LoFP
/
t1578
t1578
Title
Tags
legitimate aad health ad fs service instances being deleted in a tenant
t1578
t1578.003
azure
sigma
legitimate ad fs servers added to an aad health ad fs service instance
t1578
azure
sigma
restoring snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot restoration by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1578
aws
elastic
storage bucket configuration may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1578
gcp
elastic
LoFP
/
t1578