Sentinel Rules
- RULE-1020 - Detect email forwarding rules
- RULE-1022 - Suspicious keyword in mailbox rule
- RULE-1023 - Mailbox auto-forwards
- RULE-1024 - Transport rule forwards email externally
- RULE-1026 - Transport rule with suspicious keywords
- RULE-1027 - Large number of external shares
- RULE-1123 & RULE-1138 - Gastgebruiker kreeg hoge privileges
- RULE-1127 - Detect sign-in into disabled account
- RULE-1129 - Emergency admin account used
- RULE-1139 - New GDAP Relationship
- RULE-1143 t/m RULE-1146 - AITM Activity
- RULE-1148 & RULE-1149 - MFA Methods of Admin Changed
- RULE-1150 - AiTM Activity (User Agent)
- RULE-1151 to RULE-1156 - Suspicious login
- RULE-1152 - Guest made eligible for PIM admin role
- RULE-1157 & RULE-1158 - Clicks & Visits
- RULE-1159/RULE-1160 Admin starts SSPR
- RULE-1161 - External User Added to Admin Role Outside PIM.
- RULE-1162 - New Owner Added to Azure Subscription.
- RULE-1520 - Public Sharepoint Site
- RULE-1521 & RULE-1522 - Malware detected on SharePoint
- RULE-1720 - Sign-in from Known IP [MISP]
- RULE-1721 - Office activity from known IP [MISP]
- RULE-1722 - Known URL in email [MISP]
- RULE-1723 - Known sender in email [MISP]
- RULE-1724 - Known attachment in email [MISP]
- RULE-1725 - Azure activity from known IP [MISP]