

  • Google Workspace User Suspended

  • Impossible Travel Anomaly

  • Internal Account Login Failure Anomaly

  • Internal Credential Stuffing

  • Internal Handshake Failure

  • Internal IP / Port Scan Anomaly, Subtype: Connection Failure Anomaly (Sensor Traffic)

  • Internal Plain Text Passwords Detected

  • Internal Protocol Account Login Failure Anomaly

  • Internal SQL Shell Command

  • Internal URL Reconnaissance Anomaly

  • Internal User Login Failure Anomaly

  • Login Time Anomaly

  • Malicious Site Access

  • Malware on Disk

  • Microsoft Entra Apps Modified to Allow Multi-Tenant Access

  • Microsoft Entra Custom Domains Changed

  • Mimikatz Credential Dump

  • Office 365 Admin Audit Logging Disabled

  • Office 365 Content Filter Policy Changed

  • Office 365 File Sharing with Outside Entities

  • Office 365 Malware Filter Policy Changed

  • Office 365 Multiple Files Restored

  • Office 365 Multiple Users Deleted

  • Office 365 Network Security Configuration Changed

  • Office 365 Password Policy Changed

  • Office 365 Sharing Policy Changed

  • Office 365 User Network Admin Changed

  • Possible Encrypted Phishing Site Visit

  • Possible Unencrypted Phishing Site Visit

  • PowerShell Remote Access

  • RDP Port Opening

  • RDP Registry Modification

  • RDP Reverse Tunnel

  • RDP Session Hijacking

  • RDP Settings Hijacking

  • RDP Suspicious Logon

  • RDP Suspicious Logon Attempt

  • Recently Registered Domains

  • SMB Impacket Lateralization

  • SMB Specific Service Installation

  • SMB Suspicious Copy

  • User Login Location Anomaly

  • Volume Shadow Copy Deletion via VssAdmin

  • Volume Shadow Copy Deletion via WMIC

All Sigma rule-based alert types have a detection time of write_time:

  • Azure Application Gateway Changed

  • Azure DNS Zone Changed

  • Azure New CloudShell Created

  • Azure Security Configuration Changed

  • BloodHound Enumeration Activity

  • DCERPC SMB Spoolss Named Pipe

  • DNS Query to Anonymous File Upload Domains

  • DNS Query to External Service Interaction Domains

  • DNS Query to Monero Crypto Coin Mining Pool Domains

  • DNS Query to TOR Proxy Domain

  • ICMP Based Exfiltration or Tunneling

  • Impacket PsExec Execution

  • Microsoft Entra Application Configuration Changes

  • Microsoft Entra Application Deleted

  • Microsoft Entra Application Permission Changes

  • Microsoft Entra BitLocker Key Retrieval

  • Microsoft Entra Changes to Conditional Access Policy

  • Microsoft Entra Changes to Device Registration Policy

  • Microsoft Entra Changes to Privileged Account

  • Microsoft Entra Changes to Privileged Role Assignment

  • Microsoft Entra Federation Modified

  • Microsoft Entra Guest User Invited By Non-Approved Inviters

  • Microsoft Entra Hybrid Health AD FS New Server

  • Microsoft Entra Hybrid Health AD FS Service Deleted

  • Microsoft Entra ID Discovery Using AzureHound

  • Microsoft Entra ID MFA Disabled

  • Microsoft Entra Owner Removed from Application

  • Microsoft Entra PIM Setting Changed

  • Microsoft Entra Privileged Account Assignment or Elevation

  • Microsoft Entra Sign-in Failures

  • Microsoft Entra Suspicious Sign-in Activity

  • OCI Discovery Activity

  • OCI Insecure Metadata Endpoint

  • OCI Insecure NFS Export Configuration

  • OCI Instance Metadata Access

  • OCI Unexpected User Agent

  • Parent/Child Suspicious Process Creation, Subtype: Rule Based Detection

  • Password Reset By User Account

  • Persistence and Execution at Scale via GPO Scheduled Task

  • Phishing Domain with File Extension TLD

  • Possible Impacket SecretDump Remote Activity

  • Possible PetitPotam Coerce Authentication Attempt

  • Potentially Malicious AWS Activity

  • Potentially Malicious Windows Event

  • Protected Storage Service Access

  • Remote Service Activity via SVCCTL Named Pipe

  • Remote Task Creation via ATSVC Named Pipe

  • Sensitive Windows Active Directory Attribute Modification

  • Sensitive Windows Network Share File or Folder Accessed

  • Startup/Logon Script added to Group Policy Object

  • Steal or Forge Kerberos Tickets

  • Suspicious Access Attempt to Windows Object

  • Suspicious Activity Related to Security-Enabled Group

  • Suspicious AWS Bucket Enumeration

  • Suspicious AWS EBS Activity

  • Suspicious AWS EC2 Activity

  • Suspicious AWS ELB Activity

  • Suspicious AWS IAM Activity

  • Suspicious AWS Login Failure, Subtype: Rule Based Alert Type

  • Suspicious AWS RDS Event

  • Suspicious AWS Root Account Activity

  • Suspicious AWS Route 53 Activity

  • Suspicious AWS SSL Certificate Activity

  • Suspicious AWS VPC Flow Logs Modification

  • Suspicious AWS VPC Mirror Session

  • Suspicious Azure Account Permission Elevation

  • Suspicious Azure Deployment Activity

  • Suspicious Azure Firewall Activity

  • Suspicious Azure Key Vault Activity

  • Suspicious Azure Kubernetes Activity: Credential Access

  • Suspicious Azure Kubernetes Activity: Defense Evasion

  • Suspicious Azure Kubernetes Activity: Impact

  • Suspicious Azure Kubernetes Activity: Persistence

  • Suspicious Azure Kubernetes Activity: Privilege Escalation

  • Suspicious Azure Network Activity

  • Suspicious Configuration Change to OCI Network Security Group

  • Suspicious Connection to Another Process

  • Suspicious Handle Request to Sensitive Object

  • Suspicious LSASS Process Access

  • Suspicious Microsoft Entra Device Activity

  • Suspicious Microsoft Entra Service Principal Activity

  • Suspicious Modification of AWS CloudTrail Logs

  • Suspicious Modification of AWS Route Table

  • Suspicious Modification of OCI Route Table

  • Suspicious Modification of S3 Bucket

  • Suspicious OCI Bucket Enumeration

  • Suspicious OCI Bucket Public Access Type Configuration

  • Suspicious OCI Event Rule Deletion

  • Suspicious OCI IAM Activity: Impact

  • Suspicious OCI IAM Activity: Persistence

  • Suspicious OCI Inbound SSH Connection

  • Suspicious OCI Instance Activity

  • Suspicious OCI Instance Image Export

  • Suspicious OCI Kubernetes Activity

  • Suspicious OCI Logging Activity

  • Suspicious OCI Object Storage Activity

  • Suspicious OCI Scanning Activity

  • Suspicious OCI Security Service Impairment

  • Suspicious PowerShell Script

  • Suspicious PsExec Execution

  • Suspicious Process Creation Commandline

  • Suspicious Windows Active Directory Operation

  • Suspicious Windows Logon Event

  • Suspicious Windows Network Connection

  • Suspicious Windows Process Creation

  • Suspicious Windows Registry Event: Impact

  • Suspicious Windows Registry Event: Persistence

  • Suspicious Windows Service Installation

  • T1047 Wmiprvse Wbemcomn DLL Hijack

  • Windows Network Access Suspicious desktop.ini Action