Release date: 8 October, 2024

Added a new Medium Analytics BIOC:
  Parsing Rule Error

Added 5 new Low Analytics BIOCs:
  A Command Line Interface (CLI) command was executed from a GCP serverless compute service
  A Command Line Interface (CLI) command was executed from an AWS serverless compute service
  Kubernetes pod creation from unknown container image registry
  Possible path traversal via HTTP request
  Suspicious setspn.exe execution

Added 3 new Informational Analytics BIOCs:
  Executable or Script file written by web server process
  Rare MS-Update Server was detected
  Unique client computer model was detected via MS-Update protocol

Improved logic of 23 High Analytics BIOCs:
  A Successful VPN connection from TOR
  A Successful login from TOR
  A successful SSO sign-in from TOR
  Bronze-Bit exploit
  Collection error
  Copy a process memory file
  Editing ld.so.preload for persistence and injection
  Memory dumping with comsvcs.dll
  Mimikatz command-line arguments
  Netcat makes or gets connections
  Possible DCShadow attempt
  Possible Distributed File System Namespace Management (DFSNM) abuse
  PowerShell used to remove mailbox export request logs
  Process execution with a suspicious command line indicative of the Spring4Shell exploit
  Remote service command execution from an uncommon source
  Suspicious API call from a Tor exit node
  Suspicious SaaS API call from a Tor exit node
  Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin
  Suspicious usage of File Server Remote VSS Protocol (FSRVP)
  Uncommon remote scheduled task creation
  Unicode RTL Override Character
  Unprivileged process opened a registry hive
  Wbadmin deleted files in quiet mode

Improved logic of 2 High Analytics Alerts:
  Possible brute force or configuration change attempt on cytool
  Suspicious objects encryption in an AWS bucket

Improved logic of 86 Medium Analytics BIOCs:
  A Kubernetes API operation was successfully invoked by an anonymous user
  A Kubernetes dashboard service account was used outside the cluster
  A Possible crypto miner was detected on a host
  A TCP stream was created directly in a shell
  A contained executable from a mounted share initiated a suspicious outbound network connection
  A contained executable was executed by an unusual process
  A machine certificate was issued with a mismatch
  A mail forwarding rule was configured in Google Workspace
  A process was executed with a command line obfuscated by Unicode character substitution
  A suspicious executable with multiple file extensions was created
  Autorun.inf created in root C drive
  Azure AD PIM alert disabled
  Bitsadmin.exe persistence using command-line callback
  Commonly abused AutoIT script connects to an external domain
  Correlation rule error
  Discovery of misconfigured certificate templates using LDAP
  Encoded information using Windows certificate management tool
  Error in event forwarding
  Executable created to disk by lsass.exe
  Executable moved to Windows system folder
  Execution of the Hydra Linux password brute-force tool
  Fodhelper.exe UAC bypass
  Indirect command execution using the Program Compatibility Assistant
  Interactive at.exe privilege escalation method
  Kerberos Traffic from Non-Standard Process
  Kubernetes vulnerability scanner activity
  Kubernetes vulnerability scanning tool usage
  LSASS dump file written to disk
  MSI accessed a web page running a server-side script
  Machine account was added to a domain admins group
  Mailbox Client Access Setting (CAS) changed
  Manipulation of netsh helper DLLs Registry keys
  Microsoft Office Process Spawning a Suspicious One-Liner
  Modification of NTLM restrictions in the Registry
  Office process creates a scheduled task via file access
  Office process spawned with suspicious command-line arguments
  Penetration testing tool activity
  Phantom DLL Loading
  Possible Microsoft process masquerading
  Possible Persistence via group policy Registry keys
  Possible RDP session hijacking using tscon.exe
  Possible Search For Password Files
  Possible code downloading from a remote host by Regsvr32
  Possible collection of screen captures with Windows Problem Steps Recorder
  Possible compromised machine account
  Possible malicious .NET compilation started by a commonly abused process
  Possible new DHCP server
  PowerShell runs suspicious base64-encoded commands
  PowerShell suspicious flags
  PowerShell used to export mailbox contents
  Procdump executed from an atypical directory
  RDP Connection to localhost
  Recurring rare domain access from an unsigned process
  Remote WMI process execution
  Reverse SSH tunnel to external domain/ip
  Rundll32.exe running with no command-line arguments
  Rundll32.exe spawns conhost.exe
  Script file added to startup-related Registry keys
  Service ticket request with a spoofed sAMAccountName
  Suspicious .NET process loads an MSBuild DLL
  Suspicious Encrypting File System Remote call (EFSRPC) to domain controller
  Suspicious PowerSploit's recon module (PowerView) net function was executed
  Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts
  Suspicious Process Spawned by wininit.exe
  Suspicious SearchProtocolHost.exe parent process
  Suspicious authentication package registered
  Suspicious authentication with Azure Password Hash Sync user
  Suspicious certutil command line
  Suspicious disablement of the Windows Firewall
  Suspicious disablement of the Windows Firewall using PowerShell commands
  Suspicious execution of ODBCConf
  Suspicious heavy allocation of compute resources - possible mining activity
  Suspicious hidden user created
  Suspicious print processor registered
  Suspicious time provider registered
  Suspicious usage of EC2 token
  TGT request with a spoofed sAMAccountName - Event log
  TGT request with a spoofed sAMAccountName - Network
  The CA policy EditFlags was queried
  Uncommon Service Create/Config
  Uncommon SetWindowsHookEx API invocation of a possible keylogger
  Uncommon jsp file write by a Java process
  Unsigned process injecting into a Windows system binary with no command line
  Vulnerable driver loaded
  Windows Installer exploitation for local privilege escalation
  Windows LOLBIN executable connected to a rare external host

Improved logic of 10 Medium Analytics Alerts:
  A contained process attempted to escape using the 'notify on release' feature
  A new machine attempted Kerberos delegation
  An internal Cloud resource performed port scan on external networks
  DNS Tunneling
  Kerberos User Enumeration
  NTLM Hash Harvesting
  New Administrative Behavior
  Possible Kerberoasting attack
  Random-Looking Domain Names
  Sudoedit Brute force attempt

Improved logic of 190 Low Analytics BIOCs:
  A GCP service account was delegated domain-wide authority in Google Workspace
  A cloud function was created with an unusual runtime
  A compiled HTML help file wrote a script file to the disk
  A computer account was promoted to DC
  A disabled user attempted to log in to a VPN
  A domain was added to the trusted domains list
  A rare FTP user has been detected on an existing FTP server
  A rare file path was added to the AppInit_DLLs registry value
  A remote service was created via RPC over SMB
  A suspicious direct syscall was executed
  A suspicious process enrolled for a certificate
  A user attempted to bypass Okta MFA
  AWS Flow Logs deletion
  AWS Guard-Duty detector deletion
  AWS network ACL rule deletion
  AWS web ACL deletion
  Abnormal network communication through TOR using an uncommon port
  An Azure Firewall policy deletion
  An uncommon executable was remotely written over SMB to an uncommon destination
  An uncommon service was started
  An unpopular process accessed the microphone on the host
  Attempt to execute a command on a remote host using PsExec.exe
  Azure AD PIM role settings change
  Azure Event Hub Deletion
  Azure Network Watcher Deletion
  Azure account deletion by a non-standard account
  Azure domain federation settings modification attempt
  Billing admin role was removed
  Cached credentials discovery with cmdkey
  Certutil pfx parsing
  Change of sudo caching configuration
  Cloud Trail logging deletion
  Command running with COMSPEC in the command line argument
  Compressing data using python
  Conditional Access policy removed
  Conhost.exe spawned a suspicious cmd process
  Contained process execution with a rare GitHub URL
  Copy a user's GnuPG directory with rsync
  Delayed Deletion of Files
  Disable encryption operations
  Download a script using the python requests module
  Elevation to SYSTEM via services
  Exchange DKIM signing configuration disabled
  Exchange Safe Attachment policy disabled or removed
  Exchange Safe Link policy disabled or removed
  Exchange anti-phish policy disabled or removed
  Exchange audit log disabled
  Exchange mailbox audit bypass
  Exchange malware filter policy removed
  Exchange transport forwarding rule configured
  Exchange user mailbox forwarding
  Execution of an uncommon process at an early startup stage by Windows system binary
  Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary
  Execution of dllhost.exe with an empty command line
  Execution of renamed lolbin
  Extracting credentials from Unix files
  FTP Connection Using an Anonymous Login or Default Credentials
  First Azure AD PowerShell operation for a user
  GCP Logging Sink Deletion
  Globally uncommon root domain from a signed process
  Globally uncommon root-domain port combination from a signed process
  Image file execution options (IFEO) registry key set
  Installation of a new System-V service
  Interactive login by a service account
  Keylogging using system commands
  Known service display name with uncommon image-path
  Known service name with an uncommon image-path
  LDAP search query from an unpopular and unsigned process
  LOLBIN process executed with a high integrity level
  Linux system firewall was modified
  MFA Disabled for Google Workspace
  MFA was disabled for an Azure identity
  Masquerading as a default local account
  Masquerading as the Linux crond process
  Microsoft Office adds a value to autostart Registry key
  Microsoft Office injects code into a process
  Microsoft Office process spawns a commonly abused process
  MpCmdRun.exe was used to download files into the system
  Mshta.exe launched with suspicious arguments
  New FTP Server
  New addition to Windows Defender exclusion list
  Non-browser access to a pastebin-like site
  Office process accessed an unusual .LNK file
  Okta Reported Attack Suspected
  Possible DCSync from a non domain controller
  Possible DLL Hijack into a Microsoft process
  Possible DLL Search Order Hijacking
  Possible Kerberoasting without SPNs
  Possible Kerberos relay attack
  Possible Pass-the-Hash
  Possible network service discovery via command-line tool
  Possible network sniffing attempt via tcpdump or tshark
  PowerShell Initiates a Network Connection to GitHub
  RDP connections enabled remotely via Registry
  Rare RDP session to a remote host
  Rare SMB session to a remote host
  Rare SSH Session
  Rare Unsigned Process Spawned by Office Process Under Suspicious Directory
  Rare Windows Remote Management (WinRM) HTTP Activity
  Rare communication over email ports to external email server by unsigned process
  Rare file transfer over SMB protocol
  Rare scheduled task created
  Rare security product signed executable executed in the network
  Rare service DLL was added to the registry
  Reading bash command history file
  Recurring access to rare IP
  Recurring rare domain access to dynamic DNS domain
  Remote DCOM command execution
  Remote command execution via wmic.exe
  Remote service start from an uncommon source
  Remote usage of an AWS service token
  Remote usage of an Azure Managed Identity token
  Remote usage of an Azure Service Principal token
  Rundll32.exe executes a rare unsigned module
  SMB Traffic from Non-Standard Process
  SPNs cleared from a machine account
  SSO authentication by a machine account
  SSO authentication by a service account
  SUID/GUID permission discovery
  Scheduled Task hidden by registry modification
  Screensaver process executed from Users or temporary folder
  Scripting engine connected to a rare external host
  SecureBoot was disabled
  Sensitive browser credential files accessed by a rare non browser process
  Setuid and Setgid file bit manipulation
  Stored credentials exported using credwiz.exe
  Suspicious Certutil AD CS contact
  Suspicious DotNet log file created
  Suspicious ICMP packet
  Suspicious LDAP search query executed
  Suspicious PowerShell Command Line
  Suspicious PowerShell Enumeration of Running Processes
  Suspicious Print System Remote Protocol usage by a process
  Suspicious Process Spawned by Adobe Reader
  Suspicious RunOnce Parent Process
  Suspicious SMB connection from domain controller
  Suspicious SSH Downgrade
  Suspicious Udev driver rule execution manipulation
  Suspicious container orchestration job
  Suspicious data encryption
  Suspicious failed HTTP request - potential Spring4Shell exploit
  Suspicious modification of the AdminSDHolder's ACL
  Suspicious module load using direct syscall
  Suspicious process accessed certificate files
  Suspicious process execution by scheduled task
  Suspicious process modified RC script file
  Suspicious runonce.exe parent process
  Suspicious sAMAccountName change
  Suspicious sshpass command execution
  Suspicious systemd timer activity
  Svchost.exe loads a rare unsigned module
  System information discovery via psinfo.exe
  The Linux system firewall was disabled
  Uncommon ARP cache listing via arp.exe
  Uncommon AT task-job creation by user
  Uncommon IP Configuration Listing via ipconfig.exe
  Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer
  Uncommon PowerShell commands used to create or alter scheduled task parameters
  Uncommon Remote Monitoring and Management Tool
  Uncommon SSH session was established
  Uncommon Security Support Provider (SSP) registered via a registry key
  Uncommon access to Microsoft Teams credential files
  Uncommon creation or access operation of sensitive shadow copy
  Uncommon local scheduled task creation via schtasks.exe
  Uncommon msiexec execution of an arbitrary file from a remote location
  Uncommon remote service start via sc.exe
  Uncommon routing table listing via route.exe
  Unsigned and unpopular process performed a DLL injection
  Unsigned and unpopular process performed an injection
  Unsigned process creates a scheduled task via file access
  Unusual AWS credentials creation
  Unusual AWS user added to group
  Unusual Azure AD sync module load
  Unusual Kubernetes API server communication from a pod
  Unusual Kubernetes dashboard communication from a pod
  Unusual Lolbins Process Spawned by InstallUtil.exe
  Unusual Netsh PortProxy rule
  Unusual compressed file password protection
  Unusual cross projects activity
  Unusual process accessed FTP Client credentials
  Unusual process accessed a crypto wallet's files
  Unusual process accessed a messaging app's files
  Unusual process accessed a web browser history file
  VPN login by a service account
  Weakly-Encrypted Kerberos Ticket Requested
  Windows Event Log was cleared using wevtutil.exe
  Windows event logs were cleared with PowerShell
  WmiPrvSe.exe Rare Child Command Line
  Wscript/Cscript loads .NET DLLs
  Wsmprovhost.exe Rare Child Process

Improved logic of 40 Low Analytics Alerts:
  A user connected a new USB storage device to multiple hosts
  A user rejected an SSO request from an unusual country
  A user sent multiple TGT requests to irregular service
  A user uploaded malware to SharePoint or OneDrive
  Abnormal ICMP echo (PING) to multiple hosts
  Abnormal SMB activity to multiple hosts
  Abnormal sensitive RPC traffic to multiple hosts
  Account probing
  An identity dumped multiple secrets from a project
  Excessive user account lockouts
  Failed Connections
  Failed DNS
  HTTP with suspicious characteristics
  Impossible traveler - SSO
  Impossible traveler - VPN
  Interactive local account enumeration
  Kerberos Pre-Auth Failures by Host
  Large Upload (FTP)
  Large Upload (Generic)
  Large Upload (HTTPS)
  Large Upload (SMTP)
  Multiple Azure AD admin role removals
  Multiple Rare LOLBIN Process Executions by User
  Multiple Suspicious FTP Login Attempts
  Multiple Weakly-Encrypted Kerberos Tickets Received
  Multiple discovery commands
  Multiple discovery commands on a Windows host by the same process
  Multiple suspicious user accounts were created
  NTLM Brute Force on a Service Account
  NTLM Brute Force on an Administrator Account
  New Shared User Account
  Outlook files accessed by an unsigned process
  Possible external RDP Brute-Force
  Rare LDAP enumeration
  Short-lived user account
  Spam Bot Traffic
  Suspicious ICMP traffic that resembles smurf attack
  Suspicious identity downloaded multiple objects from a bucket
  User collected remote shared files in an archive
  VPN login Brute-Force attempt

Improved logic of 412 Informational Analytics BIOCs:
  A Google Workspace Role privilege was deleted
  A Google Workspace identity created, assigned or modified a role
  A Google Workspace identity performed an unusual admin console activity
  A Google Workspace identity used the security investigation tool
  A Google Workspace service was configured as unrestricted
  A Google Workspace user was added to a group
  A Google Workspace user was removed from a group
  A Kubernetes ConfigMap was created or deleted
  A Kubernetes Cronjob was created
  A Kubernetes DaemonSet was created
  A Kubernetes Pod was created with a sidecar container
  A Kubernetes Pod was deleted
  A Kubernetes ReplicaSet was created
  A Kubernetes StatefulSet was created
  A Kubernetes cluster role binding was created or deleted
  A Kubernetes cluster was created or deleted
  A Kubernetes deployment was created
  A Kubernetes ephemeral container was created
  A Kubernetes namespace was created or deleted
  A Kubernetes node service account activity from external IP
  A Kubernetes role binding was created or deleted
  A Kubernetes secret was created or deleted
  A Kubernetes service account executed an unusual API call
  A Kubernetes service account has enumerated its permissions
  A Kubernetes service account was created or deleted
  A Kubernetes service was created or deleted
  A LOLBIN was copied to a different location
  A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment
  A Service Principal was removed from Azure
  A Torrent client was detected on a host
  A WMI subscriber was created
  A browser extension was installed or loaded in an uncommon way
  A browser was opened in private mode
  A cloud identity created or modified a security group
  A cloud identity executed an API call from an unusual country
  A cloud identity had escalated its permissions
  A cloud identity invoked IAM related persistence operations
  A cloud instance was stopped
  A cloud snapshot was created or modified
  A cloud storage configuration was modified
  A compressed file was exfiltrated over SSH
  A compute-attached identity executed API calls outside the instance's region
  A container registry was created or deleted
  A disabled user attempted to authenticate via SSO
  A disabled user attempted to log in
  A non-browser process accessed a website UI
  A process connected to a rare external host
  A process modified an SSH authorized_keys file
  A rare local administrator login
  A service was disabled
  A suspicious process queried AD CS objects via LDAP
  A third-party application was authorized to access the Google Workspace APIs
  A third-party application's access to the Google Workspace domain's resources was revoked
  A user accessed an uncommon AppID
  A user account was modified to password never expires
  A user added a Windows firewall rule
  A user certificate was issued with a mismatch
  A user changed the Windows system time
  A user connected a USB storage device for the first time
  A user connected a new USB storage device to a host
  A user connected from a new country
  A user connected to a VPN from a new country
  A user created a pfx file for the first time
  A user created an abnormal password-protected archive
  A user enabled a default local account
  A user logged in at an unusual time via SSO
  A user logged in at an unusual time via VPN
  A user logged in from an abnormal country or ASN
  A user logged in to the AWS console for the first time
  A user modified an Okta network zone
  A user modified an Okta policy rule
  A user queried AD CS objects via LDAP
  A user was added to a Windows security group
  AWS Cloud Trail log trail modification
  AWS CloudWatch log group deletion
  AWS CloudWatch log stream deletion
  AWS Config Recorder stopped
  AWS EC2 instance exported into S3
  AWS IAM resource group deletion
  AWS RDS cluster deletion
  AWS Role Trusted Entity modification
  AWS Root account activity
  AWS SSM send command attempt
  AWS STS temporary credentials were generated
  AWS SecurityHub findings were modified
  AWS config resource deletion
  AWS network ACL rule creation
  AWS user creation
  Abnormal Communication to a Rare Domain
  Abnormal Recurring Communications to a Rare Domain
  Abnormal User Login to Domain Controller
  Abnormal process connection to default Meterpreter port
  Activity in a dormant region of a cloud project
  Adding execution privileges
  Admin privileges were granted to a Google Workspace user
  Administrator groups enumerated via LDAP
  An AWS EFS File-share mount was deleted
  An AWS EFS file-share was deleted
  An AWS EKS cluster was created or deleted
  An AWS ElastiCache security group was created
  An AWS ElastiCache security group was modified or deleted
  An AWS GuardDuty IP set was created
  An AWS Lambda Function was created
  An AWS Lambda function was modified
  An AWS RDS Global Cluster Deletion
  An AWS RDS instance was created from a snapshot
  An AWS RDS master password was changed
  An AWS Route 53 domain was transferred to another AWS account
  An AWS S3 bucket configuration was modified
  An AWS SAML provider was modified
  An AWS SES Email sending settings were modified
  An AWS SES identity was deleted
  An Azure Cloud Shell was Created
  An Azure DNS Zone was modified
  An Azure Firewall Rule Collection was modified
  An Azure Firewall was modified
  An Azure Key Vault key was modified
  An Azure Key Vault was modified
  An Azure Kubernetes Cluster was created or deleted
  An Azure Kubernetes Role or Cluster-Role was modified
  An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted
  An Azure Kubernetes Service Account was modified or deleted
  An Azure Network Security Group was modified
  An Azure Point-to-Site VPN was modified
  An Azure Suppression Rule was created
  An Azure VPN Connection was modified
  An Azure firewall rule group was modified
  An Azure virtual network Device was modified
  An Azure virtual network was modified
  An Email address was added to AWS SES
  An IAM group was created
  An app was added to Google Marketplace
  An app was added to the Google Workspace trusted OAuth apps list
  An app was removed from a blocked list in Google Workspace
  An identity accessed Azure Kubernetes Secrets
  An identity attached an administrative policy to an IAM user/role
  An identity created or updated password for an IAM user
  An identity disabled bucket logging
  An identity started an AWS SSM session
  An identity was granted permissions to manage user access to Azure resources
  An operation was performed by an identity from a domain that was not seen in the organization
  An uncommon file added to startup-related Registry keys
  An uncommon file was created in the startup folder
  An unusual archive file creation by a user
  Aurora DB cluster stopped
  Authentication Attempt From a Dormant Account
  Authentication method added to an Azure account
  Azure AD PIM elevation request
  Azure AD account unlock/password reset attempt
  Azure Automation Account Creation
  Azure Automation Runbook Creation/Modification
  Azure Automation Runbook Deletion
  Azure Automation Webhook creation
  Azure Blob Container Access Level Modification
  Azure Event Hub Authorization rule creation/modification
  Azure Key Vault Secrets were modified
  Azure Key Vault modification
  Azure Kubernetes events were deleted
  Azure Resource Group Deletion
  Azure Storage Account key generated
  Azure Temporary Access Pass (TAP) registered to an account
  Azure account creation by a non-standard account
  Azure application URI modification
  Azure application consent
  Azure application credentials added
  Azure device code authentication flow used
  Azure diagnostic configuration deletion
  Azure service principal assigned app role
  Azure virtual machine commands execution
  BitLocker key retrieval
  Browser Extension Installed
  Browser bookmark files accessed by a rare non-browser process
  Cloud Organizational policy was created or modified
  Cloud Trail Logging has been stopped/suspended
  Cloud Unusual Instance Metadata Service (IMDS) access
  Cloud Watch alarm deletion
  Cloud compute instance user data script modification
  Cloud compute serial console access
  Cloud email service activity
  Cloud identity reached a throttling API rate
  Cloud impersonation attempt by unusual identity type
  Cloud unusual access key creation
  Command execution in a Kubernetes pod
  Command execution via wmiexec
  Commonly abused AutoIT script drops an executable file to disk
  Commonly abused process launched as a system service
  Creation or modification of the default command executed when opening an application
  DLP sensitive data exposed to external users
  DSC (Desired State Configuration) lateral movement using PowerShell
  Data Sharing between GCP and Google Workspace was disabled
  Denied API call by a Kubernetes service account
  Device Registration Policy modification
  Discovery of host users via WMIC
  EC2 snapshot attribute has been modified
  Exchange compliance search created
  Exchange email-hiding inbox rule
  Exchange email-hiding transport rule
  Exchange inbox forwarding rule configured
  Exchange mailbox folder permission modification
  Execution of an uncommon process at an early startup stage
  Execution of an uncommon process with a local/domain user SID at an early startup stage
  External Sharing was turned on for Google Drive
  Failed Login For Locked-Out Account
  Failed Login For a Long Username With Special Characters
  File transfer from unusual IP using known tools
  First SSO Resource Access in the Organization
  First SSO access from ASN for user
  First SSO access from ASN in organization
  First VPN access attempt from a country in organization
  First VPN access from ASN for user
  First VPN access from ASN in organization
  First connection from a country in organization
  GCP Firewall Rule Modification
  GCP Firewall Rule creation
  GCP IAM Custom Role Creation
  GCP IAM Role Deletion
  GCP IAM Service Account Key Deletion
  GCP Logging Bucket Deletion
  GCP Logging Sink Modification
  GCP Pub/Sub Subscription Deletion
  GCP Pub/Sub Topic Deletion
  GCP Service Account Disable
  GCP Service Account creation
  GCP Service Account deletion
  GCP Service Account key creation
  GCP Storage Bucket Configuration Modification
  GCP Storage Bucket Permissions Modification
  GCP Storage Bucket deletion
  GCP VPC Firewall Rule Deletion
  GCP Virtual Private Cloud (VPC) Network Deletion
  GCP Virtual Private Network Route Creation
  GCP Virtual Private Network Route Deletion
  GCP set IAM policy activity
  Globally uncommon IP address by a common process (sha256)
  Globally uncommon IP address connection from a signed process
  Globally uncommon high entropy module was loaded
  Globally uncommon high entropy process was executed
  Globally uncommon image load from a signed process
  Globally uncommon injection from a signed process
  Globally uncommon process execution from a signed process
  Globally uncommon root-domain port combination by a common process (sha256)
  Gmail delegation was turned on for the organization
  Gmail routing settings changed
  Google Marketplace restrictions were modified
  Google Workspace organizational unit was modified
  Google Workspace third-party application's security settings were changed
  Granting Access to an Account
  Hidden Attribute was added to a file using attrib.exe
  IAM User added to an IAM group
  Identity assigned an Azure AD Administrator Role
  Indicator blocking
  Injection into rundll32.exe
  Interactive login by a machine account
  Interactive login from a shared user account
  Iptables configuration command was executed
  Kubernetes Pod Created With Sensitive Volume
  Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
  Kubernetes Pod created with host process ID (PID) namespace
  Kubernetes Privileged Pod Creation
  Kubernetes admission controller activity
  Kubernetes cluster events deletion
  Kubernetes network policy modification
  Kubernetes nsenter container escape
  Kubernetes pod creation with host network
  Kubernetes secret enumeration activity
  Kubernetes service account activity outside the cluster
  Kubernetes version disclosure
  LDAP traffic from non-standard process
  LOLBAS executable injects into another process
  LOLBIN created a PSScriptPolicyTest PowerShell script file
  Local account discovery
  Local user account creation
  Login by a dormant user
  MFA device was removed/deactivated from an IAM user
  Microsoft 365 DLP policy disabled or removed
  Modification of PAM
  Modification or Deletion of an Azure Application Gateway Detected
  Msiexec execution of an executable from an uncommon remote location
  Network sniffing detected in Cloud environment
  Network traffic to a crypto miner related domain detected
  New process created via a WMI call
  Okta API Token Created
  Okta admin privilege assignment
  Owner added to Azure application
  PIM privilege member removal
  Penetration testing tool activity attempt
  Penetration testing tool attempt
  Permission Groups discovery commands
  Ping to localhost from an uncommon, unsigned parent process
  Possible DLL Side-Loading
  Possible Email collection using Outlook RPC
  Possible GPO Enumeration
  Possible IPFS traffic was detected
  Possible LDAP Enumeration Tool Usage
  Possible SPN enumeration
  Possible binary padding using dd
  Possible data obfuscation
  Possible use of IPFS was detected
  Possible use of a networking driver for network sniffing
  Possible webshell file written by a web server process
  PowerShell pfx certificate extraction
  PsExec was executed with a suspicious command line
  Python HTTP server started
  Rare AppID usage to a rare destination
  Rare DCOM RPC activity
  Rare DLP rule match by user
  Rare LOLBIN Process Execution by User
  Rare NTLM Access By User To Host
  Rare NTLM Usage by User
  Rare SMTP/S Session
  Rare Scheduled Task RPC activity
  Rare Unix process divided files by size
  Rare WinRM Session
  Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol
  Rare machine account creation
  Rare process accessed a Keychain file
  Rare process execution by user
  Rare process execution in organization
  Rare process spawned by srvany.exe
  Rare signature signed executable executed in the network
  Registration of Uncommon .NET Services and/or Assemblies
  Remote PsExec-like command execution
  Remote code execution into Kubernetes Pod
  Remote usage of AWS Lambda's token
  Remote usage of VM Service Account token
  Remote usage of an App engine Service Account token
  Removal of an Azure Owner from an Application or Service Principal
  Run downloaded script using pipe
  S3 configuration deletion
  SSO with abnormal operating system
  SSO with abnormal user agent
  SSO with new operating system
  SaaS suspicious external domain user activity
  Scrcons.exe Rare Child Process
  Security tools detection attempt
  Sensitive account password reset attempt
  Service execution via sc.exe
  SharePoint Site Collection admin group addition
  Signed process performed an unpopular DLL injection
  Signed process performed an unpopular injection
  Space after filename
  Successful unusual guest user invitation
  Suspicious AMSI decode attempt
  Suspicious Azure AD interactive sign-in using PowerShell
  Suspicious External RDP Login
  Suspicious SSO access from ASN
  Suspicious SSO authentication
  Suspicious access to shadow file
  Suspicious active setup registered
  Suspicious cloud compute instance ssh keys modification attempt
  Suspicious container runtime connection from within a Kubernetes Pod
  Suspicious curl user agent
  Suspicious docker image download from an unusual repository
  Suspicious domain user account creation
  Suspicious process accessed a site masquerading as Google
  Suspicious process executed with a high integrity level
  Suspicious process execution from tmp folder
  Suspicious process execution in a privileged container
  Suspicious process loads a known PowerShell module
  Suspicious proxy environment variable setting
  Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet
  System profiling WMI query execution
  System shutdown or reboot
  Tampering with Internet Explorer Protected Mode configuration
  Tampering with the Windows User Account Controls (UAC) configuration
  Uncommon DotNet module load relationship
  Uncommon GetClipboardData API function invocation of a possible information stealer
  Uncommon Managed Object Format (MOF) compiler usage
  Uncommon RDP connection
  Uncommon browser extension loaded
  Uncommon communication to an instant messaging server
  Uncommon kernel module load
  Uncommon net group or localgroup execution
  Uncommon net localgroup execution
  Uncommon network tunnel creation
  Uncommon user management via net.exe
  Unpopular rsync process execution
  Unusual ADConnect database file access
  Unusual AWS systems manager activity
  Unusual Conditional Access operation for an identity
  Unusual DB process spawning a shell
  Unusual IAM enumeration activity by a non-user Identity
  Unusual Identity and Access Management (IAM) activity
  Unusual Kubernetes service account file read
  Unusual access to the AD Sync credential files
  Unusual access to the Windows Internal Database on an ADFS server
  Unusual certificate management activity
  Unusual cloud identity impersonation
  Unusual exec into a Kubernetes Pod
  Unusual key management activity
  Unusual process accessed a macOS notes DB file
  Unusual process accessed the PowerShell history file
  Unusual process accessed web browser cookies
  Unusual process accessed web browser credentials
  Unusual resource modification by newly seen IAM user
  Unusual resource modification/creation
  Unusual secret management activity
  Unusual use of a 'SysInternals' tool
  Unusual weak authentication by user
  Unverified domain added to Azure AD
  User accessed SaaS resource via anonymous link
  User account delegation change
  User added SID History to an account
  User attempted to connect from a suspicious country
  User discovery via WMI query execution
  VM Detection attempt
  VM Detection attempt on Linux
  VPN access with an abnormal operating system
  VPN login by a dormant user
  VPN login with a machine account
  Weakly-Encrypted Kerberos TGT Response
  WebDAV drive mounted from net.exe over HTTPS

Improved logic of 73 Informational Analytics Alerts:
  A user accessed an abnormal number of files on a remote shared folder
  A user accessed an abnormal number of remote shared folders
  A user accessed multiple time-consuming websites
  A user accessed multiple unusual resources via SSO
  A user authenticated with weak NTLM to multiple hosts
  A user established an SMB connection to multiple hosts
  A user executed multiple LDAP enumeration queries
  A user logged on to multiple workstations via Schannel
  A user performed suspiciously massive file activity
  A user printed an unusual number of files
  A user received multiple weakly encrypted service tickets
  A user requested multiple service tickets
  A user took numerous screenshots
  Abnormal Allocation of compute resources in multiple regions
  Allocation of multiple cloud compute resources
  An identity performed a suspicious download of multiple cloud storage objects
  Brute-force attempt on a local account
  Cloud infrastructure enumeration activity
  Cloud user performed multiple actions that were denied
  Deletion of multiple cloud resources
  Download pattern that resembles Peer to Peer traffic
  Exchange mailbox delegation permissions added
  External Login Password Spray
  External SaaS file-sharing activity
  IAM Enumeration sequence
  Impossible travel by a cloud identity
  Increase in Job-Related Site Visits
  Intense SSO failures
  Internal Login Password Spray
  Kerberos Pre-Auth Failures by User and Host
  Kubernetes enumeration activity
  Massive file activity abnormal to process
  Massive file compression by user
  Massive file downloads from SaaS service
  Massive upload to SaaS service
  Massive upload to a rare storage or mail domain
  Multi region enumeration activity
  Multiple Rare Process Executions in Organization
  Multiple SSO MFA attempts were rejected by a user
  Multiple TGT requests for users without Kerberos pre-authentication
  Multiple cloud snapshots export
  Multiple discovery commands on a Linux host by the same process
  Multiple discovery-like commands
  Multiple failed logins from a single IP
  Multiple user accounts were deleted
  Multiple users authenticated with weak NTLM to a host
  NTLM Brute Force
  NTLM Password Spray
  NTLM Relay
  Okta Reported Threat Detected
  Port Scan
  Possible Brute-Force attempt
  Possible LDAP enumeration by unsigned process
  Possible TGT reuse from different hosts (pass the ticket)
  Possible brute force on sudo user
  Possible data exfiltration over a USB storage device
  Possible internal data exfiltration over a USB storage device
  Rare access to known advertising domains
  Remote account enumeration
  SSH authentication brute force attempts
  SSO Brute Force
  SSO Password Spray
  Sensitive Exchange mail sent to external users
  Short-lived Azure AD user account
  Storage enumeration activity
  Suspicious DNS traffic
  Suspicious access to cloud credential files
  Suspicious container reconnaissance activity in a Kubernetes pod
  Suspicious reconnaissance using LDAP
  Upload pattern that resembles Peer to Peer traffic
  User added to a group and removed
  User and Group Enumeration via SAMR
  User moved Exchange sent messages to deleted items

Removed an old Informational BIOC:
  Suspicious setspn.exe execution
