
[Rule Tuning] Change event.dataset to data_stream.dataset#5943

Merged
terrancedejesus merged 4 commits into main from event-dataset-to-data-stream-dataset
Apr 10, 2026

Conversation

Contributor

@terrancedejesus terrancedejesus commented Apr 10, 2026

Pull Request

Issue link(s):

Summary - What I changed

Changes event.dataset to data_stream.dataset. Please see issue for more details.

How To Test

No testing of the rules was done. Logic has not changed; instead, all integration-related rules now depend on data_stream.dataset as defined in each integration.

This PR is a bit large and there are additional considerations. To help others when reviewing, here is a prompt that will help review nuances regarding these changes. Please let me know if you have any questions.

Review the changes on branch `event-dataset-to-data-stream-dataset` compared to `main`. This PR migrates detection rules from using `event.dataset` to `data_stream.dataset` in rule queries.

## Required checks

1. **Rule query changes**: Confirm that `event.dataset` was replaced with `data_stream.dataset` only inside query fields (not in investigation guide notes or documentation text).
2. **No deprecated rules touched**: Verify no files under `rules/_deprecated/` were modified.
3. **updated_date**: Check that all modified TOML rules have `updated_date = "2026/04/10"`.
4. **No functional regressions**: The extraction logic in `detection_rules/esql.py` and `detection_rules/beats.py` already supports both `event.dataset` and `data_stream.dataset`. Confirm these files were not inadvertently modified. Explain why the parsing code in `esql.py` (regex patterns) and `beats.py` (EQL/KQL AST field matching) was already written to accept either `event.dataset` or `data_stream.dataset`, and how this means the migration is purely a rule-content change with no parser modifications needed.
5. **Threshold keys/filters**: If any rules used `event.dataset` in threshold config (e.g., `key = "event.dataset"`), verify those were also updated.

## Optional checks

6. **Validator messages**: Confirm error messages in `detection_rules/rule_validators.py` now suggest `data_stream.dataset` instead of `event.dataset`.
7. **Test updates**: Review changes in `tests/test_rules_remote.py` — existing ES|QL tests should now use `data_stream.dataset` in their queries. These tests require a remote Elastic stack and config to run, so this is not a blocking change.
8. **Build verification**: Run `python -m detection_rules dev build-release` to generate the JSON release artifacts and confirm `data_stream.dataset` appears correctly in the built output.
9. **related_integrations coverage**: Check if any rules that now use `data_stream.dataset` in their query are missing `related_integrations` in the generated JSON artifacts under `releases/<version>/rules/`. Cross-reference the `related_integrations` field against the dataset values in the query to ensure the correct integration package and version are populated.
10. **Query spot-check on TRaDE lab**: Use the trade-lab MCP server to pick a few modified rules at random and run their queries via `platform_core_execute_esql` (for ES|QL rules) or `platform_core_search` (for KQL/EQL rules). Confirm they return results or at least parse without errors against live data.

## Build command

To generate the release artifacts locally:

```shell
python -m detection_rules dev build-release
```

## MCP live query validation

To spot-check queries against the TRaDE lab cluster, use these MCP tools:
- **ES|QL rules**: `trade-lab > platform_core_execute_esql` — pass the rule's query directly
- **KQL/EQL rules**: `trade-lab > platform_core_search` — pass the query with the rule's index patterns

Pick a sample of modified rules across different integrations (e.g., AWS, Azure, GCP, Okta) to get broad coverage.

Flag anything that looks inconsistent or was missed.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist


tradebot-elastic commented Apr 10, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Suspended User Account Renewed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance User Restricted from Sending Email (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Attachment Rule Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Actions Unusual Bot Push to Repository (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time AWS CloudFormation Stack Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Drive Ownership Transferred via Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Closed Pull Requests by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM CompromisedKeyQuarantine Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Network Security Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts Involving a User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Access Token Used from Multiple Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Malware File Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive/SharePoint Excessive File Downloads (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Key Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Inventory Reconnaissance by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Abnormally Large DNS Response (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Export (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transfer Lock Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostNetwork (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Guest User Invited (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes User Exec into Pod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful Application SSO from Rare Unknown Client Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Function Policy Updated to Allow Public Invocation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Secrets Manager Rapid Secrets Retrieval (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via File Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Service Quotas Multi-Region GetServiceQuota Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure RBAC Built-In Administrator Roles Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Application Credential Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed High Severity Detection Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Suspended (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ React2Shell Network Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub App Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Sign-In Events via Third-Party IdP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initial Access via File Upload Followed by GET Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Profile Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Key Regenerated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Console Login with Federated User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Egress Network Connections from Unusual Executable (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transferred to Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Message Publish by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Personal Access Token (PAT) Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Google Workspace OAuth Login from Third-Party Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Secret Scanning Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Configuration Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Permissions Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Device Token Rotation) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Owner Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Insecure AWS EC2 VPC Security Group Ingress Rule Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Deprecated AMI Discovery (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk User Sign-in Heuristic (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams External Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed Palo Alto Network Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Security Group Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alerts in Different ATT&CK Tactics by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request User Impersonation by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created with a Sensitive hostPath Volume (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Excessive Account Lockouts Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Sessions Started from Different Geolocations (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Halfbaked Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Versioning Suspended (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS GetCallerIdentity API Called for the First Time (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Inbound Connection to an Unsecure Elasticsearch Node (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Atypical Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Masquerading as Svchost (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Addition to Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from Package Manager Install Ancestry (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Repository Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Accepted Default Telnet Port Connection (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Entra ID Sign-in Brute Force Attempted (Microsoft 365) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM SendCommand Execution by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempted Bypass of Okta MFA (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Impossible Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Service Principal Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ External User Added to Google Workspace Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Full Network Packet Capture Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Member Account Manipulation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Flow with Concurrent Sign-ins (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LLM-Based Compromised User Triage by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Rare Protocol Subscription by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ CyberArk Privileged Access Security Error (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA TOTP Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Self Hosted Action Runner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Phishing Evasion Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sensitive IAM Operations Performed via CloudShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Shared or Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Account Discovery By Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Resolver Query Log Configuration Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Snapshot Shared with Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Remote File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Cloud Secrets Accessed by Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM OIDC Provider Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint/OneDrive File Access via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Removed from Blocklist in Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible FIN7 DGA Command and Control Behavior (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - User Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Account Token or Certificate Access Followed by Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Blob Public Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Brute Force of Root User Identity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Access to an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Search for Sensitive Content (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Successful Login After Credential Attack (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Command Document Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Detector Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EFS File System Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First-Time FortiGate Administrator Login (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Stolen Credentials Used to Login to Okta Account After MFA Reset (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Zoom Meeting with no Passcode (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Unauthenticated Bucket Access by Rare Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Rule or Rule Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forbidden Direct Interactive Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace 2SV Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams Guest Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute VM Command Executed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Exchange DLP Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Federated Credential Authentication by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate FortiCloud SSO Login from Unusual Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Allow Public Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta Sessions Detected for a Single User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Sharing Policy Weakened (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Spike in Web Server Error Logs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Audit Logging Bypass Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Revoke Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Federated Domain Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta ThreatInsight Threat Suspected Promotion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Assigned to a User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SOCKS Traffic from an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS KMS Customer Managed Key Disabled or Scheduled for Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Root Password Recovery Requested (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 AMI Shared with Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts in Same ATT&CK Tactic by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Occurrence of Okta User Session Started via Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Spike in Error Response Codes (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vulnerabilities by Asset via Wiz (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Config Resource Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Access Removed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Trust Anchor Created with External CA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Potential Ransomware Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Reset MFA Factors for an Okta User Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS API Activity from Uncommon S3 Client by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Discovery API Calls via CLI from a Single Resource (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Unusual Secret Key Usage (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostIPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Registered Application Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Added to Google Workspace Domain (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS First Occurrence of STS GetFederationToken Request by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Bitlocker Setting Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Layer Added to Existing Function (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Custom Domain Added or Verified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Items Accessed Excessively (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential AWS S3 Bucket Ransomware Note Uploaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Session Started to EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Discovery or Fuzzing Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Subnet Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Connect SSH Public Key Uploaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EventBridge Rule Disabled or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Login from Multiple IP Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Command Execution from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Keys Accessed by Privileged User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Several Failed Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RDP (Remote Desktop Protocol) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Private Repository Turned Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple External EDR Alerts by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Elevated Access to User Access Administrator (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Transfer Utility Launched from Unusual Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Excessive AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Local File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Unusual Cloud Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by Service (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS VPC Flow Logs Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Credential Stuffing (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Gmail Route Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Scan by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Create Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Configuration Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Service Account Key Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Management Group Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Administrator Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Owner Role Granted To User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Common Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Password Spraying Attack via SSH (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Evasion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suricata and Elastic Defend Network Correlation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Long-Term Access Key First Seen from Source IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen AWS Secret Value Accessed in Secrets Manager (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletion by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Suspicious User Agent Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRole with New MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Restrictions for Marketplace Modified to Allow Any App (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sharepoint or OneDrive Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Assume Role Policy Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID PowerShell Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Azure Monitor Alert Email with Financial or Billing Theme (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Server Access Logging Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection User Alert and Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Rapid Bucket Posture API Calls from a Single Principal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSL VPN Login Followed by SIEM Alert by User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Blob Retrieval via AzCopy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 LOLBin Execution via SSM SendCommand (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Link Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Password Policy Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ IPSEC NAT Traversal Port Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Custom Role Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace API Access Granted via Domain-Wide Delegation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Admin Role Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Alerts Following Unusual Proxy Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Unusual Volume of File Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudShell Environment Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Configuration File Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Administrator Privileges Assigned to an Okta Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Chaining (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SQS Queue Purge (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Encryption Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive Malware File Upload (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Teams Custom Application Interaction Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Restored (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Login Profile Added for Root (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Full Network Packet Capture Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collection Deleted by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 User Data Retrieval for EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in BloodHound Suite User-Agent Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletion by Unusual User and Resource Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Rare Elastic Defend Behavior Rules by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Email Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Base64 Encoding/Decoding Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Network Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via Renamed COM+ Services DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ CyberArk Privileged Access Security Recommended Monitor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM API Calls via Temporary Session Tokens (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Privileged Pod Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMB (Windows File Sharing) Activity to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange MFA Notification Email Deleted or Moved (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Reported Suspicious Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace MFA Enforcement Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Super Admin Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace User Organizational Unit Changed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification or Removal of an Okta Application Sign-On Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cobalt Strike Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Domain Added to Google Workspace Trusted Domains (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Account Creation from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Console Login via Assumed Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Replicated to Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from GenAI Utility or Descendant (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Stream Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMTP on Port 26/TCP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collections Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Deactivation of MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Github Activity on a Private Repository from an Unusual IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Account Lockouts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Export Task (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostPID (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempts to Brute Force an Okta User Account (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Root Login (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Concurrent Sign-in with Suspicious Properties (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Private Hosted Zone Associated With a VPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Virtual MFA Device Registration Attempt with Session Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Disabled for Google Workspace Organization (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible Okta DoS Attack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Default Cobalt Strike Team Server Certificate (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Modified or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request Email Access by Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Table Exported to S3 (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Serial Console Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Webhook Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Creation Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta FastPass Phishing Detection (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Okta User Assigned Administrator Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 or Entra ID Identity Sign-in from a Suspicious Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forwarded Google Workspace Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Password Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Modified RBAC Objects (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Object Copied to External Drive with App Consent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Web Server Potential Command Injection Request (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in TeamFiltration User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deletion Protection Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Customer-Managed Policy Attached to Role by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Alarm Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Create User via Assumed Role on EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Suspicious User Agent Fingerprint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Activity Reported by Okta User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Cloned GitHub Repos From PAT (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Configuration Recorder Stopped (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started with Executable Stack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert Followed by Telemetry Loss (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by User Sign-in to Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Systems Manager SecureString Parameter Request with Decryption Flag (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Roshal Archive (RAR) or PowerShell File Downloaded from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Expiration Lifecycle Configuration Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@terrancedejesus terrancedejesus self-assigned this Apr 10, 2026
@terrancedejesus terrancedejesus added the Rule: Tuning (tweaking or tuning an existing rule) label Apr 10, 2026
@github-actions

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@terrancedejesus terrancedejesus marked this pull request as ready for review April 10, 2026 13:22
tradebot-elastic commented Apr 10, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Suspended User Account Renewed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance User Restricted from Sending Email (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Attachment Rule Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Actions Unusual Bot Push to Repository (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time AWS CloudFormation Stack Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Drive Ownership Transferred via Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Closed Pull Requests by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM CompromisedKeyQuarantine Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Network Security Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts Involving a User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Access Token Used from Multiple Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Malware File Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive/SharePoint Excessive File Downloads (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Key Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Inventory Reconnaissance by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Abnormally Large DNS Response (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Export (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transfer Lock Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostNetwork (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Guest User Invited (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes User Exec into Pod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful Application SSO from Rare Unknown Client Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Function Policy Updated to Allow Public Invocation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Secrets Manager Rapid Secrets Retrieval (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via File Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Service Quotas Multi-Region GetServiceQuota Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure RBAC Built-In Administrator Roles Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Application Credential Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed High Severity Detection Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Suspended (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ React2Shell Network Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub App Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Sign-In Events via Third-Party IdP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initial Access via File Upload Followed by GET Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Profile Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Key Regenerated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Console Login with Federated User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Egress Network Connections from Unusual Executable (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transferred to Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Message Publish by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Personal Access Token (PAT) Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Google Workspace OAuth Login from Third-Party Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Secret Scanning Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Configuration Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Permissions Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Device Token Rotation) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Owner Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Insecure AWS EC2 VPC Security Group Ingress Rule Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Deprecated AMI Discovery (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk User Sign-in Heuristic (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams External Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed Palo Alto Network Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Security Group Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alerts in Different ATT&CK Tactics by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request User Impersonation by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created with a Sensitive hostPath Volume (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Excessive Account Lockouts Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Sessions Started from Different Geolocations (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Halfbaked Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Versioning Suspended (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS GetCallerIdentity API Called for the First Time (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Inbound Connection to an Unsecure Elasticsearch Node (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Atypical Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Masquerading as Svchost (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Addition to Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from Package Manager Install Ancestry (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Repository Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Accepted Default Telnet Port Connection (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Entra ID Sign-in Brute Force Attempted (Microsoft 365) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM SendCommand Execution by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempted Bypass of Okta MFA (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Impossible Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Service Principal Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ External User Added to Google Workspace Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Full Network Packet Capture Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Member Account Manipulation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Flow with Concurrent Sign-ins (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LLM-Based Compromised User Triage by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Rare Protocol Subscription by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ CyberArk Privileged Access Security Error (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA TOTP Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Self Hosted Action Runner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Phishing Evasion Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sensitive IAM Operations Performed via CloudShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Shared or Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Account Discovery By Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Resolver Query Log Configuration Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Snapshot Shared with Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Remote File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Cloud Secrets Accessed by Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM OIDC Provider Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint/OneDrive File Access via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Removed from Blocklist in Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible FIN7 DGA Command and Control Behavior (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - User Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Account Token or Certificate Access Followed by Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Blob Public Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Brute Force of Root User Identity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Access to an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Search for Sensitive Content (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Successful Login After Credential Attack (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Command Document Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Detector Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EFS File System Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First-Time FortiGate Administrator Login (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Stolen Credentials Used to Login to Okta Account After MFA Reset (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Zoom Meeting with no Passcode (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Unauthenticated Bucket Access by Rare Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Rule or Rule Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forbidden Direct Interactive Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace 2SV Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams Guest Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute VM Command Executed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Exchange DLP Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Federated Credential Authentication by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate FortiCloud SSO Login from Unusual Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Allow Public Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta Sessions Detected for a Single User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Sharing Policy Weakened (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Spike in Web Server Error Logs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Audit Logging Bypass Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Revoke Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Federated Domain Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta ThreatInsight Threat Suspected Promotion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Assigned to a User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SOCKS Traffic from an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS KMS Customer Managed Key Disabled or Scheduled for Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Root Password Recovery Requested (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 AMI Shared with Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts in Same ATT&CK Tactic by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Occurrence of Okta User Session Started via Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Spike in Error Response Codes (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vulnerabilities by Asset via Wiz (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Config Resource Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Access Removed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Trust Anchor Created with External CA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Potential Ransomware Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Reset MFA Factors for an Okta User Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS API Activity from Uncommon S3 Client by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Discovery API Calls via CLI from a Single Resource (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Unusual Secret Key Usage (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostIPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Registered Application Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Added to Google Workspace Domain (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS First Occurrence of STS GetFederationToken Request by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Bitlocker Setting Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Layer Added to Existing Function (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Custom Domain Added or Verified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Items Accessed Excessively (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential AWS S3 Bucket Ransomware Note Uploaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Session Started to EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Discovery or Fuzzing Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Subnet Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Connect SSH Public Key Uploaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EventBridge Rule Disabled or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Login from Multiple IP Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Command Execution from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Keys Accessed by Privileged User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Several Failed Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RDP (Remote Desktop Protocol) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Private Repository Turned Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple External EDR Alerts by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Elevated Access to User Access Administrator (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Transfer Utility Launched from Unusual Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Excessive AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Local File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Unusual Cloud Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by Service (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS VPC Flow Logs Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Credential Stuffing (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Gmail Route Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Scan by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Create Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Configuration Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Service Account Key Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Management Group Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Administrator Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Owner Role Granted To User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Common Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Password Spraying Attack via SSH (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Evasion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suricata and Elastic Defend Network Correlation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Long-Term Access Key First Seen from Source IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen AWS Secret Value Accessed in Secrets Manager (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletion by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Suspicious User Agent Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRole with New MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Restrictions for Marketplace Modified to Allow Any App (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sharepoint or OneDrive Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Assume Role Policy Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID PowerShell Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Azure Monitor Alert Email with Financial or Billing Theme (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Server Access Logging Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection User Alert and Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Rapid Bucket Posture API Calls from a Single Principal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSL VPN Login Followed by SIEM Alert by User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Blob Retrieval via AzCopy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 LOLBin Execution via SSM SendCommand (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Link Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Password Policy Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ IPSEC NAT Traversal Port Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Custom Role Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace API Access Granted via Domain-Wide Delegation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Admin Role Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Alerts Following Unusual Proxy Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Unusual Volume of File Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudShell Environment Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Configuration File Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Administrator Privileges Assigned to an Okta Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Chaining (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SQS Queue Purge (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Encryption Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive Malware File Upload (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Teams Custom Application Interaction Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Restored (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Login Profile Added for Root (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Full Network Packet Capture Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collection Deleted by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 User Data Retrieval for EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in BloodHound Suite User-Agent Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletion by Unusual User and Resource Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Rare Elastic Defend Behavior Rules by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Email Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Base64 Encoding/Decoding Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Network Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via Renamed COM+ Services DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ CyberArk Privileged Access Security Recommended Monitor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM API Calls via Temporary Session Tokens (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Privileged Pod Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMB (Windows File Sharing) Activity to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange MFA Notification Email Deleted or Moved (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Reported Suspicious Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace MFA Enforcement Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Super Admin Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace User Organizational Unit Changed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification or Removal of an Okta Application Sign-On Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cobalt Strike Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Domain Added to Google Workspace Trusted Domains (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Account Creation from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Console Login via Assumed Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Replicated to Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from GenAI Utility or Descendant (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Stream Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMTP on Port 26/TCP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collections Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Deactivation of MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Github Activity on a Private Repository from an Unusual IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Account Lockouts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Export Task (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostPID (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempts to Brute Force an Okta User Account (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Root Login (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Concurrent Sign-in with Suspicious Properties (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Private Hosted Zone Associated With a VPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Virtual MFA Device Registration Attempt with Session Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Disabled for Google Workspace Organization (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible Okta DoS Attack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Default Cobalt Strike Team Server Certificate (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Modified or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request Email Access by Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Table Exported to S3 (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Serial Console Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Webhook Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Creation Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta FastPass Phishing Detection (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Okta User Assigned Administrator Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 or Entra ID Identity Sign-in from a Suspicious Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forwarded Google Workspace Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Password Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Modified RBAC Objects (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Object Copied to External Drive with App Consent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Web Server Potential Command Injection Request (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in TeamFiltration User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deletion Protection Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Customer-Managed Policy Attached to Role by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Alarm Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Create User via Assumed Role on EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Suspicious User Agent Fingerprint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Activity Reported by Okta User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Cloned GitHub Repos From PAT (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Configuration Recorder Stopped (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started with Executable Stack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert Followed by Telemetry Loss (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by User Sign-in to Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Systems Manager SecureString Parameter Request with Decryption Flag (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Roshal Archive (RAR) or PowerShell File Downloaded from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Expiration Lifecycle Configuration Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Contributor

@Mikaayenson Mikaayenson left a comment

LGTM. The only concern is that we will have to open a maintenance window to stitch together the minstacked rules. If we can prepare ahead of time, that would be great so we can minimize the window.

Here are the ones I found:

  • rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
  • rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
  • rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
  • rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
  • rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
  • rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
  • rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
  • rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml
  • rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
  • rules/cross-platform/multiple_elastic_defend_behavior_rules_same_host_prevalence.toml
  • rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
  • rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml
  • rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml
  • rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
  • rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
  • rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
  • rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
  • rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
  • rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
  • rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml
  • rules/windows/defense_evasion_masquerading_as_svchost.toml

@tradebot-elastic

tradebot-elastic commented Apr 10, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Suspended User Account Renewed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance User Restricted from Sending Email (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Attachment Rule Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Actions Unusual Bot Push to Repository (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time AWS CloudFormation Stack Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Drive Ownership Transferred via Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Closed Pull Requests by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM CompromisedKeyQuarantine Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Network Security Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts Involving a User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Access Token Used from Multiple Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Malware File Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive/SharePoint Excessive File Downloads (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Key Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Inventory Reconnaissance by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Abnormally Large DNS Response (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Export (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transfer Lock Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostNetwork (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Guest User Invited (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes User Exec into Pod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful Application SSO from Rare Unknown Client Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Function Policy Updated to Allow Public Invocation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Secrets Manager Rapid Secrets Retrieval (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via File Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Service Quotas Multi-Region GetServiceQuota Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure RBAC Built-In Administrator Roles Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Application Credential Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed High Severity Detection Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Suspended (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ React2Shell Network Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub App Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Sign-In Events via Third-Party IdP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initial Access via File Upload Followed by GET Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Profile Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Key Regenerated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Console Login with Federated User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Egress Network Connections from Unusual Executable (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transferred to Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Message Publish by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Personal Access Token (PAT) Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Google Workspace OAuth Login from Third-Party Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Secret Scanning Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Configuration Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Permissions Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Device Token Rotation) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Owner Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Insecure AWS EC2 VPC Security Group Ingress Rule Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Deprecated AMI Discovery (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk User Sign-in Heuristic (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams External Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed Palo Alto Network Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Security Group Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alerts in Different ATT&CK Tactics by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request User Impersonation by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created with a Sensitive hostPath Volume (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Excessive Account Lockouts Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Sessions Started from Different Geolocations (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Halfbaked Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Versioning Suspended (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS GetCallerIdentity API Called for the First Time (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Inbound Connection to an Unsecure Elasticsearch Node (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Atypical Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Masquerading as Svchost (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Addition to Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from Package Manager Install Ancestry (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Repository Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Accepted Default Telnet Port Connection (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Entra ID Sign-in Brute Force Attempted (Microsoft 365) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM SendCommand Execution by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempted Bypass of Okta MFA (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Impossible Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Service Principal Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ External User Added to Google Workspace Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Full Network Packet Capture Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Member Account Manipulation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Flow with Concurrent Sign-ins (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LLM-Based Compromised User Triage by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Rare Protocol Subscription by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ CyberArk Privileged Access Security Error (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA TOTP Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Self Hosted Action Runner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Phishing Evasion Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sensitive IAM Operations Performed via CloudShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Shared or Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Account Discovery By Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Resolver Query Log Configuration Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Snapshot Shared with Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Remote File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Cloud Secrets Accessed by Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM OIDC Provider Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint/OneDrive File Access via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Removed from Blocklist in Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible FIN7 DGA Command and Control Behavior (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - User Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Account Token or Certificate Access Followed by Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Blob Public Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Brute Force of Root User Identity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Access to an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Search for Sensitive Content (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Successful Login After Credential Attack (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Command Document Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Detector Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EFS File System Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First-Time FortiGate Administrator Login (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Stolen Credentials Used to Login to Okta Account After MFA Reset (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Zoom Meeting with no Passcode (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Unauthenticated Bucket Access by Rare Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Rule or Rule Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forbidden Direct Interactive Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace 2SV Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams Guest Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute VM Command Executed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Exchange DLP Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Federated Credential Authentication by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate FortiCloud SSO Login from Unusual Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Allow Public Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta Sessions Detected for a Single User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Sharing Policy Weakened (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Spike in Web Server Error Logs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Audit Logging Bypass Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Revoke Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Federated Domain Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta ThreatInsight Threat Suspected Promotion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Assigned to a User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SOCKS Traffic from an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS KMS Customer Managed Key Disabled or Scheduled for Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Root Password Recovery Requested (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 AMI Shared with Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts in Same ATT&CK Tactic by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Occurrence of Okta User Session Started via Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Spike in Error Response Codes (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vulnerabilities by Asset via Wiz (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Config Resource Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Access Removed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Trust Anchor Created with External CA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Potential Ransomware Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Reset MFA Factors for an Okta User Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS API Activity from Uncommon S3 Client by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Discovery API Calls via CLI from a Single Resource (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Unusual Secret Key Usage (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostIPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Registered Application Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Added to Google Workspace Domain (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS First Occurrence of STS GetFederationToken Request by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Bitlocker Setting Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Layer Added to Existing Function (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Custom Domain Added or Verified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Items Accessed Excessively (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential AWS S3 Bucket Ransomware Note Uploaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Session Started to EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Discovery or Fuzzing Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Subnet Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Connect SSH Public Key Uploaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EventBridge Rule Disabled or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Login from Multiple IP Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Command Execution from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Keys Accessed by Privileged User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Several Failed Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RDP (Remote Desktop Protocol) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Private Repository Turned Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple External EDR Alerts by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Elevated Access to User Access Administrator (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Transfer Utility Launched from Unusual Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Excessive AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Local File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Unusual Cloud Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by Service (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS VPC Flow Logs Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Credential Stuffing (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Gmail Route Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Scan by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Create Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Configuration Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Service Account Key Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Management Group Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Administrator Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Owner Role Granted To User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Common Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Password Spraying Attack via SSH (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Evasion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suricata and Elastic Defend Network Correlation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Long-Term Access Key First Seen from Source IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen AWS Secret Value Accessed in Secrets Manager (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletion by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Suspicious User Agent Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRole with New MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Restrictions for Marketplace Modified to Allow Any App (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sharepoint or OneDrive Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Assume Role Policy Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID PowerShell Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Azure Monitor Alert Email with Financial or Billing Theme (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Server Access Logging Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection User Alert and Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Rapid Bucket Posture API Calls from a Single Principal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSL VPN Login Followed by SIEM Alert by User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Blob Retrieval via AzCopy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 LOLBin Execution via SSM SendCommand (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Link Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Password Policy Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ IPSEC NAT Traversal Port Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Custom Role Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace API Access Granted via Domain-Wide Delegation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Admin Role Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Alerts Following Unusual Proxy Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Unusual Volume of File Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudShell Environment Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Configuration File Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Administrator Privileges Assigned to an Okta Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Chaining (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SQS Queue Purge (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Encryption Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive Malware File Upload (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Teams Custom Application Interaction Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Restored (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Login Profile Added for Root (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Full Network Packet Capture Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collection Deleted by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 User Data Retrieval for EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in BloodHound Suite User-Agent Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletion by Unusual User and Resource Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Rare Elastic Defend Behavior Rules by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Email Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Base64 Encoding/Decoding Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Network Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via Renamed COM+ Services DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ CyberArk Privileged Access Security Recommended Monitor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM API Calls via Temporary Session Tokens (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Privileged Pod Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMB (Windows File Sharing) Activity to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange MFA Notification Email Deleted or Moved (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Reported Suspicious Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace MFA Enforcement Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Super Admin Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace User Organizational Unit Changed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification or Removal of an Okta Application Sign-On Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cobalt Strike Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Domain Added to Google Workspace Trusted Domains (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Account Creation from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Console Login via Assumed Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Replicated to Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from GenAI Utility or Descendant (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Stream Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMTP on Port 26/TCP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collections Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Deactivation of MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Github Activity on a Private Repository from an Unusual IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Account Lockouts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Export Task (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostPID (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempts to Brute Force an Okta User Account (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Root Login (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Concurrent Sign-in with Suspicious Properties (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Private Hosted Zone Associated With a VPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Virtual MFA Device Registration Attempt with Session Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Disabled for Google Workspace Organization (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible Okta DoS Attack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Default Cobalt Strike Team Server Certificate (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Modified or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request Email Access by Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Table Exported to S3 (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Serial Console Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Webhook Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Creation Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta FastPass Phishing Detection (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Okta User Assigned Administrator Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 or Entra ID Identity Sign-in from a Suspicious Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forwarded Google Workspace Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Password Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Modified RBAC Objects (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Object Copied to External Drive with App Consent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Web Server Potential Command Injection Request (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in TeamFiltration User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deletion Protection Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Customer-Managed Policy Attached to Role by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Alarm Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Create User via Assumed Role on EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Suspicious User Agent Fingerprint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Activity Reported by Okta User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Cloned GitHub Repos From PAT (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Configuration Recorder Stopped (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started with Executable Stack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert Followed by Telemetry Loss (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by User Sign-in to Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Systems Manager SecureString Parameter Request with Decryption Flag (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Roshal Archive (RAR) or PowerShell File Downloaded from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Expiration Lifecycle Configuration Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@terrancedejesus
Contributor Author

@Mikaayenson - Same here

min_stack_version: 9.1.0 (2 rules)

1. rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
2. rules/windows/defense_evasion_masquerading_as_svchost.toml

min_stack_version: 9.2.0 (11 rules)

3. rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
4. rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
5. rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
6. rules/integrations/aws/discovery_organization_discovery_by_rare_user.toml
7. rules/integrations/aws/discovery_s3_rapid_bucket_posture_api_calls.toml
8. rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
9. rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
10. rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
11. rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
12. rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
13. rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml

min_stack_version: 9.3.0 (8 rules)

14. rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml
15. rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
16. rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
17. rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
18. rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
19. rules/cross-platform/initial_access_elastic_defend_alert_package_manager_ancestor.toml
20. rules/cross-platform/multiple_alerts_llm_compromised_user_triage.toml
21. rules/cross-platform/multiple_elastic_defend_behavior_rules_same_host_prevalence.toml

@eric-forte-elastic
Contributor

eric-forte-elastic commented Apr 10, 2026

Some of the note text still refers to event.dataset; we may want to update that. (Example)


### Possible investigation steps

- Review the Zoom event logs to identify the specific meeting details, including the meeting ID and the organizer's information, using the fields event.type, event.module, event.dataset, and event.action.
Contributor

Suggested change
- Review the Zoom event logs to identify the specific meeting details, including the meeting ID and the organizer's information, using the fields event.type, event.module, data_stream.dataset, and event.action.

Should this still be event.dataset? Or perhaps data_stream.dataset?

Contributor Author

Tried to keep the PR as minimal as possible and not adjust any investigation guides.

Comment thread rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml Outdated
@tradebot-elastic

tradebot-elastic commented Apr 10, 2026

⛔️ Test failed

Results
  • ❌ Attempt to Modify an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Suspended User Account Renewed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance User Restricted from Sending Email (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Arc Cluster Credential Access by Identity from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Attachment Rule Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Actions Unusual Bot Push to Repository (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time AWS CloudFormation Stack Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Protected Branch Settings Changed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Drive Ownership Transferred via Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Closed Pull Requests by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Front Door WAF Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM CompromisedKeyQuarantine Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Network Security Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Illicit Consent Grant by Rare Client and User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox High-Risk Permission Delegated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts Involving a User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Access Token Used from Multiple Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Malware File Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive/SharePoint Excessive File Downloads (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Key Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Inventory Reconnaissance by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Abnormally Large DNS Response (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Export (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transfer Lock Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Self-Subject Review via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostNetwork (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Guest User Invited (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes User Exec into Pod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful Application SSO from Rare Unknown Client Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Function Policy Updated to Allow Public Invocation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Static Site JavaScript File Uploaded (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Secrets Manager Rapid Secrets Retrieval (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via File Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Service Quotas Multi-Region GetServiceQuota Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Exfiltration via High Number of Repository Clones by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure RBAC Built-In Administrator Roles Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Application Credential Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed High Severity Detection Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Suspended (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ React2Shell Network Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub App Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Sign-In Events via Third-Party IdP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Domain Federation Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initial Access via File Upload Followed by GET Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Profile Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Key Regenerated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Console Login with Federated User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Egress Network Connections from Unusual Executable (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Domain Transferred to Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Message Publish by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Personal Access Token (PAT) Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Google Workspace OAuth Login from Third-Party Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Secret Scanning Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Configuration Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Permissions Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Device Token Rotation) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Owner Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Insecure AWS EC2 VPC Security Group Ingress Rule Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Container Access Level Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Deprecated AMI Discovery (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk User Sign-in Heuristic (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams External Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed Palo Alto Network Alert (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Security Group Configuration Change (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alerts in Different ATT&CK Tactics by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New Okta Identity Provider (IdP) Added by Admin (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request User Impersonation by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created with a Sensitive hostPath Volume (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Excessive Account Lockouts Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Unusual SSO Authentication Errors for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Sessions Started from Different Geolocations (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Halfbaked Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Versioning Suspended (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS GetCallerIdentity API Called for the First Time (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Inbound Connection to an Unsecure Elasticsearch Node (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Network Watcher Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPC (Remote Procedure Call) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Atypical Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Masquerading as Svchost (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Addition to Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Events Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from Package Manager Install Ancestry (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Repository Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Accepted Default Telnet Port Connection (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Entra ID Sign-in Brute Force Attempted (Microsoft 365) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID High Risk Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM SendCommand Execution by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempted Bypass of Okta MFA (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Login from Impossible Travel Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Service Principal Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ External User Added to Google Workspace Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous User Create/Update/Patch Pods Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Full Network Packet Capture Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Topic Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Member Account Manipulation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive RBAC Change Followed by Workload Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Flow with Concurrent Sign-ins (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LLM-Based Compromised User Triage by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SNS Rare Protocol Subscription by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ CyberArk Privileged Access Security Error (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA TOTP Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ New GitHub Self Hosted Action Runner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth PRT Issuance to Non-Managed Device Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Inbox Phishing Evasion Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sensitive IAM Operations Performed via CloudShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Shared or Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Password Spray (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Account Discovery By Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Resolver Query Log Configuration Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Snapshot Shared with Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Remote File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Cloud Secrets Accessed by Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM OIDC Provider Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint/OneDrive File Access via PowerShell (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Removed from Blocklist in Google Workspace (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible FIN7 DGA Command and Control Behavior (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection - Risk Detection - User Risk (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Request from Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Account Token or Certificate Access Followed by Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Blob Public Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Brute Force of Root User Identity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Access to an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Search for Sensitive Content (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Successful Login After Credential Attack (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Command Document Created by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Sink Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS GuardDuty Detector Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EFS File System Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First-Time FortiGate Administrator Login (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Stolen Credentials Used to Login to Okta Account After MFA Reset (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Logging Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ VNC (Virtual Network Computing) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Brute Force (Multi-Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Zoom Meeting with no Passcode (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Unauthenticated Bucket Access by Rare Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Rule or Rule Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forbidden Direct Interactive Kubernetes API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace 2SV Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Teams Guest Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Enumeration or Brute Force (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute VM Command Executed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Exchange DLP Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Federated Credential Authentication by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate FortiCloud SSO Login from Unusual Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Allow Public Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta Sessions Detected for a Single User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Sharing Policy Weakened (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Suspicious Assignment of Controller Service Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Denied Service Account Request via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Anonymous Request Authorized by Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Exposed Service Created With Type NodePort (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Spike in Web Server Error Logs (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Audit Logging Bypass Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Revoke Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Federated Domain Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta ThreatInsight Threat Suspected Promotion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Assigned to a User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SOCKS Traffic from an Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS KMS Customer Managed Key Disabled or Scheduled for Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM User Created Access Keys For Another User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Sign-In Root Password Recovery Requested (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 AMI Shared with Another Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Alerts in Same ATT&CK Tactic by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Occurrence of Okta User Session Started via Proxy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Potential Spike in Error Response Codes (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Vulnerabilities by Asset via Wiz (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Config Resource Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 EBS Snapshot Access Removed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Container Created with Excessive Linux Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Roles Anywhere Trust Anchor Created with External CA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Potential Ransomware Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Reset MFA Factors for an Okta User Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Non-Managed Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS API Activity from Uncommon S3 Client by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Discovery API Calls via CLI from a Single Resource (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Unusual Secret Key Usage (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostIPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Added as Registered Application Owner (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Application Added to Google Workspace Domain (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS First Occurrence of STS GetFederationToken Request by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Bitlocker Setting Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Lambda Layer Added to Existing Function (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Custom Domain Added or Verified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mailbox Items Accessed Excessively (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential AWS S3 Bucket Ransomware Note Uploaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SSM Session Started to EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Discovery or Fuzzing Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Subnet Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Network Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Group Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Connect SSH Public Key Uploaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EventBridge Rule Disabled or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity Global Administrator Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Overly Permissive Firewall Policy Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Unusual Decision by User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Login from Multiple IP Addresses (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Command Execution from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Keys Accessed by Privileged User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Several Failed Protected Branch Force Pushes by User (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RDP (Remote Desktop Protocol) from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Private Repository Turned Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple External EDR Alerts by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Elevated Access to User Access Administrator (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Runbook Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Transfer Utility Launched from Unusual Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Excessive AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Local File Inclusion Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Unusual Cloud Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS WAF Access Control List Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Phishing via First-Party Microsoft Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Assumption by Service (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS VPC Flow Logs Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Admin Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Okta Credential Stuffing (Single Source) (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Gmail Route Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth user_impersonation Scope for Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Okta User Authentication Events with Same Device Token Hash (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRoot by Rare User and Member Account (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Scan by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Create Okta API Token (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Rule Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Configuration Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Successful Okta MFA Bombing via Push Notifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Service Account Key Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Management Group Role Assigned (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 SharePoint Site Administrator Added (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Owner Role Granted To User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Direct Interactive Kubernetes API Request by Common Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Authentication Type (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Password Spraying Attack via SSH (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudTrail Log Evasion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suricata and Elastic Defend Network Correlation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Made Public (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Long-Term Access Key First Seen from Source IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen AWS Secret Value Accessed in Secrets Manager (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Topic Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Route Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletion by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Admin Confirmed Compromise (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Suspicious User Agent Requests (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS AssumeRole with New MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Restrictions for Marketplace Modified to Allow Any App (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Cluster-Admin Role Binding Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sharepoint or OneDrive Accessed by Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Assume Role Policy Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID PowerShell Sign-in (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Azure Monitor Alert Email with Financial or Billing Theme (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Server Access Logging Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection User Alert and Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Rapid Bucket Posture API Calls from a Single Principal (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSL VPN Login Followed by SIEM Alert by User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM SAML Provider Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Blob Retrieval via AzCopy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 LOLBin Execution via SSM SendCommand (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Email Safe Link Policy Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Password Policy Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ IPSEC NAT Traversal Port Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Custom Role Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Object Encryption Using External KMS Key (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace API Access Granted via Domain-Wide Delegation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Custom Admin Role Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Device Code Grant by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta Alerts Following Unusual Proxy Authentication (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - M365 Security Compliance Unusual Volume of File Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Storage Account Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS Snapshot Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudShell Environment Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Configuration File Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Administrator Privileges Assigned to an Okta Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS STS Role Chaining (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS SQS Queue Purge (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Resource Group Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Encryption Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 OneDrive Malware File Upload (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Teams Custom Application Interaction Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Storage Bucket Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Service Account Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Protection Alerts for User Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance Restored (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Login Profile Added for Root (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Full Network Packet Capture Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collection Deleted by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual AWS S3 Object Encryption with SSE-C (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 User Data Retrieval for EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in BloodHound Suite User-Agent Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletion by Unusual User and Resource Group (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Rare Elastic Defend Behavior Rules by Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend and Email Alerts Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Base64 Encoding/Decoding Activity (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Virtual Private Cloud Network Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via Renamed COM+ Services DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ CyberArk Privileged Access Security Recommended Monitor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM API Calls via Temporary Session Tokens (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in with Unusual Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Privileged Pod Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMB (Windows File Sharing) Activity to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange MFA Notification Email Deleted or Moved (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Rule Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Reported Suspicious Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace MFA Enforcement Disabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Super Admin Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Device Token Hashes for Single Okta Session (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace User Organizational Unit Changed (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID User Sign-in Brute Force Attempted (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification or Removal of an Okta Application Sign-On Policy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Deactivation with no Re-Activation for Okta User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta User Session Impersonation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cobalt Strike Command and Control Beacon (lucene)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Domain Added to Google Workspace Trusted Domains (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate Administrator Account Creation from Unusual Source (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID ADRS Token Request by Microsoft Authentication Broker (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Instance Console Login via Assumed Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Replicated to Another Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Snapshot Deletions by User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert from GenAI Utility or Descendant (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Delete an Okta Policy Rule (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Log Stream Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Pub/Sub Subscription Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Anti-Phish Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Malware Filter Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Blob Storage Permissions Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SMTP on Port 26/TCP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Compute Restore Point Collections Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Deactivation of MFA Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Github Activity on a Private Repository from an Unusual IP (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID MFA Disabled for User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal with Unusual Source ASN (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Role (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity User Account Lockouts (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Export Task (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Account Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Pod Created With HostPID (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM AdministratorAccess Policy Attached to Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure VNet Firewall Policy Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempts to Brute Force an Okta User Account (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Azure Event Hub Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Management Console Root Login (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP IAM Role Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ FortiGate SSO Login Followed by Administrator Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Concurrent Sign-in with Suspicious Properties (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Route 53 Private Hosted Zone Associated With a VPC (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Modify an Okta Network Zone (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Virtual MFA Device Registration Attempt with Session Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MFA Disabled for Google Workspace Organization (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Possible Okta DoS Attack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Default Cobalt Strike Team Server Certificate (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Route Table Modified or Deleted (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Graph Request Email Access by Unusual User and Client (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Policy Added to Share with External Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS DynamoDB Table Exported to S3 (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Okta User Password Reset or Unlock Attempts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS EC2 Serial Console Access Enabled (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Automation Webhook Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Forbidden Creation Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Deactivate an Okta Application (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Okta FastPass Phishing Detection (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Okta User Assigned Administrator Role (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 or Entra ID Identity Sign-in from a Suspicious Source (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Forwarded Google Workspace Security Alert (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Password Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Modified RBAC Objects (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Google Workspace Object Copied to External Drive with App Consent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Web Server Potential Command Injection Request (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Sign-in TeamFiltration User-Agent Detected (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS RDS DB Instance or Cluster Deletion Protection Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Customer-Managed Policy Attached to Role by Rare User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Service Principal Credentials Created by Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CloudWatch Alarm Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS IAM Create User via Assumed Role on EC2 Instance (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Suspicious User Agent Fingerprint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Activity Reported by Okta User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Cloned GitHub Repos From PAT (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Configuration Recorder Stopped (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Started with Executable Stack (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Defend Alert Followed by Telemetry Loss (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Identity OAuth Flow by User Sign-in to Device Registration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub App Deleted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Systems Manager SecureString Parameter Request with Decryption Flag (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Roshal Archive (RAR) or PowerShell File Downloaded from the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS S3 Bucket Expiration Lifecycle Configuration Added (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ M365 Exchange Mail Flow Transport Rule Created (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GCP Firewall Rule Deletion (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@terrancedejesus terrancedejesus merged commit deab1c0 into main Apr 10, 2026
13 checks passed
@terrancedejesus terrancedejesus deleted the event-dataset-to-data-stream-dataset branch April 10, 2026 16:27

Labels: backport: auto, Domain: Cloud, Integration: AWS, Integration: Azure, Integration: CyberArkPas, Integration: GCP, Integration: Google Workspace, Rule: Tuning

Linked issue (may be closed by merging this pull request): [Rule Tuning] Add data_stream.dataset to all applicable integration rules

5 participants