A searchable database of Microsoft Sentinel Analytics Rule templates found in Content Hub Solutions.
I update the SolutionKB periodically, so I do not guarantee it is 100% up to date with the source repository.
Between the first and current update there was a gap of a couple of months; I've since automated parts of the process, so in the future the gap will not be as long.
The changelog is based on the output of a simple diff command, with the rule name and Solution separated by a semicolon.
Sync from Sentinel repository with 1104 detections.
Removed detections:
< NRT MFA Rejected by User;Azure Active Directory
< High Urgency Cyberpion Action Items;Cyberpion
< Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains;FalconFriday
< Fortiweb - WAF Allowed threat;FortiWebCloud
< Infoblox - High Number of High Threat Level Queries Detected;Infoblox Cloud Data Connector
< Infoblox - High Number of NXDOMAIN DNS Responses Detected;Infoblox Cloud Data Connector
< (Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema);Threat Intelligence
< (Preview) TI map Domain entity to Dns Events (ASIM DNS Schema);Threat Intelligence
< (Preview) TI map IP entity to DNS Events (ASIM DNS schema);Threat Intelligence
< (Preview) TI map IP entity to Web Session Events (ASIM Web Session schema);Threat Intelligence
< Zinc Actor IOCs domains hashes IPs and useragent - October 2022;Zinc Open Source

New detections:
> Suspicious AWS CLI Command Execution;Amazon Web Services
> Suspicious AWS EC2 Compute Resource Deployments;Amazon Web Services
> MFA Spamming followed by Successful login;Azure Active Directory
> New onmicrosoft domain added to tenant;Azure Active Directory
> AFD WAF - Code Injection;Azure Web Application Firewall (WAF)
> AFD WAF - Path Traversal Attack;Azure Web Application Firewall (WAF)
> App GW WAF - Code Injection;Azure Web Application Firewall (WAF)
> App GW WAF - Path Traversal Attack;Azure Web Application Firewall (WAF)
> App Gateway WAF - Scanner Detection;Azure Web Application Firewall (WAF)
> BitSight - compromised systems detected;BitSight
> BitSight - diligence risk category detected;BitSight
> BitSight - drop in company ratings;BitSight
> BitSight - drop in the headline rating;BitSight
> BitSight - new alert found;BitSight
> BitSight - new breach found;BitSight
> BloodHound Enterprise - Number of critical attack paths increase;BloodHound Enterprise
> BloodHound Enterprise - Exposure increase;BloodHound Enterprise
> BloodHound Enterprise - Number of Tier Zero assets increase;BloodHound Enterprise
> Account Elevated to New Role;Business Email Compromise - Financial Fraud
> Authentication Method Changed for Privileged Account;Business Email Compromise - Financial Fraud
> Malicious BEC Inbox Rule;Business Email Compromise - Financial Fraud
> Privileged Account Permissions Changed;Business Email Compromise - Financial Fraud
> Suspicious access of BEC related documents;Business Email Compromise - Financial Fraud
> Suspicious access of BEC related documents in AWS S3 buckets;Business Email Compromise - Financial Fraud
> User Added to Admin Role;Business Email Compromise - Financial Fraud
> Cisco SDWAN - Intrusion Events;Cisco SD-WAN
> Cisco SDWAN - IPS Event Threshold;Cisco SD-WAN
> Cisco SDWAN - Maleware Events;Cisco SD-WAN
> Cisco SDWAN - Monitor Critical IPs;Cisco SD-WAN
> Data Alert;Commvault Security IQ
> IDP Alert;Commvault Security IQ
> User Alert;Commvault Security IQ
> Cortex XDR Incident - High;Cortex XDR
> Cortex XDR Incident - Low;Cortex XDR
> Cortex XDR Incident - Medium;Cortex XDR
> Cynerio - IoT - Default password;Cynerio
> Cynerio - Exploitation Attempt of IoT device;Cynerio
> Cynerio - IoT - Weak password;Cynerio
> Cynerio - Medical device scanning;Cynerio
> Cynerio - Suspicious Connection to External Address;Cynerio
> Dataminr - urgent alerts detected;Dataminr Pulse
> Egress Defend - Dangerous Attachment Detected;Egress Defend
> Egress Defend - Dangerous Link Click;Egress Defend
> Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains;T1071.001
> Fortiweb - WAF Allowed threat;Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
> Infoblox - Data Exfiltration Attack;Infoblox Cloud Data Connector
> Infoblox - Many High Threat Level Queries From Single Host Detected;Infoblox Cloud Data Connector
> Infoblox - Many High Threat Level Single Query Detected;Infoblox Cloud Data Connector
> Infoblox - Many NXDOMAIN DNS Responses Detected;Infoblox Cloud Data Connector
> Infoblox - TI - CommonSecurityLog Match Found - MalwareC2;Infoblox Cloud Data Connector
> Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains;Infoblox Cloud Data Connector
> Infoblox - TI - Syslog Match Found - URL;Infoblox Cloud Data Connector
> High Urgency IONIX Action Items;IONIX
> Mimecast Audit - Logon Authentication Failed;MimecastAudit
> Mimecast Data Leak Prevention - Notifications;MimecastSEG
> Mimecast Data Leak Prevention - Hold;MimecastSEG
> Mimecast Secure Email Gateway - Attachment Protect;MimecastSEG
> Mimecast Secure Email Gateway - AV;MimecastSEG
> Mimecast Secure Email Gateway - Impersonation Protect;MimecastSEG
> Mimecast Secure Email Gateway - Internal Email Protect;MimecastSEG
> Mimecast Secure Email Gateway - Spam Event Thread;MimecastSEG
> Mimecast Secure Email Gateway - URL Protect;MimecastSEG
> Mimecast Secure Email Gateway - Virus;MimecastSEG
> Mimecast Targeted Threat Protection - Attachment Protect;MimecastTTP
> Mimecast Targeted Threat Protection - Impersonation Protect;MimecastTTP
> Mimecast Targeted Threat Protection - URL Protect;MimecastTTP
> Ransomware Attack Detected;Nasuni
> Ransomware Client Blocked;Nasuni
> Device Registration from Malicious IP;Okta Single Sign-On
> High-Risk Admin Activity;Okta Single Sign-On
> MFA Fatigue (OKTA);Okta Single Sign-On
> New Device/Location sign-in along with critical operation;Okta Single Sign-On
> Okta Fast Pass phishing Detection;Okta Single Sign-On
> SpyCloud Enterprise Breach Detection;SpyCloud Enterprise Protection
> SpyCloud Enterprise Malware Detection;SpyCloud Enterprise Protection
> TI map Domain entity to Web Session Events (ASIM Web Session schema);Threat Intelligence
> TI map Domain entity to Dns Events (ASIM DNS Schema);Threat Intelligence
> TI map IP entity to DNS Events (ASIM DNS schema);Threat Intelligence
> TI map IP entity to Web Session Events (ASIM Web Session schema);Threat Intelligence
> Votiro - File Blocked from Connector;Votiro
> Votiro - File Blocked in Email;Votiro
> Detect URLs containing known malicious keywords or commands (ASIM Web Session);Web Session Essentials
> Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session);Web Session Essentials
> The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session);Web Session Essentials
> Detect known risky user agents (ASIM Web Session);Web Session Essentials
> Detect Local File Inclusion(LFI) in web requests (ASIM Web Session);Web Session Essentials
> Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session);Web Session Essentials
> Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session);Web Session Essentials
> Identify instances where a single source is observed using multiple user agents (ASIM Web Session);Web Session Essentials
> Detect potential presence of a malicious file with a double extension (ASIM Web Session);Web Session Essentials
> Detect potential file enumeration activity (ASIM Web Session);Web Session Essentials
> Detect presence of private IP addresses in URLs (ASIM Web Session);Web Session Essentials
> Detect requests for an uncommon resources on the web (ASIM Web Session);Web Session Essentials
> Detect presence of uncommon user agents in web requests (ASIM Web Session);Web Session Essentials
> Detect web requests to potentially harmful files (ASIM Web Session);Web Session Essentials
> Detect threat information in web requests (ASIM Web Session);Web Session Essentials
> ZeroFox Alerts - High Severity Alerts;ZeroFox
> ZeroFox Alerts - Informational Severity Alerts;ZeroFox
> ZeroFox Alerts - Low Severity Alerts;ZeroFox
> ZeroFox Alerts - Medium Severity Alerts;ZeroFox
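A raw diff of the rule list, as described above, mixes genuine removals with rules that only moved to another Solution or lost a "(Preview)" prefix; for a detection engineer the difference matters, because only the first kind is a coverage gap. The following parser is an added example, not part of the SolutionKB project or the Sentinel repository; it reads lines in the "< name;Solution" / "> name;Solution" form and sorts them into removed, added, moved and renamed. The sample input is a constructed subset of the entries on this page, and the normalisation rule (strip a leading "(Preview)", compare case-insensitively) is an assumption made for the example.

```python
"""Parse a diff-style changelog of Sentinel analytics rules ("< name;Solution" for a
removed entry, "> name;Solution" for a new one) and separate real removals from
rules that merely moved to another Solution or dropped a "(Preview)" prefix.

Added example; not code from the SolutionKB project. The sample input is a
constructed subset of the changelog on this page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of entries copied from the changelog above.
SAMPLE_DIFF = """\
< NRT MFA Rejected by User;Azure Active Directory
< Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains;FalconFriday
< Fortiweb - WAF Allowed threat;FortiWebCloud
< (Preview) TI map IP entity to DNS Events (ASIM DNS schema);Threat Intelligence
> MFA Spamming followed by Successful login;Azure Active Directory
> Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains;T1071.001
> Fortiweb - WAF Allowed threat;Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
> TI map IP entity to DNS Events (ASIM DNS schema);Threat Intelligence
> Ransomware Attack Detected;Nasuni
"""


@dataclass
class Change:
    removed: list = field(default_factory=list)  # (name, solution): gone for good
    added: list = field(default_factory=list)    # (name, solution): genuinely new
    moved: list = field(default_factory=list)    # (name, old_solution, new_solution)
    renamed: list = field(default_factory=list)  # (old_name, new_name, solution)


def parse_diff(text):
    """Return ({name: solution} removed, {name: solution} added) from diff lines.
    Lines without a leading '<'/'>' marker or without a ';' separator are skipped."""
    removed, added = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[0] not in "<>":
            continue
        # Split on the LAST ';' so a rule name containing ';' still parses.
        name, sep, solution = line[1:].strip().rpartition(";")
        if not sep:
            continue
        (removed if line[0] == "<" else added)[name.strip()] = solution.strip()
    return removed, added


def _key(name):
    # Assumed normalisation for spotting renames: drop a leading "(Preview)", ignore case.
    return re.sub(r"^\(preview\)\s*", "", name.strip(), flags=re.IGNORECASE).casefold()


def classify(removed, added):
    """Match removed and added entries by normalised name to tell moves/renames apart
    from true removals and additions."""
    change = Change()
    added_by_key = {_key(n): (n, s) for n, s in added.items()}
    matched_added = set()
    for old_name, old_sol in removed.items():
        hit = added_by_key.get(_key(old_name))
        if hit is None:
            change.removed.append((old_name, old_sol))  # no counterpart: coverage gap
            continue
        new_name, new_sol = hit
        matched_added.add(new_name)
        if new_name != old_name:
            change.renamed.append((old_name, new_name, new_sol))
        if new_sol != old_sol:
            change.moved.append((new_name, old_sol, new_sol))
    for name, sol in added.items():
        if name not in matched_added:
            change.added.append((name, sol))
    return change


def summarize(text):
    """Convenience wrapper: diff text in, Change report out."""
    return classify(*parse_diff(text))


if __name__ == "__main__":
    report = summarize(SAMPLE_DIFF)
    for label, rows in (("removed", report.removed), ("added", report.added),
                        ("moved", report.moved), ("renamed", report.renamed)):
        print(f"{label}: {len(rows)}")
        for row in rows:
            print("   ", " | ".join(row))
```

On the sample above the report lists one true removal (the NRT MFA rule), two genuinely new rules, two moves (the Beacon Traffic and Fortiweb rules changed Solution) and one rename (the TI map rule lost its "(Preview)" prefix). Run it over a full changelog to get the short list of detections that actually disappeared.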