
Threat Detection Rules

Threat detection rules provide your team with an additional resource for threat research and dashboard configuration. The preconfigured rules deliver content out of the box.

LogRhythm Labs’ ongoing in-field and lab-based research ensures your LogRhythm Axon analytics evolve as fast as current threats.

New rules are disabled by default, and you can enable them in the Rules window.

Content Revisions

The following table summarizes the changes that have been made for the latest release.

| Rule Name | MITRE ATT&CK Mapping | MITRE ATT&CK URL | Revision |
|---|---|---|---|
| T1003: OS Credential Dumping | T1003: OS Credential Dumping | https://attack.mitre.org/techniques/T1003/ | New |
| T1007: System Service Discovery | T1007: System Service Discovery | https://attack.mitre.org/techniques/T1007/ | New |
| T1012: Query Registry | T1012: Query Registry | https://attack.mitre.org/techniques/T1012/ | New |
| T1016: System Network Configuration Discovery | T1016: System Network Configuration Discovery | https://attack.mitre.org/techniques/T1016/ | New |
| T1018: Remote System Discovery | T1018: Remote System Discovery | https://attack.mitre.org/techniques/T1018/ | New |
| T1033: System Owner/User Discovery | T1033: System Owner/User Discovery | https://attack.mitre.org/techniques/T1033/ | New |
| T1053: Scheduled Task | T1053: Scheduled Task/Job | https://attack.mitre.org/techniques/T1053/ | New |
| T1059: Command and Scripting Interpreter | T1059: Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ | New |
| T1543.003: Windows Service | T1543.003: Create or Modify System Process: Windows Service | https://attack.mitre.org/techniques/T1543/003/ | New |
| T1550.002: Pass the Hash | T1550.002: Use Alternate Authentication Material: Pass the Hash | https://attack.mitre.org/techniques/T1550/002/ | New |
| T1047: Windows Management Instrumentation | T1047: Windows Management Instrumentation | https://attack.mitre.org/techniques/T1047/ | New |
| T1057: Process Discovery | T1057: Process Discovery | https://attack.mitre.org/techniques/T1057/ | New |
| T1059.001: PowerShell | T1059.001: Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ | New |
| T1069: Permission Groups Discovery | T1069: Permission Groups Discovery | https://attack.mitre.org/techniques/T1069/ | New |
| T1070.006: Timestomp | T1070.006: Indicator Removal: Timestomp | https://attack.mitre.org/techniques/T1070/006/ | New |
| T1082: System Information Discovery | T1082: System Information Discovery | https://attack.mitre.org/techniques/T1082/ | New |
| T1087: Account Discovery | T1087: Account Discovery | https://attack.mitre.org/techniques/T1087/ | New |
| T1218.011: Rundll32 | T1218.011: System Binary Proxy Execution: Rundll32 | https://attack.mitre.org/techniques/T1218/011/ | New |
| T1490: Inhibit System Recovery | T1490: Inhibit System Recovery | https://attack.mitre.org/techniques/T1490/ | New |
| T1547.001: Registry Run Keys/Startup Folder | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1547/001/ | New |
| T1027: Obfuscated Files or Information | T1027: Obfuscated Files or Information | https://attack.mitre.org/techniques/T1027/ | New |
| T1059.003: Windows Command Shell | T1059.003: Command and Scripting Interpreter: Windows Command Shell | https://attack.mitre.org/techniques/T1059/003/ | New |
| T1552.004: Private Keys | T1552.004: Unsecured Credentials: Private Keys | https://attack.mitre.org/techniques/T1552/004/ | New |
| T1558.003: Kerberoasting | T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting | https://attack.mitre.org/techniques/T1558/003/ | New |
| T1562.001: Disable or Modify Tools | T1562.001: Impair Defenses: Disable or Modify Tools | https://attack.mitre.org/techniques/T1562/001/ | New |
| T1566.001: Spearphishing Attachment | T1566.001: Phishing: Spearphishing Attachment | https://attack.mitre.org/techniques/T1566/001/ | New |
| T1218.010: Regsvr32 | T1218.010: System Binary Proxy Execution: Regsvr32 | https://attack.mitre.org/techniques/T1218/010/ | New |
| T1569.002: Service Execution | T1569.002: System Services: Service Execution | https://attack.mitre.org/techniques/T1569/002/ | New |
| T1550.003: Pass the Ticket | T1550.003: Use Alternate Authentication Material: Pass the Ticket | https://attack.mitre.org/techniques/T1550/003/ | New |
| T1562.002: Disable Windows Event Logging | T1562.002: Impair Defenses: Disable Windows Event Logging | https://attack.mitre.org/techniques/T1562/002/ | New |
| T1106: Native API | T1106: Native API | https://attack.mitre.org/techniques/T1106/ | New |
| T1134.002: Create Process With Token | T1134.002: Access Token Manipulation: Create Process With Token | https://attack.mitre.org/techniques/T1134/002/ | New |
| T1190: Exploit Public-Facing Application | T1190: Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ | New |
| T1484.002: Domain Trust Modification | T1484.002: Domain Policy Modification: Domain Trust Modification | https://attack.mitre.org/techniques/T1484/002/ | New |
| T1489: Service Stop | T1489: Service Stop | https://attack.mitre.org/techniques/T1489/ | New |
| T1539: Steal Web Session Cookie | T1539: Steal Web Session Cookie | https://attack.mitre.org/techniques/T1539/ | New |
| T1621: Multi-Factor Authentication Request Generation | T1621: Multi-Factor Authentication Request Generation | https://attack.mitre.org/techniques/T1621/ | New |