Vendor: LogRhythm
April 15, 2026 · View on GitHub
Product: LogRhythm
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 520 | 133 | 149 | 9 | 16 |
| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | app-activity ↳microsoft-m365auditlogs-kv-file-share-sharingset ↳microsoft-m365auditlogs-kv-group-create-groupadded ↳microsoft-m365auditlogs-kv-app-notification-success-pageprefetched ↳microsoft-m365auditlogs-kv-share-link-open-success-companylinkused ↳microsoft-m365auditlogs-kv-file-unshare-sharingrevoked ↳microsoft-m365auditlogs-kv-user-modify-changeuserlicense ↳microsoft-m365auditlogs-kv-user-modify-success-updateserviceprincipal ↳microsoft-m365auditlogs-kv-user-modify-success-updatestsrefreshtokenvalidfromtimestamp ↳microsoft-m365auditlogs-kv-user-modify-updateuser ↳microsoft-m365auditlogs-kv-group-modify-updategroup ↳microsoft-m365auditlogs-kv-endpoint-modify-success-updatedevice ↳microsoft-m365auditlogs-kv-user-create-adduser ↳microsoft-m365auditlogs-kv-mailbox-item-create-create ↳microsoft-m365auditlogs-kv-report-read-success-viewreport app-login ↳microsoft-m365auditlogs-kv-app-login-success-teamssessionstarted member-added ↳microsoft-m365auditlogs-kv-group-member-add-addedtogroup | T1078 - Valid Accounts T1133 - External Remote Services |
|
| Account Manipulation | app-activity ↳microsoft-m365auditlogs-kv-file-share-sharingset ↳microsoft-m365auditlogs-kv-group-create-groupadded ↳microsoft-m365auditlogs-kv-app-notification-success-pageprefetched ↳microsoft-m365auditlogs-kv-share-link-open-success-companylinkused ↳microsoft-m365auditlogs-kv-file-unshare-sharingrevoked ↳microsoft-m365auditlogs-kv-user-modify-changeuserlicense ↳microsoft-m365auditlogs-kv-user-modify-success-updateserviceprincipal ↳microsoft-m365auditlogs-kv-user-modify-success-updatestsrefreshtokenvalidfromtimestamp ↳microsoft-m365auditlogs-kv-user-modify-updateuser ↳microsoft-m365auditlogs-kv-group-modify-updategroup ↳microsoft-m365auditlogs-kv-endpoint-modify-success-updatedevice ↳microsoft-m365auditlogs-kv-user-create-adduser ↳microsoft-m365auditlogs-kv-mailbox-item-create-create ↳microsoft-m365auditlogs-kv-report-read-success-viewreport member-added ↳microsoft-m365auditlogs-kv-group-member-add-addedtogroup process-created ↳logrhythm-l-kv-process-create-success-pid | T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021 - Remote Services T1021.003 - T1021.003 T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1218 - Signed Binary Proxy Execution T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1531 - Account Access Removal T1559 - Inter-Process Communication T1559.002 - T1559.002 |
|
| Audit Tampering | process-created ↳logrhythm-l-kv-process-create-success-pid | T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546 - Event Triggered Execution T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006 |
|
| Cryptomining | process-created ↳logrhythm-l-kv-process-create-success-pid | T1496 - Resource Hijacking |
|
| Data Exfiltration | file-write ↳microsoft-m365auditlogs-kv-file-property-modify-sharinginheritancebroken process-created ↳logrhythm-l-kv-process-create-success-pid | T1003 - OS Credential Dumping T1040 - Network Sniffing T1041 - Exfiltration Over C2 Channel T1048 - Exfiltration Over Alternative Protocol T1059 - Command and Scripting Interperter T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1071.002 - Application Layer Protocol: File Transfer Protocols T1071.004 - Application Layer Protocol: DNS T1552 - Unsecured Credentials T1552.001 - T1552.001 T1560 - Archive Collected Data T1572 - Protocol Tunneling TA0002 - TA0002 |
|
| Evasion | process-created ↳logrhythm-l-kv-process-create-success-pid | T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.003 - Masquerading: Rename System Utilities T1036.005 - Masquerading: Match Legitimate Name or Location T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.005 - T1059.005 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1105 - Ingress Tool Transfer T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1140 - Deobfuscate/Decode Files or Information T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.008 - T1218.008 T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1484 - Group Policy Modification T1484.001 - T1484.001 T1542 - Pre-OS Boot T1542.003 - T1542.003 T1543 - Create or Modify System Process T1543.003 - Create or Modify System Process: Windows Service T1552 - Unsecured Credentials T1552.006 - T1552.006 T1562 - Impair Defenses T1562.001 - T1562.001 T1562.004 - Impair Defenses: Disable or Modify System Firewall T1562.006 - T1562.006 T1564 - Hide Artifacts T1564.001 - T1564.001 T1564.004 - Hide Artifacts: NTFS File Attributes T1574 - Hijack Execution Flow |
|
| Lateral Movement | app-login ↳microsoft-m365auditlogs-kv-app-login-success-teamssessionstarted network-connection-successful ↳logrhythm-l-csv-network-session-logrhythmdpi process-created ↳logrhythm-l-kv-process-create-success-pid | T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1021.003 - T1021.003 T1021.006 - T1021.006 T1047 - Windows Management Instrumentation T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1071 - Application Layer Protocol T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1210 - Exploitation of Remote Services T1219 - Remote Access Software T1563 - Remote Service Session Hijacking T1563.002 - T1563.002 TA0010 - TA0010 TA0011 - TA0011 |
|
| Phishing | dlp-email-alert-out ↳microsoft-m365auditlogs-kv-email-send-sendas ↳microsoft-m365auditlogs-kv-email-send-success-send ↳microsoft-m365auditlogs-kv-email-send-success-sendonbehalf process-created ↳logrhythm-l-kv-process-create-success-pid | T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1566 - Phishing T1566.001 - T1566.001 |
|
| Ransomware | app-login ↳microsoft-m365auditlogs-kv-app-login-success-teamssessionstarted file-write ↳microsoft-m365auditlogs-kv-file-property-modify-sharinginheritancebroken process-created ↳logrhythm-l-kv-process-create-success-pid | T1003 - OS Credential Dumping T1003.001 - T1003.001 T1059 - Command and Scripting Interperter T1059.003 - T1059.003 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1078 - Valid Accounts T1218 - Signed Binary Proxy Execution T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222 - File and Directory Permissions Modification T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1486 - Data Encrypted for Impact T1490 - Inhibit System Recovery |
|
| Workforce Protection | dlp-email-alert-out ↳microsoft-m365auditlogs-kv-email-send-sendas ↳microsoft-m365auditlogs-kv-email-send-success-send ↳microsoft-m365auditlogs-kv-email-send-success-sendonbehalf | T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
| Next Page -->> |