Models

| # | Name | Description | Data Source |
|---|------|-------------|-------------|
| 1 | AWS ec2 first time action for AMI | Finds first-time AWS EC2 actions per AMI, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 2 | AWS ec2 first time action for instance type | Finds first-time AWS EC2 actions per instance type per user, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 3 | AWS ec2 first time action for region | Finds first-time AWS EC2 actions per region, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 4 | AWS ec2 first time action for user | Finds first-time AWS EC2 actions per user, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 5 | AWS first time action | Finds first-time AWS actions per user, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail |
| 6 | AWS provisioning first time action in region | Finds first-time AWS provisioning actions per user per region, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 7 | AWS provisioning first time city | Finds first-time AWS provisioning actions per user per city, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 8 | AWS provisioning first time country | Finds first-time AWS provisioning events per user per country, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 9 | AWS provisioning first time IP | Finds first-time AWS provisioning events per user per source IP, compared with the given lookback period (default 30 days). | cloud.aws.cloudtrail.events |
| 10 | Azure App Service First Time Action | Finds first-time Azure App Service actions per user, compared with the given lookback period (default 30 days). | cloud.azure.appservice.administrative |
| 11 | Azure App Service First Time Country | Finds first-time Azure App Service events from a country, compared with the given lookback period (default 30 days). | cloud.azure.appservice.administrative |
| 12 | Azure app service first time user | Finds first-time Azure App Service users, compared with the given lookback period (default 30 days). | cloud.azure.appservice.administrative |
| 13 | Azure storage first time action | Finds first-time Azure Storage actions, compared with the given lookback period (default 30 days). | cloud.azure.storage.administrative |
| 14 | Azure storage first time country | Finds first-time Azure Storage events from a country, compared with the given lookback period (default 30 days). | cloud.azure.storage.administrative |
| 15 | Azure storage first time user | Finds first-time Azure Storage users, compared with the given lookback period (default 30 days). | cloud.azure.storage.administrative |
| 16 | Azure VM first time action | Finds first-time Azure VM actions, compared with the given lookback period (default 30 days). | cloud.azure.vm.administrative |
| 17 | Azure VM first time country | Finds first-time Azure VM events from a country, compared with the given lookback period (default 30 days). | cloud.azure.vm.administrative |
| 18 | Azure VM first time user | Finds first-time Azure VM users, compared with the given lookback period (default 30 days). | cloud.azure.vm.administrative |
| 19 | First time access to domain from user | Identifies the first time a domain is accessed through the proxy by a user, compared with the past 30 days. | proxy.all.access |
| 20 | First time authentication or authorization from a country | Identifies the first authentication or authorization request by a user from a country in the past 30 days. | auth.all |
| 21 | First time authentication or authorization from an organization | Identifies the first authentication or authorization request by a user from an organization in the past 30 days. | auth.all |
| 22 | First time authentication to a Windows domain | Identifies the first authentication by a user to a Windows domain in the past 30 days. | box.all.win |
| 23 | First time domain accessed by internal IP | Identifies the first time an internal IP accesses a domain through the proxy, compared with the past 30 days. | proxy.all.access |
| 24 | First time login to device/asset | Identifies first-time logins to a device or asset, compared with the past 30 days. | auth.all |
| 25 | GitHub organization first time access protocol events | Finds first-time GitHub organization user activity over a given protocol, compared with the given lookback period (default 30 days). | vcs.github.organization.audit |
| 26 | GitHub organization first time action events | Finds first-time GitHub organization user actions, compared with the given lookback period (default 30 days). | vcs.github.organization.audit |
| 27 | GitHub organization first time country events | Finds first-time GitHub organization user activity from a country, compared with the given lookback period (default 30 days). | vcs.github.organization.audit |
| 28 | GitHub organization first time repo access | Finds first-time GitHub organization repository access, compared with the given lookback period (default 30 days). | vcs.github.organization.audit |
| 29 | GitHub organization first time user access | Finds first-time GitHub organization user access, compared with the given lookback period (default 30 days). | vcs.github.organization.audit |
| 30 | GSuite admin first time action | Finds first-time GSuite admin actions per user, compared with the given lookback period (default 30 days). | cloud.gsuite.reports.admin |
| 31 | O365 first time action | Finds first-time O365 actions per user, compared with the given lookback period (default 30 days). | cloud.office365.management |
| 32 | Proxy first-time outbound connection to country | Detects first-time outbound connections from a given proxy to a country, compared with historical data (default 30 days). | proxy.all.access |
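Every model in this table applies the same rule: key each event by one or more fields (user, action, region, AMI, country, source IP) and alert when that key has not been observed in the trailing lookback window. The following is an added example, not the product's own implementation, that applies this rule to six of the AWS models above over constructed CloudTrail-style events. The CloudTrail field names follow the public CloudTrail record format; the seven-day warm-up period, the set of "provisioning" event names, and the sample events are assumptions made for the demo.

```python
"""Generic "first time seen" detector for the models listed above (added example)."""
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=30)   # "past 30 days" baseline shared by every model
WARMUP = timedelta(days=7)      # learn-only period after deployment (assumption)
# Event names treated as "provisioning" (assumption; extend per environment)
PROVISIONING = {"RunInstances", "CreateBucket", "CreateUser", "CreateFunction"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _user(event):
    return event["userIdentity"]["arn"]


def _is_ec2(event):
    return event["eventSource"] == "ec2.amazonaws.com"


def _is_provisioning(event):
    return event["eventName"] in PROVISIONING


# model name -> (event selector, key extractor). A key component is None when the
# event lacks the field the model keys on (e.g. StartInstances carries no imageId),
# in which case the model is skipped for that event.
MODELS = {
    "AWS ec2 first time action for AMI":
        (_is_ec2, lambda e: (e["eventName"], e.get("requestParameters", {}).get("imageId"))),
    "AWS ec2 first time action for instance type":
        (_is_ec2, lambda e: (_user(e), e["eventName"], e.get("requestParameters", {}).get("instanceType"))),
    "AWS ec2 first time action for region":
        (_is_ec2, lambda e: (e["eventName"], e["awsRegion"])),
    "AWS first time action":
        (lambda e: True, lambda e: (_user(e), e["eventName"])),
    "AWS provisioning first time action in region":
        (_is_provisioning, lambda e: (_user(e), e["eventName"], e["awsRegion"])),
    "AWS provisioning first time IP":
        (_is_provisioning, lambda e: (_user(e), e["sourceIPAddress"])),
}


class FirstSeenDetector:
    """Streaming detector; events must be fed in chronological order."""

    def __init__(self, models=MODELS, lookback=LOOKBACK, warmup=WARMUP):
        self.models, self.lookback, self.warmup = models, lookback, warmup
        self.last_seen = {}   # (model, key) -> time the key was last observed
        self.started = None   # time of the first event processed

    def process(self, event):
        """Update the baseline with one event and return the alerts it raised."""
        ts = _ts(event)
        self.started = self.started or ts
        alerts = []
        for name, (selector, key_fn) in self.models.items():
            if not selector(event):
                continue
            key = key_fn(event)
            if None in key:
                continue
            prev = self.last_seen.get((name, key))
            self.last_seen[(name, key)] = ts
            # "First time" means not observed within the trailing window, so a
            # key that aged out of the window fires again when it reappears.
            if prev is not None and ts - prev <= self.lookback:
                continue
            if ts - self.started < self.warmup:
                continue   # still building the baseline: everything looks new
            alerts.append({"model": name, "key": key, "time": event["eventTime"]})
        return alerts


def _ev(time, user, name, region, ip, **params):
    """Build a minimal CloudTrail-shaped EC2 record (constructed test data)."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params}


# Constructed sample events (not real log data), in chronological order.
SAMPLE_EVENTS = [
    _ev("2024-01-01T09:00:00Z", "alice", "RunInstances", "us-east-1", "203.0.113.10", instanceType="t3.micro", imageId="ami-0000aaaa"),
    _ev("2024-01-03T10:00:00Z", "alice", "RunInstances", "us-east-1", "203.0.113.10", instanceType="t3.micro", imageId="ami-0000aaaa"),
    _ev("2024-01-15T11:00:00Z", "alice", "RunInstances", "us-east-1", "203.0.113.10", instanceType="t3.micro", imageId="ami-0000aaaa"),
    _ev("2024-01-15T12:00:00Z", "alice", "RunInstances", "eu-west-1", "203.0.113.10", instanceType="t3.micro", imageId="ami-0000aaaa"),
    _ev("2024-01-16T08:00:00Z", "bob", "StartInstances", "us-east-1", "198.51.100.7"),
    _ev("2024-03-01T09:00:00Z", "alice", "RunInstances", "us-east-1", "203.0.113.10", instanceType="t3.micro", imageId="ami-0000aaaa"),
]


def run_demo(events=SAMPLE_EVENTS):
    detector = FirstSeenDetector()
    return [alert for event in events for alert in detector.process(event)]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["time"], alert["model"], alert["key"])
```

Two behaviours of this rule matter in practice. First, on the day a detector is deployed every key is "first time", which is why the example learns silently for a warm-up period (or, better, seeds the baseline from historical data) before alerting. Second, the 30-day window is sliding, not cumulative: alice's RunInstances in us-east-1 on 2024-03-01 fires all six models again because her previous activity fell outside the window, so a user returning from leave, or a quarterly job, will reappear as "new" unless the lookback is tuned or the key is excluded.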