[High] A successful login from Tor
[Informational] A compute-attached identity executed API calls outside the instance's region
[High] A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN - Modified Metadata
[Medium] A compute-attached identity executed API calls outside the instance's region from an unusual geolocation - Modified Metadata
[Informational] A process connected to a rare external host
[High] LOLBIN spawned by an Office executable connected to a rare external host - Modified Metadata
[Informational] A curl process connected to a rare external host - Modified Metadata
[High] Copy a process memory file
[High] Memory dumping with comsvcs.dll
[Informational] Remote usage of AWS Lambda's role
[High] Remote command line usage of AWS Lambda's role - Modified Metadata
[High] Suspicious usage of AWS Lambda's role - Modified Metadata
[Medium] Suspicious usage of AWS Lambda's role - Modified Metadata
[Low] Suspicious usage of AWS Lambda's role - Modified Metadata
[High] Suspicious objects encryption in an AWS bucket
[Low] Unsigned and unpopular process performed a DLL injection
[High] Unsigned and unpopular process performed a DLL injection to a commonly abused process - Modified Metadata
[Medium] Unsigned and unpopular process performed a DLL injection to a security vendor signed process - Modified Metadata
[Medium] Unsigned and unpopular process performed a DLL injection to a sensitive process - Modified Metadata
[Medium] A Possible crypto miner was detected on a host
[Medium] A cloud identity performed multiple unusual activities
[Medium] A contained executable was executed by an unusual process
[Medium] 69ab3fbe-7b14-4439-bd23-8b7c5e40a76a - Modified Metadata
[Medium] A machine certificate was issued with a mismatch
[Informational] A non-browser process accessed a website UI
[Medium] Uncommon data download from a known text share website through a Non-browser process - Modified Metadata
[Medium] A process was executed with a command line obfuscated by Unicode character substitution
[Informational] An uncommon file was created in the startup folder
[Medium] An executable file with a non-default extension was added to the startup folder - Modified Metadata
[Low] An executable or script was added to the startup folder - Modified Metadata
[Medium] Bitsadmin.exe persistence using command-line callback
[Informational] EBS snapshots were created from an EC2 instance
[Medium] EBS snapshots were created from an EC2 instance attached to one or more volumes with sensitive data - Modified Metadata
[Low] An unusual creation of EBS snapshots from an EC2 instance - Modified Metadata
[Informational] Executable moved to Windows system folder
[Medium] Rare executable moved to Windows system folder by rare causality actor - Modified Metadata
[Low] Executable moved to Windows system folder by rare and unsigned actor - Modified Metadata
[Low] Rare executable moved to Windows system folder by rare actor - Modified Metadata
[Medium] Fodhelper.exe UAC bypass
[Informational] Globally uncommon injection from a signed process
[Medium] Globally uncommon suspicious injection from a signed process - Modified Metadata
[Medium] Gost tunneling execution
[Low] Image file execution options (IFEO) registry key set
[Medium] Image file execution options (IFEO) registry key set to activate Windows licenses illegally - Modified Metadata
[Medium] Indirect command execution using the Program Compatibility Assistant
[Medium] Logging was impaired via external encryption key
[Low] MFA was disabled for an Azure identity
[Medium] Suspicious MFA was disabled for an Azure identity - Modified Metadata
[Informational] MFA was disabled for an Azure identity regularly by the user - Modified Metadata
[Medium] Mailbox Client Access Setting (CAS) changed
[Medium] Manipulation of netsh helper DLLs Registry keys
[Informational] Multiple cloud snapshots export
[Medium] c04afdbe-fcb3-43f1-825c-556f25bca9cd - Modified Metadata
[Informational] Penetration testing tool activity attempt
[Medium] 3f88509f-bc75-40df-bca4-db19cf11b6cd - Modified Metadata
[Medium] Possible Kerberoasting attack
[Medium] Possible Persistence via group policy Registry keys
[Medium] Possible Search For Password Files
[Medium] Possible code downloading from a remote host by Regsvr32
[Medium] Possible collection of screen captures with Windows Problem Steps Recorder
[Medium] Possible malicious .NET compilation started by a commonly abused process
[Medium] PowerShell dumps users and roles from Exchange server
[Medium] PowerShell used to export mailbox contents
[Medium] Procdump executed from an atypical directory
[Medium] Process changes the Windows logon text
[Medium] RDP Connection to localhost
[Informational] Rare process accessed a Keychain file
[Medium] Rare process accessed a Keychain file while installing a new certificate - Modified Metadata
[Low] Rare process accessed a Keychain file initiated by a causality actor with a rare path - Modified Metadata
[Low] Rare process accessed a Keychain file initiated by an unsigned causality actor - Modified Metadata
[Low] Rare unsigned process accessed a Keychain file - Modified Metadata
[Medium] Rundll32.exe spawns conhost.exe
[Medium] Script file added to startup-related Registry keys
[Low] Stored credentials exported using credwiz.exe
[Medium] Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr function - Modified Metadata
[Low] Stored credentials exported using credwiz.exe over RDP - Modified Metadata
[Low] Stored credentials exported using credwiz.exe with a built-in Windows tool - Modified Metadata
[Medium] Suspicious .NET process loads an MSBuild DLL
[Medium] Suspicious Process Spawned by wininit.exe
[Medium] Suspicious SearchProtocolHost.exe parent process
[Medium] Suspicious certutil command line
[Medium] Suspicious disablement of the Windows Firewall using PowerShell commands
[Medium] Suspicious heavy allocation of compute resources - possible mining activity
[Medium] Suspicious time provider registered
[Low] Suspicious usage of EC2 token
[Medium] Suspicious usage of EC2 token - Modified Metadata
[Medium] Uncommon DLL-sideloading from a logical CD-ROM (ISO) device
[Informational] Uncommon net localgroup command execution
[Medium] Uncommon net localgroup administrators command execution by a web server process or CGO - Modified Metadata
[Low] Uncommon remote net localgroup execution - Modified Metadata
[Low] Uncommon remote monitoring and management tool
[Medium] Uncommon remote monitoring and management tool downloaded from an uncommon source and executed - Modified Metadata
[Medium] Unsigned process injecting into a Windows system binary with no command line
[Medium] Unusual process access to ld.so.preload file
[Low] Weakly-Encrypted Kerberos Ticket Requested
[Medium] Weakly-Encrypted Kerberos Ticket Requested on a sensitive server - Modified Metadata
[Low] A GCP service account was delegated domain-wide authority in Google Workspace
[Informational] A Google Workspace identity created, assigned or modified a role
[Low] A non-administrative Google Workspace identity created, assigned or modified a role from an unusual ASN - Modified Metadata
[Informational] A Google Workspace service was configured as unrestricted
[Low] A Google Workspace service was configured as unrestricted by a suspicious identity - Modified Metadata
[Informational] A cloud identity created or modified a security group
[Low] A cloud identity opened a security group to an unknown IP - Modified Metadata
[Low] A compiled HTML help file wrote a script file to the disk
[Low] A domain was added to the trusted domains list
[Low] A domain was added to the trusted domains list from an unusual ASN - Modified Metadata
[Low] A rare file path was added to the AppInit_DLLs registry value
[Low] A remote service was created via RPC over SMB
[Low] A suspicious direct syscall was executed
[Low] AWS GuardDuty detector deletion
[Low] AWS web ACL deletion
[Informational] Abnormal process connection to default Meterpreter port
[Low] Abnormal process connection to default Meterpreter port on an internet-facing server - Modified Metadata
[Informational] An AWS database service master user password was changed
[Low] An AWS Database Service master user password was changed by a non-DevOps identity - Modified Metadata
[Low] An AWS Database Service master user password was changed from an unusual country - Modified Metadata
[Low] An Azure Firewall policy deletion
[Informational] An Azure application reached a throttling API rate
[Low] An Azure application reached an unusual throttling API rate - Modified Metadata
[Informational] An Azure application reached an unusual throttling API rate - Modified Metadata
[Informational] An app was removed from a blocked list in Google Workspace
[Low] An app was removed from a blocked list in Google Workspace by a suspicious identity - Modified Metadata
[Low] An uncommon service was started
[Informational] Authentication Attempt From a Dormant Account
[Low] Authentication Attempt From a Dormant Account to a sensitive server - Modified Metadata
[Low] Azure Network Watcher Deletion
[Low] Change of sudo caching configuration
[Informational] Common third-party software name masquerading
[Low] Common third-party software name masquerading which was downloaded from an unexpected source - Modified Metadata
[Low] Copy a user's GnuPG directory with rsync
[Informational] Data Sharing between GCP and Google Workspace was disabled
[Low] Data Sharing between GCP and Google Workspace was disabled by a suspicious identity - Modified Metadata
[Low] Delayed Deletion of Files
[Low] Disable encryption operations
[Low] Download a script using the python requests module
[Low] Dumping Registry hives with passwords
[Low] Executable or Script file written by a web server process
[Low] A driver was written by a web server process - Modified Metadata
[Informational] External Sharing was turned on for Google Drive
[Low] External Sharing was turned on for Google Drive by a non-administrative Google Workspace user from an unusual ASN - Modified Metadata
[Low] GCP data asset shared public
[Informational] Globally uncommon high entropy process was executed
[Low] Globally uncommon high entropy process was downloaded from an uncommon source and executed - Modified Metadata
[Low] Globally uncommon root domain from a signed process
[Low] Globally uncommon root-domain port combination from a signed process
[Informational] Gmail routing settings changed
[Low] Gmail routing settings changed by a non-administrative Google Workspace identity - Modified Metadata
[Low] Installation of a new System-V service
[Low] Interactive at.exe privilege escalation method
[Low] Interactive local account enumeration
[Low] Keylogging using system commands
[Low] Known service display name with uncommon image-path
[Low] Known service name with an uncommon image-path
[Low] Large Upload (FTP)
[Low] MFA Disabled for Google Workspace
[Low] MFA Disabled for Google Workspace from an unusual caller IP ASN - Modified Metadata
[Low] Microsoft Office adds a value to autostart Registry key
[Low] Microsoft Office injects code into a process
[Low] Modification of NTLM restrictions in the Registry
[Low] MpCmdRun.exe was used to download files into the system
[Low] Mshta.exe launched with suspicious arguments
[Low] Multiple Azure AD admin role removals
[Low] Multiple uncommon SSH Servers with the same Server host key
[Low] NTDS.dit file written by an uncommon executable
[Low] New addition to Windows Defender exclusion list
[Low] Office process spawned with suspicious command-line arguments
[Low] PowerPoint process accesses a suspicious PPAM file - Modified Metadata
[Low] Possible Kerberoasting without SPNs
[Low] Possible external RDP Brute-Force
[Low] Possible network sniffing attempt via tcpdump or tshark
[Informational] Potential DCSync by an unusual user
[Low] Possible DCSync by an unusual user - Modified Metadata
[Informational] Privileged role used by Azure application
[Low] First-time privileged role is used by Azure application - Modified Metadata
[Low] RDP connections enabled remotely via Registry
[Low] Rare RDP session to a remote host
[Low] Rare process created an SSH session to an uncommon cloud resource
[Low] Rare service DLL was added to the registry
[Informational] Rare signature signed executable executed in the network
[Low] Rare signature signed executable downloaded from an uncommon source and executed in the network - Modified Metadata
[Low] Recurring access to rare IP
[Low] Remote usage of an AWS service token
[Informational] Removal of an Azure Owner from an Application or Service Principal
[Low] Removal of an Azure AD privileged user from an Application or Service Principal - Modified Metadata
[Low] Rundll32.exe executes a rare unsigned module
[Low] Screensaver process executed from Users or temporary folder
[Low] SecureBoot was disabled
[Low] Suspicious EBS snapshots deletion
[Low] Suspicious SMB connection from domain controller
[Low] Suspicious SSH Downgrade
[Low] Suspicious account attribute modification that matches that of another account
[Low] Suspicious activity indicating a potential abuse of a cloud-native email service
[Informational] Suspicious docker image download from an unusual repository
[Low] Suspicious docker image download from an unrecognized registry - Modified Metadata
[Low] Suspicious docker image download from an unrecognized repository - Modified Metadata
[Low] Suspicious failed HTTP request - potential Spring4Shell exploit
[Low] Suspicious runonce.exe parent process
[Low] Suspicious sshpass command execution
[Low] Svchost.exe loads a rare unsigned module
[Low] System information discovery via psinfo.exe
[Low] Uncommon VNC server communication
[Low] Uncommon VNC server communication from an unmanaged previously unseen external host - Modified Metadata
[Informational] Partially uncommon VNC server communication - Modified Metadata
[Informational] Uncommon communication to an instant messaging server
[Low] Uncommon communication to an instant messaging server by an uncommon scripting engine execution - Modified Metadata
[Low] Uncommon msiexec execution of an arbitrary file from a remote location
[Informational] Uncommon net group command execution
[Low] Uncommon remote net group administrators command execution - Modified Metadata
[Low] Uncommon remote net group execution - Modified Metadata
[Low] Uncommon sensitive registry hive dump
[Informational] Uncommon signed process execution by scheduled task
[Low] Rare signed process execution by scheduled task - Modified Metadata
[Low] Unsigned and unpopular process performed an injection
[Low] Unusual Encrypting File System Remote call (EFSRPC) to domain controller
[Low] Unusual Lolbins Process Spawned by InstallUtil.exe
[Low] Unusual Netsh PortProxy rule
[Low] Windows Event Log was cleared using wevtutil.exe
[Low] Wscript/Cscript loads .NET DLLs
[Informational] A Google Workspace Role privilege was deleted
[Informational] A Google Workspace identity performed an unusual admin console activity
[Informational] A Google Workspace identity used the security investigation tool
[Informational] A Google Workspace user was removed from a group
[Informational] A Kubernetes Cronjob was created
[Informational] A Kubernetes DaemonSet was created
[Informational] A Kubernetes Pod was deleted
[Informational] A Kubernetes ReplicaSet was created
[Informational] A Kubernetes cluster was created or deleted
[Informational] A Kubernetes ephemeral container was created
[Informational] A Kubernetes namespace was created or deleted
[Informational] A Kubernetes service was created or deleted
[Informational] A LOLBIN was copied to a different location
[Informational] A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment
[Informational] A Service Principal was removed from Azure
[Informational] A Torrent client was detected on a host
[Informational] 0891f007-4666-4ed4-9a7e-2fa724b925e4 - Modified Metadata
[Informational] A WMI subscriber was created
[Informational] A browser extension was installed or loaded in an uncommon way
[Informational] A compressed file was exfiltrated over SSH
[Informational] A container registry was created or deleted
[Informational] A process modified an SSH authorized_keys file
[Informational] A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
[Informational] A third-party application was authorized to access the Google Workspace APIs
[Informational] A third-party application's access to the Google Workspace domain's resources was revoked
[Informational] A third-party utility was copied to a different location
[Informational] A user accessed multiple time-consuming websites
[Informational] A user connected a new USB storage device to a host
[Informational] A user created an abnormal password-protected archive
[Informational] ADFind queries Active Directory for Exchange groups
[Informational] AWS Backup recovery point deletion
[Informational] AWS CloudWatch log group deletion
[Informational] AWS CloudWatch log stream deletion
[Informational] AWS Config Recorder stopped
[Informational] AWS EBS snapshot deletion
[Informational] AWS EC2 instance exported into S3
[Informational] AWS IAM resource group deletion
[Informational] AWS RDS cluster deletion
[Informational] AWS S3 discovery operation
[Informational] AWS S3 object deletion
[Informational] AWS SES account sending settings modified
[Informational] AWS SSM parameters retrieval
[Informational] Unusual AWS SSM parameters retrieval - Modified Metadata
[Informational] AWS SecurityHub findings were modified
[Informational] AWS config resource deletion
[Informational] AWS network ACL rule creation
[Informational] AWS network ACL rule deletion
[Informational] AWS root account activity
[Informational] AWS support case creation
[Informational] Abnormal Allocation of compute resources in multiple regions
[Informational] Abnormal Communication to a Rare Domain
[Informational] Abnormal RDP connections to multiple hosts
[Informational] Abnormal Recurring Communications to a Rare Domain
[Informational] Access to Kubernetes CA certificate file
[Informational] Adding execution privileges
[Informational] Adding execution privileges in a Kubernetes pod - Modified Metadata
[Informational] Admin privileges were granted to a Google Workspace user
[Informational] An AWS EFS File-share mount was deleted
[Informational] An AWS EFS file-share was deleted
[Informational] An AWS EKS cluster was created or deleted
[Informational] An AWS GuardDuty IP set was created
[Informational] An AWS Lambda Function was created
[Informational] An AWS RDS Global Cluster Deletion
[Informational] An AWS RDS instance was created from a snapshot
[Informational] An AWS Route 53 domain was transferred to another AWS account
[Informational] An AWS S3 bucket configuration was modified
[Informational] An AWS SAML provider was modified
[Informational] An AWS SES identity was deleted
[Informational] An Azure DNS Zone was modified
[Informational] An Azure Firewall was modified
[Informational] An Azure Key Vault was modified
[Informational] An Azure Kubernetes Cluster was created or deleted
[Informational] An Azure Kubernetes Role or Cluster-Role was modified
[Informational] An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted
[Informational] An Azure Kubernetes Service Account was modified or deleted
[Informational] An Azure Network Security Group was modified
[Informational] An Azure Point-to-Site VPN was modified
[Informational] An Azure VPN Connection was modified
[Informational] An Azure firewall rule group was modified
[Informational] An Azure identity performed multiple actions that were denied
[Informational] An Azure virtual network Device was modified
[Informational] An Azure virtual network was modified
[Informational] An Email address was added to AWS SES
[Informational] An IAM group was created
[Informational] An app was added to Google Marketplace
[Informational] An app was added to the Google Workspace trusted OAuth apps list
[Informational] An identity accessed Azure Kubernetes Secrets
[Informational] An identity accessed a cloud storage for the first time
[Informational] An identity started an AWS SSM session
[Informational] An operation was performed by an identity from a domain that was not seen in the organization
[Informational] AppleScript process executed with a rare command line
[Informational] Aurora DB cluster stopped
[Informational] Azure AD account unlock/password reset attempt
[Informational] Azure Automation Runbook Deletion
[Informational] Azure Event Hub Authorization rule creation/modification
[Informational] Azure Key Vault Secrets were modified
[Informational] Azure Key Vault modification
[Informational] Azure Kubernetes events were deleted
[Informational] Azure Storage Account key generated
[Informational] Azure device code authentication flow used
[Informational] Azure diagnostic configuration deletion
[Informational] Azure virtual machine commands execution
[Informational] Cloud Organizational policy was created or modified
[Informational] CloudWatch alarm deletion
[Informational] Cloud email service activity
[Informational] Cloud identity reached a throttling API rate
[Informational] Cloud identity reached an unusual throttling API rate - Modified Metadata
[Informational] Cloud user performed multiple actions that were denied
[Informational] Command enumeration via sudo
[Informational] Command execution in a Kubernetes pod
[Informational] Commonly abused AutoIT script drops an executable file to disk
[Informational] Data encryption was disabled
[Informational] EC2 snapshot attribute has been modified
[Informational] Execution of an uncommon process with a local/domain user SID at an early startup stage
[Informational] GCP Firewall Rule Modification
[Informational] GCP Firewall Rule creation
[Informational] GCP IAM Role Deletion
[Informational] GCP IAM Service Account Key Deletion
[Informational] GCP Logging Bucket Deletion
[Informational] GCP Pub/Sub Subscription Deletion
[Informational] GCP Pub/Sub Topic Deletion
[Informational] GCP Service Account Deletion
[Informational] GCP Service Account Disable
[Informational] GCP Service Account creation
[Informational] GCP Service Account key creation
[Informational] GCP Storage Bucket Configuration Modification
[Informational] GCP Storage Bucket Permissions Modification
[Informational] GCP Storage Bucket deletion
[Informational] GCP VPC Firewall Rule Deletion
[Informational] GCP Virtual Private Cloud (VPC) Network Deletion
[Informational] GCP Virtual Private Network Route Creation
[Informational] GCP Virtual Private Network Route Deletion
[Informational] GCP logging sink modification
[Informational] GCP sensitive Cloud Run role granted
[Informational] GCP sensitive Deployment Manager role granted
[Informational] Globally uncommon IP address by a common process (sha256)
[Informational] Globally uncommon IP address connection from a signed process
[Informational] Globally uncommon image load from a signed process
[Informational] Globally uncommon root-domain port combination by a common process (sha256)
[Informational] Gmail delegation was turned on for the organization
[Informational] Google Workspace organizational unit was modified
[Informational] Google Workspace third-party application's security settings were changed
[Informational] Granting Access to an Account
[Informational] IAM Enumeration sequence
[Informational] IAM instance profiles were listed
[Informational] Indicator blocking
[Informational] Injection into rundll32.exe
[Informational] Installation of networking security tools
[Informational] Kubernetes cluster events deletion
[Informational] Kubernetes network policy modification
[Informational] Kubernetes nsenter container escape
[Informational] Kubernetes secret enumeration activity
[Informational] LOLBAS executable injects into another process
[Informational] Local account discovery
[Informational] Login by a dormant user
[Informational] MFA device was removed/deactivated from an IAM user
[Informational] MSI accessed a web page running a server-side script
[Informational] Modification of PAM
[Informational] Modification or Deletion of an Azure Application Gateway Detected
[Informational] Network sniffing detected in Cloud environment
[Informational] New process created via a WMI call
[Informational] OneDrive file download
[Informational] Outlook creates an executable file on disk
[Informational] Possible authentication coercion
[Informational] Possible data obfuscation
[Informational] Possible use of a networking driver for network sniffing
[Informational] Potential Network Sniffing
[Informational] Potential creation of persistent cloud credentials
[Informational] Privileged certificate request via certificate template
[Informational] Rare AppID usage to a rare destination
[Informational] Rare MS-Update Server was detected
[Informational] Rare MS-Update traffic over HTTP
[Informational] Rare NTLM Access By User To Host
[Informational] Rare Scheduled Task RPC activity
[Informational] Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol
[Informational] Remote code execution into Kubernetes Pod
[Informational] Remote usage of VM Service Account token
[Informational] Remote usage of an Azure Service Principal token
[Informational] Run downloaded script using pipe
[Informational] S3 configuration deletion
[Informational] SaaS suspicious external domain user activity
[Informational] Service execution via sc.exe
[Informational] Shell binary copied to another location
[Informational] Signed process performed an unpopular DLL injection
[Informational] Signed process performed an unpopular injection
[Informational] Suspicious container runtime connection from within a Kubernetes Pod
[Informational] Suspicious curl user agent
[Informational] Suspicious process executed with a high integrity level
[Informational] Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet
[Informational] Tampering with Internet Explorer Protected Mode configuration
[Informational] Tampering with the Windows User Account Controls (UAC) configuration
[Informational] Uncommon DotNet module load relationship
[Informational] Uncommon Linux remote shell command execution
[Informational] Uncommon Linux shell command execution
[Informational] Uncommon Managed Object Format (MOF) compiler usage
[Informational] Uncommon access to cloud platforms' sensitive files by a scripting engine
[Informational] Uncommon cloud CLI tool usage
[Informational] Uncommon increase in Azure Microsoft Graph API request sizes
[Informational] Uncommon sensitive filesystem registry hive access
[Informational] Uncommon service stop operation
[Informational] Unique client computer model was detected via MS-Update protocol
[Informational] Unpopular rsync process execution
[Informational] Unusual AWS systems manager activity
[Informational] Unusual IAM enumeration activity by a non-user Identity
[Informational] Unusual access to Microsoft 365 storage services
[Informational] Unusual certificate management activity
[Informational] Unusual key management activity
[Informational] Unusual secret management activity
[Informational] Unusual use of a 'SysInternals' tool
[Informational] Upload pattern that resembles Peer to Peer traffic
[Informational] Weakly-Encrypted Kerberos TGT Response
[Informational] Windows CGO, actor and action processes with anomalous characteristics
[Informational] Windows Security audit log was cleared