Alert Types Based on Write Time

Release: 5.1.1

The following built-in alert types, with model type Analytics, are based on write_time:

AWS AMI Made Public
AWS Logging Stopped
AWS S3 Ransomware
Azure AD Apps Modified To Allow Multi-Tenant Access
Azure AD Custom Domains Changed
Backup Catalogs Deleted by Ransomware
Bad Reputation Login
Emerging Threat
External RDP Suspicious Outbound
External SQL Dumpfile Execution
Google Workspace Account Manipulation
Google Workspace Attack Warning
Google Workspace Suspicious Activities
Google Workspace User Suspended
Internal Handshake Failure
Internal Plain Text Passwords Detected
Internal SQL Shell Command
Malicious Site Access
Malware on Disk
Mimikatz Credential Dump
Office 365 Access Governance Anomaly
Office 365 Admin Audit Logging Disabled
Office 365 Blocked User
Office 365 Content Filter Policy Changed
Office 365 Data Exfiltration Attempt Anomaly
Office 365 Data Loss Prevention
Office 365 File Sharing with Outside Entities
Office 365 Malware Filter Policy Changed
Office 365 Multiple Files Restored
Office 365 Multiple Users Deleted
Office 365 Network Security Configuration Changed
Office 365 Password Policy Changed
Office 365 Sharing Policy Changed
Office 365 User Network Admin Changed
Possible Encrypted Phishing Site Visit
Possible Unencrypted Phishing Site Visit
PowerShell Remote Access
RDP Port Opening
RDP Registry Modification
RDP Reverse Tunnel
RDP Session Hijacking
RDP Settings Hijacking
RDP Suspicious Logon
RDP Suspicious Logon Attempt
Recently Registered Domains
SMB Impacket Lateralization
SMB Specific Service Installation
SMB Suspicious Copy
Volume Shadow Copy Deletion via VssAdmin
Volume Shadow Copy Deletion via WMIC

The following built-in alert types, with model type Unsupervised, are based on write_time:

External Credential Stuffing
Internal Credential Stuffing

All Sigma rule-based alert types are based on write_time:

Microsoft Entra Application Configuration Changes
Microsoft Entra Application Permission Changes
Microsoft Entra BitLocker Key Retrieval
Microsoft Entra Changes to Conditional Access Policy
Microsoft Entra Changes to Device Registration Policy
Microsoft Entra Changes to Privileged Account
Microsoft Entra Changes to Privileged Role Assignment
Microsoft Entra Federation Modified
Microsoft Entra Guest User Invited By Non-Approved Inviters
Microsoft Entra ID Discovery Using AzureHound
Microsoft Entra PIM Setting Changed
Microsoft Entra Privileged Account Assignment or Elevation
Microsoft Entra Sign-in Failures
Microsoft Entra Suspicious Sign-in Activity
Microsoft Entra Unusual Account Creation
Parent/Child Suspicious Process Creation
Potentially Malicious AWS Activity
Potentially Malicious Windows Event
Sensitive Windows Active Directory Attribute Modification
Sensitive Windows Network Share File or Folder Accessed
Steal or Forge Kerberos Tickets
Suspicious Access Attempt to Windows Object
Suspicious Activity Related to Security-Enabled Group
Suspicious AWS Bucket Enumeration
Suspicious AWS EBS Activity
Suspicious AWS EC2 Activity
Suspicious AWS ELB Activity
Suspicious AWS IAM Activity
Suspicious AWS Login Failure
Suspicious AWS RDS Event
Suspicious AWS Root Account Activity
Suspicious AWS Route 53 Activity
Suspicious AWS SSL Certificate Activity
Suspicious AWS VPC Flow Logs Modification
Suspicious AWS VPC Mirror Session
Suspicious Connection to Another Process
Suspicious Handle Request to Sensitive Object
Suspicious LSASS Process Access
Suspicious Modification of AWS CloudTrail Logs
Suspicious Modification of AWS Route Table
Suspicious Modification of S3 Bucket
Suspicious PowerShell Script
Suspicious Process Creation Commandline
Suspicious Windows Active Directory Operation
Suspicious Windows Logon Event
Suspicious Windows Network Connection
Suspicious Windows Process Creation
Suspicious Windows Registry Event: Impact
Suspicious Windows Registry Event: Persistence
Suspicious Windows Service Installation