t1578
| Title | Tags |
| --- | --- |
| Legitimate AAD Health AD FS service instances being deleted in a tenant. | t1578, t1578.003, azure, sigma |
| Legitimate AD FS servers added to an AAD Health AD FS service instance. | t1578, azure, sigma |
| Legitimate manual or automated snapshots created for backups can trigger this rule. Ensure that the snapshots are authorized and align with your organization's policies. | t1578, rules_building_block, elastic |
| Restoring an RDS DB instance may be performed legitimately during troubleshooting, development refresh processes, migrations, or disaster-recovery drills. Validate the user identity, source IP, automation context, and whether the restoration aligns with a known maintenance or testing workflow before treating the event as suspicious. Expected behavior can be exempted through rule exceptions. | t1578, aws, elastic |
| Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior. | t1578, gcp, elastic |