Full Rule Catalog (with MITRE Mapping)
14 min read
The full reference for every detection rule Burrow ships with. Each rule has a category name (the identifier that appears on every alert), a MITRE ATT&CK technique mapping, a severity, the conditions under which it fires, the configurable knobs and their defaults across postures, common false-positive patterns, and tuning advice.
Defaults shown are as of June 2026; the Rules page in your dashboard is the source of truth.
The posture columns are P (Permissive), R (Relaxed), B (Balanced — the default), S (Strict), X (Paranoid).
For an overview of how postures and overrides interact, see Postures, overrides, and disabled rules.
Ransomware and destruction
ransomware_signature
- MITRE: T1486 (Data Encrypted for Impact)
- Severity: Critical
Fires on any of three sub-patterns:
- Crypto-locker extension match — files touched in the window carry an extension on the operator-curated ransomware extension list (
.locked,.crypted, etc.). - Encrypt-and-replace — modify + delete + upload pattern in the same window beyond the configured thresholds. Crypto-locker behaviour: delete original, upload encrypted copy.
- Encrypt-in-place burst — high modification volume across many distinct files with a low modifies-per-file ratio. The ratio gate is the Office co-authoring filter: real ransomware touches many files at ratio ~1, Office co-authoring touches few files at ratio 10+.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
ransom_ext_events | 1 | 1 | 1 | 1 | 1 |
modified_burst | 400 | 250 | 150 | 100 | 75 |
modified_burst_min_files | 250 | 150 | 100 | 75 | 50 |
max_modifies_per_file | 2.0 | 2.5 | 2.5 | 3.0 | 3.0 |
combo_deleted | 200 | 100 | 50 | 25 | 15 |
combo_uploaded | 200 | 100 | 50 | 25 | 15 |
False positives: Office co-authoring on small file sets generates many modifications on few files. Mitigated by the max_modifies_per_file ratio gate.
Tuning advice: rarely raise ransom_ext_events above 1 — the extension list is curated to be unambiguous. If the burst pattern fires on bulk-edit tooling, raise modified_burst_min_files rather than modified_burst.
When to disable: almost never.
mass_deletion_high / mass_deletion_med
- MITRE: T1485 (Data Destruction)
- Severity: High / Medium
Fires when deleted-file count crosses the threshold.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
mass_deletion_high.deleted | 500 | 200 | 100 | 50 | 25 |
mass_deletion_med.deleted | 150 | 60 | 30 | 15 | 8 |
False positives: project archive cleanup, retention-policy execution, bulk list cleanup. Service accounts doing scheduled deletes are the biggest source.
Tuning advice: add service-account exceptions before raising thresholds (a real deleted=200 from a human is meaningful; do not blunt the rule for everyone to mute one account).
When to disable: never globally — use per-user exceptions.
Exfiltration
data_exfiltration_high / data_exfiltration_med
- MITRE: T1567.002 (Exfiltration to Cloud Storage)
- Severity: High / Medium
Fires when ANY of four envelope thresholds is crossed: total bytes downloaded, manual downloads (sync excluded), manual downloads of labelled files, or total labelled-file count.
Tunable knobs (high):
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
bytes_downloaded | 5 GB | 2 GB | 1 GB | 512 MB | 256 MB |
downloaded_manual | 2500 | 1000 | 500 | 250 | 100 |
downloaded_manual_with_labels | 1000 | 400 | 200 | 100 | 50 |
labeled_files | 25 | 20 | 10 | 5 | 3 |
Tunable knobs (med):
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
bytes_downloaded | 1 GB | 512 MB | 256 MB | 128 MB | 64 MB |
downloaded_manual | 1000 | 400 | 200 | 100 | 50 |
distinct_files | 5000 | 2000 | 1000 | 500 | 250 |
distinct_files_downloaded_manual | 250 | 100 | 50 | 25 | 10 |
False positives: legitimate large pulls (project hand-offs, M&A due diligence, data scientists pulling datasets). OneDrive sync is already excluded. Backup tooling.
Tuning advice: the Med tier fires more than High; raise data_exfiltration_med.bytes_downloaded first if Med is the noisy one. If only the labelled-files signal is firing, that is a significant signal worth keeping at low volume. Use entity exceptions for known data-engineer accounts.
When to disable: never — use exceptions.
sensitive_ext_exfil_critical
- MITRE: T1567.002
- Severity: Critical
Fires on downloads of files with extensions in a curated high-risk list (credential vaults, mailbox archives, database dumps, system backups). Extension-based, not MIP-label-based — the cheap heuristic that complements the labelled-content rules.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
sensitive_ext_dl | 50 | 20 | 10 | 5 | 3 |
False positives: legitimate ops people pulling backups, IT migrating mailboxes. Use entity exceptions for known operational accounts.
When to disable: never.
risky_sharing / risky_sharing_orgwide
- MITRE: T1530 (Data from Cloud Storage)
- Severity: High (anonymous links), Medium (external shares), Medium (org-wide links)
Fires on three sub-conditions: anonymous link creation, external shares, or org-wide link events above threshold.
Tunable knobs (org-wide):
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
risky_sharing_orgwide.org_links | 25 | 10 | 5 | 3 | 1 |
False positives: modern collaboration uses sharing heavily. Internal teams use org-wide links for tenant-wide announcements. SharePoint News uses them.
Tuning advice: correlate with site sensitivity — the high-value alerts are ones where the shared files carry a sensitivity label. If specific sites legitimately broadcast, add a sensitive-site exception rather than a user exception.
When to disable: never — tune thresholds and use exceptions.
Recon and discovery
search_enumeration_high / search_enumeration_med
- MITRE: T1083 (File and Directory Discovery)
- Severity: High / Medium
Fires when search-query count crosses threshold.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
search_enumeration_high.searches_performed | 1000 | 400 | 200 | 100 | 50 |
search_enumeration_med.searches_performed | 375 | 150 | 75 | 40 | 20 |
False positives: legitimate research, librarians, knowledge-base maintainers, heavy SharePoint adopters.
Tuning advice: the sensitive_search_high rule is the better signal — if a user does 50 searches all matching sensitive-keyword patterns, that is reconnaissance regardless of volume. Tune search_enumeration_* up and rely on sensitive_search_high for the signal.
When to disable: if your tenant does not have a SharePoint search culture, consider disabling at the posture-default level and re-enabling only when reconnaissance is a known risk.
sensitive_search_high
- MITRE: T1083
- Severity: High
Fires on search queries matching the operator-configured sensitive keywords list.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
sensitive_searches | 50 | 20 | 10 | 5 | 3 |
False positives: security team enumeration, audit / compliance scans.
Tuning advice: add an entity exception for known security / compliance users. Do not raise the threshold — the rule's value is its sensitivity to low-volume targeted recon.
When to disable: never.
new_site_access (UEBA)
- MITRE: T1083
- Severity: High
Fires when a user accesses sites they have never accessed in their recent history (default 14-day baseline window).
False positives: project pivots (legitimate new-project ramp-up touches many new sites at once), people moving teams.
Tuning advice: high-signal for insider recon and lateral movement. Tune by raising the minimum new-site count rather than disabling — a single new site is normal, 20 in one window is recon.
Authentication and identity
account_compromise (SharePoint)
- MITRE: T1078.004 (Cloud Accounts)
- Severity: High
Fires on activity from multiple geographies in the same window, with at least one geography being new vs the user's baseline.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
n_geos | 3 | 2 | 2 | 2 | 2 |
False positives: VPN users hitting different egress points, mobile users on flights, users with home and office in different geographies (border regions).
Tuning advice: prefer the AAD impossible_travel_signin rule — sign-in events have cleaner timing data. Use this SharePoint rule as supporting evidence rather than primary signal.
impossible_travel_signin (Entra ID)
- MITRE: T1078.004
- Severity: High
Fires on sign-ins from two geographies where physical travel time between them is implausible.
False positives: mobile users using VPN egress at different sites; legitimate travel where the sign-in interval is unrealistically short.
mfa_fatigue (Entra ID)
- MITRE: T1621 (MFA Request Generation)
- Severity: High
Fires on many MFA prompts to the same user in a short window — the attacker pattern of spam-prompting hoping for accidental approval.
oauth_consent_grant (Entra ID)
- MITRE: T1528 (Steal Application Access Token)
- Severity: Medium / High (severity scales with scope sensitivity)
Fires when an application is granted OAuth scopes on the operator-curated sensitive-scopes list.
Tuning advice: review the sensitive-scopes list periodically — Microsoft adds new scopes regularly.
site_collection_admin_grant
- MITRE: T1078.004
- Severity: High
Fires on any SharePoint site-collection-admin role grant.
False positives: legitimate admin onboarding new site owners.
Tuning advice: none — investigate every firing.
When to disable: never.
external_user_group_add
- MITRE: T1098 (Account Manipulation)
- Severity: Medium
Fires on guest account additions to security or distribution groups.
False positives: legitimate guest onboarding for partner projects.
Tuning advice: correlate with risky_sharing — guest add followed by immediate external share is more suspicious than guest add alone.
Device and IP
unmanaged_device_access
- MITRE: T1078
- Severity: High
Fires when both gates trip: unmanaged-device event count crosses threshold AND labelled-file count crosses threshold. Pure unmanaged volume without labelled-file involvement does not fire.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
unmanaged_events | 500 | 200 | 100 | 50 | 20 |
labeled_files | 25 | 20 | 10 | 5 | 1 |
False positives: mobile-app access on personal devices, BYOD users with unenrolled devices doing routine work.
Tuning advice: if your tenant does not enforce device compliance broadly, this rule will be noisy. Either disable it or add OU-scoped exceptions.
When to disable: if your tenant has no MIP labelling rollout (the rule relies on label presence to fire meaningfully).
anonymizer_access_critical
- MITRE: T1090.003 (Multi-hop Proxy)
- Severity: Critical
Fires on access from Tor exit-node IPs. The Tor exit list is refreshed from a public source on every detection pass.
False positives: essentially zero. Tor to SharePoint is not a legitimate access pattern.
Tuning advice: keep at default. If a known security-team red-team exercise is in progress, add a temporary exception with an expiry note in the reason text.
When to disable: never.
malicious_ip_access_critical
- MITRE: T1071 (Application Layer Protocol)
- Severity: Critical
Fires on access from IPs on a public threat-intelligence list (botnets, brute-forcers, scanners).
False positives: the threat-intel list occasionally includes cloud-provider IP space. Verify any single-IP repeat alert.
When to disable: never.
Anti-forensics
audit_tampering
- MITRE: T1562.008 (Disable Cloud Logs)
- Severity: Critical
Fires on any single audit-config modification event.
False positives: legitimate admin reconfiguration of audit policy. Should be rare and traceable to a named admin.
Tuning advice: none — investigate every firing.
When to disable: never.
recyclebin_restore_high / recyclebin_restore_med
- MITRE: T1070 (Indicator Removal)
- Severity: High / Medium
Fires on recycle-bin restore burst — many file restorations in a short window.
Tunable knobs:
| Knob | P | R | B | S | X |
|---|---|---|---|---|---|
recyclebin_restore_high.recyclebin_restored | 500 | 200 | 100 | 50 | 25 |
recyclebin_restore_med.recyclebin_restored | 150 | 60 | 30 | 15 | 8 |
False positives: legitimate undo of a bulk delete, retention-policy reversal, project resurrection.
Tuning advice: correlate with prior delete activity. If the same user has a high mass_deletion_* alert in the same day, the restore is meaningful (could be cover-up or oops). Standalone, more often benign.
UEBA family — baseline-relative deviation rules
These rules do not have numeric posture knobs the way the deterministic rules above do. Each compares today vs the user's own prior days. Common gates: minimum baseline-days required before the rule can fire, and minimum events-per-baseline-day for a day to count toward the baseline.
behavioral_deviation
- MITRE: T1078
- Severity: scales with magnitude (Medium for >= 4 sigma, High for >= 6 sigma, Critical for >= 10 sigma)
Fires when today's event count for the user is far above the user's own mean (in standard deviations).
False positives: users returning from leave (their mean includes zeros for absence days), users in seasonal-spike work.
Tuning advice: raise the minimum baseline-days gate to reduce cold-start noise.
unusual_hour_activity
- MITRE: T1078
- Severity: Medium / High (scales with how far outside typical hours)
Fires when events occur in hours where the user's baseline shows minimal activity. Requires at least a week of baseline.
False positives: shift workers, on-call rotation, end-of-quarter crunch, travel across timezones.
Tuning advice: very noisy in modern environments. Add category-level exceptions for known late-shift users, or raise the baseline-maturity gate.
weekend_posture_drift
- MITRE: T1078
- Severity: High
Fires on weekend activity for a user whose baseline shows no weekend activity.
False positives: on-call, deadline weekend work.
Tuning advice: respects baseline — a user who regularly works weekends will not fire. If still noisy, increase the baseline-maturity gate.
dow_drift
- MITRE: T1078
- Severity: Medium
Fires when a user is active on a day of week where their baseline is mostly quiet.
False positives: weekend catch-up, conference travel, deadline crunch.
Tuning advice: noisy — one of the first rules many operators downgrade. Either accept as audit data only or raise the active-percentage threshold.
ua_anomaly
- MITRE: T1078
- Severity: Medium
Fires when a user-agent string appears that was not in the user's baseline UA set. Requires at least 3 days of UA baseline.
False positives: browser updates, OS updates, new device, app version bumps, mobile UA drift.
Tuning advice: very noisy. Pair with another signal for higher confidence (UA anomaly + impossible-travel = real signal; UA anomaly alone = noise).
intraday_velocity_burst
- MITRE: T1078
- Severity: High
Fires when activity rate this hour is far above the user's typical hourly rate.
False positives: batch jobs, automated sync, bulk-edit sessions.
Tuning advice: for users who legitimately batch-work, raise the ratio threshold via override.
unmanaged_baseline_spike
- MITRE: T1078
- Severity: High
Fires when unmanaged-device event count spikes vs baseline.
search_baseline_deviation
- MITRE: T1083
- Severity: High
Fires on search-query volume spike vs baseline.
Tuning advice: correlate with sensitive_search_high for high-confidence signals.
peer_group_deviation
- MITRE: T1078
- Severity: High
Fires when a user's metric (distinct files, downloads, etc.) is far above the median of their peer group AND far above the peer-group median in robust statistical terms (MAD-z). Peer group is auto-derived by class (human, service-app).
False positives: users in atypical roles misclassified into the wrong peer group.
Tuning advice: if a known IT user keeps firing, add an entity exception. The peer-class assignment is automated.
Meta and correlation
daily_pattern_escalation
- MITRE: varies (cumulative)
- Severity: maximum of constituent alert severities + 1 tier
Fires when a user's cumulative day score crosses a threshold. The score weights severity x category diversity x time spread x slope. When this fires, Burrow sends ONE meta-alert for the user's day instead of N raw per-alert emails for the rest of the day.
custom_rule
- MITRE: operator-set
- Severity: operator-set
Fires when an operator-defined custom rule expression evaluates true against per-user counters. See Custom rules.
label_rule
- MITRE: operator-set
- Severity: operator-set
Fires when an operator-defined label-aware rule triggers. See Sensitive sites, labels, and keywords.
See also
- Alert severity meanings — what each severity tier means operationally.
- MITRE ATT&CK technique reference — the techniques this catalog maps to.
- Postures, overrides, and disabled rules — for the tuning levers behind every rule's thresholds.
- Tuning a noisy rule — for the workflow when a specific rule is too noisy.
Need help? support@smikar.com.