LoFP
/
t1578
t1578
Title
Tags
legitimate aad health ad fs service instances being deleted in a tenant
t1578
t1578.003
azure
sigma
legitimate ad fs servers added to an aad health ad fs service instance
t1578
azure
sigma
legitimate manual or automated snapshots created for backups can trigger this rule. ensure that the snapshots are authorized and align with your organization's policies.
t1578
rules_building_block
elastic
restoring db instances may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. instance restoration by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1578
aws
elastic
storage bucket configuration may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1578
gcp
elastic
LoFP
/
t1578