Our Integrations
Covering More of the Cloud's Attack Surface
Modern threat actors are compromising identity providers and moving across environments through cloud service providers, SaaS apps, and CI/CD pipelines. Permiso's library of integrations tracks activity across cloud environments.
Integration List
Amazon
EC2
Detect suspicious SSH activity, EC2 snapshot stealing or public access, human-created large or multi-region instances and more.
Amazon
S3
Detect bucket versioning being disabled, MFADelete disabled, WorkMail Mailbox Exported Public, Public access and more.
Amazon
IAM
Monitor root password or email changes, activity of potentially compromised secrets, mass mailer scripts, roles that allow for external access and more.
Amazon
Config
Monitor if Amazon Config has been disabled in any of your environments, a common tactic by threat actors.
Amazon
ECS
Detect when an Elastic Container Service (ECS) Task Definition has been modified and run.
Amazon
CloudWatch
Detect when a CloudWatch alarm has been deleted, which may be an attempt to evade detection.
Amazon
ApiGateway
Detect when an AWS API Gateway key was created. These keys grant access to an API, often for development purposes.
Amazon
Workmail
Detect when a WorkMail mailbox has been exported, exported public or if a suspicious user has been created.
Amazon
SSM
Detect SSM remote code execution and suspected malicious script execution.
Amazon
GuardDuty
Monitor when IPSet lists have changed, threat lists have changed or status has been altered.
Amazon
RDS
Monitor RDS Snapshot sharing with vendors, given or restored public access, as well as deletion protection disabled and master password resets.
Amazon
CloudTrail
Get notified when CloudTrail logging has been stopped or deleted, a common tactic employed by threat actors.
Amazon
Route53
Monitor Route53 domain transfer activity as well as those created with public zone selected.
Amazon
CodeBuild
Detect any AWS CodeBuild projects that have been made public.
Amazon
Resource Access Manager (RAM)
Learn when AWS Resource Access Manager (RAM) settings were modified.
Amazon
SES
SES Access key activity such as enable sending, request production status, list identities verified, verify sending status, key abuse, key list identities and more.
Amazon
Elastic Block Storage (EBS)
Monitor when Amazon Elastic Block Store (EBS) encryption has been disabled for a particular region.
Amazon
STS
Learn when federation tokens are created that have overly permissive policies that allow all actions.
Amazon
Secrets Manager
Detect when an identity has successfully retrieved a key from AWS Secrets Manager via the GetSecretValue action.
Microsoft
Azure Compute
Learn when an Azure virtual machine (VM) has had commands executed against it, which may execute as System.
Microsoft
Azure Blob Storage
Detect when Azure blob storage has had permissions modified that could lead to data exposure.
Microsoft
Azure Key Vault
Monitor when an Azure Key Vault was either created or updated in order to secure certificates, connection strings, encryption keys and passwords.
Microsoft
Azure Automation
Discover when Automation Runbooks have been created or deleted, webhooks have been created or code has changed, as well as when accounts were created or deleted.
Microsoft
Defender
Know when an Azure Defender for Cloud alert has been suppressed, a common tactic by threat actors.
Microsoft
Azure Network
Monitor when Azure Network watchers are created, updated or deleted, packet capture was created or updated or network taps are created or updated.
Microsoft
Azure Backup Vault
Learn when Azure Backup Vaults are created or disabled, signs of ransomware or similar attacks.
Microsoft
Azure Role-Based Access Control
Learn when Azure Backup Vaults are created or disabled, signs of ransomware or similar attacks.
Microsoft
Entra ID
Learn when a service principal creates certificates or secrets, a PIM identity is denied a role, alerts are fired or disabled, or tenants or resources are offboarded. Monitor when general admin or high risk admin, privileged admin, medium risk admin and global admin role memberships are added.
Microsoft
Entra ID IAM
Learn when password reset verification is blocked, registered app certificates are created, as well as suspicious MFA activity such as factor deletion or rotation by both users and admins.
Okta
Monitor when multiple MFA verifications were denied, factors were reset or deactivated, as well as Okta detections such as threat suspected, suspicious sessions, high risk session API tokens created and more.
Google Workspace
Applications
Detect suspicious Gmail activity such as deep scan disabled, routing rules modified or delayed delivery disabled, in addition to password reuse enabled or strong enforcement disabled.
Google Workspace
IAM
Monitor when accounts are disabled, passwords have leaked, MFA disabled, admin role assignment and suspicious login behavior.
Google Workspace
Account
Learn when domains have been added to or removed from the trusted list for the account.
Google Workspace
Drive
Detect when an identity has performed a mass deletion or download of files and folders.
Microsoft
Exchange
Detect transport rules and inbox rules that redirect or forward to external domains, and when identities give full access to another mailbox or forward to an external domain.
Microsoft
SharePoint
Detect when an identity has performed a mass deletion or download of files and folders, as well as malware detections via Microsoft 365 virus detection.
Microsoft
OneDrive
Detect when an identity has performed a mass deletion or download of files and folders, as well as malware detections via Microsoft 365 virus detection.
GitHub
Monitor when GitHub repositories have been transferred outside the organization or updated to public.
JIRA
Monitor when a Jira Service has been deleted, mail queue flushed, monitor JMX disabled, global permissions added and more.
1Password
Threat detection for 1Password's password management system.
Confluence
Detection for your company's wiki when a support zip is created or downloaded, data is exported, or global settings are edited.
Snowflake
Detect anomalous access, compromised credentials, malicious data access and credential leakage in Snowflake.