AWS Audit Log |
Cloud infrastructure enumeration activity
|
Allocation of multiple cloud compute resources
|
Deletion of multiple cloud resources
|
Multiple failed logins from a single IP
|
Cloud user performed multiple actions that were denied
|
Abnormal Allocation of compute resources in multiple regions
|
Multiple cloud snapshots export
|
Storage enumeration activity
|
Kubernetes enumeration activity
|
Multi region enumeration activity
|
An identity dumped multiple secrets from a project
|
An identity performed a suspicious download of multiple cloud storage objects
|
Suspicious objects encryption in an AWS bucket
|
IAM Enumeration sequence
|
Suspicious identity downloaded multiple objects from a bucket
|
AWS user creation
|
Kubernetes cluster events deletion
|
A Kubernetes namespace was created or deleted
|
Unusual resource modification by newly seen IAM user
|
Unusual AWS systems manager activity
|
A Kubernetes Cronjob was created
|
Cloud Trail logging deletion
|
MFA device was removed/deactivated from an IAM user
|
AWS SecurityHub findings were modified
|
Unusual exec into a Kubernetes Pod
|
A cloud function was created with an unusual runtime
|
An AWS Route 53 domain was transferred to another AWS account
|
Kubernetes pod creation with host network
|
A cloud identity invoked IAM related persistence operations
|
A Kubernetes Pod was deleted
|
AWS CloudWatch log group deletion
|
Disable encryption operations
|
Kubernetes Pod Created With Sensitive Volume
|
Suspicious usage of EC2 token
|
An AWS SAML provider was modified
|
A Kubernetes deployment was created
|
AWS Role Trusted Entity modification
|
AWS Root account activity
|
A cloud storage object was copied to a foreign cloud account
|
Remote usage of AWS Lambda's role
|
An AWS S3 bucket configuration was modified
|
Cloud compute instance user data script modification
|
Cloud snapshot of a database or storage instance was publicly shared
|
An AWS EFS File-share mount was deleted
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
A Kubernetes cluster was created or deleted
|
An AWS ElastiCache security group was modified or deleted
|
Unusual certificate management activity
|
AWS S3 bucket was exposed to public access
|
Kubernetes Pod created with host process ID (PID) namespace
|
A Backup vault policy was modified
|
An AWS GuardDuty IP set was created
|
An operation was performed by an identity from a domain that was not seen in the organization
|
AWS STS temporary credentials were generated
|
AWS web ACL deletion
|
AWS config resource deletion
|
An AWS ElastiCache security group was created
|
Penetration testing tool attempt
|
A Command Line Interface (CLI) command was executed from an AWS serverless compute service
|
Remote usage of an AWS service token
|
AWS Config Recorder stopped
|
An identity attached an administrative policy to an IAM user/role
|
Unusual cross projects activity
|
Suspicious heavy allocation of compute resources - possible mining activity
|
Activity in a dormant region of a cloud project
|
S3 configuration deletion
|
AWS EC2 instance exported into S3
|
Kubernetes vulnerability scanning tool usage
|
An AWS database service master user password was changed
|
Cloud Watch alarm deletion
|
Cloud storage automatic backup disabled
|
Unusual secret management activity
|
A Kubernetes StatefulSet was created
|
A user logged in to the AWS console for the first time
|
Suspicious cloud compute instance ssh keys modification attempt
|
A cloud identity had escalated its permissions
|
Unusual key management activity
|
Unusual Identity and Access Management (IAM) activity
|
Kubernetes admission controller activity
|
An identity started an AWS SSM session
|
AWS IAM resource group deletion
|
AWS Cloud Trail log trail modification
|
A Kubernetes role binding was created or deleted
|
A Kubernetes ConfigMap was created or deleted
|
AWS Transfer Family server created
|
An AWS SES Email sending settings were modified
|
Cloud identity reached a throttling API rate
|
IAM User added to an IAM group
|
A Kubernetes ephemeral container was created
|
An AWS SES identity was deleted
|
Kubernetes network policy modification
|
A Kubernetes service account executed an unusual API call
|
Data encryption was disabled
|
Suspicious API call from a Tor exit node
|
An IAM group was created
|
Billing admin role was removed
|
An AWS EKS cluster was created or deleted
|
Cloud Trail Logging has been stopped/suspended
|
An AWS RDS instance was created from a snapshot
|
EC2 snapshot attribute has been modified
|
An AWS EFS file-share was deleted
|
Aurora DB cluster stopped
|
Kubernetes service account activity outside the cluster
|
A Kubernetes service was created or deleted
|
Unusual resource modification/creation
|
A compute-attached identity executed API calls outside the instance's region
|
A container registry was created or deleted
|
A cloud instance was stopped
|
A Kubernetes service account was created or deleted
|
Denied API call by a Kubernetes service account
|
Cloud impersonation attempt by unusual identity type
|
Cloud unusual access key creation
|
Cloud email service activity
|
AWS data asset shared public
|
Network sniffing detected in Cloud environment
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
A Kubernetes cluster role binding was created or deleted
|
A Kubernetes node service account activity from external IP
|
Penetration testing tool activity
|
Unusual IAM enumeration activity by a non-user Identity
|
AWS Flow Logs deletion
|
AWS SSM send command attempt
|
A Kubernetes secret was created or deleted
|
An Email address was added to AWS SES
|
A Kubernetes service account has enumerated its permissions
|
Kubernetes pod creation from unknown container image registry
|
Kubernetes Privileged Pod Creation
|
Unusual cloud identity impersonation
|
Cloud compute serial console access
|
AWS CloudWatch log stream deletion
|
AWS network ACL rule deletion
|
A cloud identity created or modified a security group
|
A Kubernetes DaemonSet was created
|
An identity disabled bucket logging
|
AWS Guard-Duty detector deletion
|
A Kubernetes ReplicaSet was created
|
An AWS Lambda function was modified
|
A cloud identity executed an API call from an unusual country
|
An AWS RDS Global Cluster Deletion
|
Object versioning was disabled
|
AWS RDS cluster deletion
|
An AWS Lambda Function was created
|
AWS network ACL rule creation
|
A cloud snapshot was created or modified
|
A Kubernetes dashboard service account was used outside the cluster
|
A Kubernetes Pod was created with a sidecar container
|
A cloud storage configuration was modified
|
Cloud storage delete protection disabled
|
An identity created or updated password for an IAM user
|
AWS Flow Log |
An internal Cloud resource performed port scan on external networks
|
SSH brute force attempt
|
Unusual SSH activity that resembles SSH proxy
|
AWS OCSF Flow Logs |
An internal Cloud resource performed port scan on external networks
|
SSH brute force attempt
|
Unusual SSH activity that resembles SSH proxy
|
Azure Audit Log |
Allocation of multiple cloud compute resources
|
Deletion of multiple cloud resources
|
Multiple failed logins from a single IP
|
Cloud user performed multiple actions that were denied
|
Abnormal Allocation of compute resources in multiple regions
|
Multiple cloud snapshots export
|
Mailbox enumeration activity by Azure application
|
Storage enumeration activity
|
Microsoft OneDrive enumeration activity
|
Kubernetes enumeration activity
|
Azure enumeration activity using Microsoft Graph API
|
Multi region enumeration activity
|
An identity dumped multiple secrets from a project
|
An identity performed a suspicious download of multiple cloud storage objects
|
Azure uncommon increase in API request sizes
|
Suspicious identity downloaded multiple objects from a bucket
|
Microsoft Teams enumeration activity
|
Microsoft SharePoint enumeration activity
|
Microsoft OneNote enumeration activity
|
An Azure identity performed multiple actions that were denied
|
Kubernetes cluster events deletion
|
A Kubernetes namespace was created or deleted
|
Owner was added to Azure application
|
Unusual resource modification by newly seen IAM user
|
Azure Network Watcher Deletion
|
A Kubernetes Cronjob was created
|
Unusual exec into a Kubernetes Pod
|
Kubernetes pod creation with host network
|
PIM privilege member removal
|
A cloud identity invoked IAM related persistence operations
|
A Kubernetes Pod was deleted
|
Attempted Azure application access from unknown tenant
|
Azure user creation/deletion
|
Azure Key Vault modification
|
An identity was granted permissions to manage user access to Azure resources
|
Kubernetes Pod Created With Sensitive Volume
|
A Kubernetes deployment was created
|
A Service Principal was created in Azure
|
An Azure virtual network was modified
|
A cloud storage object was copied to a foreign cloud account
|
Azure Service principal/Application creation
|
An Azure Kubernetes Cluster was created or deleted
|
Azure Automation Account Creation
|
Remote usage of an Azure Service Principal token
|
External user invitation to Azure tenant
|
An Azure Suppression Rule was created
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
A Kubernetes cluster was created or deleted
|
An Azure Kubernetes Service Account was modified or deleted
|
Unusual certificate management activity
|
An Azure DNS Zone was modified
|
An Azure Firewall was modified
|
Kubernetes Pod created with host process ID (PID) namespace
|
OneDrive file download
|
Modification or Deletion of an Azure Application Gateway Detected
|
An operation was performed by an identity from a domain that was not seen in the organization
|
Azure group creation/deletion
|
Azure Automation Webhook creation
|
Unusual resource access by Azure application
|
Azure Event Hub Authorization rule creation/modification
|
Azure storage account was publicly shared
|
Unusual cross projects activity
|
Azure device code authentication flow used
|
Credentials were added to Azure application
|
Suspicious heavy allocation of compute resources - possible mining activity
|
Activity in a dormant region of a cloud project
|
Kubernetes vulnerability scanning tool usage
|
Cloud storage automatic backup disabled
|
Unusual secret management activity
|
An Azure Cloud Shell was Created
|
An Azure Kubernetes Role or Cluster-Role was modified
|
A Kubernetes StatefulSet was created
|
An Azure Key Vault was modified
|
An Azure firewall rule group was modified
|
Azure Blob Container Access Level Modification
|
Suspicious cloud compute instance ssh keys modification attempt
|
A cloud identity had escalated its permissions
|
Unusual key management activity
|
Kubernetes admission controller activity
|
Remote usage of an Azure Managed Identity token
|
An identity accessed Azure Kubernetes Secrets
|
Azure conditional access policy creation or modification
|
A Kubernetes role binding was created or deleted
|
A Kubernetes ConfigMap was created or deleted
|
Azure permission delegation granted
|
Cloud identity reached a throttling API rate
|
An Azure Network Security Group was modified
|
A Kubernetes ephemeral container was created
|
Kubernetes network policy modification
|
A Kubernetes service account executed an unusual API call
|
Suspicious API call from a Tor exit node
|
Billing admin role was removed
|
Azure Storage Account key generated
|
Azure Resource Group Deletion
|
Kubernetes service account activity outside the cluster
|
A Kubernetes service was created or deleted
|
Unusual resource modification/creation
|
An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted
|
An Azure Firewall policy deletion
|
Removal of an Azure Owner from an Application or Service Principal
|
A container registry was created or deleted
|
A Service Principal was removed from Azure
|
Soft delete of cloud storage configuration was disabled
|
Azure virtual machine commands execution
|
A cloud instance was stopped
|
A Kubernetes service account was created or deleted
|
Denied API call by a Kubernetes service account
|
Azure diagnostic configuration deletion
|
OneDrive file upload
|
An Azure virtual network Device was modified
|
Azure Event Hub Deletion
|
An Azure application reached a throttling API rate
|
Cloud email service activity
|
Granting Access to an Account
|
Azure mailbox rule creation
|
Azure user password reset
|
Network sniffing detected in Cloud environment
|
An Azure VPN Connection was modified
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
A Kubernetes cluster role binding was created or deleted
|
An Azure Point-to-Site VPN was modified
|
A Kubernetes node service account activity from external IP
|
Penetration testing tool activity
|
Cloud resource logging was disabled
|
Azure application removed
|
Azure storage account blob anonymous access is enabled
|
OneDrive folder creation
|
Azure Automation Runbook Creation/Modification
|
A Kubernetes secret was created or deleted
|
A Kubernetes service account has enumerated its permissions
|
Kubernetes pod creation from unknown container image registry
|
Kubernetes Privileged Pod Creation
|
Cloud compute serial console access
|
A cloud identity created or modified a security group
|
Privileged role used by Azure application
|
A Kubernetes DaemonSet was created
|
A Kubernetes ReplicaSet was created
|
Authentication method was added to Azure account
|
A cloud identity executed an API call from an unusual country
|
An Azure Key Vault key was modified
|
Object versioning was disabled
|
Azure storage account cross-tenant object replication was enabled
|
A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment
|
Azure Automation Runbook Deletion
|
Azure Key Vault Secrets were modified
|
A cloud snapshot was created or modified
|
A Kubernetes dashboard service account was used outside the cluster
|
Azure Kubernetes events were deleted
|
A Kubernetes Pod was created with a sidecar container
|
A cloud storage configuration was modified
|
Cloud storage delete protection disabled
|
An Azure Firewall Rule Collection was modified
|
Azure Flow Log |
An internal Cloud resource performed port scan on external networks
|
SSH brute force attempt
|
Unusual SSH activity that resembles SSH proxy
|
Azure SignIn Log |
Intense SSO failures
|
SSO Password Spray
|
Impossible traveler - SSO
|
A user accessed multiple unusual resources via SSO
|
SSO Brute Force
|
User attempted to connect from a suspicious country
|
First SSO access from ASN for user
|
First SSO access from ASN in organization
|
First SSO Resource Access in the Organization
|
A successful SSO sign-in from TOR
|
SSO authentication by a service account
|
SSO with new operating system
|
Suspicious SSO access from ASN
|
First connection from a country in organization
|
SSO authentication by a machine account
|
A user connected from a new country
|
SSO with abnormal user agent
|
A disabled user attempted to authenticate via SSO
|
A user logged in at an unusual time via SSO
|
AzureAD |
Intense SSO failures
|
SSO Password Spray
|
Impossible traveler - SSO
|
A user accessed multiple unusual resources via SSO
|
SSO Brute Force
|
User attempted to connect from a suspicious country
|
First SSO access from ASN for user
|
SSO authentication attempt by a honey user
|
First SSO access from ASN in organization
|
Suspicious Azure AD interactive sign-in using PowerShell
|
SSO with abnormal operating system
|
Authentication attempt by a honey user
|
First SSO Resource Access in the Organization
|
A successful SSO sign-in from TOR
|
SSO authentication by a service account
|
SSO with new operating system
|
A possible risky login to Azure
|
Suspicious SSO access from ASN
|
First connection from a country in organization
|
SSO authentication by a machine account
|
A user connected from a new country
|
SSO with abnormal user agent
|
A disabled user attempted to authenticate via SSO
|
Suspicious authentication with Azure Password Hash Sync user
|
A user logged in at an unusual time via SSO
|
AzureAD Audit Log |
Multiple Azure AD admin role removals
|
Short-lived Azure AD user account
|
Owner added to Azure application
|
Azure account deletion by a non-standard account
|
Conditional Access policy removed
|
Azure service principal assigned app role
|
Azure audit - MFA fraud reported
|
Azure application URI modification
|
Azure AD PIM elevation request
|
MFA was disabled for an Azure identity
|
Authentication method added to an Azure account
|
Azure Temporary Access Pass (TAP) registered to an account
|
Azure AD account unlock/password reset attempt
|
Unusual Conditional Access operation for an identity
|
Azure account creation by a non-standard account
|
Azure domain federation settings modification attempt
|
Identity assigned an Azure AD Administrator Role
|
Azure AD PIM alert disabled
|
First Azure AD PowerShell operation for a user
|
Azure application credentials added
|
Device Registration Policy modification
|
Unverified domain added to Azure AD
|
Successful unusual guest user invitation
|
BitLocker key retrieval
|
Azure application consent
|
Azure AD PIM role settings change
|
Box Audit Log |
External SaaS file-sharing activity
|
Massive upload to SaaS service
|
Massive file downloads from SaaS service
|
Suspicious SaaS API call from a Tor exit node
|
DropBox |
External SaaS file-sharing activity
|
Massive upload to SaaS service
|
Massive file downloads from SaaS service
|
Suspicious SaaS API call from a Tor exit node
|
Duo |
Intense SSO failures
|
SSO Password Spray
|
Impossible traveler - SSO
|
A user accessed multiple unusual resources via SSO
|
SSO Brute Force
|
User attempted to connect from a suspicious country
|
First SSO access from ASN for user
|
First SSO access from ASN in organization
|
First SSO Resource Access in the Organization
|
A successful SSO sign-in from TOR
|
SSO authentication by a service account
|
SSO with new operating system
|
Suspicious SSO access from ASN
|
First connection from a country in organization
|
SSO authentication by a machine account
|
A user connected from a new country
|
SSO with abnormal user agent
|
A disabled user attempted to authenticate via SSO
|
A user logged in at an unusual time via SSO
|
Gcp Audit Log |
Cloud infrastructure enumeration activity
|
Allocation of multiple cloud compute resources
|
Deletion of multiple cloud resources
|
Multiple failed logins from a single IP
|
Cloud user performed multiple actions that were denied
|
Abnormal Allocation of compute resources in multiple regions
|
Multiple cloud snapshots export
|
Storage enumeration activity
|
Kubernetes enumeration activity
|
Multi region enumeration activity
|
An identity dumped multiple secrets from a project
|
An identity performed a suspicious download of multiple cloud storage objects
|
IAM Enumeration sequence
|
Suspicious identity downloaded multiple objects from a bucket
|
GCP Logging Sink Deletion
|
Kubernetes cluster events deletion
|
A Kubernetes namespace was created or deleted
|
Unusual resource modification by newly seen IAM user
|
A Kubernetes Cronjob was created
|
GCP Service Account key creation
|
GCP Service Account deletion
|
Unusual exec into a Kubernetes Pod
|
A cloud function was created with an unusual runtime
|
Kubernetes pod creation with host network
|
GCP Firewall Rule Modification
|
A cloud identity invoked IAM related persistence operations
|
A Kubernetes Pod was deleted
|
Kubernetes Pod Created With Sensitive Volume
|
A Kubernetes deployment was created
|
GCP set IAM policy activity
|
Cloud compute instance user data script modification
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
A Kubernetes cluster was created or deleted
|
Unusual certificate management activity
|
Kubernetes Pod created with host process ID (PID) namespace
|
GCP Virtual Private Network Route Creation
|
An operation was performed by an identity from a domain that was not seen in the organization
|
GCP Storage Bucket Configuration Modification
|
GCP Storage Bucket Permissions Modification
|
Unusual cross projects activity
|
Suspicious heavy allocation of compute resources - possible mining activity
|
Activity in a dormant region of a cloud project
|
Kubernetes vulnerability scanning tool usage
|
Cloud storage automatic backup disabled
|
Unusual secret management activity
|
A Kubernetes StatefulSet was created
|
Suspicious cloud compute instance ssh keys modification attempt
|
A cloud identity had escalated its permissions
|
Unusual key management activity
|
Unusual Identity and Access Management (IAM) activity
|
GCP Virtual Private Cloud (VPC) Network Deletion
|
Kubernetes admission controller activity
|
A Kubernetes role binding was created or deleted
|
A Kubernetes ConfigMap was created or deleted
|
GCP Pub/Sub Topic Deletion
|
GCP Pub/Sub Subscription Deletion
|
Cloud identity reached a throttling API rate
|
A Kubernetes ephemeral container was created
|
Remote usage of VM Service Account token
|
Kubernetes network policy modification
|
A Kubernetes service account executed an unusual API call
|
Suspicious API call from a Tor exit node
|
Billing admin role was removed
|
GCP IAM Custom Role Creation
|
GCP Service Account Disable
|
Kubernetes service account activity outside the cluster
|
A Kubernetes service was created or deleted
|
Unusual resource modification/creation
|
A container registry was created or deleted
|
A cloud instance was stopped
|
A Kubernetes service account was created or deleted
|
Denied API call by a Kubernetes service account
|
Cloud impersonation attempt by unusual identity type
|
Cloud unusual access key creation
|
GCP Virtual Private Network Route Deletion
|
GCP VPC Firewall Rule Deletion
|
Network sniffing detected in Cloud environment
|
Cloud Organizational policy was created or modified
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
A Kubernetes cluster role binding was created or deleted
|
A Kubernetes node service account activity from external IP
|
GCP IAM Service Account Key Deletion
|
Penetration testing tool activity
|
Cloud resource logging was disabled
|
Unusual IAM enumeration activity by a non-user Identity
|
A Kubernetes secret was created or deleted
|
A Kubernetes service account has enumerated its permissions
|
Kubernetes pod creation from unknown container image registry
|
Kubernetes Privileged Pod Creation
|
Unusual cloud identity impersonation
|
GCP data asset shared public
|
Cloud compute serial console access
|
A cloud identity created or modified a security group
|
A Kubernetes DaemonSet was created
|
A Kubernetes ReplicaSet was created
|
GCP Logging Sink Modification
|
GCP IAM Role Deletion
|
A cloud identity executed an API call from an unusual country
|
Remote usage of an App engine Service Account token
|
A Command Line Interface (CLI) command was executed from a GCP serverless compute service
|
GCP Firewall Rule creation
|
GCP Logging Bucket Deletion
|
GCP Service Account creation
|
A cloud snapshot was created or modified
|
GCP Storage Bucket deletion
|
A Kubernetes dashboard service account was used outside the cluster
|
A Kubernetes Pod was created with a sidecar container
|
A cloud storage configuration was modified
|
Cloud storage delete protection disabled
|
Gcp Flow Log |
An internal Cloud resource performed port scan on external networks
|
SSH brute force attempt
|
Unusual SSH activity that resembles SSH proxy
|
Google Workspace Audit Logs |
External SaaS file-sharing activity
|
Massive upload to SaaS service
|
Massive file downloads from SaaS service
|
Gmail routing settings changed
|
A Google Workspace user was added to a group
|
A Google Workspace identity performed an unusual admin console activity
|
A Google Workspace identity used the security investigation tool
|
A mail forwarding rule was configured in Google Workspace
|
An app was added to Google Marketplace
|
SaaS suspicious external domain user activity
|
Gmail delegation was turned on for the organization
|
An app was removed from a blocked list in Google Workspace
|
User accessed SaaS resource via anonymous link
|
Data Sharing between GCP and Google Workspace was disabled
|
A third-party application was authorized to access the Google Workspace APIs
|
A third-party application's access to the Google Workspace domain's resources was revoked
|
External Sharing was turned on for Google Drive
|
A domain was added to the trusted domains list
|
Google Marketplace restrictions were modified
|
Google Workspace organizational unit was modified
|
An app was added to the Google Workspace trusted OAuth apps list
|
Suspicious SaaS API call from a Tor exit node
|
MFA Disabled for Google Workspace
|
A Google Workspace identity created, assigned or modified a role
|
A Google Workspace Role privilege was deleted
|
A Google Workspace service was configured as unrestricted
|
A Google Workspace user was removed from a group
|
Admin privileges were granted to a Google Workspace user
|
Google Workspace third-party application's security settings were changed
|
A GCP service account was delegated domain-wide authority in Google Workspace
|
Google Workspace Authentication |
First SSO access from ASN for user
|
First SSO access from ASN in organization
|
Suspicious SSO access from ASN
|
A user logged in at an unusual time via SSO
|
Health Monitoring Data |
Logs were not collected from a data source for an abnormally long time
|
Parsing Rule Error
|
Correlation rule error
|
Collection error
|
Error in event forwarding
|
Kubernetes Audit Logs |
Kubernetes enumeration activity
|
Kubernetes cluster events deletion
|
A Kubernetes namespace was created or deleted
|
A Kubernetes Cronjob was created
|
Unusual exec into a Kubernetes Pod
|
Kubernetes pod creation with host network
|
A Kubernetes Pod was deleted
|
Kubernetes Pod Created With Sensitive Volume
|
A Kubernetes deployment was created
|
A Kubernetes API operation was successfully invoked by an anonymous user
|
A Kubernetes cluster was created or deleted
|
Kubernetes Pod created with host process ID (PID) namespace
|
Kubernetes vulnerability scanning tool usage
|
A Kubernetes StatefulSet was created
|
Kubernetes admission controller activity
|
A Kubernetes role binding was created or deleted
|
A Kubernetes ConfigMap was created or deleted
|
A Kubernetes ephemeral container was created
|
Kubernetes network policy modification
|
A Kubernetes service account executed an unusual API call
|
Suspicious API call from a Tor exit node
|
Kubernetes service account activity outside the cluster
|
A Kubernetes service was created or deleted
|
A container registry was created or deleted
|
A Kubernetes service account was created or deleted
|
Denied API call by a Kubernetes service account
|
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace
|
A Kubernetes cluster role binding was created or deleted
|
A Kubernetes node service account activity from external IP
|
A Kubernetes secret was created or deleted
|
A Kubernetes service account has enumerated its permissions
|
Kubernetes pod creation from unknown container image registry
|
Kubernetes Privileged Pod Creation
|
A Kubernetes DaemonSet was created
|
A Kubernetes ReplicaSet was created
|
A cloud identity executed an API call from an unusual country
|
A Kubernetes dashboard service account was used outside the cluster
|
A Kubernetes Pod was created with a sidecar container
|
Microsoft 365 Emails |
AURL - Email contains URL(s) classified as inappropriate
|
EMAIL BETA - Email Punycode characters in URL
|
EMAIL BETA - Usage of homograph characters detected in an email
|
EMAIL BETA - Email containing a link with an IP address convention was detected
|
EMAIL BETA - Email containing a redirected link
|
EMAIL BETA - Email with URL shortener detected
|
AURL - Email was received from a newly registered domain
|
EMAIL BETA - Email was received from an unknown sender using a public provider domain
|
EMAIL BETA - Email suspicious Moniker link detected
|
AURL - Email contains URL(s) classified as malicious
|
AURL - An email was received from a domain classified as risky
|
AURL - Unpopular domain(s) detected in an email's URL(s)
|
EMAIL BETA - Well-known brand impersonation within an email's from address domain
|
EMAIL BETA - Email was received from an unknown sender using a disposable domain
|
EMAIL BETA - Email attachment with a potentially malicious file extension
|
EMAIL BETA - Email attachment with multiple extensions
|
EMAIL BETA - Email attachment(s) with potentially malicious MIME type
|
EMAIL BETA - Unpopular URL domain(s) in your organization detected in email
|
AURL - Email was sent from a domain classified as inappropriate
|
EMAIL BETA - Unpopular domains detected in email URLs for a recipient
|
AURL - An email was sent from a malicious domain
|
EMAIL BETA - Usage of homograph characters detected in an email's from header
|
EMAIL BETA - X-Forefront-Antispam-Report has flagged this email as a potential threat
|
AURL - URL(s) classified as risky have been detected within Email
|
EMAIL BETA - Unusual hostname for the sending mail server in the email headers
|
EMAIL BETA - Email message contains text hiding attributes
|
EMAIL BETA - Email was received from an unknown sender using a recognized domain
|
EMAIL BETA - Email has a short body or subject and was sent from an external source
|
EMAIL BETA - Unpopular URL(s) detected in email
|
EMAIL BETA - Rarely seen URL(s) within a well-known domain detected in your organization's email
|
EMAIL BETA - Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values
|
EMAIL BETA - Suspicious Unicode character detected in email
|
EMAIL BETA - Email mimics replies or forwards without an actual ongoing conversation
|
EMAIL BETA - External email display name impersonation of internal personnel
|
Microsoft Graph Logs |
Mailbox enumeration activity by Azure application
|
Microsoft OneDrive enumeration activity
|
Azure enumeration activity using Microsoft Graph API
|
Azure uncommon increase in API request sizes
|
Microsoft Teams enumeration activity
|
Microsoft SharePoint enumeration activity
|
Microsoft OneNote enumeration activity
|
An Azure identity performed multiple actions that were denied
|
Owner was added to Azure application
|
Attempted Azure application access from unknown tenant
|
Azure user creation/deletion
|
Azure Service principal/Application creation
|
External user invitation to Azure tenant
|
OneDrive file download
|
Azure group creation/deletion
|
Unusual resource access by Azure application
|
Credentials were added to Azure application
|
Azure conditional access policy creation or modification
|
OneDrive file upload
|
An Azure application reached a throttling API rate
|
Azure mailbox rule creation
|
Azure user password reset
|
Penetration testing tool activity
|
OneDrive folder creation
|
Privileged role used by Azure application
|
Authentication method was added to Azure account
|
Office 365 Audit |
External SaaS file-sharing activity
|
Massive upload to SaaS service
|
User moved Exchange sent messages to deleted items
|
Sensitive Exchange mail sent to external users
|
Exchange mailbox delegation permissions added
|
User accessed multiple O365 AIP sensitive files
|
Massive file downloads from SaaS service
|
A user uploaded malware to SharePoint or OneDrive
|
Exchange Safe Attachment policy disabled or removed
|
Exchange email-hiding transport rule
|
Exchange DKIM signing configuration disabled
|
DLP sensitive data exposed to external users
|
Exchange anti-phish policy disabled or removed
|
Exchange compliance search created
|
Exchange mailbox audit bypass
|
Exchange user mailbox forwarding
|
SaaS suspicious external domain user activity
|
Exchange malware filter policy removed
|
Exchange inbox forwarding rule configured
|
User accessed SaaS resource via anonymous link
|
Penetration testing tool activity attempt
|
Exchange audit log disabled
|
Exchange mailbox folder permission modification
|
Exchange Safe Link policy disabled or removed
|
Suspicious SaaS API call from a Tor exit node
|
Rare DLP rule match by user
|
Exchange email-hiding inbox rule
|
Microsoft 365 DLP policy disabled or removed
|
SharePoint Site Collection admin group addition
|
Exchange transport forwarding rule configured
|
Okta |
A user rejected an SSO request from an unusual country
|
Intense SSO failures
|
SSO Password Spray
|
Impossible traveler - SSO
|
A user accessed multiple unusual resources via SSO
|
Multiple Okta MFA requests sent to a user
|
SSO Brute Force
|
User attempted to connect from a suspicious country
|
First SSO access from ASN for user
|
SSO authentication attempt by a honey user
|
First SSO access from ASN in organization
|
SSO with abnormal operating system
|
Authentication attempt by a honey user
|
First SSO Resource Access in the Organization
|
Suspicious SSO authentication
|
A successful SSO sign-in from TOR
|
SSO authentication by a service account
|
SSO with new operating system
|
Suspicious SSO access from ASN
|
First connection from a country in organization
|
SSO authentication by a machine account
|
A user connected from a new country
|
SSO with abnormal user agent
|
A disabled user attempted to authenticate via SSO
|
A user logged in at an unusual time via SSO
|
Okta Audit Log |
Okta account reset password attempt
|
Okta account unlock
|
Okta device assignment
|
A user observed and reported unusual activity in Okta
|
Okta Reported Threat Detected
|
Okta admin privilege assignment
|
Okta account unlock by admin
|
A user modified an Okta network zone
|
User added a new device to Okta Verify instance
|
A user modified an Okta policy rule
|
A user accessed Okta's admin application
|
A user attempted to bypass Okta MFA
|
Potential Okta access limit breach
|
Okta User Session Impersonation
|
Okta Reported Attack Suspected
|
Okta API Token Created
|
OneLogin |
Intense SSO failures
|
SSO Password Spray
|
Impossible traveler - SSO
|
A user accessed multiple unusual resources via SSO
|
SSO Brute Force
|
User attempted to connect from a suspicious country
|
First SSO access from ASN for user
|
SSO authentication attempt by a honey user
|
First SSO access from ASN in organization
|
Authentication attempt by a honey user
|
First SSO Resource Access in the Organization
|
A successful SSO sign-in from TOR
|
SSO authentication by a service account
|
Suspicious SSO access from ASN
|
First connection from a country in organization
|
SSO authentication by a machine account
|
A user connected from a new country
|
A disabled user attempted to authenticate via SSO
|
A user logged in at an unusual time via SSO
|
Palo Alto Networks Global Protect |
Impossible traveler - VPN
|
VPN login Brute-Force attempt
|
VPN access with an abnormal operating system
|
VPN login by a service account
|
First VPN access from ASN in organization
|
A user connected to a VPN from a new country
|
A user logged in at an unusual time via VPN
|
First VPN access from ASN for user
|
A disabled user attempted to log in to a VPN
|
First VPN access attempt from a country in organization
|
VPN login by a dormant user
|
A Successful VPN connection from TOR
|
VPN login attempt by a honey user
|
VPN login with a machine account
|
Palo Alto Networks Platform Logs |
Rare LDAP enumeration
|
Subdomain Fuzzing
|
Increase in Job-Related Site Visits
|
Failed Connections
|
Kerberos User Enumeration
|
Large Upload (FTP)
|
Abnormal sensitive RPC traffic to multiple hosts
|
Kerberos Pre-Auth Failures by Host
|
Multiple Weakly-Encrypted Kerberos Tickets Received
|
Suspicious DNS traffic
|
HTTP with suspicious characteristics
|
Download pattern that resembles Peer to Peer traffic
|
NTLM Hash Harvesting
|
Large Upload (HTTPS)
|
Kerberos Pre-Auth Failures by User and Host
|
New Administrative Behavior
|
A user accessed multiple time-consuming websites
|
Upload pattern that resembles Peer to Peer traffic
|
Random-Looking Domain Names
|
DNS Tunneling
|
Rare access to known advertising domains
|
Uncommon WPAD queries
|
SSH brute force attempt
|
SSH brute force attempt
|
Port Scan
|
Large Upload (Generic)
|
Spam Bot Traffic
|
NTLM Relay
|
NTLM Password Spray
|
Large Upload (SMTP)
|
Multiple Suspicious FTP Login Attempts
|
Massive upload to a rare storage or mail domain
|
Failed DNS
|
Unusual SSH activity that resembles SSH proxy
|
Unusual SSH activity that resembles SSH proxy
|
Unique client computer model was detected via MS-Update protocol
|
Weakly-Encrypted Kerberos Ticket Requested
|
Possible path traversal via HTTP request
|
Rare SMB session to a remote host
|
Rare file transfer over SMB protocol
|
A Possible crypto miner was detected on a host
|
Rare MS-Update traffic over HTTP
|
Abnormal Communication to a Rare Domain
|
Failed Login For a Long Username With Special Characters
|
Rare NTLM Usage by User
|
A Torrent client was detected on a host
|
Suspicious SSH Downgrade
|
Weakly-Encrypted Kerberos TGT Response
|
Failed Login For Locked-Out Account
|
Rare AppID usage to a rare destination
|
A user accessed an uncommon AppID
|
Rare DCOM RPC activity
|
FTP Connection Using an Anonymous Login or Default Credentials
|
Authentication Attempt From a Dormant Account
|
Suspicious SMB connection from domain controller
|
Suspicious failed HTTP request - potential Spring4Shell exploit
|
A rare FTP user has been detected on an existing FTP server
|
Suspicious NTLM authentication with machine account
|
Rare Windows Remote Management (WinRM) HTTP Activity
|
Rare NTLM Access By User To Host
|
Suspicious ICMP packet
|
Rare Scheduled Task RPC activity
|
Rare Remote Service (SVCCTL) RPC activity
|
Bronze-Bit exploit
|
Possible DCSync from a non domain controller
|
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller
|
Recurring rare domain access to dynamic DNS domain
|
Possible IPFS traffic was detected
|
Abnormal communication with a rare combination of TLS and HTTP User Agent
|
Abnormal Recurring Communications to a Rare Domain
|
Rare RDP session to a remote host
|
Possible use of IPFS was detected
|
New FTP Server
|
Uncommon SSH session was established
|
Abnormal network communication through TOR using an uncommon port
|
Rare MS-Update Server was detected
|
Rare SMTP/S Session
|
Recurring access to rare IP
|
Possible Kerberoasting without SPNs
|
Multiple uncommon SSH Servers with the same Server host key
|
Palo Alto Networks Url Logs |
Non-browser access to a pastebin-like site
|
Uncommon network tunnel creation
|
A non-browser process accessed a website UI
|
PowerShell Initiates a Network Connection to GitHub
|
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol
|
PingOne |
Intense SSO failures
|
SSO Password Spray
|
Impossible traveler - SSO
|
A user accessed multiple unusual resources via SSO
|
SSO Brute Force
|
User attempted to connect from a suspicious country
|
First SSO access from ASN for user
|
SSO authentication attempt by a honey user
|
First SSO access from ASN in organization
|
Authentication attempt by a honey user
|
First SSO Resource Access in the Organization
|
A successful SSO sign-in from TOR
|
SSO authentication by a service account
|
Suspicious SSO access from ASN
|
First connection from a country in organization
|
SSO authentication by a machine account
|
A user connected from a new country
|
SSO with abnormal user agent
|
A disabled user attempted to authenticate via SSO
|
A user logged in at an unusual time via SSO
|
Third-Party Firewalls |
Failed Connections
|
Large Upload (HTTPS)
|
New Administrative Behavior
|
Upload pattern that resembles Peer to Peer traffic
|
SSH brute force attempt
|
Port Scan
|
Spam Bot Traffic
|
Large Upload (SMTP)
|
Unusual SSH activity that resembles SSH proxy
|
Rare SMB session to a remote host
|
Abnormal Communication to a Rare Domain
|
A Torrent client was detected on a host
|
Rare AppID usage to a rare destination
|
Suspicious SMB connection from domain controller
|
Recurring rare domain access to dynamic DNS domain
|
Abnormal Recurring Communications to a Rare Domain
|
Rare RDP session to a remote host
|
New FTP Server
|
Uncommon SSH session was established
|
Rare SMTP/S Session
|
Recurring access to rare IP
|
Third-Party VPNs |
Impossible traveler - VPN
|
VPN login Brute-Force attempt
|
VPN access with an abnormal operating system
|
VPN login by a service account
|
First VPN access from ASN in organization
|
A user connected to a VPN from a new country
|
A user logged in at an unusual time via VPN
|
First VPN access from ASN for user
|
A disabled user attempted to log in to a VPN
|
First VPN access attempt from a country in organization
|
VPN login by a dormant user
|
A Successful VPN connection from TOR
|
VPN login attempt by a honey user
|
VPN login with a machine account
|
Windows Event Collector |
Short-lived user account
|
User added to the SMS Admins local group
|
A user sent multiple TGT requests to irregular service
|
A user requested multiple service tickets
|
A user received multiple weakly encrypted service tickets
|
A user printed an unusual number of files
|
User added to a group and removed
|
Excessive user account lockouts
|
A new machine attempted Kerberos delegation
|
Multiple TGT requests for users without Kerberos pre-authentication
|
Multiple suspicious user accounts were created
|
Multiple user accounts were deleted
|
Rare machine account creation
|
Local user account creation
|
Vulnerable certificate template loaded
|
User account delegation change
|
A machine certificate was issued with a mismatch
|
Machine account was added to a domain admins group
|
Security tools detection attempt
|
A computer account was promoted to DC
|
Suspicious access of the System Management Container
|
Unusual user account enablement
|
A user modified the CA audit policy
|
Suspicious hidden user created
|
A user enabled a default local account
|
Suspicious sAMAccountName change
|
Member added to a Windows local security group
|
Key credential attribute modification
|
Deletion of AD CS certificate database entries
|
User added SID History to an account
|
Mailbox Client Access Setting (CAS) changed
|
VM Detection attempt
|
Administrator groups enumerated via LDAP
|
SPNs cleared from a machine account
|
TGT request with a spoofed sAMAccountName - Event log
|
Masquerading as a default local account
|
A user was added to a Windows security group
|
A user account was modified to password never expires
|
Sensitive account password reset attempt
|
Possible Kerberos relay attack
|
PKINIT TGT authentication request
|
PowerShell used to remove mailbox export request logs
|
PowerShell used to export mailbox contents
|
Unusual user account unlock
|
A user changed the Windows system time
|
Suspicious domain user account creation
|
Suspicious modification of the AdminSDHolder's ACL
|
Service ticket request with a spoofed sAMAccountName
|
A user certificate was issued with a mismatch
|
Privileged certificate request via certificate template
|
XDR Agent |
Multiple discovery-like commands
|
Subdomain Fuzzing
|
Failed Connections
|
Possible external RDP Brute-Force
|
Kerberos User Enumeration
|
Large Upload (FTP)
|
Sudoedit Brute force attempt
|
Suspicious ICMP traffic that resembles smurf attack
|
NTLM Brute Force on an Administrator Account
|
Kerberos Pre-Auth Failures by Host
|
Multiple Weakly-Encrypted Kerberos Tickets Received
|
Suspicious DNS traffic
|
A user authenticated with weak NTLM to multiple hosts
|
Multiple Rare Process Executions in Organization
|
HTTP with suspicious characteristics
|
Internal Login Password Spray
|
Download pattern that resembles Peer to Peer traffic
|
Remote account enumeration
|
NTLM Hash Harvesting
|
Large Upload (HTTPS)
|
Kerberos Pre-Auth Failures by User and Host
|
New Administrative Behavior
|
Abnormal SMB activity to multiple hosts
|
Multiple users authenticated with weak NTLM to a host
|
Kubernetes environment enumeration activity
|
Abnormal RDP connections to multiple hosts
|
A user logged on to multiple workstations via Schannel
|
Possible brute force on sudo user
|
Multiple discovery commands on a Windows host by the same process
|
Upload pattern that resembles Peer to Peer traffic
|
Random-Looking Domain Names
|
SSH authentication brute force attempts
|
Possible TGT reuse from different hosts (pass the ticket)
|
Abnormal ICMP echo (PING) to multiple hosts
|
Possible brute force or configuration change attempt on cytool
|
DNS Tunneling
|
Multiple discovery commands
|
Rare access to known advertising domains
|
Uncommon WPAD queries
|
NTLM Brute Force on a Service Account
|
Brute-force attempt on a local account
|
SSH brute force attempt
|
Port Scan
|
Large Upload (Generic)
|
Multiple discovery commands on a Linux host by the same process
|
Multiple Rare LOLBIN Process Executions by User
|
Spam Bot Traffic
|
NTLM Relay
|
New Shared User Account
|
NTLM Password Spray
|
External Login Password Spray
|
Possible Brute-Force attempt
|
Account probing
|
Large Upload (SMTP)
|
Interactive local account enumeration
|
Massive upload to a rare storage or mail domain
|
NTLM Brute Force
|
Failed DNS
|
Suspicious container reconnaissance activity in a Kubernetes pod
|
A process connected to rare external host
|
Unusual SSH activity that resembles SSH proxy
|
Uncommon Service Create/Config
|
Suspicious Certutil AD CS contact
|
Remote code execution into Kubernetes Pod
|
Possible Email collection using Outlook RPC
|
Setuid and Setgid file bit manipulation
|
Bitsadmin.exe persistence using command-line callback
|
Iptables configuration command was executed
|
Uncommon communication to an instant messaging server
|
Svchost.exe loads a rare unsigned module
|
Weakly-Encrypted Kerberos Ticket Requested
|
Linux process execution with a rare GitHub URL
|
Interactive at.exe privilege escalation method
|
Discovery of host users via WMIC
|
A compressed file was exfiltrated over SSH
|
A Successful login from TOR
|
Possible path traversal via HTTP request
|
Rare SMB session to a remote host
|
Attempt to execute a command on a remote host using PsExec.exe
|
Suspicious curl user agent
|
Suspicious process execution from tmp folder
|
Wbadmin deleted files in quiet mode
|
Suspicious time provider registered
|
Suspicious disablement of the Windows Firewall
|
Interactive login from a shared user account
|
Suspicious container runtime connection from within a Kubernetes Pod
|
A disabled user attempted to log in
|
Rare file transfer over SMB protocol
|
Possible DLL Hijack into a Microsoft process
|
A Possible crypto miner was detected on a host
|
A contained executable from a mounted share initiated a suspicious outbound network connection
|
Uncommon msiexec execution of an arbitrary file from a remote location
|
Script file added to startup-related Registry keys
|
Possible new DHCP server
|
Suspicious sshpass command execution
|
Kubernetes version disclosure
|
Recurring rare domain access from an unsigned process
|
Interactive login by a service account
|
PowerShell suspicious flags
|
Fodhelper.exe UAC bypass
|
The CA policy EditFlags was queried
|
Python HTTP server started
|
AppleScript process executed with a rare command line
|
Execution of the Hydra Linux password brute-force tool
|
Registration of Uncommon .NET Services and/or Assemblies
|
Uncommon kernel module load
|
Uncommon user management via net.exe
|
Uncommon routing table listing via route.exe
|
Rare signature signed executable executed in the network
|
Injection into rundll32.exe
|
Execution of an uncommon process at an early startup stage
|
Uncommon RDP connection
|
Cached credentials discovery with cmdkey
|
LOLBIN process executed with a high integrity level
|
Remote DCOM command execution
|
Suspicious SearchProtocolHost.exe parent process
|
Command execution in a Kubernetes pod
|
Rundll32.exe running with no command-line arguments
|
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin
|
Abnormal Communication to a Rare Domain
|
Uncommon Managed Object Format (MOF) compiler usage
|
SUID/GUID permission discovery
|
A TCP stream was created directly in a shell
|
Failed Login For a Long Username With Special Characters
|
Screensaver process executed from Users or temporary folder
|
Globally uncommon IP address by a common process (sha256)
|
Possible data obfuscation
|
Rare NTLM Usage by User
|
Command running with COMSPEC in the command line argument
|
A Torrent client was detected on a host
|
Globally uncommon image load from a signed process
|
Suspicious setspn.exe execution
|
Unusual Azure AD sync module load
|
Scripting engine connected to a rare external host
|
Weakly-Encrypted Kerberos TGT Response
|
Indicator blocking
|
Failed Login For Locked-Out Account
|
A rare local administrator login
|
Rare AppID usage to a rare destination
|
AppleScript executed a shell script
|
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary
|
Login attempt by a honey user
|
Suspicious module load using direct syscall
|
A user accessed an uncommon AppID
|
Uncommon reverse SSH tunnel to external domain/ip
|
Suspicious Process Spawned by Adobe Reader
|
Unusual Lolbins Process Spawned by InstallUtil.exe
|
Unpopular rsync process execution
|
Wscript/Cscript loads .NET DLLs
|
Command execution via wmiexec
|
Netcat makes or gets connections
|
Kubernetes nsenter container escape
|
Possible compromised machine account
|
Possible network sniffing attempt via tcpdump or tshark
|
Rare process spawned by srvany.exe
|
Unusual compressed file password protection
|
A service was disabled
|
Download a script using the python requests module
|
Unusual process accessed the PowerShell history file
|
Scrcons.exe Rare Child Process
|
Suspicious process loads a known PowerShell module
|
Commonly abused AutoIT script connects to an external domain
|
Kerberos Traffic from Non-Standard Process
|
Adding execution privileges
|
Mshta.exe launched with suspicious arguments
|
An uncommon service was started
|
Masquerading as the Linux crond process
|
Copy a process memory file
|
Kubernetes secret enumeration activity
|
LOLBAS executable injects into another process
|
Suspicious External RDP Login
|
Uncommon local scheduled task creation via schtasks.exe
|
Remote service command execution from an uncommon source
|
Certutil pfx parsing
|
Autorun.inf created in root C drive
|
Manipulation of netsh helper DLLs Registry keys
|
Abnormal process connection to default Meterpreter port
|
Globally uncommon root-domain port combination by a common process (sha256)
|
A user logged in from an abnormal country or ASN
|
Unprivileged process opened a registry hive
|
Authentication Attempt From a Dormant Account
|
MSI accessed a web page running a server-side script
|
Remote WMI process execution
|
Unusual Kubernetes API server communication from a pod
|
Suspicious SMB connection from domain controller
|
File transfer from unusual IP using known tools
|
Rare communication over email ports to external email server by unsigned process
|
Suspicious failed HTTP request - potential Spring4Shell exploit
|
Uncommon DLL-sideloading from a logical CD-ROM (ISO) device
|
WebDAV drive mounted from net.exe over HTTPS
|
RDP Connection to localhost
|
Rare process executed by an AppleScript
|
Suspicious process executed with a high integrity level
|
Uncommon driver loaded
|
Possible malicious .NET compilation started by a commonly abused process
|
Uncommon remote scheduled task creation
|
MpCmdRun.exe was used to download files into the system
|
A contained executable was executed by an unusual process
|
Keylogging using system commands
|
Phantom DLL Loading
|
Suspicious RunOnce Parent Process
|
System information discovery via psinfo.exe
|
Execution of an uncommon process with a local/domain user SID at an early startup stage
|
Uncommon execution of ODBCConf
|
Windows Event Log was cleared using wevtutil.exe
|
Suspicious NTLM authentication with machine account
|
Unsigned process injecting into a Windows system binary with no command line
|
Suspicious process accessed a site masquerading as Google
|
Suspicious PowerShell Enumeration of Running Processes
|
Rare Windows Remote Management (WinRM) HTTP Activity
|
Suspicious proxy environment variable setting
|
Installation of a new System-V service
|
Rare NTLM Access By User To Host
|
Suspicious docker image download from an unusual repository
|
Uncommon net group or localgroup execution
|
Uncommon remote service start via sc.exe
|
Rare Unix process divided files by size
|
Procdump executed from an atypical directory
|
Suspicious ICMP packet
|
Globally uncommon root-domain port combination from a signed process
|
VM Detection attempt on Linux
|
Modification of PAM
|
Office process creates a scheduled task via file access
|
Stored credentials exported using credwiz.exe
|
Possible Microsoft process masquerading
|
Kubernetes vulnerability scanner activity
|
Suspicious process execution in a privileged container
|
SMB Traffic from Non-Standard Process
|
Globally uncommon process execution from a signed process
|
Possible Pass-the-Hash
|
Copy a user's GnuPG directory with rsync
|
Abnormal User Login to Domain Controller
|
Suspicious data encryption
|
Permission Groups discovery commands
|
Extracting credentials from Unix files
|
Windows Installer exploitation for local privilege escalation
|
Unusual Kubernetes dashboard communication from a pod
|
Possible Search For Password Files
|
Execution of renamed lolbin
|
Suspicious Process Spawned by wininit.exe
|
Unusual AWS credentials creation
|
Suspicious usage of File Server Remote VSS Protocol (FSRVP)
|
Ping to localhost from an uncommon, unsigned parent process
|
Microsoft Office Process Spawning a Suspicious One-Liner
|
Globally uncommon high entropy module was loaded
|
Run downloaded script using pipe
|
Globally uncommon root domain from a signed process
|
Bronze-Bit exploit
|
Possible DLL Search Order Hijacking
|
Suspicious systemd timer activity
|
Globally uncommon IP address connection from a signed process
|
Possible binary padding using dd
|
Linux network share discovery
|
Remote PsExec-like command execution
|
Encoded information using Windows certificate management tool
|
Suspicious process execution by scheduled task
|
Execution of dllhost.exe with an empty command line
|
Uncommon IP Configuration Listing via ipconfig.exe
|
Mimikatz command-line arguments
|
Suspicious .NET process loads an MSBuild DLL
|
Remote service start from an uncommon source
|
Commonly abused process launched as a system service
|
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller
|
Abnormal Communication to a Rare IP
|
Recurring rare domain access to dynamic DNS domain
|
Hidden Attribute was added to a file using attrib.exe
|
Possible IPFS traffic was detected
|
Cloud Unusual Instance Metadata Service (IMDS) access
|
Globally uncommon high entropy process was executed
|
Possible Kerberos relay attack
|
Contained process execution with a rare GitHub URL
|
Interactive login by a machine account
|
Suspicious authentication package registered
|
The Linux system firewall was disabled
|
Abnormal communication with a rare combination of TLS and HTTP User Agent
|
Unusual weak authentication by user
|
Execution of an uncommon process at an early startup stage by Windows system binary
|
Suspicious PowerShell Command Line
|
Abnormal Recurring Communications to a Rare Domain
|
Rare RDP session to a remote host
|
Reading bash command history file
|
Suspicious print processor registered
|
Signed process performed an unpopular DLL injection
|
Uncommon shell command execution
|
New addition to Windows Defender exclusion list
|
WmiPrvSe.exe Rare Child Command Line
|
Rare process execution by user
|
TGT request with a spoofed sAMAccountName - Network
|
Possible use of IPFS was detected
|
New FTP Server
|
Possible collection of screen captures with Windows Problem Steps Recorder
|
Rare Unsigned Process Spawned by Office Process Under Suspicious Directory
|
Login by a dormant user
|
Possible DLL Side-Loading
|
Wsmprovhost.exe Rare Child Process
|
Unusual DB process spawning a shell
|
A browser was opened in private mode
|
Signed process performed an unpopular injection
|
Delayed Deletion of Files
|
Rare LOLBIN Process Execution by User
|
Uncommon SSH session was established
|
Microsoft Office injects code into a process
|
Indirect command execution using the Program Compatibility Assistant
|
Compressing data using python
|
Tampering with Internet Explorer Protected Mode configuration
|
Rare WinRM Session
|
Suspicious runonce.exe parent process
|
Uncommon cloud CLI tool usage
|
Unsigned and unpopular process performed a DLL injection
|
Msiexec execution of an executable from an uncommon remote location
|
Uncommon remote monitoring and management tool
|
PowerShell runs suspicious base64-encoded commands
|
A suspicious process enrolled for a certificate
|
Rundll32.exe spawns conhost.exe
|
PsExec was executed with a suspicious command line
|
LDAP traffic from non-standard process
|
Abnormal network communication through TOR using an uncommon port
|
Suspicious container orchestration job
|
Unusual AWS user added to group
|
Memory dumping with comsvcs.dll
|
Suspicious successful RDP connection to localhost
|
A process connected to a rare external host
|
Uncommon net localgroup execution
|
Uncommon DotNet module load relationship
|
Suspicious certutil command line
|
Unsigned process creates a scheduled task via file access
|
A process was executed with a command line obfuscated by Unicode character substitution
|
Rare SMTP/S Session
|
A LOLBIN was copied to a different location
|
Rare SSH Session
|
Possible RDP session hijacking using tscon.exe
|
Possible network service discovery via command-line tool
|
Recurring access to rare IP
|
Unsigned and unpopular process performed an injection
|
Microsoft Office process spawns a commonly abused process
|
Rundll32.exe executes a rare unsigned module
|
Windows LOLBIN executable connected to a rare external host
|
Rare process execution in organization
|
Service execution via sc.exe
|
Possible Kerberoasting without SPNs
|
Vulnerable driver loaded
|
Multiple uncommon SSH Servers with the same Server host key
|
Local account discovery
|
Uncommon ARP cache listing via arp.exe
|
Remote command execution via wmic.exe
|
System shutdown or reboot
|
Possible code downloading from a remote host by Regsvr32
|
Rare security product signed executable executed in the network
|
Unicode RTL Override Character
|
Globally uncommon injection from a signed process
|
XDR Agent with eXtended Threat Hunting (XTH) |
Possible LDAP enumeration by unsigned process
|
Short-lived user account
|
A user connected a new USB storage device to multiple hosts
|
A user accessed an abnormal number of remote shared folders
|
User added to the SMS Admins local group
|
A user sent multiple TGT requests to irregular service
|
User collected remote shared files in an archive
|
Abnormal File Activity in SCCMContentLib Shared Folder by user
|
A user requested multiple service tickets
|
Abnormal sensitive RPC traffic to multiple hosts
|
Possible data exfiltration over a USB storage device
|
A user received multiple weakly encrypted service tickets
|
A user took numerous screenshots
|
Outlook files accessed by an unsigned process
|
Massive file compression by user
|
A user accessed an abnormal number of files on a remote shared folder
|
Massive file activity abnormal to process
|
A user established an SMB connection to multiple hosts
|
Possible internal data exfiltration over a USB storage device
|
Suspicious reconnaissance using LDAP
|
A user printed an unusual number of files
|
Suspicious access to cloud credential files
|
A contained process attempted to escape using the 'notify on release' feature
|
User added to a group and removed
|
Excessive user account lockouts
|
A user executed multiple LDAP enumeration queries
|
A new machine attempted Kerberos delegation
|
User and Group Enumeration via SAMR
|
A user performed suspiciously massive file activity
|
Multiple TGT requests for users without Kerberos pre-authentication
|
Multiple suspicious user accounts were created
|
Multiple user accounts were deleted
|
Discovery of accounts with pre-authentication disabled via LDAP
|
LSASS dump file written to disk
|
Suspicious DotNet log file created
|
Browser Extension Installed
|
Suspicious Udev driver rule execution manipulation
|
A suspicious process queried AD CS objects via LDAP
|
Rare machine account creation
|
Unusual process accessed a messaging app's files
|
Possible SPN enumeration
|
Unusual process access to ld.so.preload file
|
A user connected a USB storage device for the first time
|
Rare service DLL was added to the registry
|
Unusual process accessed FTP Client credentials
|
Unusual use of a 'SysInternals' tool
|
Local user account creation
|
Vulnerable certificate template loaded
|
Unusual ADConnect database file access
|
User account delegation change
|
A compiled HTML help file wrote a script file to the disk
|
A machine certificate was issued with a mismatch
|
Known service name with an uncommon image-path
|
A user created an abnormal password-protected archive
|
Suspicious process accessed certificate files
|
Windows event logs were cleared with PowerShell
|
Machine account was added to a domain admins group
|
Security tools detection attempt
|
A suspicious direct syscall was executed
|
A process modified an SSH authorized_keys file
|
A computer account was promoted to DC
|
Office process accessed an unusual .LNK file
|
Suspicious access of the System Management Container
|
Scheduled Task hidden by registry modification
|
Suspicious active setup registered
|
Unusual process accessed a web browser history file
|
New process created via a WMI call
|
Modification of NTLM restrictions in the Registry
|
Unusual Encrypting File System Remote call (EFSRPC) to domain controller
|
Uncommon PowerShell commands used to create or alter scheduled task parameters
|
Suspicious Kubernetes pod token access
|
Unusual user account enablement
|
Rare process accessed a Keychain file
|
Commonly abused AutoIT script drops an executable file to disk
|
A user modified the CA audit policy
|
Unusual Netsh PortProxy rule
|
NTDS.dit file written by an uncommon executable
|
Suspicious Print System Remote Protocol usage by a process
|
Certipy AD CS enumeration via LDAP
|
Suspicious LDAP search query executed
|
Known service display name with uncommon image-path
|
Suspicious hidden user created
|
Microsoft Office adds a value to autostart Registry key
|
Suspicious disablement of the Windows Firewall using PowerShell commands
|
A user enabled a default local account
|
Executable or Script file written by a web server process
|
Uncommon file access over WebDAV
|
A rare file path was added to the AppInit_DLLs registry value
|
Suspicious sAMAccountName change
|
Unusual access to the AD Sync credential files
|
Suspicious PowerSploit's recon module (PowerView) net function was executed
|
Rare DCOM RPC activity
|
Member added to a Windows local security group
|
Key credential attribute modification
|
Creation or modification of the default command executed when opening an application
|
PowerShell pfx certificate extraction
|
Possible GPO Enumeration
|
Uncommon creation or access operation of sensitive shadow copy
|
A process queried the ADFS database decryption key via LDAP
|
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet
|
Deletion of AD CS certificate database entries
|
SecureBoot was disabled
|
System profiling WMI query execution
|
Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts
|
User added SID History to an account
|
Unusual process accessed a macOS notes DB file
|
Mailbox Client Access Setting (CAS) changed
|
VM Detection attempt
|
LOLBIN created a PSScriptPolicyTest PowerShell script file
|
Possible Distributed File System Namespace Management (DFSNM) abuse
|
An unusual archive file creation by a user
|
DSC (Desired State Configuration) lateral movement using PowerShell
|
Executable created to disk by lsass.exe
|
Administrator groups enumerated via LDAP
|
Unusual process accessed a crypto wallet's files
|
A suspicious executable with multiple file extensions was created
|
Uncommon AT task-job creation by user
|
User discovery via WMI query execution
|
LDAP search query from an unpopular and unsigned process
|
An unpopular process accessed the microphone on the host
|
Suspicious access to shadow file
|
SPNs cleared from a machine account
|
User set insecure CA registry setting for global SANs
|
Uncommon jsp file write by a Java process
|
TGT request with a spoofed sAMAccountName - Event log
|
Elevation to SYSTEM via services
|
Suspicious process modified RC script file
|
Masquerading as a default local account
|
Browser bookmark files accessed by a rare non-browser process
|
Linux system firewall was modified
|
Possible use of a networking driver for network sniffing
|
Uncommon SetWindowsHookEx API invocation of a possible keylogger
|
A remote service was created via RPC over SMB
|
Rare Scheduled Task RPC activity
|
Unusual process accessed web browser credentials
|
Sensitive browser credential files accessed by a rare non browser process
|
Rare Remote Service (SVCCTL) RPC activity
|
Suspicious AMSI decode attempt
|
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer
|
Possible DCSync from a non domain controller
|
Uncommon access to Microsoft Teams credential files
|
A user was added to a Windows security group
|
A user account was modified to password never expires
|
Unusual CIM repository file access
|
Unusual access to the Windows Internal Database on an ADFS server
|
Sensitive account password reset attempt
|
Access to Kubernetes configuration file
|
Space after filename
|
Uncommon Security Support Provider (SSP) registered via a registry key
|
An uncommon executable was remotely written over SMB to an uncommon destination
|
PKINIT TGT authentication request
|
A browser extension was installed or loaded in an uncommon way
|
Potential SCCM credential harvesting using WMI detected
|
PowerShell used to remove mailbox export request logs
|
Image file execution options (IFEO) registry key set
|
Unusual CertLog Remote File Write
|
PowerShell used to export mailbox contents
|
Discovery of misconfigured certificate templates using LDAP
|
Unusual user account unlock
|
Rare scheduled task created
|
A user changed the Windows system time
|
An uncommon file added to startup-related Registry keys
|
A user queried AD CS objects via LDAP
|
Possible LDAP Enumeration Tool Usage
|
Uncommon GetClipboardData API function invocation of a possible information stealer
|
A user created a pfx file for the first time
|
An uncommon file was created in the startup folder
|
Uncommon browser extension loaded
|
Suspicious domain user account creation
|
RDP connections enabled remotely via Registry
|
Change of sudo caching configuration
|
Suspicious modification of the AdminSDHolder's ACL
|
A user added a Windows firewall rule
|
Unusual process accessed web browser cookies
|
Unusual Kubernetes service account file read
|
Possible LDAP Enumeration of Microsoft Configuration Manager
|
Service ticket request with a spoofed sAMAccountName
|
Possible Persistence via group policy Registry keys
|
Tampering with the Windows User Account Controls (UAC) configuration
|
A user certificate was issued with a mismatch
|
A WMI subscriber was created
|
Possible webshell file written by a web server process
|
Privileged certificate request via certificate template
|
A user connected a new USB storage device to a host
|