LoFP / vulnerability scanners

Techniques

Sample rules

Suspicious SQL Query

Description

Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.

Detection logic

condition: keywords
keywords:
- drop
- truncate
- dump
- select \*
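To show how this keyword rule behaves, and why a vulnerability scanner or a routine maintenance job can trip it, here is an added Python example (not part of LoFP or the Sigma rule itself) that translates the four keywords into case-insensitive free-text matches the way a Sigma backend would and runs them over a handful of constructed query events. The Sigma escaping rule assumed here is that `*` is a wildcard and `\*` is a literal asterisk; the event text, the sources and the simple substring semantics are assumptions made for the example.

```python
import re

# Keyword list taken from the Sigma rule above.  In Sigma, "\*" is a literal
# asterisk, so "select \*" means the text "select *" rather than "select <anything>".
SUSPICIOUS_SQL_KEYWORDS = ["drop", "truncate", "dump", "select \\*"]


def sigma_keyword_to_regex(keyword: str) -> "re.Pattern":
    """Translate one Sigma keyword into a case-insensitive regular expression.

    Sigma treats '*' as a multi-character wildcard and '?' as a single-character
    wildcard; a backslash before '*', '?' or '\\' makes it a literal character.
    """
    out = []
    i = 0
    while i < len(keyword):
        c = keyword[i]
        if c == "\\" and i + 1 < len(keyword) and keyword[i + 1] in "*?\\":
            out.append(re.escape(keyword[i + 1]))  # escaped wildcard -> literal
            i += 2
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


COMPILED_KEYWORDS = [(k, sigma_keyword_to_regex(k)) for k in SUSPICIOUS_SQL_KEYWORDS]


def match_keywords(event_text: str) -> list:
    """Return the rule keywords found anywhere in the event text.

    This mirrors a free-text keyword search (substring, case-insensitive), which
    is the simplest reading of a Sigma 'keywords' block; it is an assumption of
    this example, not a guarantee about every backend.
    """
    return [k for k, rx in COMPILED_KEYWORDS if rx.search(event_text)]


# Constructed sample events for illustration only: (source, query text).
SAMPLE_EVENTS = [
    ("scanner", "SELECT * FROM information_schema.tables"),   # scanner enumerating schema
    ("app",     "select id, name from users where id = 42"),  # ordinary application query
    ("scanner", "'; DROP TABLE users; --"),                   # injection probe sent by a scanner
    ("backup",  "mysqldump --all-databases"),                 # nightly backup job
    ("app",     "select id from dropdown_items"),             # benign name containing 'drop'
]


def run_rule(events) -> list:
    """Evaluate the keyword rule over (source, text) events; returns (source, text, hits)."""
    return [(src, text, match_keywords(text)) for src, text in events]


def false_positive_sources(events, benign_sources=("backup", "app")) -> list:
    """Sources from the benign set that still produced an alert; a quick way to
    see which keywords need tuning (here 'dump' and the bare 'drop' substring)."""
    return sorted({src for src, _, hits in run_rule(events) if hits and src in benign_sources})


if __name__ == "__main__":
    for src, text, hits in run_rule(SAMPLE_EVENTS):
        print(f"{'ALERT' if hits else '  ok '} {src:8} {hits} {text}")
    print("benign sources that alerted:", false_positive_sources(SAMPLE_EVENTS))
```

Running it shows the two scanner events alerting as intended, but also the backup job (`mysqldump` contains `dump`) and a harmless column name containing `drop`: the bare keywords match as substrings, which is the usual reason this rule needs an allow-list for scanner and maintenance sources or tighter patterns such as word boundaries.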

Sign-in Failure Due to Conditional Access Requirements Not Met

Description

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Detection logic

condition: selection
selection:
  ResultType: 53003
  Resultdescription: Blocked by Conditional Access