AWS Audit Log |
Cloud user performed multiple actions that were denied
|
Log enumeration via cloud native logging service
|
AI model discovery
|
AWS Lambda infrastructure enumeration activity
|
ML artifacts destruction
|
Multiple failed logins from a single IP
|
Allocation of multiple cloud compute resources
|
Cloud infrastructure enumeration activity
|
Deletion of multiple cloud resources
|
Cloud email infrastructure enumeration activity
|
AWS S3 Buckets enumeration activity
|
An identity initiated a download of multiple cloud objects
|
Multi region enumeration activity
|
Suspicious identity downloaded multiple objects from a bucket
|
IAM Enumeration sequence
|
Suspicious EBS snapshots deletion
|
Suspicious secrets dump activity
|
Suspicious objects encryption in an AWS bucket
|
An identity performed a suspicious download of multiple cloud storage objects
|
Kubernetes enumeration activity
|
AWS EBS enumeration activity
|
AWS Security Service Enumeration
|
AWS EC2 infrastructure enumeration activity
|
Potential denial of wallet abusing AI services
|
Storage enumeration activity
|
An identity successfully extracted multiple secrets within the organization
|
Abnormal Allocation of compute resources in multiple regions
|
Unusual AWS S3 objects deletion
|
Multiple cloud snapshots export
|
A Kubernetes StatefulSet was created
|
Kubernetes network policy modification
|
AWS Secrets Manager discovery
|
AWS Bedrock model invocation logging deletion
|
A Kubernetes Pod was deleted
|
AWS network ACL rule creation
|
A Kubernetes dashboard service account was used outside the cluster
|
A Kubernetes secret was created or deleted
|
Unusual AWS systems manager activity
|
AWS Guard-Duty detector deletion
|
A user logged in to the AWS console for the first time
|
AWS user creation
|
IAM User added to an IAM group
|
An IAM group was created
|
Retrieval of cloud compute EC2 instance user data
|
Unusual AWS Bedrock model access request
|
AWS support case creation
|
Cloud instance deletion attempt
|
An unusual read activity of cloud object
|
Suspicious AI Dataset Label Modification
|
IAM policy was attached to group
|
AWS web ACL deletion
|
Cloud penetration testing tool activity
|
Kubernetes cluster events deletion
|
Data encryption was disabled
|
AWS S3 discovery operation
|
IAM instance profile was associated with EC2 instance
|
Suspicious AI Dataset Download
|
An S3 replication policy to an unknown bucket was created
|
Cloud access key creation
|
AWS EBS discovery operation
|
AWS Backup recovery point deletion
|
Cloud compute serial console access
|
A Kubernetes ConfigMap was created or deleted
|
Kubernetes pod creation from unknown container image registry
|
Cloud compute instance user data script modification
|
An operation was performed by an identity from a domain that was not seen in the organization
|
AWS Storage Gateway enumeration
|
Suspicious heavy allocation of compute resources - possible mining activity
|
A compute-attached identity executed API calls outside the instance's region
|
A Kubernetes cluster was created or deleted
|
Unusual AI model invocation
|
EBS volume detachment attempt
|
Bucket's block public access setting turned off
|
An identity accessed a cloud storage for the first time
|
Kubernetes pod creation with host network
|
AWS IAM resource group deletion
|
An AWS Lambda function was modified
|
AWS CloudTrail has been stopped
|
Network sniffing detected in Cloud environment
|
A Kubernetes deployment was created
|
AWS S3 object deletion
|
A Kubernetes node service account activity from external IP
|
A Kubernetes service account has enumerated its permissions
|
Disable encryption operations
|
A cloud storage object was copied to a foreign cloud account
|
A cloud instance was stopped
|
AI safeguards deletion attempt
|
A Kubernetes cluster role binding was created or deleted
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
Suspicious AI model usage from a Tor exit node
|
Cloud snapshot created or modified
|
A cloud function was created with an unusual runtime
|
AWS Storage Gateway file share enumeration
|
Unusual certificate management activity
|
Unusual cloud identity impersonation
|
AWS root account activity
|
Unusual secret management activity
|
Kubernetes Pod created with host process ID (PID) namespace
|
Cloud storage delete protection disabled
|
IAM inline policy was added to role
|
Unusual AWS CLI/SDK activity
|
A Kubernetes Pod was created with a sidecar container
|
Remote usage of an AWS service token
|
An AWS database service master user password was changed
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
Unusual Identity and Access Management (IAM) activity
|
An AWS GuardDuty IP set was created
|
A cloud identity created or modified a security group
|
AWS IAM permission groups discovery operation
|
Logging was impaired via external encryption key
|
Cloud Watch alarm deletion
|
AWS SecurityHub findings were modified
|
An EBS snapshot block was downloaded
|
AWS SSM parameters retrieval
|
MFA device was removed/deactivated from an IAM user
|
EC2 instance Amazon machine image was created
|
A container registry was created or deleted
|
Object versioning was disabled
|
Unusual resource modification by newly seen IAM user
|
AWS Config Recorder stopped
|
An identity disabled bucket logging
|
IAM instance profile was replaced for EC2 instance
|
An identity attached an administrative policy to an IAM user or role
|
Suspicious activity on logging bucket
|
AWS Flow Logs deletion
|
Suspicious API call from a Tor exit node
|
An AWS EKS cluster was created or deleted
|
AWS Transfer Family server created
|
Kubernetes Privileged Pod Creation
|
An AWS Lambda Function was created
|
EBS volume attachment attempt
|
An AWS SES identity was deleted
|
Unusual AWS SageMaker notebook access
|
SES Production Access Requested
|
An AWS Route 53 domain was transferred to another AWS account
|
An AWS EFS File-share mount was deleted
|
An AWS S3 bucket configuration was modified
|
Unusual AI RAG Knowledge Base Modification
|
Suspicious cloud compute instance SSH keys modification attempt
|
Unusual key management activity
|
Unusual AI dataset modification
|
AWS config resource deletion
|
EBS snapshots were created from an EC2 instance
|
AWS CloudWatch log stream deletion
|
AWS network ACL rule deletion
|
AWS SSM parameters discovery
|
Unusual Kubernetes secret access
|
Cloud email service activity
|
A cloud identity had escalated its permissions
|
Foreign account was granted permissions to S3 bucket via resource-based policy
|
AWS EC2 instance exported into S3
|
A Backup vault policy was modified
|
Billing admin role was removed
|
An unknown account was invited to the AWS organization
|
A Kubernetes service account was created or deleted
|
IAM instance profiles were listed
|
AWS CloudWatch log group deletion
|
AWS SSM send command attempt
|
IAM policy version was created
|
A cloud storage configuration was modified
|
A Kubernetes Cronjob was created
|
AWS principals discovery
|
A Command Line Interface (CLI) command was executed from an AWS serverless compute service
|
An AWS SAML provider was modified
|
Cloud impersonation attempt by unusual identity type
|
AWS CloudTrail modification
|
Denied API call by a Kubernetes service account
|
AWS data asset shared public
|
An AWS RDS Global Cluster Deletion
|
IAM role was created
|
An identity accessed cloud storage containing sensitive data
|
AWS Lambda discovery operation
|
IAM instance profile was created
|
AWS Secrets Manager Access
|
A Kubernetes service was created or deleted
|
An AWS EFS file-share was deleted
|
Kubernetes Pod Created With Sensitive Volume
|
Cloud compute volume creation attempt
|
A Kubernetes role binding was created or deleted
|
Cloud AI agent was modified
|
Cloud identity reached a throttling API rate
|
EC2 snapshot attribute has been modified
|
AWS SES account sending settings modified
|
Cloud storage object discovery
|
Cloud storage automatic backup disabled
|
An identity accessed a backup cloud storage
|
IAM inline policy was added to user
|
Compute activity in dormant cloud region
|
AWS S3 bucket was exposed to public access
|
A cloud identity executed an API call from an unusual country
|
A Kubernetes namespace was created or deleted
|
An RDS snapshot was exported to an unknown bucket
|
IAM policy was attached to role
|
An AWS RDS instance was created from a snapshot
|
IAM role-attached managed policies were listed
|
Kubernetes vulnerability scanning tool usage
|
An identity started an AWS SSM session
|
An RDS snapshot was exported to an unknown S3 bucket
|
Unusual cross projects activity
|
A cloud snapshot of AWS database or storage was modified or shared
|
AI safeguards were modified
|
A Kubernetes service account executed an unusual API call
|
Unusual user-agent for a cloud identity
|
Bucket's object ownership controls were modified
|
Suspicious usage of EC2 token
|
Cloud email sending was enabled
|
Kubernetes admission controller activity
|
Suspicious ML Model Download
|
Potential creation of persistent cloud credentials
|
Unusual exec into a Kubernetes Pod
|
IAM inline policy was added to group
|
A Kubernetes ephemeral container was created
|
S3 configuration deletion
|
AWS Password Policy Discovery
|
AWS EBS snapshot deletion
|
AWS resource discovery
|
Remote usage of AWS Lambda's role
|
IAM instance profile associations were described
|
Serial console access was enabled in AWS account
|
IAM role trust policy modification
|
A Kubernetes ReplicaSet was created
|
Cloud snapshot of a database or storage instance was publicly shared
|
AWS EC2 discovery operation
|
Kubernetes service account activity outside the cluster
|
CloudTrail logging deletion
|
AWS STS temporary credentials were generated
|
AWS IAM account discovery operation
|
An identity created or updated password for an IAM user
|
An Email address was added to AWS SES
|
Unusual AI Knowledge Base Modification
|
A cloud identity invoked IAM related persistence operations
|
Cloud instance creation attempt
|
A cloud identity started a Cloud Shell session
|
A Kubernetes DaemonSet was created
|
IAM policy default version was changed
|
AWS RDS cluster deletion
|
Aurora DB cluster stopped
|
Command execution via AWS SSM
|
A cloud identity performed multiple unusual activities
|
Suspicious activity indicating a potential abuse of a cloud-native email service
|
AWS Flow Log |
An internal Cloud resource performed port scan on external networks
|
Unusual SSH activity that resembles SSH proxy
|
AWS OCSF Flow Logs |
An internal Cloud resource performed port scan on external networks
|
Unusual SSH activity that resembles SSH proxy
|
Azure Audit Log |
Cloud user performed multiple actions that were denied
|
AI model discovery
|
Microsoft OneNote enumeration activity
|
Microsoft SharePoint enumeration activity
|
Microsoft Teams enumeration activity
|
Mailbox enumeration activity by Azure application
|
Multiple failed logins from a single IP
|
Allocation of multiple cloud compute resources
|
Deletion of multiple cloud resources
|
Cloud email infrastructure enumeration activity
|
An identity initiated a download of multiple cloud objects
|
Azure enumeration activity using Microsoft Graph API
|
Multi region enumeration activity
|
Suspicious identity downloaded multiple objects from a bucket
|
Suspicious secrets dump activity
|
An identity performed a suspicious download of multiple cloud storage objects
|
Kubernetes enumeration activity
|
Potential denial of wallet abusing AI services
|
Uncommon increase in Azure Microsoft Graph API request sizes
|
Microsoft 365 storage services exfiltration activity
|
Storage enumeration activity
|
An Azure identity performed multiple actions that were denied
|
Microsoft OneDrive enumeration activity
|
Multiple cloud snapshots export
|
Azure group creation/deletion
|
A Kubernetes StatefulSet was created
|
Kubernetes network policy modification
|
A Kubernetes Pod was deleted
|
An Azure Kubernetes Cluster was created or deleted
|
A Kubernetes dashboard service account was used outside the cluster
|
A Kubernetes secret was created or deleted
|
Azure Resource Group Deletion
|
Soft delete of cloud storage configuration was disabled
|
Azure Event Hub Deletion
|
Cloud instance deletion attempt
|
An unusual read activity of cloud object
|
Suspicious AI Dataset Label Modification
|
Azure storage account was publicly shared
|
Azure application removed
|
Cloud penetration testing tool activity
|
Kubernetes cluster events deletion
|
Cloud resource logging was disabled
|
An Azure Key Vault was modified
|
Suspicious AI Dataset Download
|
Cloud compute serial console access
|
External user invitation to Azure tenant
|
An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted
|
An identity accessed Azure Kubernetes Secrets
|
Azure Automation Account Creation
|
A Kubernetes ConfigMap was created or deleted
|
Kubernetes pod creation from unknown container image registry
|
An Azure Suppression Rule was created
|
A Service Principal was removed from Azure
|
An operation was performed by an identity from a domain that was not seen in the organization
|
Privileged role used by Azure application
|
Suspicious heavy allocation of compute resources - possible mining activity
|
A Kubernetes cluster was created or deleted
|
An Azure DNS Zone was modified
|
An Azure Network Security Group was modified
|
Azure diagnostic configuration deletion
|
Azure Automation Runbook Creation/Modification
|
An identity accessed a cloud storage for the first time
|
Kubernetes pod creation with host network
|
An Azure Firewall rule collection group was modified or deleted
|
A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment
|
Azure conditional access policy creation or modification
|
Network sniffing detected in Cloud environment
|
A Service Principal was created in Azure
|
Remote usage of an Azure Service Principal token
|
A Kubernetes deployment was created
|
A Kubernetes node service account activity from external IP
|
OneDrive file upload
|
A Kubernetes service account has enumerated its permissions
|
A cloud storage object was copied to a foreign cloud account
|
A new Azure email domain verification was requested
|
A cloud instance was stopped
|
Azure Storage Account key generated
|
AI safeguards deletion attempt
|
A Kubernetes cluster role binding was created or deleted
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
Azure Kubernetes events were deleted
|
Cloud snapshot created or modified
|
Unusual certificate management activity
|
Unusual secret management activity
|
Kubernetes Pod created with host process ID (PID) namespace
|
Cloud storage delete protection disabled
|
An Azure Firewall was modified
|
A Kubernetes Pod was created with a sidecar container
|
Removal of an Azure Owner from an Application or Service Principal
|
Azure storage account blob anonymous access is enabled
|
An Azure virtual network Device was modified
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
A cloud identity created or modified a security group
|
Azure storage account cross-tenant object replication was enabled
|
OneDrive folder creation
|
Unusual access to Microsoft 365 storage services
|
A container registry was created or deleted
|
Object versioning was disabled
|
Unusual resource modification by newly seen IAM user
|
Credentials were added to Azure application
|
An Azure application reached a throttling API rate
|
Azure mailbox rule creation
|
Azure virtual machine commands execution
|
Suspicious API call from a Tor exit node
|
Azure Event Hub Authorization rule creation/modification
|
Unusual resource access by Azure application
|
Modification or Deletion of an Azure Application Gateway Detected
|
Kubernetes Privileged Pod Creation
|
An Azure SQL database was exported from a production subscription
|
Attempted Azure application access from unknown tenant
|
Azure permission delegation granted
|
An Azure Point-to-Site VPN was modified
|
Owner was added to Azure application
|
Suspicious cloud compute instance SSH keys modification attempt
|
Unusual key management activity
|
Unusual AI dataset modification
|
Azure Service principal/Application creation
|
Azure device code authentication flow used
|
An identity was granted permissions to manage user access to Azure resources
|
An Azure virtual network was modified
|
Unusual Kubernetes secret access
|
Cloud email service activity
|
A cloud identity had escalated its permissions
|
Azure Automation Webhook creation
|
Billing admin role was removed
|
Azure Key Vault modification
|
Azure Network Watcher Deletion
|
A Kubernetes service account was created or deleted
|
PIM privilege member removal
|
An Azure Key Vault key was modified
|
Azure Automation Runbook Deletion
|
An Azure Kubernetes Service Account was modified or deleted
|
A cloud storage configuration was modified
|
OneDrive file download
|
A Kubernetes Cronjob was created
|
An Azure Firewall policy deletion
|
Denied API call by a Kubernetes service account
|
An identity accessed cloud storage containing sensitive data
|
A Kubernetes service was created or deleted
|
Kubernetes Pod Created With Sensitive Volume
|
A Kubernetes role binding was created or deleted
|
Cloud identity reached a throttling API rate
|
Cloud storage object discovery
|
An Azure firewall rule group was modified
|
Cloud storage automatic backup disabled
|
An identity accessed a backup cloud storage
|
An Azure VPN Connection was modified
|
Compute activity in dormant cloud region
|
A cloud identity executed an API call from an unusual country
|
A Kubernetes namespace was created or deleted
|
Granting Access to an Account
|
Azure user creation/deletion
|
Authentication method was added to Azure account
|
An Azure Kubernetes Role or Cluster-Role was modified
|
Azure Blob Container Access Level Modification
|
Kubernetes vulnerability scanning tool usage
|
Azure Key Vault Secrets were modified
|
Unusual cross projects activity
|
AI safeguards were modified
|
A Kubernetes service account executed an unusual API call
|
Unusual user-agent for a cloud identity
|
Azure user password reset
|
Kubernetes admission controller activity
|
Suspicious ML Model Download
|
Unusual exec into a Kubernetes Pod
|
A Kubernetes ephemeral container was created
|
Remote usage of an Azure Managed Identity token
|
A Kubernetes ReplicaSet was created
|
Kubernetes service account activity outside the cluster
|
A cloud identity invoked IAM related persistence operations
|
Cloud instance creation attempt
|
A Kubernetes DaemonSet was created
|
An Azure VM snapshot SAS URL was generated for export from a production subscription
|
Suspicious Azure enumeration activity
|
A cloud identity performed multiple unusual activities
|
Suspicious activity indicating a potential abuse of a cloud-native email service
|
Azure Flow Log |
An internal Cloud resource performed port scan on external networks
|
Unusual SSH activity that resembles SSH proxy
|
Azure SignIn Log |
SSO Brute Force
|
A user accessed multiple unusual resources via SSO
|
Intense SSO failures
|
IP Rotation Pattern in SSO Spray
|
Impossible traveler - SSO
|
Possible Impossible Travel Pattern - SSO
|
SSO Password Spray
|
First SSO access from ASN for user
|
SSO authentication by a machine account
|
A successful SSO sign-in from TOR
|
A user connected from a new country
|
A user logged in at an unusual time via SSO
|
SSO with abnormal user agent
|
First SSO Resource Access in the Organization
|
User attempted to connect from a suspicious country
|
First SSO access from ASN in organization
|
A disabled user attempted to authenticate via SSO
|
Suspicious SSO access from ASN
|
SSO authentication by a service account
|
SSO with new operating system
|
First connection from a country in organization
|
AzureAD |
SSO Brute Force
|
A user accessed multiple unusual resources via SSO
|
Intense SSO failures
|
IP Rotation Pattern in SSO Spray
|
Impossible traveler - SSO
|
Possible Impossible Travel Pattern - SSO
|
SSO Password Spray
|
Suspicious authentication with Azure Password Hash Sync user
|
First SSO access from ASN for user
|
SSO authentication by a machine account
|
A successful SSO sign-in from TOR
|
A user connected from a new country
|
SSO with abnormal operating system
|
Suspicious Azure AD interactive sign-in using PowerShell
|
A user logged in at an unusual time via SSO
|
SSO with abnormal user agent
|
First SSO Resource Access in the Organization
|
User attempted to connect from a suspicious country
|
Authentication attempt by a honey user
|
First SSO access from ASN in organization
|
A disabled user attempted to authenticate via SSO
|
A possible risky login to Azure
|
Suspicious SSO access from ASN
|
SSO authentication attempt by a honey user
|
SSO authentication by a service account
|
User signed in to an application via Power Automate for the first time
|
SSO with new operating system
|
First connection from a country in organization
|
AzureAD Audit Log |
Short-lived Azure AD user account
|
Multiple Azure AD admin role removals
|
Azure Temporary Access Pass (TAP) registered to an account
|
Azure domain federation settings modification attempt
|
Device Registration Policy modification
|
Unverified domain added to Azure AD
|
Azure AD PIM alert disabled
|
Unusual Conditional Access operation for an identity
|
Azure application URI modification
|
Successful unusual guest user invitation
|
BitLocker key retrieval
|
Azure account deletion by a non-standard account
|
Azure AD PIM role settings change
|
Azure application consent
|
Identity assigned an Azure AD Administrator Role
|
Azure AD PIM elevation request
|
Suspicious MFA request reported by user in Entra ID
|
Azure service principal assigned app role
|
Authentication method added to an Azure account
|
Azure application credentials added
|
First Azure AD PowerShell operation for a user
|
MFA was disabled for an Azure identity
|
Azure AD account unlock/password reset attempt
|
Conditional Access policy removed
|
Owner added to Azure application
|
Azure account creation by a non-standard account
|
Box Audit Log |
Massive upload to SaaS service
|
Massive file downloads from SaaS service
|
External SaaS file-sharing activity
|
Suspicious SaaS API call from a Tor exit node
|
DropBox |
Massive upload to SaaS service
|
Massive file downloads from SaaS service
|
External SaaS file-sharing activity
|
Suspicious SaaS API call from a Tor exit node
|
Duo |
SSO Brute Force
|
A user accessed multiple unusual resources via SSO
|
Intense SSO failures
|
IP Rotation Pattern in SSO Spray
|
Impossible traveler - SSO
|
Possible Impossible Travel Pattern - SSO
|
SSO Password Spray
|
First SSO access from ASN for user
|
SSO authentication by a machine account
|
A successful SSO sign-in from TOR
|
A user connected from a new country
|
A user logged in at an unusual time via SSO
|
SSO with abnormal user agent
|
First SSO Resource Access in the Organization
|
User attempted to connect from a suspicious country
|
First SSO access from ASN in organization
|
A disabled user attempted to authenticate via SSO
|
Suspicious SSO access from ASN
|
SSO authentication by a service account
|
SSO with new operating system
|
First connection from a country in organization
|
Gcp Audit Log |
Cloud user performed multiple actions that were denied
|
AI model discovery
|
ML artifacts destruction
|
Multiple failed logins from a single IP
|
Allocation of multiple cloud compute resources
|
Cloud infrastructure enumeration activity
|
Deletion of multiple cloud resources
|
An identity initiated a download of multiple cloud objects
|
Multi region enumeration activity
|
Suspicious identity downloaded multiple objects from a bucket
|
IAM Enumeration sequence
|
Suspicious secrets dump activity
|
An identity performed a suspicious download of multiple cloud storage objects
|
Kubernetes enumeration activity
|
Potential denial of wallet abusing AI services
|
Storage enumeration activity
|
Abnormal Allocation of compute resources in multiple regions
|
Multiple cloud snapshots export
|
A Kubernetes StatefulSet was created
|
Kubernetes network policy modification
|
A Kubernetes Pod was deleted
|
A Kubernetes dashboard service account was used outside the cluster
|
GCP IAM Service Account Key Deletion
|
A Kubernetes secret was created or deleted
|
GCP sensitive Functions role granted
|
Cloud instance deletion attempt
|
An unusual read activity of cloud object
|
Suspicious AI Dataset Label Modification
|
GCP Service Account Deletion
|
GCP logging sink modification
|
GCP Storage Bucket Permissions Modification
|
Cloud penetration testing tool activity
|
Kubernetes cluster events deletion
|
Cloud resource logging was disabled
|
A Command Line Interface (CLI) command was executed from a GCP serverless compute service
|
GCP logging sink deletion
|
Suspicious AI Dataset Download
|
GCP Pub/Sub Topic Deletion
|
GCP Virtual Private Network Route Creation
|
Cloud access key creation
|
Cloud compute serial console access
|
GCP service account impersonation attempt
|
A Kubernetes ConfigMap was created or deleted
|
Kubernetes pod creation from unknown container image registry
|
Cloud compute instance user data script modification
|
An operation was performed by an identity from a domain that was not seen in the organization
|
Suspicious heavy allocation of compute resources - possible mining activity
|
A Kubernetes cluster was created or deleted
|
Unusual AI model invocation
|
An identity accessed a cloud storage for the first time
|
Kubernetes pod creation with host network
|
Network sniffing detected in Cloud environment
|
A Kubernetes deployment was created
|
A Kubernetes node service account activity from external IP
|
A Kubernetes service account has enumerated its permissions
|
A cloud instance was stopped
|
A Kubernetes cluster role binding was created or deleted
|
BigQuery table or query results exfiltrated to a foreign project
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
Suspicious AI model usage from a Tor exit node
|
Remote usage of an App engine Service Account token
|
Cloud snapshot created or modified
|
A cloud function was created with an unusual runtime
|
GCP sensitive IAM role granted
|
Unusual certificate management activity
|
Unusual cloud identity impersonation
|
Unusual secret management activity
|
GCP administrative role granted to a cloud identity
|
Kubernetes Pod created with host process ID (PID) namespace
|
GCP Service Account creation
|
Cloud storage delete protection disabled
|
GCP Virtual Private Cloud (VPC) Network Deletion
|
A Kubernetes Pod was created with a sidecar container
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
Unusual Identity and Access Management (IAM) activity
|
A cloud identity created or modified a security group
|
GCP Service Account Disable
|
GCP sensitive storage role granted
|
Logging was impaired via external encryption key
|
GCP IAM deny policy creation
|
GCP sensitive role granted to group
|
GCP set IAM policy activity
|
A container registry was created or deleted
|
Unusual resource modification by newly seen IAM user
|
GCP IAM Role Deletion
|
Suspicious API call from a Tor exit node
|
GCP sensitive Cloud Run role granted
|
Kubernetes Privileged Pod Creation
|
Unusual AI RAG Knowledge Base Modification
|
Suspicious cloud compute instance SSH keys modification attempt
|
Unusual key management activity
|
Unusual AI dataset modification
|
Unusual Kubernetes secret access
|
GCP Pub/Sub Subscription Deletion
|
A cloud identity had escalated its permissions
|
Billing admin role was removed
|
A Kubernetes service account was created or deleted
|
A cloud storage configuration was modified
|
A Kubernetes Cronjob was created
|
Remote usage of VM Service Account token
|
GCP sensitive Secret Manager role granted
|
GCP Storage Bucket Configuration Modification
|
Cloud impersonation attempt by unusual identity type
|
Denied API call by a Kubernetes service account
|
IAM role was created
|
GCP sensitive Deployment Manager role granted
|
An identity accessed cloud storage containing sensitive data
|
A Kubernetes service was created or deleted
|
Kubernetes Pod Created With Sensitive Volume
|
A Kubernetes role binding was created or deleted
|
GCP sensitive compute role granted
|
Cloud AI agent was modified
|
Cloud identity reached a throttling API rate
|
Cloud storage object discovery
|
Cloud storage automatic backup disabled
|
An identity accessed a backup cloud storage
|
Compute activity in dormant cloud region
|
A cloud identity executed an API call from an unusual country
|
A Kubernetes namespace was created or deleted
|
GCP Virtual Private Network Route Deletion
|
GCP data asset shared public
|
GCP Firewall Rule Modification
|
Kubernetes vulnerability scanning tool usage
|
Unusual cross projects activity
|
A Kubernetes service account executed an unusual API call
|
Unusual user-agent for a cloud identity
|
GCP Logging Bucket Deletion
|
GCP VPC Firewall Rule Deletion
|
Kubernetes admission controller activity
|
Suspicious ML Model Download
|
Unusual exec into a Kubernetes Pod
|
A Kubernetes ephemeral container was created
|
Cloud Organizational policy was created or modified
|
GCP Storage Bucket deletion
|
GCP Firewall Rule creation
|
A Kubernetes ReplicaSet was created
|
Kubernetes service account activity outside the cluster
|
An unusual cloud identity was granted permissions to a BigQuery resource
|
Unusual AI Knowledge Base Modification
|
A cloud identity invoked IAM related persistence operations
|
GCP Service Account key creation
|
Cloud instance creation attempt
|
Unusual IAM enumeration activity by a non-user Identity
|
A Kubernetes DaemonSet was created
|
A cloud identity performed multiple unusual activities
|
Gcp Flow Log |
An internal Cloud resource performed port scan on external networks
|
Unusual SSH activity that resembles SSH proxy
|
Google Workspace Audit Logs |
Massive upload to SaaS service
|
Massive file downloads from SaaS service
|
External SaaS file-sharing activity
|
User accessed SaaS resource via anonymous link
|
A Google Workspace identity performed an unusual admin console activity
|
Admin privileges were granted to a Google Workspace user
|
A GCP service account was delegated domain-wide authority in Google Workspace
|
A Google Workspace user was removed from a group
|
A Google Workspace Role privilege was deleted
|
MFA Disabled for Google Workspace
|
Gmail delegation was turned on for the organization
|
Google Workspace organizational unit was modified
|
An app was added to the Google Workspace trusted OAuth apps list
|
A Google Workspace user was added to a group
|
Gmail routing settings changed
|
Google Marketplace restrictions were modified
|
An app was added to Google Marketplace
|
A third-party application's access to the Google Workspace domain's resources was revoked
|
A mail forwarding rule was configured in Google Workspace
|
A Google Workspace identity used the security investigation tool
|
A third-party application was authorized to access the Google Workspace APIs
|
External Sharing was turned on for Google Drive
|
Data Sharing between GCP and Google Workspace was disabled
|
Suspicious SaaS API call from a Tor exit node
|
SaaS suspicious external domain user activity
|
A Google Workspace identity created, assigned or modified a role
|
Google Workspace third-party application's security settings were changed
|
An app was removed from a blocked list in Google Workspace
|
A domain was added to the trusted domains list
|
A Google Workspace service was configured as unrestricted
|
Google Workspace Authentication |
First SSO access from ASN for user
|
A user logged in at an unusual time via SSO
|
First SSO access from ASN in organization
|
Suspicious SSO access from ASN
|
Health Monitoring Data |
Logs were not collected from a data source for an abnormally long time
|
Correlation rule error
|
Parsing Rule Error
|
Error in event forwarding
|
Collection error
|
Kubernetes Audit Logs |
Kubernetes enumeration activity
|
A Kubernetes StatefulSet was created
|
Kubernetes network policy modification
|
A Kubernetes Pod was deleted
|
A Kubernetes dashboard service account was used outside the cluster
|
A Kubernetes secret was created or deleted
|
Kubernetes cluster events deletion
|
A Kubernetes ConfigMap was created or deleted
|
Kubernetes pod creation from unknown container image registry
|
A Kubernetes cluster was created or deleted
|
Kubernetes pod creation with host network
|
A Kubernetes deployment was created
|
A Kubernetes node service account activity from external IP
|
A Kubernetes service account has enumerated its permissions
|
A Kubernetes cluster role binding was created or deleted
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
Kubernetes Pod created with host process ID (PID) namespace
|
A Kubernetes Pod was created with a sidecar container
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
A container registry was created or deleted
|
Suspicious API call from a Tor exit node
|
Kubernetes Privileged Pod Creation
|
Unusual Kubernetes secret access
|
A Kubernetes service account was created or deleted
|
A Kubernetes Cronjob was created
|
Denied API call by a Kubernetes service account
|
A Kubernetes service was created or deleted
|
Kubernetes Pod Created With Sensitive Volume
|
A Kubernetes role binding was created or deleted
|
A cloud identity executed an API call from an unusual country
|
A Kubernetes namespace was created or deleted
|
Kubernetes vulnerability scanning tool usage
|
A Kubernetes service account executed an unusual API call
|
Kubernetes admission controller activity
|
Unusual exec into a Kubernetes Pod
|
A Kubernetes ephemeral container was created
|
A Kubernetes ReplicaSet was created
|
Kubernetes service account activity outside the cluster
|
A Kubernetes DaemonSet was created
|
Microsoft 365 Emails |
Numerous emails sent by a single sender to multiple internal recipients
|
Sudden spike in outbound email volume
|
Unusual attachment volume in outbound emails
|
Unrecognized internal address (AAD mismatch)
|
Outbound email includes an external BCC recipient observed for the first time
|
Usage of homograph characters detected in an email's from header
|
Email was received from an unknown address using a public provider domain
|
Potential spoofing of internal domain spotted
|
Email containing a redirected link
|
Usage of homograph characters detected in an email attachment(s) name
|
Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values
|
Email contains URL delivering high-risk file type
|
Unrecognized sender domain
|
Unrecognized sender address
|
Outbound email contains file-sharing service link sent to external recipient
|
Email was received from an unknown sender using a disposable domain
|
Email with URL shortener detected
|
Well-known brand in sender headers with header inconsistencies
|
Unusual hostname for the sending mail server in the email headers
|
Rarely seen URL(s) within a well-known domain detected in your organization's email
|
First-seen email from mailbox owner to external recipient's address in the last 30 days
|
Near-empty email from an external sender
|
External email display name impersonation of internal personnel
|
Sending unusual file(s) to an external address
|
Suspicious DMARC result
|
Usage of homograph characters detected in an email
|
Unpopular domains detected in email URLs for a recipient
|
Email with file-sharing link containing auto-download parameter
|
External email with a single internal recipient hidden in BCC
|
Suspicious DKIM Result
|
Outbound email to an address hosted by a public email service provider
|
Email attachment(s) with potentially malicious MIME type
|
X-Forefront-Antispam-Report has flagged this email as a potential threat
|
Suspicious SPF Result
|
Moniker link detected in URL(s)
|
Suspicious Unicode character detected in email
|
Unusual display name in From header
|
Unpopular URL(s) detected in email
|
Uncommon URL domain(s) in your organization detected in email
|
Email attachment with a potentially malicious file extension
|
Email containing a link with an IP address convention was detected
|
Email attachment with Right-to-Left Override Unicode character
|
Email attachment with multiple extensions
|
Punycode characters detected in URL(s)
|
Email mimics replies or forwards without an actual ongoing conversation
|
Risk indicators detected in email
|
Suspicious theme and sentiment in email
|
Microsoft Graph Logs |
Microsoft OneNote enumeration activity
|
Microsoft SharePoint enumeration activity
|
Microsoft Teams enumeration activity
|
Mailbox enumeration activity by Azure application
|
Azure enumeration activity using Microsoft Graph API
|
User sent messages in Microsoft Teams to multiple conversations via Graph API
|
Uncommon increase in Azure Microsoft Graph API request sizes
|
Microsoft 365 storage services exfiltration activity
|
An Azure identity performed multiple actions that were denied
|
Microsoft OneDrive enumeration activity
|
Azure group creation/deletion
|
Cloud penetration testing tool activity
|
External user invitation to Azure tenant
|
Privileged role used by Azure application
|
Azure conditional access policy creation or modification
|
OneDrive file upload
|
OneDrive folder creation
|
Unusual access to Microsoft 365 storage services
|
Credentials were added to Azure application
|
An Azure application reached a throttling API rate
|
Azure mailbox rule creation
|
Unusual resource access by Azure application
|
Attempted Azure application access from unknown tenant
|
Owner was added to Azure application
|
Azure Service principal/Application creation
|
OneDrive file download
|
Azure user creation/deletion
|
Authentication method was added to Azure account
|
Azure user password reset
|
User installed an application in Microsoft Teams via Graph API
|
Suspicious Azure enumeration activity
|
Office 365 Audit |
External user created a Microsoft Teams conversation with suspicious operations
|
Sensitive Exchange mail sent to external users
|
Massive upload to SaaS service
|
External user started a Microsoft Teams conversation
|
User moved Exchange sent messages to deleted items
|
User accessed multiple O365 AIP sensitive files
|
Exchange mailbox delegation permissions added
|
A user uploaded malware to SharePoint or OneDrive
|
User exported multiple messages in Microsoft Teams via Graph API
|
Massive file downloads from SaaS service
|
External SaaS file-sharing activity
|
User accessed SaaS resource via anonymous link
|
Penetration testing tool activity attempt
|
External user added a link to a Microsoft Teams chat
|
Exchange audit log disabled
|
Exchange mailbox folder permission modification
|
A Microsoft Teams bot was added to a team
|
Microsoft Teams application setup policy was modified
|
Exchange Safe Link policy disabled or removed
|
Exchange user mailbox forwarding
|
Microsoft Teams messages were exported from conversation
|
Exchange mailbox audit bypass
|
Exchange malware filter policy removed
|
A Microsoft Teams application was installed
|
Exchange anti-phish policy disabled or removed
|
Exchange inbox forwarding rule configured
|
Exchange Safe Attachment policy disabled or removed
|
Rare DLP rule match by user
|
Microsoft 365 DLP policy disabled or removed
|
SharePoint Site Collection admin group addition
|
Microsoft Teams external communication policy was modified
|
Exchange compliance search created
|
Exchange transport forwarding rule configured
|
Suspicious SaaS API call from a Tor exit node
|
Exchange email-hiding transport rule
|
Exchange DKIM signing configuration disabled
|
SaaS suspicious external domain user activity
|
New Teams application published to the organization catalog
|
DLP sensitive data exposed to external users
|
Exchange email-hiding inbox rule
|
Possible multistage attack in Microsoft Teams
|
Okta |
Multiple Okta MFA requests sent to a user
|
SSO Brute Force
|
A user rejected an SSO request from an unusual country
|
A user accessed multiple unusual resources via SSO
|
Intense SSO failures
|
IP Rotation Pattern in SSO Spray
|
Impossible traveler - SSO
|
Possible Impossible Travel Pattern - SSO
|
SSO Password Spray
|
First SSO access from ASN for user
|
SSO authentication by a machine account
|
A successful SSO sign-in from TOR
|
A user connected from a new country
|
SSO with abnormal operating system
|
Suspicious SSO authentication
|
A user logged in at an unusual time via SSO
|
SSO with abnormal user agent
|
First SSO Resource Access in the Organization
|
User attempted to connect from a suspicious country
|
Authentication attempt by a honey user
|
First SSO access from ASN in organization
|
A disabled user attempted to authenticate via SSO
|
Suspicious SSO access from ASN
|
SSO authentication attempt by a honey user
|
SSO authentication by a service account
|
SSO with new operating system
|
First connection from a country in organization
|
Okta Audit Log |
Okta account reset password attempt
|
Okta Reported Threat Detected
|
A user observed and reported unusual activity in Okta
|
Okta device assignment
|
Okta account unlock
|
A user modified an Okta MFA factor
|
A user modified an Okta network zone
|
Potential Okta access limit breach
|
A user accessed Okta's admin application
|
Okta User Session Impersonation
|
Okta admin privilege assignment
|
Okta account unlock by admin
|
User added a new device to Okta Verify instance
|
A user modified an Okta policy rule
|
Okta API Token Created
|
A user attempted to bypass Okta MFA
|
Okta Reported Attack Suspected
|
OneLogin |
SSO Brute Force
|
A user accessed multiple unusual resources via SSO
|
Intense SSO failures
|
IP Rotation Pattern in SSO Spray
|
Impossible traveler - SSO
|
Possible Impossible Travel Pattern - SSO
|
SSO Password Spray
|
First SSO access from ASN for user
|
SSO authentication by a machine account
|
A successful SSO sign-in from TOR
|
A user connected from a new country
|
A user logged in at an unusual time via SSO
|
First SSO Resource Access in the Organization
|
User attempted to connect from a suspicious country
|
Authentication attempt by a honey user
|
First SSO access from ASN in organization
|
A disabled user attempted to authenticate via SSO
|
Suspicious SSO access from ASN
|
SSO authentication attempt by a honey user
|
SSO authentication by a service account
|
First connection from a country in organization
|
Palo Alto Networks Global Protect |
Impossible traveler - VPN
|
VPN Login Password Spray
|
VPN login Brute-Force attempt
|
First VPN access from ASN for user
|
VPN login by a service account
|
A Successful VPN connection from TOR
|
VPN login attempt by a honey user
|
VPN login by a dormant user
|
A user connected to a VPN from a new country
|
VPN login with a machine account
|
First VPN access from ASN in organization
|
First VPN access attempt from a country in organization
|
VPN access with an abnormal operating system
|
A disabled user attempted to log in to a VPN
|
A user logged in at an unusual time via VPN
|
Palo Alto Networks Platform Alerts |
Multiple alerts of different MITRE tactics were seen
|
Palo Alto Networks Platform Logs |
Large Upload (Generic)
|
Kerberos Pre-Auth Failures by Host
|
New Administrative Behavior
|
Kerberos Pre-Auth Failures by User and Host
|
Rare LDAP enumeration
|
Large Upload (HTTPS)
|
Spam Bot Traffic
|
Increase in Job-Related Site Visits
|
Large Upload (FTP)
|
HTTP with suspicious characteristics
|
Multiple Weakly-Encrypted Kerberos Tickets Received
|
Uncommon WPAD queries
|
Kerberos User Enumeration
|
Subdomain Fuzzing
|
Failed DNS
|
Abnormal RPC traffic to multiple hosts
|
Large Upload (SMTP)
|
DNS Tunneling
|
NTLM Relay
|
NTLM Password Spray
|
Massive upload to a rare storage or mail domain
|
Abnormal connections to a dormant host from a newly seen endpoint
|
Suspicious DNS traffic
|
Random-Looking Domain Names
|
Failed Connections
|
Abnormal sensitive RPC traffic to multiple hosts
|
Rare access to known advertising domains
|
Port Scan
|
Unusual SSH Activity
|
Machine Account NTLM Relay
|
Multiple Suspicious FTP Login Attempts
|
A user accessed multiple time-consuming websites
|
NTLM Hash Harvesting
|
Rare Scheduled Task RPC activity
|
Rare NTLM Access By User To Host
|
A Torrent client was detected on a host
|
Possible path traversal via HTTP request
|
Recurring rare domain access to dynamic DNS domain
|
Unique client computer model was detected via MS-Update protocol
|
Multiple uncommon SSH Servers with the same Server host key
|
Rare Windows Remote Management (WinRM) HTTP Activity
|
Abnormal communication with a rare combination of TLS and HTTP User Agent
|
Possible Kerberoasting without SPNs
|
Suspicious ICMP packet
|
Bronze-Bit exploit
|
Failed Login For Locked-Out Account
|
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller
|
Rare MS-Update Server was detected
|
A Possible crypto miner was detected on a host
|
Abnormal Recurring Communications to a Rare Domain
|
Abnormal Communication to a Rare Domain
|
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server
|
Rare MS-Update traffic over HTTP
|
Suspicious SSH Downgrade
|
Possible use of IPFS was detected
|
Authentication Attempt From a Dormant Account
|
Suspicious HTTP parameters detected
|
Rare SMTP/S Session
|
Failed Login For a Long Username With Special Characters
|
A user accessed an uncommon AppID
|
Rare AppID usage to a rare destination
|
Rare process created an SSH session to an uncommon external host
|
Possible DCSync from a non domain controller
|
New FTP Server
|
Rare NTLM Usage by User
|
Rare RDP session to a remote host
|
Rare DCOM RPC activity
|
Weakly-Encrypted Kerberos TGT Response
|
Suspicious NTLM authentication with machine account
|
Rare process created an SSH session to an uncommon cloud resource
|
Recurring access to rare IP
|
Suspicious failed HTTP request - potential Spring4Shell exploit
|
Rare Remote Service (SVCCTL) RPC activity
|
Possible IPFS traffic was detected
|
Suspicious SMB connection from domain controller
|
Rare SMB session to a remote host
|
Unusual SSH activity that resembles SSH proxy
|
Unusual SSH activity that resembles SSH proxy
|
FTP Connection Using an Anonymous Login or Default Credentials
|
Uncommon SSH session was established
|
RDP from an unmanaged endpoint in a typically managed subnet
|
Rare file transfer over SMB protocol
|
A rare FTP user has been detected on an existing FTP server
|
Okta FastPass reported phishing attack suspected
|
Weakly-Encrypted Kerberos Ticket Requested
|
Recurring access to rare domain
|
Palo Alto Networks Url Logs |
A non-browser process accessed a website UI
|
PowerShell Initiates a Network Connection to GitHub
|
Uncommon network tunnel creation
|
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol
|
Non-browser access to a pastebin-like site
|
PingOne |
SSO Brute Force
|
A user accessed multiple unusual resources via SSO
|
Intense SSO failures
|
IP Rotation Pattern in SSO Spray
|
Impossible traveler - SSO
|
Possible Impossible Travel Pattern - SSO
|
SSO Password Spray
|
First SSO access from ASN for user
|
SSO authentication by a machine account
|
A successful SSO sign-in from TOR
|
A user connected from a new country
|
A user logged in at an unusual time via SSO
|
SSO with abnormal user agent
|
First SSO Resource Access in the Organization
|
User attempted to connect from a suspicious country
|
Authentication attempt by a honey user
|
First SSO access from ASN in organization
|
A disabled user attempted to authenticate via SSO
|
Suspicious SSO access from ASN
|
SSO authentication attempt by a honey user
|
SSO authentication by a service account
|
First connection from a country in organization
|
Third-Party Alerts |
Multiple alerts of different MITRE tactics were seen
|
Third-Party Firewalls |
New Administrative Behavior
|
Large Upload (HTTPS)
|
Spam Bot Traffic
|
Large Upload (SMTP)
|
Failed Connections
|
Port Scan
|
A Torrent client was detected on a host
|
Recurring rare domain access to dynamic DNS domain
|
Abnormal Recurring Communications to a Rare Domain
|
Abnormal Communication to a Rare Domain
|
Rare SMTP/S Session
|
Rare AppID usage to a rare destination
|
Rare process created an SSH session to an uncommon external host
|
New FTP Server
|
Rare RDP session to a remote host
|
Rare process created an SSH session to an uncommon cloud resource
|
Recurring access to rare IP
|
Suspicious SMB connection from domain controller
|
Rare SMB session to a remote host
|
Unusual SSH activity that resembles SSH proxy
|
Uncommon SSH session was established
|
Recurring access to rare domain
|
Recurring access to rare domain
|
Third-Party VPNs |
Impossible traveler - VPN
|
VPN Login Password Spray
|
VPN login Brute-Force attempt
|
First VPN access from ASN for user
|
VPN login by a service account
|
A Successful VPN connection from TOR
|
VPN login attempt by a honey user
|
VPN login by a dormant user
|
A user connected to a VPN from a new country
|
VPN login with a machine account
|
First VPN access from ASN in organization
|
First VPN access attempt from a country in organization
|
VPN access with an abnormal operating system
|
A disabled user attempted to log in to a VPN
|
A user logged in at an unusual time via VPN
|
Windows Event Collector |
Excessive user account lockouts
|
A new machine attempted Kerberos delegation
|
Possible Privilege Escalation using Delegated MSA account
|
A user sent multiple TGT requests to irregular service
|
User added to the SMS Admins local group
|
Multiple suspicious user accounts were created
|
A user requested multiple service tickets
|
User added to a group and removed
|
Local group enumeration
|
A user printed an unusual number of files
|
A user received multiple weakly encrypted service tickets
|
Multiple TGT requests for users without Kerberos pre-authentication
|
Single account excessively locked out
|
Multiple user accounts were deleted
|
Short-lived user account
|
Mailbox Client Access Setting (CAS) changed
|
Suspicious access of the System Management Container
|
Suspicious modification of the AdminSDHolder's ACL
|
Privileged certificate request via certificate template
|
Possible Kerberos relay attack
|
Rare machine account creation
|
VM Detection attempt
|
Suspicious dNSHostName attribute change to DC name
|
Sensitive account password reset attempt
|
Suspicious account attribute modification that matches that of another account
|
A user enabled a default local account
|
User added SID History to an account
|
TGT request with a spoofed sAMAccountName - Event log
|
User account delegation change
|
Unusual user account enablement
|
A user modified the CA audit policy
|
Security tools detection attempt
|
Suspicious domain user account creation
|
Service ticket request with a spoofed sAMAccountName
|
A user changed the Windows system time
|
SPNs cleared from a machine account
|
Administrator groups enumerated via LDAP
|
A machine certificate was issued with a mismatch
|
A computer account was promoted to DC
|
PowerShell used to remove mailbox export request logs
|
Suspicious sAMAccountName change
|
Vulnerable certificate template loaded
|
Machine account was added to a domain admins group
|
Deletion of AD CS certificate database entries
|
Suspicious certificate template modification
|
PowerShell used to export mailbox contents
|
Local user account creation by a machine account
|
Masquerading as a default local account
|
A user account was modified to password never expires
|
Local user account creation
|
Key credential attribute modification
|
Unusual user account unlock
|
PKINIT TGT authentication request
|
Potential DCSync by an unusual user
|
Suspicious hidden user created
|
Member added to a Windows local security group
|
A user was added to a Windows security group
|
A user certificate was issued with a mismatch
|
XDR Agent |
Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server
|
Large Upload (Generic)
|
Kerberos Pre-Auth Failures by Host
|
Brute-force attempt on a local account
|
Abnormal SMB scanning activity to multiple hosts
|
Possible Brute-Force attempt
|
New Administrative Behavior
|
Multiple users authenticated with weak NTLM to a host
|
A user logged on to multiple workstations via Schannel
|
Internal Login Password Spray
|
Kubernetes environment enumeration activity
|
Kerberos Pre-Auth Failures by User and Host
|
Suspicious ICMP traffic that resembles smurf attack
|
Interactive local account enumeration
|
Abnormal ICMP echo (PING) to multiple hosts
|
Multiple Rare LOLBIN Process Executions by User
|
Possible brute force or configuration change attempt on cytool
|
New Shared User Account
|
Large Upload (HTTPS)
|
Spam Bot Traffic
|
An internal Cloud resource performed port scan on external networks
|
Large Upload (FTP)
|
Account probing
|
HTTP with suspicious characteristics
|
Multiple discovery-like commands
|
Multiple Weakly-Encrypted Kerberos Tickets Received
|
Remote account enumeration
|
Multiple discovery commands on a Linux host by the same process
|
Uncommon WPAD queries
|
External Login Password Spray
|
SSH authentication brute force attempts
|
Kerberos User Enumeration
|
Subdomain Fuzzing
|
Possible brute force on sudo user
|
Failed DNS
|
Large Upload (SMTP)
|
DNS Tunneling
|
NTLM Relay
|
Upload pattern that resembles Peer to Peer traffic
|
NTLM Password Spray
|
Possible external RDP Brute-Force
|
Multiple Rare Process Executions in Organization
|
Massive upload to a rare storage or mail domain
|
Abnormal connections to a dormant host from a newly seen endpoint
|
Suspicious DNS traffic
|
Abnormal SMB activity to multiple hosts
|
Multiple user accounts failed login due to account lockouts
|
Random-Looking Domain Names
|
Download pattern that resembles Peer to Peer traffic
|
Potential NTLM Relay Attack
|
Possible TGT reuse from different hosts (pass the ticket)
|
Multiple discovery commands
|
Failed Connections
|
Multiple discovery commands on a Windows host by the same process
|
A user authenticated with weak NTLM to multiple hosts
|
NTLM Brute Force on an Administrator Account
|
Rare access to known advertising domains
|
NTLM Brute Force on a Service Account
|
Unusual SSH Activity
|
NTLM Brute Force
|
Microsoft Configuration Manager device registration and policy request
|
Machine Account NTLM Relay
|
Suspicious container reconnaissance activity in a Kubernetes pod
|
Abnormal RDP connections to multiple hosts
|
Sudoedit Brute force attempt
|
NTLM Hash Harvesting
|
Microsoft Office injects code into a process
|
A process connected to a rare external host
|
Windows Event Log was cleared using wevtutil.exe
|
Suspicious PowerShell Command Line
|
Suspicious data encryption
|
Uncommon driver loaded
|
Remote command execution via wmic.exe
|
Uncommon communication to an instant messaging server
|
Uncommon net localgroup execution
|
Uncommon DLL-sideloading from a logical CD-ROM (ISO) device
|
Abnormal process connection to default Meterpreter port
|
Uncommon execution of ODBCConf
|
Uncommon Launch Daemon persistency was registered or modified
|
Attempt to execute a command on a remote host using PsExec.exe
|
Signed process performed an unpopular injection
|
Netcat makes or gets connections
|
Rare NTLM Access By User To Host
|
A Torrent client was detected on a host
|
AppleScript process executed with a rare command line
|
Kerberos Traffic from Non-Standard Process
|
Linux local user account creation
|
Suspicious module load using direct syscall
|
Remote WMI process execution
|
Possible Kerberos relay attack
|
A process was executed with a command line obfuscated by Unicode character substitution
|
Fodhelper.exe UAC bypass
|
Possible Email collection using Outlook RPC
|
Execution of renamed lolbin
|
Permission Groups discovery commands
|
Suspicious curl user agent
|
Possible path traversal via HTTP request
|
Download a script using the python requests module
|
Possible RDP session hijacking using tscon.exe
|
Suspicious process execution in a privileged container
|
Rare unsigned process execution by scheduled task
|
A LOLBIN was copied to a different location
|
Recurring rare domain access to dynamic DNS domain
|
Uncommon service stop operation
|
LOLBIN process executed with a high integrity level
|
Uncommon attempt to clear shell history
|
Possible code downloading from a remote host by Regsvr32
|
PowerShell runs suspicious base64-encoded commands
|
Possible DLL Hijack into a Microsoft process
|
Remote DCOM command execution
|
Uncommon signed process execution by scheduled task
|
TGT request with a spoofed sAMAccountName - Network
|
Possible malicious .NET compilation started by a commonly abused process
|
Uncommon DotNet module load relationship
|
Uncommon login item persistency was registered or modified
|
Mshta.exe launched with suspicious arguments
|
Rundll32.exe executes a rare unsigned module
|
Interactive login by a machine account
|
Suspicious Process Spawned by Adobe Reader
|
Rundll32.exe running with no command-line arguments
|
An uncommon RDP session was established
|
Recurring rare domain access from an unsigned process
|
Suspicious Certutil AD CS contact
|
Unpopular rsync process execution
|
Reading bash command history file
|
Microsoft Office process spawns a commonly abused process
|
Suspicious disablement of the Windows Firewall
|
Setuid and Setgid file bit manipulation
|
New addition to Windows Defender exclusion list
|
The Linux system firewall was disabled
|
Linux network share discovery
|
Suspicious SearchProtocolHost.exe parent process
|
Globally uncommon root-domain port combination from a signed process
|
Globally uncommon process execution from a signed process
|
Multiple uncommon SSH Servers with the same Server host key
|
Uncommon kernel module load
|
Adding execution privileges
|
Bitsadmin.exe persistence using command-line callback
|
Compressing data using python
|
Python HTTP server started
|
Globally uncommon high entropy module was loaded
|
Uncommon user management via net.exe
|
Suspicious container orchestration job
|
Unusual Process Spawned by Nginx in Ingress-Nginx pod
|
A process connected to a rare cloud resource
|
LDAP traffic from non-standard process
|
Suspicious process execution from tmp folder
|
Rare Windows Remote Management (WinRM) HTTP Activity
|
A disabled user attempted to log in
|
Rare signature signed executable executed in the network
|
Indirect command execution using the Program Compatibility Assistant
|
A contained executable was executed by an unusual process
|
Certutil pfx parsing
|
Remote service start from an uncommon source
|
Uncommon msiexec execution of an arbitrary file from a remote location
|
Suspicious authentication package registered
|
Interactive login from a shared user account
|
Abnormal communication with a rare combination of TLS and HTTP User Agent
|
Uncommon Linux remote shell command execution
|
Service execution via sc.exe
|
Possible Search For Password Files
|
A Successful login from TOR
|
Possible Kerberoasting without SPNs
|
Suspicious ICMP packet
|
Executable moved to Windows system folder
|
Bronze-Bit exploit
|
Failed Login For Locked-Out Account
|
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller
|
Interactive at.exe privilege escalation method
|
Signed process performed an unpopular DLL injection
|
Unusual AWS user added to group
|
Scrcons.exe Rare Child Process
|
Globally uncommon IP address connection from a signed process
|
Uncommon recurring rare external host access
|
File transfer from unusual IP using known tools
|
A Possible crypto miner was detected on a host
|
Rare Unix process divided files by size
|
Office process spawned with suspicious command-line arguments
|
Msiexec execution of an executable from an uncommon remote location
|
Abnormal Recurring Communications to a Rare Domain
|
Registration of Uncommon .NET Services and/or Assemblies
|
WebDAV drive mounted from net.exe over HTTPS
|
Unusual weak authentication by user
|
Modification of PAM
|
Login by a dormant user
|
LOLBAS executable injects into another process
|
Possible collection of screen captures with Windows Problem Steps Recorder
|
Retrieval of kubelet credentials
|
Possible Pass-the-Hash
|
Phantom DLL Loading
|
Commonly abused AutoIT script connects to an external domain
|
Copy a process memory file
|
Remote service command execution from an uncommon source
|
Procdump executed from an atypical directory
|
Web server CGO executed an uncommon process
|
Rare process executed by an AppleScript
|
Suspicious process accessed a site masquerading as Google
|
Rare process execution by user
|
The CA policy EditFlags was queried
|
Suspicious Process Spawned by wininit.exe
|
Abnormal Communication to a Rare Domain
|
Interactive login by a service account
|
Rare Unsigned Process Spawned by Office Process Under Suspicious Directory
|
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server
|
Suspicious External RDP Login
|
Uncommon net group command execution
|
Delayed Deletion of Files
|
A service was disabled
|
Possible new DHCP server
|
Uncommon RDP connection
|
Autorun.inf created in root C drive
|
Hydra Password Brute-Force Tool Execution
|
AppleScript interpreter dynamic library loaded into a process
|
Unusual cloud Instance Metadata Service (IMDS) access
|
Possible binary padding using dd
|
Masquerading as the Linux crond process
|
Hidden Attribute was added to a file using attrib.exe
|
Unsigned process creates a scheduled task via file access
|
Suspicious docker image download from an unusual repository
|
Suspicious proxy environment variable setting
|
Uncommon remote scheduled task creation
|
Execution of an uncommon process at an early startup stage
|
Execution of masqueraded third-party utility
|
Suspicious print processor registered
|
Suspicious .NET process loads an MSBuild DLL
|
Uncommon IP Configuration Listing via ipconfig.exe
|
Uncommon local scheduled task creation via schtasks.exe
|
Suspicious process executed with a high integrity level
|
Suspicious process loads a known PowerShell module
|
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin
|
Unusual internal access to network device management interface
|
Rare process execution in organization
|
Uncommon SQL like command line
|
Copy a user's GnuPG directory with rsync
|
Installation of a new System-V service
|
Unusual DB process spawning a shell
|
Unusual process accessed the PowerShell history file
|
Command running with COMSPEC in the command line argument
|
Remote PsExec-like command execution
|
Contained process execution with a rare GitHub URL
|
Globally uncommon high entropy process was executed
|
Command execution in a Kubernetes pod
|
Indicator blocking
|
Globally uncommon image load from a signed process
|
Suspicious PowerShell Enumeration of Running Processes
|
Unusual AWS credentials creation
|
Possible DLL Search Order Hijacking
|
Unsigned DLL Hijack into a Microsoft process
|
Mount command was executed from within a Kubernetes pod to list all the attached filesystems
|
Unusual Kubernetes dashboard communication from a pod
|
Uncommon cloud CLI tool usage
|
Rare WinRM Session
|
Keylogging using system commands
|
PsExec was executed with a suspicious command line
|
MSI accessed a web page running a server-side script
|
A rare local administrator login
|
Rare security product signed executable executed in the network
|
Scripting engine connected to a rare external host
|
Injection into rundll32.exe
|
Unusual Lolbins Process Spawned by InstallUtil.exe
|
Rundll32.exe spawns conhost.exe
|
Rare process with VNC server capabilities started
|
Execution of an uncommon process at an early startup stage by Windows system binary
|
Possible use of IPFS was detected
|
A TCP stream was created directly in a shell
|
Mshta.exe spawns from a browser process
|
Common third-party software name masquerading
|
Uncommon Launch Agent persistency was registered or modified
|
Authentication Attempt From a Dormant Account
|
Unsigned and unpopular process performed a DLL injection
|
Rare LOLBIN Process Execution by User
|
Kubernetes API server communication from within a pod
|
Suspicious HTTP parameters detected
|
Suspicious time provider registered
|
A contained executable from a mounted share initiated a suspicious outbound network connection
|
Commonly abused process launched as a system service
|
Uncommon routing table listing via route.exe
|
Windows CGO, actor and action processes with anomalous characteristics
|
Rare SMTP/S Session
|
Failed Login For a Long Username With Special Characters
|
Uncommon ARP cache listing via arp.exe
|
Possible network service discovery via command-line tool
|
Script file added to startup-related Registry keys
|
A user accessed an uncommon AppID
|
Rare SSH Session
|
Kubernetes vulnerability scanner activity
|
AppleScript executed a shell script
|
Uncommon net localgroup command execution
|
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
|
System shutdown or reboot
|
Suspicious successful RDP connection to localhost
|
A process is masquerading as a common Microsoft product
|
Rare AppID usage to a rare destination
|
Conhost.exe spawned a suspicious cmd process
|
Rare process created an SSH session to an uncommon external host
|
Uncommon Managed Object Format (MOF) compiler usage
|
New FTP Server
|
Rare NTLM Usage by User
|
Rare RDP session to a remote host
|
Execution of command from within a Kubernetes pod using kubelet credentials
|
Windows Installer exploitation for local privilege escalation
|
A commonly abused process connected to a rare external host
|
Weakly-Encrypted Kerberos TGT Response
|
WmiPrvSe.exe Rare Child Command Line
|
Suspicious NTLM authentication with machine account
|
Suspicious sshpass command execution
|
Rare binary connected to a rare cloud resource
|
Possible data obfuscation
|
Unsigned DLL Side-Loading
|
Globally uncommon root domain from a signed process
|
Possible compromised machine account
|
Possible network sniffing attempt via tcpdump or tshark
|
Execution of an uncommon process with a local/domain user SID at an early startup stage
|
Rare process created an SSH session to an uncommon cloud resource
|
Recurring access to rare IP
|
Mimikatz command-line arguments
|
Suspicious runonce.exe parent process
|
Login attempt by a honey user
|
System information discovery via psinfo.exe
|
Uncommon remote monitoring and management tool
|
A browser was opened in private mode
|
Suspicious failed HTTP request - potential Spring4Shell exploit
|
Globally uncommon injection from a signed process
|
Screensaver process executed from Users or temporary folder
|
VM Detection attempt on Linux
|
Tampering with Internet Explorer Protected Mode configuration
|
Uncommon reverse SSH tunnel to external domain/ip
|
MpCmdRun.exe was used to download files into the system
|
Suspicious certutil command line
|
A process connected to rare external host
|
Stored credentials exported using credwiz.exe
|
Run downloaded script using pipe
|
Execution of dllhost.exe with an empty command line
|
Suspicious systemd timer activity
|
Unusual compressed file password protection
|
Uncommon Linux shell command execution
|
Possible IPFS traffic was detected
|
An uncommon RDP session from a managed host
|
Suspicious RunOnce Parent Process
|
Ping to localhost from an uncommon, unsigned parent process
|
Suspicious SMB connection from domain controller
|
Local account discovery
|
Suspicious container runtime connection from within a Kubernetes Pod
|
Rare SMB session to a remote host
|
Unusual SSH activity that resembles SSH proxy
|
Uncommon macOS shell command execution
|
SUID/GUID permission discovery
|
Cached credentials discovery with cmdkey
|
Extracting credentials from Unix files
|
Command execution via wmiexec
|
Kubernetes secret enumeration activity
|
Unsigned process injecting into a Windows system binary with no command line
|
PowerShell suspicious flags
|
Uncommon remote service start via sc.exe
|
Iptables configuration command was executed
|
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary
|
Svchost.exe loads a rare unsigned module
|
An uncommon service was started
|
Uncommon SSH session was established
|
Manipulation of netsh helper DLLs Registry keys
|
Linux process execution with a rare GitHub URL
|
Kubernetes nsenter container escape
|
Suspicious setspn.exe execution
|
Globally uncommon IP address by a common process (sha256)
|
SMB Traffic from Non-Standard Process
|
Unicode RTL Override Character
|
Microsoft Office Process Spawning a Suspicious One-Liner
|
A commonly abused process connected to a rare cloud resource
|
RDP Connection to localhost
|
Encoded information using Windows certificate management tool
|
Unusual Azure AD sync module load
|
Discovery of host users via WMIC
|
Windows LOLBIN executable connected to a rare external host
|
Rare communication over email ports to external email server by unsigned process
|
Uncommon VNC server communication
|
RDP from an unmanaged endpoint in a typically managed subnet
|
A suspicious process enrolled for a certificate
|
Uncommon Service Create/Config
|
Suspicious usage of File Server Remote VSS Protocol (FSRVP)
|
A user logged in from an abnormal country or ASN
|
Rare binary connected to a rare external host
|
Unsigned and unpopular process performed an injection
|
Globally uncommon root-domain port combination by a common process (sha256)
|
Memory dumping with comsvcs.dll
|
A compressed file was exfiltrated over SSH
|
Wscript/Cscript loads .NET DLLs
|
Remote code execution into Kubernetes Pod
|
Rare file transfer over SMB protocol
|
Abnormal network communication through TOR using an uncommon port
|
Okta FastPass reported phishing attack suspected
|
Unprivileged process opened a registry hive
|
Weakly-Encrypted Kerberos Ticket Requested
|
Wsmprovhost.exe Rare Child Process
|
Recurring access to rare domain
|
Abnormal User Login to Domain Controller
|
A third-party utility was copied to a different location
|
Wbadmin deleted files in quiet mode
|
Rare process spawned by srvany.exe
|
Kubernetes version disclosure
|
A compromised process accessed a rare external host
|
Possible AS-REP Roasting Attack
|
Possible Kerberoasting attack
|
A compromised process accessed a rare cloud resource
|
XDR Agent with eXtended Threat Hunting (XTH) |
A user connected a new USB storage device to multiple hosts
|
Outlook files accessed by an unsigned process
|
Excessive user account lockouts
|
Possible data exfiltration over a USB storage device
|
A new machine attempted Kerberos delegation
|
Possible Kerberos User Enumeration
|
Massive file compression by user
|
Possible Privilege Escalation using Delegated MSA account
|
A user sent multiple TGT requests to irregular service
|
Possible LDAP enumeration by unsigned process
|
Suspicious access to cloud credential files
|
User added to the SMS Admins local group
|
Suspicious reconnaissance using LDAP
|
A user executed multiple LDAP enumeration queries
|
Multiple suspicious user accounts were created
|
Possible internal data exfiltration over a USB storage device
|
A user requested multiple service tickets
|
A user accessed an abnormal number of files on a remote shared folder
|
A contained process attempted to escape using the 'notify on release' feature
|
User and Group Enumeration via SAMR
|
Abnormal File Activity in SCCMContentLib Shared Folder by user
|
User added to a group and removed
|
Local group enumeration
|
Abnormal RPC traffic to multiple hosts
|
User collected remote shared files in an archive
|
A user printed an unusual number of files
|
A user took numerous screenshots
|
A user received multiple weakly encrypted service tickets
|
A user performed suspiciously massive file activity
|
SCCM log files enumeration
|
Abnormal sensitive RPC traffic to multiple hosts
|
Multiple TGT requests for users without Kerberos pre-authentication
|
Single account excessively locked out
|
Massive file activity abnormal to process
|
Multiple user accounts were deleted
|
Short-lived user account
|
A user established an SMB connection to multiple hosts
|
A user accessed an abnormal number of remote shared folders
|
Possible LDAP Enumeration of Microsoft Configuration Manager
|
Space after filename
|
Possible SPN enumeration
|
Executable created to disk by lsass.exe
|
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet
|
Rare Scheduled Task RPC activity
|
A process modified an SSH authorized_keys file
|
Mailbox Client Access Setting (CAS) changed
|
Suspicious PowerSploit's recon module (PowerView) net function was executed
|
Unusual process accessed a web browser history file
|
Suspicious access of the System Management Container
|
Modification of NTLM restrictions in the Registry
|
Unusual access to the AD Sync credential files
|
NTDS.dit file written by an uncommon executable
|
Possible use of a networking driver for network sniffing
|
Unusual Kubernetes service account file read
|
Suspicious modification of the AdminSDHolder's ACL
|
Privileged certificate request via certificate template
|
Rare machine account creation
|
Microsoft Office adds a value to autostart Registry key
|
Suspicious AMSI decode attempt
|
Unusual process accessed a crypto wallet's files
|
Unusual process accessed web browser cookies
|
Known service display name with uncommon image-path
|
Suspicious Print System Remote Protocol usage by a process
|
Suspicious Udev driver rule execution manipulation
|
Suspicious DotNet log file created
|
VM Detection attempt
|
A browser extension was installed or loaded in an uncommon way
|
LSASS dump file written to disk
|
Unusual ADConnect database file access
|
Uncommon Security Support Provider (SSP) registered via a registry key
|
Known service name with an uncommon image-path
|
LDAP search query from an unpopular and unsigned process
|
A user connected a new USB storage device to a host
|
A rare file path was added to the AppInit_DLLs registry value
|
Suspicious active setup registered
|
Suspicious dNSHostName attribute change to DC name
|
PowerShell pfx certificate extraction
|
An uncommon file added to startup-related Registry keys
|
A suspicious executable with multiple file extensions was created
|
Discovery of misconfigured certificate templates using LDAP
|
Sensitive account password reset attempt
|
Possible GPO Enumeration
|
A suspicious direct syscall was executed
|
Suspicious account attribute modification that matches that of another account
|
A user added a Windows firewall rule
|
A user enabled a default local account
|
Possible authentication coercion
|
User added SID History to an account
|
TGT request with a spoofed sAMAccountName - Event log
|
User account delegation change
|
Unusual user account enablement
|
Uncommon sensitive filesystem registry hive access
|
A user modified the CA audit policy
|
Commonly abused AutoIT script drops an executable file to disk
|
Unusual CertLog Remote File Write
|
Security tools detection attempt
|
Local user enumeration via SAMR
|
Suspicious domain user account creation
|
Windows event logs were cleared with PowerShell
|
System profiling WMI query execution
|
DSC (Desired State Configuration) lateral movement using PowerShell
|
Unusual process accessed a macOS notes DB file
|
Service ticket request with a spoofed sAMAccountName
|
A suspicious process queried AD CS objects via LDAP
|
A remote service was created via RPC over SMB
|
Creation or modification of the default command executed when opening an application
|
Uncommon jsp file write by a Java process
|
A user changed the Windows system time
|
User set insecure CA registry setting for global SANs
|
SPNs cleared from a machine account
|
Administrator groups enumerated via LDAP
|
Possible Distributed File System Namespace Management (DFSNM) abuse
|
Suspicious LDAP search query executed
|
RDP connections enabled remotely via Registry
|
Suspicious access to shadow file
|
Rare scheduled task created
|
Linux system firewall was modified
|
Suspicious Kubernetes pod token access
|
A user connected a USB storage device for the first time
|
Uncommon browser extension loaded
|
Uncommon attempt at grabbing credentials from a sensitive file
|
Office process accessed an unusual .LNK file
|
Change of sudo caching configuration
|
Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts
|
User discovery via WMI query execution
|
Uncommon access to cloud platforms' sensitive files by a scripting engine
|
Tampering with the Windows User Account Controls (UAC) configuration
|
A machine certificate was issued with a mismatch
|
Uncommon access to Microsoft Teams credential files
|
A computer account was promoted to DC
|
Unusual Netsh PortProxy rule
|
LDAP AD CS Enumeration via Attack Tool
|
PowerShell used to remove mailbox export request logs
|
Discovery of accounts with pre-authentication disabled via LDAP
|
Rare process accessed a Keychain file
|
Uncommon SetWindowsHookEx API invocation of a possible keylogger
|
Access to kubelet credentials file
|
Suspicious sAMAccountName change
|
Unusual process access to ld.so.preload file
|
A process queried the ADFS database decryption key via LDAP
|
A compiled HTML help file wrote a script file to the disk
|
Uncommon creation or access operation of sensitive shadow copy
|
Vulnerable certificate template loaded
|
Browser Extension Installed
|
Access to Kubernetes configuration file
|
ClickFix - PowerShell executed through the run application
|
Possible Persistence via group policy Registry keys
|
Uncommon access to /etc/passwd
|
Possible LDAP Enumeration Tool Usage
|
Elevation to SYSTEM via services
|
Local group enumeration via RPC
|
An unusual archive file creation by a user
|
An uncommon file was created in the startup folder
|
Machine account was added to a domain admins group
|
Uncommon GetClipboardData API function invocation of a possible information stealer
|
LOLBIN created a PSScriptPolicyTest PowerShell script file
|
Possible DCSync from a non domain controller
|
Rare DCOM RPC activity
|
Suspicious disablement of the Windows Firewall using PowerShell commands
|
A WMI subscriber was created
|
Deletion of AD CS certificate database entries
|
Unusual CIM repository file access
|
Unusual access to the Windows Internal Database on an ADFS server
|
Unusual process accessed a messaging app's files
|
Uncommon AT task-job creation by user
|
Suspicious process modified RC script file
|
Possible webshell file written by a web server process
|
Unusual use of a 'SysInternals' tool
|
Browser bookmark files accessed by a rare non-browser process
|
Unusual process accessed web browser credentials
|
Suspicious certificate template modification
|
Suspicious process accessed certificate files
|
Rare service DLL was added to the registry
|
A user created a pfx file for the first time
|
PowerShell used to export mailbox contents
|
Unusual process accessed FTP Client credentials
|
Rare Remote Service (SVCCTL) RPC activity
|
Uncommon PowerShell commands used to create or alter scheduled task parameters
|
Local user account creation by a machine account
|
Unusual Encrypting File System Remote call (EFSRPC) to domain controller
|
Masquerading as a default local account
|
Potential SCCM credential harvesting using WMI detected
|
A user account was modified to password never expires
|
Local user account creation
|
A user queried AD CS objects via LDAP
|
An uncommon executable was remotely written over SMB to an uncommon destination
|
Key credential attribute modification
|
Sensitive browser credential files accessed by a rare non browser process
|
Unusual user account unlock
|
PKINIT TGT authentication request
|
An unpopular process accessed the microphone on the host
|
Uncommon attempt at discovering a sensitive file
|
Access to sensitive host files from within a Kubernetes pod
|
Uncommon file access over WebDAV
|
Access to Kubernetes CA certificate file
|
Uncommon sensitive registry hive dump
|
Image file execution options (IFEO) registry key set
|
New process created via a WMI call
|
Scheduled Task hidden by registry modification
|
Potential DCSync by an unusual user
|
Suspicious hidden user created
|
Executable or Script file written by a web server process
|
A user created an abnormal password-protected archive
|
SecureBoot was disabled
|
Member added to a Windows local security group
|
A user was added to a Windows security group
|
A user certificate was issued with a mismatch
|
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer
|
An unusual process in ingress-nginx has accessed a service-account token file
|
Potential kubelet impersonation attempt
|
A compromised process accessed a rare external host
|
Possible AS-REP Roasting Attack
|
Possible Kerberoasting attack
|
Web server CGO executed a process following a potential Webshell dropped
|
An executable was written and executed by a web server
|
A compromised process accessed a rare cloud resource
|
Suspicious access to Kubernetes API with kubelet credentials
|