Rule-Based Alert Types

For certain Stellar Cyber alert types based on specific rules, the following topics list the rules that may trigger the indicated Alert Type. For details on rule-based alerts, see Rule-Based Alert Details.

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Suspicious PowerShell Script Alert Type	SigmaHQ, Developed internally by Stellar Cyber	suspicious_powershell_script
Rules Contributing to Suspicious Process Creation Commandline Alert Type	SigmaHQ, Developed internally by Stellar Cyber	suspicious_commandline
Rules Contributing to Parent/Child Suspicious Process Creation Alert Type	SigmaHQ, Developed internally by Stellar Cyber	parent_child

Rule-Based AWS Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Potentially Malicious AWS Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_malicious_activity
Rules Contributing to Suspicious AWS Bucket Enumeration Alert Type	SigmaHQ	aws_suspicious_bucket_enumeration
Rules Contributing to Suspicious AWS EBS Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_ebs_activity
Rules Contributing to Suspicious AWS EC2 Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_ec2_activity
Rules Contributing to Suspicious AWS ELB Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_elb_activity
Rules Contributing to Suspicious AWS IAM Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_iam_activity
Rules Contributing to Suspicious AWS Login Failure Alert Type	Developed internally by Stellar Cyber	cloud_account_login_failure_okta
Rules Contributing to Suspicious AWS RDS Event Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_rds_event
Rules Contributing to Suspicious AWS Root Account Activity Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_root_account_activity
Rules Contributing to Suspicious AWS Route 53 Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_route53_activity
Rules Contributing to Suspicious AWS SSL Certificate Activity Alert Type	Developed internally by Stellar Cyber	aws_suspicious_ssl_certificate_activity
Rules Contributing to Suspicious AWS VPC Flow Logs Modification Alert Type	Developed internally by Stellar Cyber	aws_suspicious_vpc_flow_logs_modification
Rules Contributing to Suspicious AWS VPC Mirror Session Alert Type	Developed internally by Stellar Cyber	aws_suspicious_vpc_mirror_session
Rules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert Type	Developed internally by Stellar Cyber	aws_suspicious_cloudtrail_logs_modification
Rules Contributing to Suspicious Modification of AWS Route Table Alert Type	Developed internally by Stellar Cyber	aws_suspicious_modification_of_route_table
Rules Contributing to Suspicious Modification of S3 Bucket Alert Type	SigmaHQ, Developed internally by Stellar Cyber	aws_suspicious_modification_of_s3_bucket

Rule-Based Microsoft Entra Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Azure Application Gateway Changed Alert Type	SigmaHQ	azure_application_gateway_changed
Rules Contributing to Azure DNS Zone Changed Alert Type	SigmaHQ	azure_dns_zone_change
Rules Contributing to Azure New CloudShell Created Alert Type	SigmaHQ	azure_new_cloudshell_created
Rules Contributing to Azure Security Configuration Changed Alert Type	SigmaHQ	azure_security_config_changed
Rules Contributing to Microsoft Entra Application Configuration Changes Alert Type	SigmaHQ	azure_application_configuration_changes
Rules Contributing to Microsoft Entra Application Deleted Alert Type	SigmaHQ	microsoft_entra_app_deleted
Rules Contributing to Microsoft Entra Application Permission Changes Alert Type	SigmaHQ	azure_application_permission_changes
Rules Contributing to Microsoft Entra BitLocker Key Retrieval Alert Type	SigmaHQ	azure_bitlocker_key_retrieval
Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert Type	SigmaHQ	azure_suspicious_changes_to_conditional_access_policy
Rules Contributing to Microsoft Entra Changes to Device Registration Policy Alert Type	SigmaHQ	azure_changes_to_device_registration_policy
Rules Contributing to Microsoft Entra Changes to Privileged Account Alert Type	SigmaHQ	azure_changes_to_privileged_account
Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert Type	SigmaHQ	azure_changes_to_privileged_role_assignment
Rules Contributing to Microsoft Entra Federation Modified Alert Type	SigmaHQ	azure_federation_modified
Rules Contributing to Microsoft Entra Guest User Invited by Non-Approved Inviters Alert Type	SigmaHQ	azure_guest_user_invited_by_non_approved_inviters
Rules Contributing to Microsoft Entra Hybrid Health AD FS New Server Alert Type	SigmaHQ	microsoft_entra_hybrid_health_adfs_new_server
Rules Contributing to Microsoft Entra Hybrid Health AD FS Service Deleted Alert Type	SigmaHQ	microsoft_entra_hybrid_health_adfs_service_deleted
Rules Contributing to Microsoft Entra ID Discovery Using Azurehound Alert Type	SigmaHQ	azure_discovery_using_azurehound
Rules Contributing to Microsoft Entra ID MFA Disabled Alert Type	SigmaHQ	azure_mfa_disabled
Rules Contributing to Microsoft Entra Owner Removed from Application Alert Type	SigmaHQ	microsoft_entra_owner_removed_from_app
Rules Contributing to Microsoft Entra PIM Setting Changed Alert Type	SigmaHQ	azure_pim_setting_changed
Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert Type	SigmaHQ	azure_privileged_account_assignment_or_elevation
Rules Contributing to Microsoft Entra Sign-in Failure Alert Type	SigmaHQ	azure_sign_in_failures
Rules Contributing to Password Reset By User Account Alert Type	SigmaHQ	password_reset_by_user_account
Rules Contributing to Suspicious Azure Account Permission Elevation Alert Type	SigmaHQ	suspicious_azure_account_permission_elevation
Rules Contributing to Suspicious Azure Deployment Activity Alert Type	SigmaHQ	suspicious_azure_deployment_activity
Rules Contributing to Suspicious Azure Firewall Activity Alert Type	SigmaHQ	suspicious_azure_firewall_activity
Rules Contributing to Suspicious Azure Key Vault Activity Alert Type	SigmaHQ	suspicious_azure_key_vault_activity
Rules Contributing to Suspicious Azure Kubernetes Activity: Credential Access Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_credential_access
Rules Contributing to Suspicious Azure Kubernetes Activity: Defense Evasion Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_defense_evasion
Rules Contributing to Suspicious Azure Kubernetes Activity: Impact Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_impact
Rules Contributing to Suspicious Azure Kubernetes Activity: Persistence Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_persistence
Rules Contributing to Suspicious Azure Kubernetes Activity: Privilege Escalation Alert Type	SigmaHQ	suspicious_azure_kubernetes_activity_privilege_escalation
Rules Contributing to Suspicious Azure Network Activity Alert Type	SigmaHQ	suspicious_azure_network_activity
Rules Contributing to Suspicious Microsoft Entra Device Activity Alert Type	SigmaHQ	suspicious_azure_device_activity
Rules Contributing to Suspicious Microsoft Entra Service Principal Activity Alert Type	SigmaHQ	suspicious_azure_service_principal_activity
Rules Contributing to Suspicious Microsoft Entra Sign-in Activity Alert Type	SigmaHQ	azure_suspicious_sign_in_activity

Rule-Based DNS Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to DNS Query to TOR Proxy Domain Alert Type	Developed internally by Stellar Cyber	dns_tor_proxy_domain
Rules Contributing to Phishing Domain with File Extension TLD Alert Type	Developed internally by Stellar Cyber	dns_phishing_file_extension_tld
Rules Contributing to DNS Query to External Service Interaction Domains Alert Type	SigmaHQ	dns_external_service_interaction_domains
Rules Contributing to DNS Query to Monero Crypto Coin Mining Pool Domains Alert Type	SigmaHQ	dns_pua_cryptocoin_mining_xmr
Rules Contributing to DNS Query to Anonymous File Upload Domains Alert Type	Developed internally by Stellar Cyber	dns_anonymous_file_upload_domains

Rule-Based OCI Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to OCI Discovery Activity Alert Type	Developed internally by Stellar Cyber	oci_discovery_activity
Rules Contributing to OCI Insecure Metadata Endpoint Alert Type	Developed internally by Stellar Cyber	oci_insecure_metadata_endpoint
Rules Contributing to OCI Insecure NFS Export Configuration Alert Type	Developed internally by Stellar Cyber	oci_insecure_nfs_export_configuration
Rules Contributing to OCI Instance Metadata Access Alert Type	Developed internally by Stellar Cyber	oci_instance_metadata_access
Rules Contributing to OCI Unexpected User Agent Alert Type	Developed internally by Stellar Cyber	oci_unexpected_user_agent
Rules Contributing to Suspicious OCI Configuration Change to Network Security Group Alert Typw	Developed internally by Stellar Cyber	suspicious_oci_configuration_change_to_network_security_group
Rules Contributing to Suspicious OCI Modification of Route Table Alert Type	Developed internally by Stellar Cyber	suspicious_oci_modification_of_route_table
Rules Contributing to Suspicious OCI Bucket Enumeration Alert Type	Developed internally by Stellar Cyber	suspicious_oci_bucket_enumeration
Rules Contributing to Suspicious OCI Bucket Public Access Type Configuration Alert Type	Developed internally by Stellar Cyber	suspicious_oci_bucket_public_access_type_configuration
Rules Contributing to Suspicious OCI Event Rule Deletion Alert Type	Developed internally by Stellar Cyber	suspicious_oci_event_rule_deletion
Rules Contributing to Suspicious OCI IAM Activity: Impact Alert Type	Developed internally by Stellar Cyber	suspicious_oci_iam_activity_impact
Rules Contributing to Suspicious OCI IAM Activity: Persistence Alert Type	Developed internally by Stellar Cyber	suspicious_oci_iam_activity_persistence
Rules Contributing to Suspicious OCI Inbound SSH Connection Alert Type	Developed internally by Stellar Cyber	suspicious_oci_inbound_ssh_connection
Rules Contributing to Suspicious OCI Instance Activity Alert Type	Developed internally by Stellar Cyber	suspicious_oci_instance_activity
Rules Contributing to Suspicious OCI Instance Image Export Alert Type	Developed internally by Stellar Cyber	suspicious_oci_instance_image_export
Rules Contributing to Suspicious OCI Kubernetes Activity Alert Type	Developed internally by Stellar Cyber	suspicious_oci_kubernetes_activity
Rules Contributing to Suspicious OCI Logging Activity Alert Type	Developed internally by Stellar Cyber	suspicious_oci_logging_activity
Rules Contributing to Suspicious OCI Object Storage Activity Alert Type	Developed internally by Stellar Cyber	suspicious_oci_object_storage_activity
Rules Contributing to Suspicious OCI Scanning Activity Alert Type	Developed internally by Stellar Cyber	suspicious_oci_scanning_activity
Rules Contributing to Suspicious OCI Security Service Impairment Alert Type	Developed internally by Stellar Cyber	suspicious_oci_security_service_impairment

Rule-Based Traffic Alert Types

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to ICMP Based Exfiltration or Tunneling Alert Type	Developed internally by Stellar Cyber	traffic_icmp_exfiltration
Rules Contributing to Possible Impacket SecretDump Remote Activity Alert Type	Developed internally by Stellar Cyber	network_security_impacket_secretdump
Rules Contributing to Windows Network Access Suspicious desktop.ini Action Alert Type	Developed internally by Stellar Cyber	network_security_net_share_obj_susp_desktop_ini
Rules Contributing to Possible PetitPotam Coerce Authentication Attempt Alert Type	Developed internally by Stellar Cyber	network_security_petitpotam_network_share
Rules Contributing to Protected Storage Service Access Alert Type	Developed internally by Stellar Cyber	network_security_protected_storage_service_access
Rules Contributing to Startup/Logon Script Added to Group Policy Object Alert Type	Developed internally by Stellar Cyber	network_security_win_group_policy_iniscript
Rules Contributing to Remote Task Creation via ATSVC Named Pipe Alert Type	Developed internally by Stellar Cyber	network_security_win_security_atsvc_task
Rules Contributing to DCERPC SMB Spoolss Named Pipe Alert Type	Developed internally by Stellar Cyber	network_security_win_security_dce_rpc_smb_spoolss_named_pipe
Rules Contributing to Persistence and Execution at Scale via GPO Scheduled Task Alert Type	Developed internally by Stellar Cyber	network_security_win_security_gpo_scheduledtasks
Rules Contributing to Impacket PsExec Execution Alert Type	Developed internally by Stellar Cyber	network_security_win_security_impacket_psexec
Rules Contributing to Suspicious PsExec Execution Alert Type	Developed internally by Stellar Cyber	network_security_win_security_susp_psexec
Rules Contributing to Remote Service Activity via SVCCTL Named Pipe Alert Type	Developed internally by Stellar Cyber	network_security_win_security_svcctl_remote_service
Rules Contributing to T1047 Wmiprvse Wbemcomn DLL Hijack Alert Type	Developed internally by Stellar Cyber	network_security_win_security_wmiprvse_wbemcomn_dll_hijack
Rules Contributing to BloodHound Enumeration Activity Alert Type	Developed internally by Stellar Cyber	network_security_bloodhound_enumeration_activity

Rule-Based Windows Alert Types

Windows-related rules require the updated Windows Detection Profile (Low Volume) in the sensor profile settings.

Link to Rule	Source(s)	Link to XDR Event Name
Rules Contributing to Potentially Malicious Windows Event Alert Type	SigmaHQ, Developed internally by Stellar Cyber	windows_security_malicious_event
Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type	SigmaHQ, Developed internally by Stellar Cyber	windows_security_ad_sensitive_attribute_modification
Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type	SigmaHQ	windows_security_sensitive_networkshare
Rules Contributing to Suspicious Access Attempt to Windows Object Alert Type	SigmaHQ	windows_security_object_access_suspicious_attempt
Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type	Developed internally by Stellar Cyber	windows_security_suspicious_activity_related_to_security_enabled_group
Rules Contributing to Suspicious Connection to Another Process Alert Type	SigmaHQ	windows_security_suspicious_connection_process
Rules Contributing to Suspicious Handle Request to Sensitive Object Alert Type	SigmaHQ	windows_security_suspicious_handle_request
Rules Contributing to Suspicious Windows Active Directory Operation Alert Type	SigmaHQ, Developed internally by Stellar Cyber	windows_security_ad_suspicious_operation
Rules Contributing to Suspicious Windows Logon Event Alert Type	SigmaHQ	windows_security_suspicious_logon_event
Rules Contributing to Suspicious Windows Process Creation Alert Type	Developed internally by Stellar Cyber	windows_suspicious_process_creation
Rules Contributing to Suspicious Windows Service Installation Alert Type	SigmaHQ	windows_security_suspicious_service_installation
Rules Contributing to Steal or Forge Kerberos Tickets Alert Type	SigmaHQ	windows_security_steal_or_forge_kerberos_tickets
Rules Contributing to Suspicious LSASS Process Access Alert Type	SigmaHQ, Developed internally by Stellar Cyber	suspicious_process_access_lsass
Rules Contributing to Suspicious Windows Network Connection Alert Type	Developed internally by Stellar Cyber	suspicious_windows_network_connection
Rules Contributing to Suspicious Windows Registry Event: Impact Alert Type	SigmaHQ	suspicious_windows_registry_event_impact
Rules Contributing to Suspicious Windows Registry Event: Persistence Alert Type	SigmaHQ	suspicious_windows_registry_event_persistence