AddTasks - (Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)
AddTasks - (Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)
AddTasks - (Preview) TI map IP entity to DNS Events (ASIM DNS schema)
AddTasks - (Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)
AddTasks - (Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)
AddTasks - A client made a web request to a potentially harmful file (ASIM Web Session schema)
AddTasks - A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
AddTasks - A host is potentially running a crypto miner (ASIM Web Session schema)
AddTasks - A host is potentially running a hacking tool (ASIM Web Session schema)
AddTasks - AD FS Abnormal EKU object identifier attribute
AddTasks - Account Created and Deleted in Short Timeframe
AddTasks - Admin promotion after Role Management Application Permission Grant
AddTasks - Anomalous sign-in location by user account and authenticating application
AddTasks - Attempts to sign in to disabled accounts
AddTasks - Azure AD Role Management Permission Grant
AddTasks - Azure DevOps Personal Access Token (PAT) misuse
AddTasks - Azure Portal Signin from another Azure Tenant
AddTasks - Base64 encoded Windows process command-lines (Normalized Process Events)
AddTasks - Brute force attack against user credentials (Uses Authentication Normalization)
AddTasks - Bulk Changes to Privileged Account Permissions
AddTasks - Credential Dumping Tools - File Artifacts
AddTasks - Credential Dumping Tools - Service Installation
AddTasks - DEV-0586 Actor IOC - January 2022
AddTasks - DNS events related to ToR proxies (ASIM DNS Schema)
AddTasks - DNS events related to mining pools (ASIM DNS Schema)
AddTasks - Detect CoreBackUp Deletion Activity from related Security Alerts
AddTasks - Dev-0228 File Path Hashes November 2021 (ASIM Version)
AddTasks - Dev-0270 WMIC Discovery
AddTasks - Discord CDN Risky File Download (ASIM Web Session Schema)
AddTasks - Dynamics 365 - User Bulk Retrieval Outside Normal Activity
AddTasks - Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
AddTasks - Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
AddTasks - Excessive number of failed connections from a single source (ASIM Network Session schema)
AddTasks - Exchange OAB Virtual Directory Attribute Containing Potential Webshell
AddTasks - Failed logon attempts in authpriv
AddTasks - First access credential added to Application or Service Principal where no credential was present
AddTasks - Insider Risk_High User Security Alert Correlations
AddTasks - Insider Risk_High User Security Incidents Correlation
AddTasks - Insider Risk_Microsoft Purview Insider Risk Management Alert Observed
AddTasks - Insider Risk_Risky User Access By Application
AddTasks - Linked Malicious Storage Artifacts
AddTasks - M2131_DataConnectorAddedChangedRemoved
AddTasks - M2131_RecommendedDatatableUnhealthy
AddTasks - MFA Rejected by User
AddTasks - Mail redirect via ExO transport rule
AddTasks - Mail.Read Permissions Granted to Application
AddTasks - Malicious Inbox Rule
AddTasks - Malware in the recycle bin (Normalized Process Events)
AddTasks - Mass Cloud resource deletions Time Series Anomaly
AddTasks - Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
AddTasks - Modified domain federation trust settings
AddTasks - Multiple RDP connections from Single System
AddTasks - Multiple users email forwarded to same destination
AddTasks - NRT Modified domain federation trust settings
AddTasks - Network Port Sweep from External Network (ASIM Network Session schema)
AddTasks - New Agent Added to Pool by New User or Added to a New OS Type.
AddTasks - New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
AddTasks - Non Domain Controller Active Directory Replication
AddTasks - Office policy tampering
AddTasks - PIM Elevation Request Rejected
AddTasks - Password spray attack against ADFSSignInLogs
AddTasks - Password spray attack against Azure AD Seamless SSO
AddTasks - Password spray attack against Azure AD application
AddTasks - Port scan detected (ASIM Network Session schema)
AddTasks - Potential Build Process Compromise - MDE
AddTasks - Potential Fodhelper UAC Bypass (ASIM Version)
AddTasks - Potential Fodhelper UAC Bypass
AddTasks - Potential Password Spray Attack (Uses Authentication Normalization)
AddTasks - Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)
AddTasks - Powershell Empire Cmdlets Executed in Command Line
AddTasks - Prestige ransomware IOCs Oct 2022
AddTasks - Probable AdFind Recon Tool Usage (Normalized Process Events)
AddTasks - Rare RDP Connections
AddTasks - Rare application consent
AddTasks - SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
AddTasks - SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
AddTasks - Scheduled Task Hide
AddTasks - Sdelete deployed via GPO and run recursively (ASIM Version)
AddTasks - SharePointFileOperation via devices with previously unseen user agents
AddTasks - SharePointFileOperation via previously unseen IPs
AddTasks - Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
AddTasks - Sign-ins from IPs that attempt sign-ins to disabled accounts
AddTasks - Successful logon from IP and failure from a different IP
AddTasks - Suspicious application consent for offline access
AddTasks - Suspicious application consent similar to O365 Attack Toolkit
AddTasks - Suspicious application consent similar to PwnAuth
AddTasks - Suspicious number of resource creation or deployment activities
AddTasks - TEARDROP memory-only dropper
AddTasks - Threat Essentials - Mail redirect via ExO transport rule
AddTasks - Threat Essentials - User Assigned Privileged Role
AddTasks - URL Added to Application from Unknown Domain
AddTasks - User Accounts - Sign in Failure due to CA Spikes
AddTasks - User Assigned Privileged Role
AddTasks - User agent search for log4j exploitation attempt
AddTasks - User login from different countries within 3 hours (Uses Authentication Normalization)