
Threat Detection Management Guide

Analytics Rule Families

Get to know analytics rule families, categories of analytics rules organized by the type of event they evaluate.

Analytics rule families are a top-level classification that organizes analytics rules into 67 general categories. Each family describes the type of event the analytics rule evaluates; for example, authentication activity events or web activity events. Under each family, analytics rules are further classified into groups.

The family to which an analytics rule belongs affects the rarity score the analytics engine calculates when the analytics rule triggers. The analytics engine learns the pattern of triggers for each analytics rule family and learns to prioritize or de-prioritize certain families accordingly. If analytics rules in a family trigger very often, the analytics engine learns that these events are common and lowers the rarity score for analytics rules triggered in that family. If analytics rules in a family seldom trigger, the analytics engine learns that these events are rare and increases the rarity score for analytics rules triggered in that family.
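The rarity learning described above, as an added illustrative model that is not the product's own scoring code: it counts how often each family triggered during a learning window, turns that into a per-family probability, and scores a trigger by its surprisal (-log2 of that probability), so frequently triggering families score low and seldom-triggering families score high. The family IDs are those listed on this page; the trigger counts, the UNSEEN_FLOOR constant and the function names are constructed for the example.

```python
import math
from collections import Counter

# Constructed learning-window sample: one entry per analytics rule trigger,
# keyed by the family ID of the rule that fired. The family IDs are the ones
# listed on this page; the counts are made up for the example.
LEARNING_WINDOW = (
    ["auth-activity"] * 400
    + ["web-activity"] * 300
    + ["login-activity"] * 250
    + ["file-write-activity"] * 40
    + ["log-clear-activity"] * 2
    + ["audit-policy-mod"] * 1
)

# Floor probability for a family with no triggers in the window (assumption
# of this example, not a documented product setting).
UNSEEN_FLOOR = 1e-6


def learn_family_rates(triggers):
    """Learn the fraction of all triggers each family accounts for."""
    counts = Counter(triggers)
    total = sum(counts.values())
    return {family: n / total for family, n in counts.items()}


def rarity_score(family, rates):
    """Illustrative rarity score: the surprisal, -log2(p), of a trigger in this
    family. A family that triggers often gets a low score; one that seldom
    triggers gets a high score; a family never seen in the window gets the
    maximum score (its probability is clamped to UNSEEN_FLOOR)."""
    p = max(rates.get(family, 0.0), UNSEEN_FLOOR)
    return round(-math.log2(p), 2)


def prioritize(new_triggers, rates):
    """Order a fresh batch of (family_id, rule_name) triggers for triage,
    rarest family first, the way the learned rates would prioritize them."""
    scored = [(rarity_score(family, rates), family, rule) for family, rule in new_triggers]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    rates = learn_family_rates(LEARNING_WINDOW)
    # Constructed batch of new triggers to rank for triage.
    batch = [
        ("auth-activity", "Abnormal number of MFA authentication events for this user"),
        ("log-clear-activity", "An audit log was cleared"),
        ("audit-policy-mod", "First audit policy modification for this user"),
        ("user-switch-activity", "First account switch for this user"),
    ]
    for score, family, rule in prioritize(batch, rates):
        print(f"{score:6.2f}  {family:24}  {rule}")
```

Running the module ranks the audit policy modification and the never-before-seen user switch above the routine authentication trigger, which is the prioritization effect the paragraph describes; in a real deployment the learning window would be refreshed continuously rather than computed once from a fixed list.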

Each family is listed below with its family name, family ID, description, the link to its analytics rule groups, and example analytics rules.

Application Authentication Activity
  Family ID: app-auth-activity
  Description: Evaluates all events where authentication to an application has failed
  Groups: Analytics rule groups under the Application Authentication Activity family
  Example analytics rules:
  • Abnormal number of failed authentications to one or more applications for this user

Application Login Activity
  Family ID: app-login-activity
  Description: Evaluates all application logins
  Groups: Analytics rule groups under the Application Login Activity family
  Example analytics rules:
  • Abnormal number of failed logins to one or more applications for this user
  • First application login event from this endpoint for the organization

Audit Policy Modification Activity
  Family ID: audit-policy-mod
  Description: Evaluates all events where audit policies are modified
  Groups: Analytics rule groups under the Audit Policy Modification Activity family
  Example analytics rules:
  • Endpoint is critical: True\False
  • First audit policy modification for this user

Authentication Activity
  Family ID: auth-activity
  Description: Evaluates all events involving authentication
  Groups: Analytics rule groups under the Authentication Activity family
  Example analytics rules:
  • Abnormal number of MFA authentication events for this user
  • Abnormal number of unique services used to obtain Kerberos tickets for this user

Bucket Creation Activity
  Family ID: bucket-creation-activity
  Description: Evaluates all events where cloud buckets are created
  Groups: Analytics rule groups under the Bucket Creation Activity family
  Example analytics rules:
  • First bucket creation for this user

Bucket Permission Modification Activity
  Family ID: bucket-permission-modification-activity
  Description: Evaluates all events where bucket permissions, policies, or access control lists (ACLs) are modified
  Groups: Analytics rule groups under the Bucket Permission Modification Activity family
  Example analytics rules:
  • Bucket policy/ACL was modified to make it public
  • First AWS bucket ACL modification for this user

Cloud Policy Management Activity
  Family ID: cloud-policy-management-activity
  Description: Evaluates all events where cloud policies are created, modified, or attached
  Groups: Analytics rule groups under the Cloud Policy Management Activity family
  Example analytics rules:
  • A cloud resource policy in GCP was modified with administrative permissions
  • A cloud resource policy in GCP was modified with public permissions
  • An administrative policy was created or attached to an identity in AWS

Compute Disk Activity
  Family ID: compute-disk-activity
  Description: Evaluates all events involving compute disks and volumes
  Groups: Analytics rule groups under the Compute Disk Activity family
  Example analytics rules:
  • Abnormal number of unique volumes attached for this user
  • First volume attachment for this user
  • First volume creation from a snapshot for this user

Compute Image Activity
  Family ID: compute-image-activity
  Description: Evaluates all events involving compute images
  Groups: Analytics rule groups under the Compute Image Activity family
  Example analytics rules:
  • An image resource has been made public in AWS
  • First image creation for this user
  • First image creation with this publisher for the organization

Compute Snapshot Activity
  Family ID: compute-snapshot-activity
  Description: Evaluates all events involving compute snapshots
  Groups: Analytics rule groups under the Compute Snapshot Activity family
  Example analytics rules:
  • A snapshot resource has been made public in AWS
  • First snapshot creation for this user
  • First snapshot user permissions modification for this user

Compute Virtual Machine Activity
  Family ID: compute-vm-activity
  Description: Evaluates all events where compute instances are managed
  Groups: Analytics rule groups under the Compute Virtual Machine Activity family
  Example analytics rules:
  • A startup script was added to an instance in AWS
  • A startup/shutdown script was added to an instance in GCP
  • First instance SSH key modification for this user in GCP

Database Activity
  Family ID: database-activity
  Description: Evaluates all events where a database is the subject
  Groups: Analytics rule groups under the Database Activity family
  Example analytics rules:
  • Abnormal number of database operation events observed for this user
  • First database event in this database for this user
  • First database event in this database for users in this department

Database Query Activity
  Family ID: database-query-activity
  Description: Evaluates all events where databases are queried
  Groups: Analytics rule groups under the Database Query Activity family
  Example analytics rules:
  • Abnormal database query response size for this user
  • Abnormal database query response size in this database for this source network zone
  • Abnormal database query response size in this database for this user

Directory Service Activity
  Family ID: directory-service-activity
  Description: Evaluates all events that originated from a directory service or that target directory service objects
  Groups: Analytics rule groups under the Directory Service Activity family
  Example analytics rules:
  • First directory service activity for this directory service object class
  • First directory service activity from this endpoint for the organization
  • First directory service activity from this endpoint for this user

Directory Service Object Write Activity
  Family ID: directory-service-object-write-activity
  Description: Evaluates all events where directory service objects are created or modified
  Groups: Analytics rule groups under the Directory Service Object Write Activity family
  Example analytics rules:
  • Abnormal number of directory service write events for the organization
  • Abnormal number of directory service write events for users in this department
  • DCShadow related SPNs have been added to an endpoint

DLL Load Activity
  Family ID: dll-load-activity
  Description: Evaluates all events where DLL images are loaded
  Groups: Analytics rule groups under the DLL Load Activity family
  Example analytics rules:
  • First DLL image loaded from this folder for the organization
  • First DLL image with this extension loaded for the organization
  • First DLL image with this extension loaded for this process

DNS Activity
  Family ID: dns-activity
  Description: Evaluates all events involving DNS protocols
  Groups: Analytics rule groups under the DNS Activity family
  Example analytics rules:
  • A DNS query was sent to a domain associated with the SUNBURST malware

DNS Request Activity
  Family ID: dns-request-activity
  Description: Evaluates all events involving DNS requests
  Groups: Analytics rule groups under the DNS Request Activity family
  Example analytics rules:
  • Abnormal amount of bytes sent in DNS queries for the organization
  • Abnormal amount of bytes sent in DNS queries from this endpoint
  • Abnormal amount of bytes sent in DNS queries from this network zone

DNS Response Activity
  Family ID: dns-response-activity
  Description: Evaluates all events involving DNS responses
  Groups: Analytics rule groups under the DNS Response Activity family
  Example analytics rules:
  • Abnormal number of DNS queries to NX domains for the organization
  • Abnormal number of DNS queries to NX domains from this endpoint

Email Receive Activity
  Family ID: email-receive-activity
  Description: Evaluates events involving incoming email
  Groups: Analytics rule groups under the Email Receive Activity family
  Example analytics rules:
  • Abnormal amount of bytes received in incoming emails for this user
  • Abnormal number of emails received for this user
  • First email attachment with this extension received for the organization

Email Rule Creation Activity
  Family ID: email-rule-create-activity
  Description: Evaluates all events where email rules are created
  Groups: Analytics rule groups under the Email Rule Creation Activity family
  Example analytics rules:
  • An inbox rule has been configured to forward emails to an external email address

Email Send Activity
  Family ID: email-send-activity
  Description: Evaluates all events involving outgoing emails
  Groups: Analytics rule groups under the Email Send Activity family
  Example analytics rules:
  • Abnormal amount of bytes sent in outgoing emails for this user
  • Abnormal number of emails sent for this user
  • An email containing a source code file was sent

Endpoint Login Activity
  Family ID: endpoint-login-activity
  Description: Evaluates all events involving endpoint logins
  Groups: Analytics rule groups under the Endpoint Login Activity family
  Example analytics rules:
  • A service account failed an interactive login to an endpoint
  • Abnormal number of failed endpoint logins from this endpoint for this user
  • Destination endpoint is a Domain Controller: True\False

Endpoint Login Activity - NAC
  Family ID: endpoint-login-activity-nac
  Description: Evaluates all events where endpoint logins originate from a network access control application
  Groups: Analytics rule groups under the Endpoint Login Activity - NAC family
  Example analytics rules:
  • First network access control login event from this MAC address for this user

Endpoint Screenshot Activity
  Family ID: endpoint-screenshot-activity
  Description: Evaluates all events involving endpoint screenshots
  Groups: Analytics rule groups under the Endpoint Screenshot Activity family
  Example analytics rules:
  • Abnormal number of screenshot events for this user

File Activity
  Family ID: file-activity
  Description: Evaluates all file events
  Groups: Analytics rule groups under the File Activity family
  Example analytics rules:
  • First source code file activity for this user
  • First source code file activity for users in this department

File Delete Activity
  Family ID: file-delete-activity
  Description: Evaluates all events where files are deleted
  Groups: Analytics rule groups under the File Delete Activity family
  Example analytics rules:
  • Abnormal number of file deletion events for this user
  • Abnormal number of unique remote destination endpoints in file deletion events for this user

File Download Activity
  Family ID: file-download-activity
  Description: Evaluates all events where files are downloaded
  Groups: Analytics rule groups under the File Download Activity family
  Example analytics rules:
  • Abnormal amount of file download events for the organization
  • An executable file was downloaded
  • First file download to this endpoint for the organization

File Permission Modification Activity
  Family ID: file-permission-modify-activity
  Description: Evaluates all events where file permissions are modified
  Groups: Analytics rule groups under the File Permission Modification Activity family
  Example analytics rules:
  • First cloud storage object file modification to public for this bucket
  • First cloud storage object file modification to public for this user

File Read Activity
  Family ID: file-read-activity
  Description: Evaluates all events where files are read
  Groups: Analytics rule groups under the File Read Activity family
  Example analytics rules:
  • A 'PST'\'OST' file was copied
  • Abnormal amount of file bytes read in this bucket for this user
  • Abnormal number of unique endpoints in file read events for this user

File Upload Activity
  Family ID: file-upload-activity
  Description: Evaluates all events where files are uploaded
  Groups: Analytics rule groups under the File Upload Activity family
  Example analytics rules:
  • Abnormal amount of file upload events for the organization
  • Abnormal amount of file upload events for this user
  • First file upload from this endpoint for the organization

File Write Activity
  Family ID: file-write-activity
  Description: Evaluates all file write events
  Groups: Analytics rule groups under the File Write Activity family
  Example analytics rules:
  • A file with an '.exe' extension following a non-executable extension was written to
  • Abnormal number of unique files written for this user
  • The 'ds7002.lnk' file was written to

File Write Activity - USB
  Family ID: file-write-activity-usb
  Description: Evaluates all events where files are written to a USB device
  Groups: Analytics rule groups under the File Write Activity - USB family
  Example analytics rules:
  • Abnormal amount of file bytes written to peripheral storage devices for this user
  • Abnormal number of unique files written to peripheral storage devices by this user
  • File has a .pst/.ost extension: True\False

General Activity
  Family ID: general-activity
  Description: Evaluates ALL events
  Groups: Analytics rule groups under the General Activity family
  Example analytics rules:
  • A TOR IP address was accessed
  • Abnormal number of unique failed operations in this platform for this user
  • First activity from this country for the organization

Group Member Addition Activity
  Family ID: group-member-addition-activity
  Description: Evaluates all events where members are added to groups
  Groups: Analytics rule groups under the Group Member Addition Activity family
  Example analytics rules:
  • First group member addition for this system account on this endpoint
  • Security group is privileged: True\False
  • User added themselves to a security group: True\False

Log Clear Activity
  Family ID: log-clear-activity
  Description: Evaluates all log clear events
  Groups: Analytics rule groups under the Log Clear Activity family
  Example analytics rules:
  • An audit log was cleared
  • Endpoint is critical: True\False
  • First audit log clear for this user

Login Activity
  Family ID: login-activity
  Description: Evaluates all login events
  Groups: Analytics rule groups under the Login Activity family
  Example analytics rules:
  • A hacking tool domain was used in a login
  • Abnormal number of unique destination network zones in login events for this user
  • First login from this network zone for this user
  • Login type

Mailbox Permission Modification Activity
  Family ID: mailbox-permission-modification-activity
  Description: Evaluates events where mailbox permissions are modified
  Groups: Analytics rule groups under the Mailbox Permission Modification Activity family
  Example analytics rules:
  • Abnormal number of mailbox permission modifications for this user
  • First mailbox permission modification for this user
  • The mailbox permissions of an executive user were changed by another user

Network Activity
  Family ID: network-activity
  Description: Evaluates all network events
  Groups: Analytics rule groups under the Network Activity family
  Example analytics rules:
  • A BitTorrent port was accessed
  • Abnormal amount of bytes failed to be sent in outbound communication from this endpoint
  • Network activity failed: True\False

Password Checkout Activity
  Family ID: password-checkout-activity
  Description: Evaluates all vault password checkout events
  Groups: Analytics rule groups under the Password Checkout Activity family
  Example analytics rules:
  • Abnormal number of password retrievals for the organization
  • Abnormal number of unique safes in password retrieval events for this user

Physical Location Access Activity
  Family ID: physical-location-access-activity
  Description: Evaluates all events involving access to physical locations
  Groups: Analytics rule groups under the Physical Location Access Activity family
  Example analytics rules:
  • Abnormal number of unique cities physically accessed for this user
  • First physical access to this door for this user
  • Physical access failed: True\False

Privilege Use Activity
  Family ID: privilege-use-activity
  Description: Evaluates all privilege use activity
  Groups: Analytics rule groups under the Privilege Use Activity family
  Example analytics rules:
  • Abnormal number of administrative privilege access events for this user
  • First Windows privilege use for users in this department

Process Creation Activity
  Family ID: process-creation-activity
  Description: Evaluates all events where processes are executed
  Groups: Analytics rule groups under the Process Creation Activity family
  Example analytics rules:
  • 'appcmd.exe' was used to disable IIS HTTP logging
  • 'certutil.exe' executed with suspicious parameters
  • 'dir.exe' was used to enumerate the users folder

Registry Activity
  Family ID: registry-activity
  Description: Evaluates all registry events
  Groups: Analytics rule groups under the Registry Activity family
  Example analytics rules:
  • The WDigest authentication protocol was enabled via the registry

Role Assumption Activity
  Family ID: role-assume-activity
  Description: Evaluates all events where roles are assumed
  Groups: Analytics rule groups under the Role Assumption Activity family
  Example analytics rules:
  • Abnormal number of unique roles assumed for this user
  • First role assumption event for this user
  • First role assumption of this role for this user

Role Permission Modification
  Family ID: role-permission-modification-activity
  Description: Evaluates all events where role permissions are modified
  Groups: Analytics rule groups under the Role Permission Modification family
  Example analytics rules:
  • First role permission modification for this user on this platform
  • First role permission modification to public for this role

Role Creation and Modification Activity
  Family ID: role-write-activity
  Description: Evaluates all events where roles are created or modified
  Groups: Analytics rule groups under the Role Creation and Modification Activity family
  Example analytics rules:
  • First role creation or modification for this user on this platform

Rule Delete Activity
  Family ID: rule-delete-activity
  Description: Evaluates all events where security rules are deleted
  Groups: Analytics rule groups under the Rule Delete Activity family
  Example analytics rules:
  • Abnormal number of security rule deletions for this user

Scheduled Tasks Creation Activity
  Family ID: scheduled-task-creation-activity
  Description: Evaluates all events where scheduled tasks are created
  Groups: Analytics rule groups under the Scheduled Tasks Creation Activity family
  Example analytics rules:
  • A scheduled task was configured to execute PowerShell
  • First creation of a scheduled task with this name for the organization

Script Execution Activity - PowerShell
  Family ID: script-execution-activity
  Description: Evaluates all events involving PowerShell scripts and invocations
  Groups: Analytics rule groups under the Script Execution Activity - PowerShell family
  Example analytics rules:
  • Abnormal number of PowerShell command invocations for the organization
  • First PowerShell script execution for this user

Security Alerts
  Family ID: security-alerts
  Description: Evaluates all events where alerts are triggered
  Groups: Analytics rule groups under the Security Alerts family
  Example analytics rules:
  • A correlation rule was triggered
  • Abnormal number of unique alerts triggered for this user
  • Alert is from a third party: True\False
  • First network alert trigger on this port for this destination network zone

Security Alerts - DLP
  Family ID: security-alerts-dlp
  Description: Evaluates all events involving DLP alerts
  Groups: Analytics rule groups under the Security Alerts - DLP family
  Example analytics rules:
  • Abnormal number of unique protocols in DLP alerts for this user
  • First DLP alert trigger on this domain for this protocol

Share Access Activity
  Family ID: share-access-activity
  Description: Evaluates all events where a share is accessed
  Groups: Analytics rule groups under the Share Access Activity family
  Example analytics rules:
  • Abnormal number of unique network shares accessed for this user
  • First access to this network share for this user
  • Share is a known named pipe: True\False

USB Activity
  Family ID: usb-activity
  Description: Evaluates all events that occurred on or in peripheral devices
  Groups: Analytics rule groups under the USB Activity family
  Example analytics rules:
  • First peripheral device activity for this user
  • First peripheral device activity from this endpoint for users in this department

User Activity
  Family ID: user-activity
  Description: Evaluates all user events
  Groups: Analytics rule groups under the User Activity family
  Example analytics rules:
  • A non-privileged user accessed an attribute of a privileged directory service user account

User Creation Activity
  Family ID: user-creation-activity
  Description: Evaluates all events where users are created
  Groups: Analytics rule groups under the User Creation Activity family
  Example analytics rules:
  • First user creation for this system account on this endpoint
  • User is local: True\False

User Deletion Activity
  Family ID: user-deletion-activity
  Description: Evaluates all events where users are deleted
  Groups: Analytics rule groups under the User Deletion Activity family
  Example analytics rules:
  • First user deletion for this user

User Key Creation Activity
  Family ID: user-key-creation-activity
  Description: Evaluates all events where user-associated keys are created
  Groups: Analytics rule groups under the User Key Creation Activity family
  Example analytics rules:
  • First account key creation for this user

User Lock Activity
  Family ID: user-lock-activity
  Description: Evaluates all user lock events
  Groups: Analytics rule groups under the User Lock Activity family
  Example analytics rules:
  • First user lock for this user

User Password Modification Activity
  Family ID: user-password-modification-activity
  Description: Evaluates all events where user account passwords are modified
  Groups: Analytics rule groups under the User Password Modification Activity family
  Example analytics rules:
  • Abnormal amount of password resets for user
  • First user account password modification for this user

User Switch Activity
  Family ID: user-switch-activity
  Description: Evaluates all events where a user switches identities
  Groups: Analytics rule groups under the User Switch Activity family
  Example analytics rules:
  • Dest user is privileged: True\False
  • First account switch for this user

VPN Login Activity
  Family ID: vpn-login-activity
  Description: Evaluates all events involving VPN logins
  Groups: Analytics rule groups under the VPN Login Activity family
  Example analytics rules:
  • Abnormal number of failed vpn logins for this user
  • First VPN login for this user
  • User is a contractor: True\False

VPN Logout Activity
  Family ID: vpn-logout-activity
  Description: Evaluates all events involving VPN logouts
  Groups: Analytics rule groups under the VPN Logout Activity family
  Example analytics rules:
  • Abnormal amount of bytes uploaded in VPN sessions for this user
  • Abnormal VPN session duration for this user

Web Activity
  Family ID: web-activity
  Description: Evaluates all events involving web protocols
  Groups: Analytics rule groups under the Web Activity family
  Example analytics rules:
  • Abnormal amount of bytes downloaded from file sharing websites for this user
  • First HTTP communication from this endpoint for the organization
  • Endpoint is a Domain Controller: True\False

Web Meeting Activity
  Family ID: web-meeting-activity
  Description: Evaluates all events where a web meeting is the subject
  Groups: Analytics rule groups under the Web Meeting Activity family
  Example analytics rules:
  • A meeting was modified to remove the meeting password

Web Request Activity
  Family ID: web-request-activity
  Description: Evaluates all events involving HTTP requests
  Groups: Analytics rule groups under the Web Request Activity family
  Example analytics rules:
  • Abnormal number of failed HTTP requests for this user

Windows Service Creation Activity
  Family ID: windows-service-creation-activity
  Description: Evaluates all events where a Windows system service is created
  Groups: Analytics rule groups under the Windows Service Creation Activity family
  Example analytics rules:
  • A service was created from a temporary internet files directory
  • First process path for this service