[Informational] A cloud identity executed an API call from an unusual country
[High] A cloud identity executed an API call from an unusual country using a compromised AWS access key - Added
[Medium] A Kubernetes identity executed an API call from a country that was not seen in the organization - Modified Metadata
[Low] A Kubernetes API call was executed from an unusual country - Modified Metadata
[Informational] A process is masquerading as a common Microsoft product
[High] An unsigned actor executed masqueraded process which was downloaded from unexpected source - Modified Metadata
[Informational] Activity in a dormant region of a cloud project
[High] Activity in a dormant region of a cloud project by a compromised AWS access key - Added
[High] Collection error
[Informational] Multiple failed logins from a single IP
[High] Multiple failed logins from a single IP by a compromised AWS access key - Added
[Low] Possible DCSync from a non domain controller
[High] DCSync from a non domain controller from a non-standard process - Modified Metadata
[Medium] Parsing Rule Error
[Informational] SSO Brute Force
[Medium] SSO Brute Force Threat Detected - Modified Metadata
[Medium] SSO Brute Force on a Honey User Account - Modified Metadata
[Low] SSO Brute Force Activity Observed - Modified Metadata
[Informational] Unusual cloud Instance Metadata Service (IMDS) access
[Medium] Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows shell process - Added
[Medium] Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows web service - Added
[Low] Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows scripting process - Added
[Informational] Unusual user-agent for a cloud identity
[Medium] Unusual user-agent for a cloud identity by a compromised AWS access key - Added
[Low] A user uploaded malware to SharePoint or OneDrive
[Low] Azure domain federation settings modification attempt
[Low] Email attachment with Right-to-Left Override Unicode character
[Low] Email was received from an unknown sender using a disposable domain
[Low] Email with file-sharing link containing auto-download parameter
[Low] Logs were not collected from a data source for an abnormally long time
[Low] Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time - Modified Logic
[Low] Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time - Modified Logic
[Low] Rare process executed by an AppleScript
[Low] Risk indicators detected in email
[Low] Sending unusual file(s) to an external address
[Informational] Uncommon Launch Agent persistency was registered or modified
[Low] Uncommon Launch Agent persistency was registered or modified while using a data communication tool - Modified Metadata
[Low] Uncommon Launch Agent persistency was registered or modified while using osascript - Modified Metadata
[Informational] Uncommon Launch Daemon persistency was registered or modified
[Low] Uncommon Launch Daemon persistency was registered or modified while using osascript - Modified Logic
[Informational] Uncommon login item persistency was registered or modified
[Low] Uncommon login item persistency was registered or modified while using osascript - Modified Logic
[Informational] Uncommon macOS shell command execution
[Low] Uncommon macOS shell command execution trying to gather information about the system - Removed
[Low] Uncommon macOS shell command execution trying to gather information about the system - Added
[Low] Unusual process accessed a crypto wallet's files
[Low] Unusual process accessed a messaging app's files
[Low] Unusual process accessed a web browser history file
[Informational] Unusual process accessed web browser cookies
[Low] Unusual unsigned process accessed web browser cookies - Modified Metadata
[Informational] User exported multiple messages in Microsoft Teams via Graph API
[Low] User exported multiple chats in Microsoft Teams via Graph API - Modified Metadata
[Low] User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time - Modified Metadata
[Low] User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN - Modified Metadata
[Informational] AppleScript executed a shell script
[Informational] AppleScript interpreter dynamic library loaded into a process
[Informational] Email attachment with a potentially malicious file extension
[Informational] Email attachment with multiple extensions
[Informational] Email attachment(s) with potentially malicious MIME type
[Informational] Email containing a link with an IP address convention was detected
[Informational] Email containing a redirected link
[Informational] Email contains URL delivering high-risk file type
[Informational] Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values
[Informational] Email mimics replies or forwards without an actual ongoing conversation
[Informational] Email was received from an unknown address using a public provider domain
[Informational] Email with URL shortener detected
[Informational] External email display name impersonation of internal personnel
[Informational] External email display name impersonation of internal personnel, using a public provider - Modified Logic
[Informational] External email with a single internal recipient hidden in BCC
[Informational] First-seen email from mailbox owner to external recipient's address in the last 30 days
[Informational] Microsoft Teams messages were exported from conversation
[Informational] Moniker link detected in URL(s)
[Informational] Near-empty email from an external sender
[Informational] Numerous emails sent by a single sender to multiple internal recipients
[Informational] Outbound email contains file-sharing service link sent to external recipient
[Informational] Outbound email includes an external BCC recipient observed for the first time
[Informational] Outbound email to an address hosted by a public email service provider
[Informational] Potential spoofing of internal domain spotted
[Informational] Punycode characters detected in URL(s)
[Informational] Rarely seen URL(s) within a well-known domain detected in your organization's email
[Informational] Sudden spike in outbound email volume
[Informational] Suspicious DKIM Result
[Informational] DKIM results lacking sender correlation - Modified Logic
[Informational] Known domain DKIM deviation - Modified Logic
[Informational] Suspicious DMARC result
[Informational] DMARC deviation from historically compliant domain - Modified Metadata
[Informational] Suspicious SPF Result
[Informational] Suspicious Unicode character detected in email
[Informational] Uncommon URL domain(s) in your organization detected in email
[Informational] Uncommon attempt at discovering a sensitive file
[Informational] Uncommon attempt at grabbing credentials from a sensitive file
[Informational] Unpopular URL(s) detected in email
[Informational] Unpopular domains detected in email URLs for a recipient
[Informational] Unrecognized internal address (AAD mismatch)
[Informational] Unrecognized sender address
[Informational] Unrecognized sender domain
[Informational] Unusual attachment volume in outbound emails
[Informational] Unusual display name in From header
[Informational] Unusual hostname for the sending mail server in the email headers
[Informational] Unusual process accessed a macOS notes DB file
[Informational] Unusual process accessed web browser credentials
[Informational] Usage of homograph characters detected in an email
[Informational] Usage of homograph characters detected in an email attachment(s) name
[Informational] Usage of homograph characters detected in an email's from header
[Informational] Well-known brand in sender headers with header inconsistencies
[Informational] X-Forefront-Antispam-Report has flagged this email as a potential threat