# Products: Microsoft - Defender Advanced Hunting

## Rules

| Rule ID | Rule Name |
| --- | --- |
| MATCH-S00574 | .NET Framework Remote Code Execution Vulnerability |
| MATCH-S00814 | Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190 |
| MATCH-S00686 | Base64 Decode in Command Line |
| MATCH-S00443 | Create Windows Share |
| MATCH-S00527 | Email Files Written Outside Of The Outlook Directory |
| FIRST-S00028 | First Seen Common Windows Recon Commands From User |
| FIRST-S00072 | First Seen Group Policy Discovery Operation |
| FIRST-S00030 | First Seen Outbound Connection to External IP Address on Port 445 from IP Address |
| FIRST-S00079 | First Seen gpresult execution on host |
| MATCH-S00837 | Kubernetes Secrets Enumeration via Kubectl |
| MATCH-S00687 | Linux Security Tool Usage |
| MATCH-S00729 | MacOS Gatekeeper Bypass |
| MATCH-S00725 | Microsoft CHM File Observed |
| MATCH-S00466 | MsiExec Web Install |
| MATCH-S00554 | Outbound IRC Traffic |
| MATCH-S00167 | Recon Using Common Windows Commands |
| MATCH-S00507 | Spoolsv Child Process Created |
| AGGREGATION-S00004 | Suspicious K8s Enumeration |
| MATCH-S00164 | Suspicious Shells Spawned by Web Servers |
| AGGREGATION-S00005 | Suspicious System Enumeration Occurring in Quick Succession |
| MATCH-S00147 | WMI Managed Object Format (MOF) Process Execution |
| MATCH-S00570 | WMIPRVSE Spawning Process |
| MATCH-S00400 | Web Download via Office Binaries |
| MATCH-S00181 | Windows - Domain Trust Discovery |
| MATCH-S00281 | Windows - PowerShell Process Discovery |
| MATCH-S00192 | Windows - System Network Configuration Discovery |
| MATCH-S00532 | Windows Adfind Exe |
| MATCH-S00724 | Windows Update Agent DLL Changed |
| MATCH-S00508 | Zoom Child Process |
| MATCH-S00726 | macOS Kernel Extension Load |

## Log Mappers

| Log Mapper ID | Log Mapper Name |
| --- | --- |
| 81021214-c85d-428d-93d3-6052bf8e1f5d | Microsoft Defender Advanced Hunting - Alert |
| 018cfe17-c930-46f0-8002-c83c02d53bc5 | Microsoft Defender Advanced Hunting - Audit |
| f6ac7b16-78ea-4c5e-a4ea-68694729d0b8 | Microsoft Defender Advanced Hunting - Email events |
| ea3dcd90-359f-4b1c-b851-b6f9cb75b12e | Microsoft Defender Advanced Hunting - Logon |
| 3a1a724e-ed99-4080-a9cf-cc35b72a2d11 | Microsoft Defender Advanced Hunting - Network |