Threat Detection Rules

Threat detection rules give your team an additional resource for threat research and dashboard configuration. The preconfigured rules deliver detection content out of the box.

LogRhythm Labs’ ongoing in-field and lab-based research ensures your LogRhythm Axon analytics evolve as fast as current threats.

New rules are disabled by default, and you can enable them in the Rules window.

Content Revisions

The following table summarizes the changes that have been made for the latest release.

| Previous rule name | Updated rule name |
| --- | --- |
| T1003: OS Credential Dumping | T1003: OS Credential Dumping |
| T1007: System Service Discovery | T1007: System Service Discovery |
| T1012: Query Registry | T1012: Query Registry |
| T1016: System Network Configuration Discovery | T1016: System Network Configuration Discovery |
| T1018: Remote System Discovery | T1018: Remote System Discovery |
| T1033: System Owner/User Discovery | T1033: System Owner/User Discovery |
| T1053: Scheduled Task | T1053: Scheduled Task/Job |
| T1059: Command and Scripting Interpreter | T1059: Command and Scripting Interpreter |
| T1543.003: Windows Service | T1543.003: Create or Modify System Process: Windows Service |
| T1550.002: Pass the Hash | T1550.002: Use Alternate Authentication Material: Pass the Hash |
| T1047: Windows Management Instrumentation | T1047: Windows Management Instrumentation |
| T1057: Process Discovery | T1057: Process Discovery |
| T1059.001: PowerShell | T1059.001: Command and Scripting Interpreter: PowerShell |
| T1069: Permission Groups Discovery | T1069: Permission Groups Discovery |
| T1070.006: Timestomp | T1070.006: Indicator Removal: Timestomp |
| T1082: System Information Discovery | T1082: System Information Discovery |
| T1087: Account Discovery | T1087: Account Discovery |
| T1218.011: Rundll32 | T1218.011: System Binary Proxy Execution: Rundll32 |
| T1490: Inhibit System Recovery | T1490: Inhibit System Recovery |
| T1547.001: Registry Run Keys/Startup Folder | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1027: Obfuscated Files or Information | T1027: Obfuscated Files or Information |
| T1059.003: Windows Command Shell | T1059.003: Command and Scripting Interpreter: Windows Command Shell |
| T1552.004: Private Keys | T1552.004: Unsecured Credentials: Private Keys |
| T1558.003: Kerberoasting | T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting |
| T1562.001: Disable or Modify Tools | T1562.001: Impair Defenses: Disable or Modify Tools |
| T1566.001: Spearphishing Attachment | T1566.001: Phishing: Spearphishing Attachment |
| T1218.010: Regsvr32 | T1218.010: System Binary Proxy Execution: Regsvr32 |
| T1569.002: Service Execution | T1569.002: System Services: Service Execution |
| T1550.003: Pass the Ticket | T1550.003: Use Alternate Authentication Material: Pass the Ticket |
| T1562.002: Disable Windows Event Logging | T1562.002: Impair Defenses: Disable Windows Event Logging |
| T1106: Native API | T1106: Native API |
| T1134.002: Create Process With Token | T1134.002: Access Token Manipulation: Create Process With Token |
| T1190: Exploit Public-Facing Application | T1190: Exploit Public-Facing Application |
| T1484.002: Domain Trust Modification | T1484.002: Domain Policy Modification: Domain Trust Modification |
| T1489: Service Stop | T1489: Service Stop |
| T1539: Steal Web Session Cookie | T1539: Steal Web Session Cookie |
| T1621: Multi-Factor Authentication Request Generation | T1621: Multi-Factor Authentication Request Generation |