Required Data Sources

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Data sources

Topics

AWS Audit Log

A Kubernetes Cronjob was created

An AWS RDS Global Cluster Deletion

Object versioning was disabled

Suspicious usage of EC2 token

Unusual secret management activity

Kubernetes network policy modification

Penetration testing tool activity

Denied API call by a Kubernetes service account

AWS CloudWatch log group deletion

Kubernetes pod creation with host network

IAM User added to an IAM group

Unusual key management activity

Cloud Trail Logging has been stopped/suspended

Cloud snapshot of a database or storage instance was publicly shared

A Command Line Interface (CLI) command was executed from an AWS serverless compute service

An AWS EKS cluster was created or deleted

A cloud function was created with an unusual runtime

Kubernetes Pod created with host process ID (PID) namespace

AWS config resource deletion

A cloud identity had escalated its permissions

AWS RDS cluster deletion

A Kubernetes StatefulSet was created

An AWS SAML provider was modified

A Kubernetes service account executed an unusual API call

An Email address was added to AWS SES

Unusual Identity and Access Management (IAM) activity

An AWS RDS instance was created from a snapshot

An IAM group was created

A Kubernetes node service account activity from external IP

MFA device was removed/deactivated from an IAM user

An AWS S3 bucket configuration was modified

A Kubernetes deployment was created

A Kubernetes service account was created or deleted

An AWS ElastiCache security group was modified or deleted

Unusual resource modification/creation

Unusual certificate management activity

A Kubernetes ephemeral container was created

A Kubernetes secret was created or deleted

A Kubernetes Pod was created with a sidecar container

Cloud compute instance user data script modification

A Kubernetes ReplicaSet was created

AWS CloudWatch log stream deletion

A Kubernetes Pod was deleted

An AWS Lambda function was modified

An AWS SES identity was deleted

AWS user creation

Cloud compute serial console access

AWS network ACL rule creation

Cloud impersonation attempt by unusual identity type

A cloud identity created or modified a security group

AWS Root account activity

Kubernetes Pod Created with host Inter Process Communications (IPC) namespace

Kubernetes Privileged Pod Creation

Kubernetes pod creation from unknown container image registry

A cloud snapshot was created or modified

An identity attached an administrative policy to an IAM user/role

AWS STS temporary credentials were generated

An AWS Lambda Function was created

A cloud identity invoked IAM related persistence operations

An AWS EFS file-share was deleted

AWS Flow Logs deletion

Suspicious API call from a Tor exit node

A Kubernetes service account has enumerated its permissions

A Kubernetes namespace was created or deleted

AWS Config Recorder stopped

AWS Cloud Trail log trail modification

Cloud storage delete protection disabled

Cloud Trail logging deletion

EC2 snapshot attribute has been modified

AWS SecurityHub findings were modified

A user logged in to the AWS console for the first time

Kubernetes Pod Created With Sensitive Volume

Disable encryption operations

AWS network ACL rule deletion

An AWS database service master user password was changed

An AWS GuardDuty IP set was created

AWS IAM resource group deletion

Cloud unusual access key creation

Unusual cloud identity impersonation

Penetration testing tool attempt

A Kubernetes cluster role binding was created or deleted

An identity created or updated password for an IAM user

Kubernetes vulnerability scanning tool usage

Remote usage of an AWS service token

Remote usage of AWS Lambda's token

An AWS SES Email sending settings were modified

A cloud instance was stopped

Aurora DB cluster stopped

A compute-attached identity executed API calls outside the instance's region

An identity disabled bucket logging

A Kubernetes API operation was successfully invoked by an anonymous user

Network sniffing detected in Cloud environment

A Kubernetes role binding was created or deleted

An AWS EFS File-share mount was deleted

Suspicious cloud compute instance ssh keys modification attempt

Unusual IAM enumeration activity by a non-user Identity

A Kubernetes cluster was created or deleted

AWS Role Trusted Entity modification

Kubernetes cluster events deletion

Data encryption was disabled

An operation was performed by an identity from a domain that was not seen in the organization

Cloud Watch alarm deletion

Kubernetes service account activity outside the cluster

A Kubernetes service was created or deleted

An identity started an AWS SSM session

A Kubernetes ConfigMap was created or deleted

A cloud storage configuration was modified

AWS EC2 instance exported into S3

AWS web ACL deletion

Cloud email service activity

An AWS ElastiCache security group was created

Cloud identity reached a throttling API rate

Kubernetes admission controller activity

S3 configuration deletion

Unusual AWS systems manager activity

AWS SSM send command attempt

A Kubernetes DaemonSet was created

A container registry was created or deleted

A cloud identity executed an API call from an unusual country

Unusual cross projects activity

Unusual exec into a Kubernetes Pod

Unusual resource modification by newly seen IAM user

An AWS Route 53 domain was transferred to another AWS account

AWS Guard-Duty detector deletion

Suspicious heavy allocation of compute resources - possible mining activity

A Kubernetes dashboard service account was used outside the cluster

Activity in a dormant region of a cloud project

Billing admin role was removed

Suspicious objects encryption in an AWS bucket

Abnormal Allocation of compute resources in multiple regions

An identity dumped multiple secrets from a project

Storage enumeration activity

Suspicious identity downloaded multiple objects from a bucket

Cloud user performed multiple actions that were denied

Kubernetes enumeration activity

Allocation of multiple cloud compute resources

IAM Enumeration sequence

Impossible travel by a cloud identity

Multiple cloud snapshots export

Multiple failed logins from a single IP

An identity performed a suspicious download of multiple cloud storage objects

Cloud infrastructure enumeration activity

Deletion of multiple cloud resources

Multi region enumeration activity

AWS Flow Log

Possible DCShadow attempt

An internal Cloud resource performed port scan on external networks

SSH brute force attempt

AWS OCSF Flow Logs

Possible DCShadow attempt

An internal Cloud resource performed port scan on external networks

SSH brute force attempt

Azure Audit Log

A Kubernetes Cronjob was created

Object versioning was disabled

Unusual secret management activity

Azure Blob Container Access Level Modification

Kubernetes network policy modification

Penetration testing tool activity

Denied API call by a Kubernetes service account

Kubernetes pod creation with host network

Azure user creation/deletion

Azure mailbox rule creation

Azure Key Vault modification

An Azure Kubernetes Role or Cluster-Role was modified

Unusual key management activity

External user invitation to Azure tenant

Kubernetes Pod created with host process ID (PID) namespace

A cloud identity had escalated its permissions

A Kubernetes StatefulSet was created

A Kubernetes service account executed an unusual API call

A Kubernetes node service account activity from external IP

Credentials were added to Azure application

Azure Network Watcher Deletion

Azure Event Hub Deletion

A Kubernetes deployment was created

A Kubernetes service account was created or deleted

Unusual resource modification/creation

Unusual certificate management activity

A Kubernetes ephemeral container was created

Remote usage of an Azure Managed Identity token

Azure Automation Webhook creation

An Azure Kubernetes Cluster was created or deleted

A Kubernetes secret was created or deleted

A Kubernetes Pod was created with a sidecar container

A Kubernetes ReplicaSet was created

A Kubernetes Pod was deleted

An Azure Network Security Group was modified

An Azure virtual network was modified

Azure diagnostic configuration deletion

Cloud compute serial console access

Azure Event Hub Authorization rule creation/modification

A cloud identity created or modified a security group

Azure group creation/deletion

Kubernetes Pod Created with host Inter Process Communications (IPC) namespace

An identity accessed Azure Kubernetes Secrets

An Azure virtual network Device was modified

An Azure Suppression Rule was created

Kubernetes Privileged Pod Creation

Kubernetes pod creation from unknown container image registry

Azure device code authentication flow used

OneDrive file download

A cloud snapshot was created or modified

A cloud identity invoked IAM related persistence operations

Suspicious API call from a Tor exit node

An Azure Firewall Rule Collection was modified

A Kubernetes service account has enumerated its permissions

A Kubernetes namespace was created or deleted

Azure conditional access policy creation or modification

Azure Storage Account key generated

An identity was granted permissions to manage user access to Azure resources

Cloud storage delete protection disabled

Azure Key Vault Secrets were modified

Azure user password reset

Azure Automation Runbook Creation/Modification

An Azure Firewall policy deletion

Kubernetes Pod Created With Sensitive Volume

Modification or Deletion of an Azure Application Gateway Detected

An Azure VPN Connection was modified

OneDrive file upload

An Azure firewall rule group was modified

A Kubernetes cluster role binding was created or deleted

Owner was added to Azure application

Azure Service principal/Application creation

Kubernetes vulnerability scanning tool usage

Authentication method was added to Azure account

PIM privilege member removal

Azure permission delegation granted

A cloud instance was stopped

Unusual resource access by Azure application

A Kubernetes API operation was successfully invoked by an anonymous user

Azure Automation Account Creation

Network sniffing detected in Cloud environment

A Kubernetes role binding was created or deleted

Suspicious cloud compute instance ssh keys modification attempt

Azure virtual machine commands execution

An Azure Key Vault key was modified

Remote usage of an Azure Service Principal token

A Kubernetes cluster was created or deleted

Kubernetes cluster events deletion

An Azure application reached a throttling API rate

An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted

An operation was performed by an identity from a domain that was not seen in the organization

A Service Principal was created in Azure

Kubernetes service account activity outside the cluster

A Kubernetes service was created or deleted

Azure application removed

Attempted Azure application access from unknown tenant

An Azure DNS Zone was modified

An Azure Kubernetes Service Account was modified or deleted

A Kubernetes ConfigMap was created or deleted

A cloud storage configuration was modified

Cloud email service activity

Cloud identity reached a throttling API rate

Azure Resource Group Deletion

Kubernetes admission controller activity

A Service Principal was removed from Azure

An Azure Firewall was modified

Removal of an Azure Owner from an Application or Service Principal

An Azure Point-to-Site VPN was modified

A Kubernetes DaemonSet was created

Azure Kubernetes events were deleted

A container registry was created or deleted

Granting Access to an Account

Azure Automation Runbook Deletion

A cloud identity executed an API call from an unusual country

Unusual cross projects activity

OneDrive folder creation

Unusual exec into a Kubernetes Pod

Unusual resource modification by newly seen IAM user

A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment

An Azure Key Vault was modified

Suspicious heavy allocation of compute resources - possible mining activity

A Kubernetes dashboard service account was used outside the cluster

Activity in a dormant region of a cloud project

An Azure Cloud Shell was Created

Billing admin role was removed

Microsoft Teams enumeration activity

Abnormal Allocation of compute resources in multiple regions

An identity dumped multiple secrets from a project

Storage enumeration activity

Suspicious identity downloaded multiple objects from a bucket

Cloud user performed multiple actions that were denied

Mailbox enumeration activity by Azure application

Kubernetes enumeration activity

Allocation of multiple cloud compute resources

Impossible travel by a cloud identity

Multiple cloud snapshots export

Multiple failed logins from a single IP

An identity performed a suspicious download of multiple cloud storage objects

An Azure identity performed multiple actions that were denied

Deletion of multiple cloud resources

Microsoft SharePoint enumeration activity

Azure enumeration activity using Microsoft Graph API

Multi region enumeration activity

Azure Flow Log

Possible DCShadow attempt

An internal Cloud resource performed port scan on external networks

SSH brute force attempt

Azure SignIn Log

Suspicious SSO access from ASN

SSO with abnormal user agent

A user connected from a new country

First SSO access from ASN in organization

SSO authentication by a machine account

First SSO access from ASN for user

A user logged in at an unusual time via SSO

User attempted to connect from a suspicious country

First connection from a country in organization

SSO authentication by a service account

A disabled user attempted to authenticate via SSO

First SSO Resource Access in the Organization

SSO with new operating system

A successful SSO sign-in from TOR

A user accessed multiple unusual resources via SSO

SSO Brute Force

Impossible traveler - SSO

SSO Password Spray

Intense SSO failures

AzureAD

Suspicious SSO access from ASN

SSO with abnormal user agent

SSO authentication attempt by a honey user

Suspicious authentication with Azure Password Hash Sync user

A user connected from a new country

First SSO access from ASN in organization

SSO authentication by a machine account

First SSO access from ASN for user

A user logged in at an unusual time via SSO

User attempted to connect from a suspicious country

First connection from a country in organization

SSO authentication by a service account

A disabled user attempted to authenticate via SSO

First SSO Resource Access in the Organization

SSO with new operating system

A successful SSO sign-in from TOR

SSO with abnormal operating system

Suspicious Azure AD interactive sign-in using PowerShell

A user accessed multiple unusual resources via SSO

SSO Brute Force

Impossible traveler - SSO

SSO Password Spray

Intense SSO failures

AzureAD Audit Log

Authentication method added to an Azure account

MFA was disabled for an Azure identity

Device Registration Policy modification

Azure application credentials added

Azure AD PIM alert disabled

BitLocker key retrieval

Identity assigned an Azure AD Administrator Role

Azure account deletion by a non-standard account

Successful unusual guest user invitation

Azure AD PIM role settings change

Azure account creation by a non-standard account

Azure domain federation settings modification attempt

Azure AD PIM elevation request

Conditional Access policy removed

First Azure AD PowerShell operation for a user

Azure application consent

Unusual Conditional Access operation for an identity

Owner added to Azure application

Azure service principal assigned app role

Azure application URI modification

Azure Temporary Access Pass (TAP) registered to an account

Unverified domain added to Azure AD

Azure AD account unlock/password reset attempt

Short-lived Azure AD user account

Multiple Azure AD admin role removals

Box Audit Log

Suspicious SaaS API call from a Tor exit node

Massive file downloads from SaaS service

External SaaS file-sharing activity

Massive upload to SaaS service

DropBox

Suspicious SaaS API call from a Tor exit node

Massive file downloads from SaaS service

External SaaS file-sharing activity

Massive upload to SaaS service

Duo

Suspicious SSO access from ASN

SSO with abnormal user agent

A user connected from a new country

First SSO access from ASN in organization

SSO authentication by a machine account

First SSO access from ASN for user

A user logged in at an unusual time via SSO

User attempted to connect from a suspicious country

First connection from a country in organization

SSO authentication by a service account

A disabled user attempted to authenticate via SSO

First SSO Resource Access in the Organization

SSO with new operating system

A successful SSO sign-in from TOR

A user accessed multiple unusual resources via SSO

SSO Brute Force

Impossible traveler - SSO

SSO Password Spray

Intense SSO failures

Gcp Audit Log

A Kubernetes Cronjob was created

GCP Virtual Private Cloud (VPC) Network Deletion

Unusual secret management activity

Remote usage of an App engine Service Account token

Kubernetes network policy modification

Penetration testing tool activity

Denied API call by a Kubernetes service account

Kubernetes pod creation with host network

Unusual key management activity

A cloud function was created with an unusual runtime

Kubernetes Pod created with host process ID (PID) namespace

A cloud identity had escalated its permissions

A Kubernetes StatefulSet was created

A Kubernetes service account executed an unusual API call

Unusual Identity and Access Management (IAM) activity

A Kubernetes node service account activity from external IP

A Kubernetes deployment was created

A Kubernetes service account was created or deleted

GCP Pub/Sub Topic Deletion

Unusual resource modification/creation

Unusual certificate management activity

A Kubernetes ephemeral container was created

A Kubernetes secret was created or deleted

A Kubernetes Pod was created with a sidecar container

Cloud compute instance user data script modification

A Kubernetes ReplicaSet was created

A Kubernetes Pod was deleted

GCP Storage Bucket Configuration Modification

GCP Firewall Rule creation

Cloud compute serial console access

Cloud impersonation attempt by unusual identity type

A cloud identity created or modified a security group

GCP Pub/Sub Subscription Deletion

GCP IAM Service Account Key Deletion

Kubernetes Pod Created with host Inter Process Communications (IPC) namespace

GCP Logging Bucket Deletion

Kubernetes Privileged Pod Creation

GCP Virtual Private Network Route Creation

Kubernetes pod creation from unknown container image registry

GCP Service Account key creation

A cloud snapshot was created or modified

A Command Line Interface (CLI) command was executed from a GCP serverless compute service

A cloud identity invoked IAM related persistence operations

Suspicious API call from a Tor exit node

A Kubernetes service account has enumerated its permissions

A Kubernetes namespace was created or deleted

Cloud storage delete protection disabled

GCP Virtual Private Network Route Deletion

Kubernetes Pod Created With Sensitive Volume

Cloud unusual access key creation

Unusual cloud identity impersonation

A Kubernetes cluster role binding was created or deleted

Remote usage of VM Service Account token

Kubernetes vulnerability scanning tool usage

GCP Service Account Disable

Cloud Organizational policy was created or modified

GCP IAM Role Deletion

A cloud instance was stopped

GCP Firewall Rule Modification

A Kubernetes API operation was successfully invoked by an anonymous user

Network sniffing detected in Cloud environment

A Kubernetes role binding was created or deleted

Suspicious cloud compute instance ssh keys modification attempt

Unusual IAM enumeration activity by a non-user Identity

A Kubernetes cluster was created or deleted

Kubernetes cluster events deletion

GCP Service Account deletion

GCP Storage Bucket deletion

An operation was performed by an identity from a domain that was not seen in the organization

Kubernetes service account activity outside the cluster

A Kubernetes service was created or deleted

A Kubernetes ConfigMap was created or deleted

A cloud storage configuration was modified

GCP Service Account creation

Cloud identity reached a throttling API rate

Kubernetes admission controller activity

GCP IAM Custom Role Creation

A Kubernetes DaemonSet was created

A container registry was created or deleted

GCP VPC Firewall Rule Deletion

GCP Storage Bucket Permissions Modification

GCP set IAM policy activity

A cloud identity executed an API call from an unusual country

Unusual cross projects activity

Unusual exec into a Kubernetes Pod

Unusual resource modification by newly seen IAM user

Suspicious heavy allocation of compute resources - possible mining activity

A Kubernetes dashboard service account was used outside the cluster

Activity in a dormant region of a cloud project

Billing admin role was removed

GCP Logging Sink Deletion

GCP Logging Sink Modification

Abnormal Allocation of compute resources in multiple regions

An identity dumped multiple secrets from a project

Storage enumeration activity

Suspicious identity downloaded multiple objects from a bucket

Cloud user performed multiple actions that were denied

Kubernetes enumeration activity

Allocation of multiple cloud compute resources

IAM Enumeration sequence

Impossible travel by a cloud identity

Multiple cloud snapshots export

Multiple failed logins from a single IP

An identity performed a suspicious download of multiple cloud storage objects

Cloud infrastructure enumeration activity

Deletion of multiple cloud resources

Multi region enumeration activity

Gcp Flow Log

Possible DCShadow attempt

An internal Cloud resource performed port scan on external networks

SSH brute force attempt

Google Workspace Audit Logs

Gmail routing settings changed

Data Sharing between GCP and Google Workspace was disabled

External Sharing was turned on for Google Drive

A Google Workspace service was configured as unrestricted

A GCP service account was delegated domain-wide authority in Google Workspace

User accessed SaaS resource via anonymous link

A Google Workspace user was added to a group

Admin privileges were granted to a Google Workspace user

MFA Disabled for Google Workspace

A third-party application's access to the Google Workspace domain's resources was revoked

A Google Workspace identity used the security investigation tool

Suspicious SaaS API call from a Tor exit node

SaaS suspicious external domain user activity

A Google Workspace identity created, assigned or modified a role

A Google Workspace Role privilege was deleted

An app was added to Google Marketplace

Google Workspace organizational unit was modified

A domain was added to the trusted domains list

An app was removed from a blocked list in Google Workspace

A Google Workspace user was removed from a group

An app was added to the Google Workspace trusted OAuth apps list

Google Workspace third-party application's security settings were changed

A mail forwarding rule was configured in Google Workspace

Google Marketplace restrictions were modified

A Google Workspace identity performed an unusual admin console activity

Gmail delegation was turned on for the organization

A third-party application was authorized to access the Google Workspace APIs

Massive file downloads from SaaS service

External SaaS file-sharing activity

Massive upload to SaaS service

Google Workspace Authentication

Suspicious SSO access from ASN

First SSO access from ASN in organization

First SSO access from ASN for user

A user logged in at an unusual time via SSO

Health Monitoring Data

Collection error

Parsing Rule Error

Error in event forwarding

Correlation rule error

Logs were not collected from a data source for an abnormally long time

Office 365 Audit

Exchange user mailbox forwarding

Exchange inbox forwarding rule configured

Exchange email-hiding transport rule

User accessed SaaS resource via anonymous link

SharePoint Site Collection admin group addition

Exchange audit log disabled

Exchange Safe Link policy disabled or removed

Exchange DKIM signing configuration disabled

Penetration testing tool activity attempt

Suspicious SaaS API call from a Tor exit node

Exchange email-hiding inbox rule

SaaS suspicious external domain user activity

Exchange transport forwarding rule configured

DLP sensitive data exposed to external users

Exchange anti-phish policy disabled or removed

Rare DLP rule match by user

Exchange mailbox folder permission modification

Exchange Safe Attachment policy disabled or removed

Exchange malware filter policy removed

Exchange compliance search created

Exchange mailbox audit bypass

Microsoft 365 DLP policy disabled or removed

Massive file downloads from SaaS service

External SaaS file-sharing activity

User moved Exchange sent messages to deleted items

Massive upload to SaaS service

Sensitive Exchange mail sent to external users

A user uploaded malware to SharePoint or OneDrive

Exchange mailbox delegation permissions added

Okta

Suspicious SSO access from ASN

SSO with abnormal user agent

SSO authentication attempt by a honey user

A user connected from a new country

Suspicious SSO authentication

First SSO access from ASN in organization

SSO authentication by a machine account

First SSO access from ASN for user

A user logged in at an unusual time via SSO

User attempted to connect from a suspicious country

First connection from a country in organization

SSO authentication by a service account

A disabled user attempted to authenticate via SSO

First SSO Resource Access in the Organization

SSO with new operating system

A successful SSO sign-in from TOR

SSO with abnormal operating system

A user accessed multiple unusual resources via SSO

SSO Brute Force

Impossible traveler - SSO

A user rejected an SSO request from an unusual country

SSO Password Spray

Intense SSO failures

Multiple SSO MFA attempts were rejected by a user

Okta Audit Log

Okta account unlock by admin

Okta User Session Impersonation

A user modified an Okta policy rule

A user attempted to bypass Okta MFA

A user modified an Okta network zone

A user accessed Okta's admin application

Potential Okta access limit breach

User added a new device to Okta Verify instance

Okta Reported Attack Suspected

Okta API Token Created

Okta admin privilege assignment

A user observed and reported unusual activity in Okta

Okta device assignment

Okta account unlock

Okta Reported Threat Detected

OneLogin

Suspicious SSO access from ASN

SSO authentication attempt by a honey user

A user connected from a new country

First SSO access from ASN in organization

SSO authentication by a machine account

First SSO access from ASN for user

A user logged in at an unusual time via SSO

User attempted to connect from a suspicious country

First connection from a country in organization

SSO authentication by a service account

A disabled user attempted to authenticate via SSO

First SSO Resource Access in the Organization

A successful SSO sign-in from TOR

A user accessed multiple unusual resources via SSO

SSO Brute Force

Impossible traveler - SSO

SSO Password Spray

Intense SSO failures

Palo Alto Networks Global Protect

A disabled user attempted to log in to a VPN

First VPN access attempt from a country in organization

VPN login by a dormant user

VPN login with a machine account

A user connected to a VPN from a new country

A user logged in at an unusual time via VPN

First VPN access from ASN for user

A Successful VPN connection from TOR

VPN login by a service account

VPN login attempt by a honey user

First VPN access from ASN in organization

VPN access with an abnormal operating system

Impossible traveler - VPN

VPN login Brute-Force attempt

Palo Alto Networks Platform Logs

Recurring access to rare IP

Rare NTLM Usage by User

Authentication Attempt From a Dormant Account

Multiple uncommon SSH Servers with the same Server host key

Failed Login For Locked-Out Account

Rare SMB session to a remote host

Abnormal Communication to a Rare IP

A user accessed an uncommon AppID

Suspicious Encrypting File System Remote call (EFSRPC) to domain controller

FTP Connection Using an Anonymous Login or Default Credentials

Recurring rare domain access to dynamic DNS domain

Abnormal network communication through TOR using an uncommon port

Weakly-Encrypted Kerberos Ticket Requested

Unique client computer model was detected via MS-Update protocol

Suspicious failed HTTP request - potential Spring4Shell exploit

Weakly-Encrypted Kerberos TGT Response

Rare RDP session to a remote host

Possible DCShadow attempt

Possible IPFS traffic was detected

Bronze-Bit exploit

Suspicious SSH Downgrade

A rare FTP user has been detected on an existing FTP server

Rare file transfer over SMB protocol

Abnormal Communication to a Rare Domain

A Torrent client was detected on a host

Rare NTLM Access By User To Host

Suspicious SMB connection from domain controller

Possible path traversal via HTTP request

Rare Scheduled Task RPC activity

Failed Login For a Long Username With Special Characters

Rare AppID usage to a rare destination

Rare SMTP/S Session

Possible Kerberoasting without SPNs

Possible use of IPFS was detected

Rare Windows Remote Management (WinRM) HTTP Activity

New FTP Server

Suspicious ICMP packet

Uncommon SSH session was established

Abnormal Recurring Communications to a Rare Domain

Abnormal Recurring Communications to a Rare IP

Rare MS-Update Server was detected

A Possible crypto miner was detected on a host

Multiple Weakly-Encrypted Kerberos Tickets Received

Random-Looking Domain Names

Download pattern that resembles Peer to Peer traffic

Multiple Suspicious FTP Login Attempts

NTLM Password Spray

Kerberos Pre-Auth Failures by Host

Subdomain Fuzzing

NTLM Relay

Large Upload (HTTPS)

Spam Bot Traffic

Massive upload to a rare storage or mail domain

Large Upload (SMTP)

Increase in Job-Related Site Visits

NTLM Hash Harvesting

SSH brute force attempt

Large Upload (FTP)

Rare access to known advertising domains

Kerberos Pre-Auth Failures by User and Host

Large Upload (Generic)

Upload pattern that resembles Peer to Peer traffic

Port Scan

Rare LDAP enumeration

A user accessed multiple time-consuming websites

New Administrative Behavior

Failed DNS

HTTP with suspicious characteristics

Kerberos User Enumeration

Failed Connections

DNS Tunneling

Suspicious DNS traffic

Palo Alto Networks Url Logs

Uncommon network tunnel creation

Non-browser access to a pastebin-like site

Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol

PowerShell Initiates a Network Connection to GitHub

A non-browser process accessed a website UI

PingOne

Suspicious SSO access from ASN

SSO with abnormal user agent

SSO authentication attempt by a honey user

A user connected from a new country

First SSO access from ASN in organization

SSO authentication by a machine account

First SSO access from ASN for user

A user logged in at an unusual time via SSO

User attempted to connect from a suspicious country

First connection from a country in organization

SSO authentication by a service account

A disabled user attempted to authenticate via SSO

First SSO Resource Access in the Organization

A successful SSO sign-in from TOR

A user accessed multiple unusual resources via SSO

SSO Brute Force

Impossible traveler - SSO

SSO Password Spray

Intense SSO failures

Third-Party Firewalls

Recurring access to rare IP

Rare SMB session to a remote host

Recurring rare domain access to dynamic DNS domain

Rare RDP session to a remote host

Possible DCShadow attempt

Abnormal Communication to a Rare Domain

A Torrent client was detected on a host

Suspicious SMB connection from domain controller

Rare AppID usage to a rare destination

Rare SMTP/S Session

Rare Windows Remote Management (WinRM) HTTP Activity

New FTP Server

Uncommon SSH session was established

Abnormal Recurring Communications to a Rare Domain

Large Upload (HTTPS)

Spam Bot Traffic

Large Upload (SMTP)

SSH brute force attempt

Upload pattern that resembles Peer to Peer traffic

Port Scan

New Administrative Behavior

Failed Connections

Third-Party VPNs

A disabled user attempted to log in to a VPN

First VPN access attempt from a country in organization

VPN login by a dormant user

VPN login with a machine account

A user connected to a VPN from a new country

A user logged in at an unusual time via VPN

First VPN access from ASN for user

A Successful VPN connection from TOR

VPN login by a service account

VPN login attempt by a honey user

First VPN access from ASN in organization

VPN access with an abnormal operating system

Impossible traveler - VPN

VPN login Brute-Force attempt

Windows Event Collector

Sensitive account password reset attempt

A user certificate was issued with a mismatch

Mailbox Client Access Setting (CAS) changed

Service ticket request with a spoofed sAMAccountName

PowerShell used to remove mailbox export request logs

VM Detection attempt

Possible Kerberos relay attack

User account delegation change

Administrator groups enumerated via LDAP

Rare machine account creation

A machine certificate was issued with a mismatch

A user was added to a Windows security group

A user changed the Windows system time

User added SID History to an account

Masquerading as a default local account

Security tools detection attempt

Suspicious modification of the AdminSDHolder's ACL

Member added to a Windows local security group

A user account was modified to password never expires

Machine account was added to a domain admins group

Local user account creation

Suspicious domain user account creation

Suspicious hidden user created

SPNs cleared from a machine account

A user enabled a default local account

Suspicious sAMAccountName change

A computer account was promoted to DC

TGT request with a spoofed sAMAccountName - Event log

PowerShell used to export mailbox contents

Multiple TGT requests for users without Kerberos pre-authentication

Multiple user accounts were deleted

Multiple suspicious user accounts were created

A user printed an unusual number of files

A user sent multiple TGT requests to irregular service

A user received multiple weakly encrypted service tickets

User added to a group and removed

Excessive user account lockouts

A new machine attempted Kerberos delegation

Short-lived user account

A user requested multiple service tickets

XDR Agent

Recurring access to rare IP

Uncommon communication to an instant messaging server

Scrcons.exe Rare Child Process

Copy a process memory file

Signed process performed an unpopular injection

Delayed Deletion of Files

Installation of a new System-V service

Microsoft Office Process Spawning a Suspicious One-Liner

Uncommon IP Configuration Listing via ipconfig.exe

Rare NTLM Usage by User

Local account discovery

Uncommon Remote Monitoring and Management Tool

Authentication Attempt From a Dormant Account

Multiple uncommon SSH Servers with the same Server host key

Globally uncommon injection from a signed process

Wsmprovhost.exe Rare Child Process

Fodhelper.exe UAC bypass

Suspicious proxy environment variable setting

Manipulation of netsh helper DLLs Registry keys

Permission Groups discovery commands

Remote service command execution from an uncommon source

Kubernetes vulnerability scanner activity

Execution of an uncommon process at an early startup stage by Windows system binary

Failed Login For Locked-Out Account

Suspicious container orchestration job

Rare process execution in organization

Rare process executed by an AppleScript

Possible binary padding using dd

Suspicious disablement of the Windows Firewall

Kubernetes version disclosure

Iptables configuration command was executed

Suspicious setspn.exe execution

Registration of Uncommon .NET Services and/or Assemblies

Command running with COMSPEC in the command line argument

Conhost.exe spawned a suspicious cmd process

Encoded information using Windows certificate management tool

Uncommon remote service start via sc.exe

Possible collection of screen captures with Windows Problem Steps Recorder

Globally uncommon root-domain port combination from a signed process

Unpopular rsync process execution

Rare SMB session to a remote host

Remote DCOM command execution

Abnormal Communication to a Rare IP

Rare WinRM Session

Possible DLL Hijack into a Microsoft process

A user accessed an uncommon AppID

Suspicious Encrypting File System Remote call (EFSRPC) to domain controller

Globally uncommon process execution from a signed process

Possible Kerberos relay attack

Interactive login from a shared user account

Rare process execution by user

Recurring rare domain access to dynamic DNS domain

Abnormal network communication through TOR using an uncommon port

A compressed file was exfiltrated over SSH

Discovery of host users via WMIC

Weakly-Encrypted Kerberos Ticket Requested

PsExec was executed with a suspicious command line

Suspicious PowerShell Command Line

Login by a dormant user

Script file added to startup-related Registry keys

System information discovery via psinfo.exe

Suspicious sshpass command execution

A contained executable was executed by an unusual process

Suspicious docker image download from an unusual repository

PowerShell suspicious flags

Unusual Kubernetes dashboard communication from a pod

Globally uncommon IP address connection from a signed process

Suspicious failed HTTP request - potential Spring4Shell exploit

Extracting credentials from Unix files

A disabled user attempted to log in

Weakly-Encrypted Kerberos TGT Response

Compressing data using python

Rare Remote Service (SVCCTL) RPC activity

Rare RDP session to a remote host

Reading bash command history file

Network traffic to a crypto miner related domain detected

Autorun.inf created in root C drive

WmiPrvSe.exe Rare Child Command Line

Contained process execution with a rare GitHub URL

Msiexec execution of an executable from an uncommon remote location

Kubernetes secret enumeration activity

Possible DCShadow attempt

Mimikatz command-line arguments

Suspicious process executed with a high integrity level

System shutdown or reboot

Suspicious process accessed a site masquerading as Google

Possible IPFS traffic was detected

Bronze-Bit exploit

Hidden Attribute was added to a file using attrib.exe

Signed process performed an unpopular DLL injection

Unusual AWS credentials creation

Suspicious process execution from tmp folder

Suspicious .NET process loads an MSBuild DLL

Rundll32.exe executes a rare unsigned module

TGT request with a spoofed sAMAccountName - Network

Unprivileged process opened a registry hive

Suspicious execution of ODBCConf

Unsigned process injecting into a Windows system binary with no command line

Run downloaded script using pipe

Rare file transfer over SMB protocol

Scripting engine connected to a rare external host

Login attempt by a honey user

Uncommon msiexec execution of an arbitrary file from a remote location

Uncommon net localgroup execution

Possible DCSync from a non domain controller

Uncommon local scheduled task creation via schtasks.exe

Abnormal Communication to a Rare Domain

Uncommon DLL-sideloading from a logical CD-ROM (ISO) device

Execution of an uncommon process at an early startup stage

Remote code execution into Kubernetes Pod

A Torrent client was detected on a host

Possible compromised machine account

Possible new DHCP server

RDP Connection to localhost

SMB Traffic from Non-Standard Process

Possible Pass-the-Hash

Office process creates a scheduled task via file access

LOLBAS executable injects into another process

Interactive at.exe privilege escalation method

The Linux system firewall was disabled

Rare NTLM Access By User To Host

Suspicious SMB connection from domain controller

Suspicious certutil command line

AppleScript process executed with a rare command line

Vulnerable driver loaded

Kerberos Traffic from Non-Standard Process

Linux network share discovery

Attempt to execute a command on a remote host using PsExec.exe

Possible path traversal via HTTP request

Rare Scheduled Task RPC activity

Suspicious process execution in a privileged container

Globally uncommon root-domain port combination by a common process (sha256)

Modification of PAM

Failed Login For a Long Username With Special Characters

Execution of dllhost.exe with an empty command line

Possible Email collection using Outlook RPC

File transfer from unusual IP using known tools

Ping to localhost from an uncommon, unsigned parent process

Possible DLL Side-Loading

Rare AppID usage to a rare destination

Rare SMTP/S Session

Possible Microsoft process masquerading

Microsoft Office process spawns a commonly abused process

Execution of renamed lolbin

Possible Kerberoasting without SPNs

Remote command execution via wmic.exe

Possible use of IPFS was detected

A user logged in from an abnormal country or ASN

VM Detection attempt on Linux

Netcat makes or gets connections

Possible data obfuscation

Unsigned process creates a scheduled task via file access

LDAP traffic from non-standard process

Rare Windows Remote Management (WinRM) HTTP Activity

SUID/GUID permission discovery

A suspicious process enrolled for a certificate

Unusual Azure AD sync module load

Reverse SSH tunnel to external domain/ip

Injection into rundll32.exe

Uncommon ARP cache listing via arp.exe

Unusual DB process spawning a shell

Unusual compressed file password protection

Linux process execution with a rare GitHub URL

New FTP Server

Windows LOLBIN executable connected to a rare external host

Svchost.exe loads a rare unsigned module

Suspicious container runtime connection from within a Kubernetes Pod

Executable moved to Windows system folder

Phantom DLL Loading

Suspicious ICMP packet

Uncommon net group or localgroup execution

Remote WMI process execution

Uncommon DotNet module load relationship

Office process spawned with suspicious command-line arguments

Unicode RTL Override Character

Suspicious data encryption

A contained executable from a mounted share initiated a suspicious outbound network connection

Suspicious usage of File Server Remote VSS Protocol (FSRVP)

Suspicious RunOnce Parent Process

Bitsadmin.exe persistence using command-line callback

Indicator blocking

A rare local administrator login

Masquerading as the Linux crond process

Rare signature signed executable executed in the network

Uncommon cloud CLI tool usage

Download a script using the python requests module

Uncommon SSH session was established

Windows Installer exploitation for local privilege escalation

Possible network sniffing attempt via tcpdump or tshark

Globally uncommon high entropy process was executed

Command execution via wmiexec

MSI accessed a web page running a server-side script

Python HTTP server started

Globally uncommon image load from a signed process

Suspicious PowerShell Enumeration of Running Processes

Recurring rare domain access from an unsigned process

Suspicious Process Spawned by wininit.exe

A LOLBIN was copied to a different location

Service execution via sc.exe

Indirect command execution using the Program Compatibility Assistant

Wscript/Cscript loads .NET DLLs

Procdump executed from an atypical directory

Suspicious curl user agent

Rare LOLBIN Process Execution by User

MpCmdRun.exe was used to download files into the system

Abnormal process connection to default Meterpreter port

Rundll32.exe running with no command-line arguments

Certutil pfx parsing

Unusual process accessed the PowerShell history file

Suspicious process loads a known PowerShell module

Abnormal User Login to Domain Controller

Memory dumping with comsvcs.dll

An uncommon service was started

Unusual weak authentication by user

Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary

Interactive login by a service account

Unusual Kubernetes API server communication from a pod

Execution of an uncommon process with a local/domain user SID at an early startup stage

Suspicious print processor registered

Possible DLL Search Order Hijacking

Possible Search For Password Files

A Successful login from TOR

Setuid and Setgid file bit manipulation

Command execution in a Kubernetes pod

Wbadmin deleted files in quiet mode

Windows Event Log was cleared using wevtutil.exe

Suspicious SearchProtocolHost.exe parent process

Remote service start from an uncommon source

Unsigned and unpopular process performed a DLL injection

LOLBIN process executed with a high integrity level

Suspicious External RDP Login

Mshta.exe launched with suspicious arguments

Kubernetes nsenter container escape

Process execution with a suspicious command line indicative of the Spring4Shell exploit

Possible network service discovery via command-line tool

Rare communication over email ports to external email server by unsigned process

Uncommon Service Create/Config

Possible code downloading from a remote host by Regsvr32

Rare security product signed executable executed in the network

Suspicious runonce.exe parent process

Unusual Lolbins Process Spawned by InstallUtil.exe

Abnormal Recurring Communications to a Rare Domain

A browser was opened in private mode

Uncommon Managed Object Format (MOF) compiler usage

New addition to Windows Defender exclusion list

Keylogging using system commands

Uncommon remote scheduled task creation

Abnormal Recurring Communications to a Rare IP

Suspicious process execution by scheduled task

Globally uncommon high entropy module was loaded

Interactive login by a machine account

Rare DCOM RPC activity

Suspicious Process Spawned by Adobe Reader

Rundll32.exe spawns conhost.exe

Rare SSH Session

Unsigned and unpopular process performed an injection

Suspicious time provider registered

Rare process spawned by srvany.exe

A process connected to a rare external host

Unusual AWS user added to group

Uncommon RDP connection

Rare Unix process divided files by size

Suspicious Certutil AD CS contact

Copy a user's GnuPG directory with rsync

Adding execution privileges

Execution of the Hydra Linux password brute-force tool

Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin

Suspicious module load using direct syscall

Globally uncommon root domain from a signed process

Stored credentials exported using credwiz.exe

A process was executed with a command line obfuscated by Unicode character substitution

Possible malicious .NET compilation started by a commonly abused process

Uncommon kernel module load

Microsoft Office injects code into a process

WebDAV drive mounted from net.exe over HTTPS

Uncommon user management via net.exe

Commonly abused process launched as a system service

Screensaver process executed from Users or temporary folder

Cloud Unusual Instance Metadata Service (IMDS) access

Commonly abused AutoIT script connects to an external domain

A TCP stream was created directly in a shell

PowerShell runs suspicious base64-encoded commands

Possible RDP session hijacking using tscon.exe

Remote PsExec-like command execution

Rare Unsigned Process Spawned by Office Process Under Suspicious Directory

A service was disabled

Globally uncommon IP address by a common process (sha256)

Cached credentials discovery with cmdkey

Tampering with Internet Explorer Protected Mode configuration

Uncommon routing table listing via route.exe

Suspicious authentication package registered

The CA policy EditFlags was queried

A Possible crypto miner was detected on a host

Suspicious systemd timer activity

NTLM Brute Force on a Service Account

Possible TGT reuse from different hosts (pass the ticket)

Multiple Weakly-Encrypted Kerberos Tickets Received

Random-Looking Domain Names

Download pattern that resembles Peer to Peer traffic

Remote account enumeration

NTLM Password Spray

Multiple Rare Process Executions in Organization

Kerberos Pre-Auth Failures by Host

Brute-force attempt on a local account

Multiple discovery-like commands

Suspicious ICMP traffic that resembles smurf attack

External Login Password Spray

Subdomain Fuzzing

Interactive local account enumeration

Abnormal SMB activity to multiple hosts

NTLM Relay

Multiple discovery commands on a Windows host by the same process

Sudoedit Brute force attempt

Multiple Rare LOLBIN Process Executions by User

Multiple discovery commands on a Linux host by the same process

Large Upload (HTTPS)

Spam Bot Traffic

A user authenticated with weak NTLM to multiple hosts

Possible brute force or configuration change attempt on cytool

Massive upload to a rare storage or mail domain

Large Upload (SMTP)

NTLM Hash Harvesting

SSH brute force attempt

Large Upload (FTP)

A user logged on to multiple workstations via Schannel

Possible brute force on sudo user

Rare access to known advertising domains

Kerberos Pre-Auth Failures by User and Host

NTLM Brute Force

Abnormal sensitive RPC traffic to multiple hosts

Large Upload (Generic)

Upload pattern that resembles Peer to Peer traffic

Port Scan

SSH authentication brute force attempts

New Shared User Account

Abnormal ICMP echo (PING) to multiple hosts

Multiple users authenticated with weak NTLM to a host

Internal Login Password Spray

Possible external RDP Brute-Force

New Administrative Behavior

Account probing

Failed DNS

Multiple discovery commands

Possible Brute-Force attempt

HTTP with suspicious characteristics

Kerberos User Enumeration

Failed Connections

DNS Tunneling

Suspicious container reconnaissance activity in a Kubernetes pod

Suspicious DNS traffic

NTLM Brute Force on an Administrator Account

XDR Agent with eXtended Threat Hunting (XTH)

Space after filename

Unusual Netsh PortProxy rule

Uncommon SetWindowsHookEx API invocation of a possible keylogger

Uncommon Security Support Provider (SSP) registered via a registry key

Suspicious Print System Remote Protocol usage by a process

Suspicious Udev driver rule execution manipulation

A compiled HTML help file wrote a script file to the disk

Potential SCCM credential harvesting using WMI detected

A browser extension was installed or loaded in an uncommon way

Unusual Encrypting File System Remote call (EFSRPC) to domain controller

Unusual use of a 'SysInternals' tool

System profiling WMI query execution

Browser Extension Installed

Sensitive account password reset attempt

Uncommon jsp file write by a Java process

Discovery of misconfigured certificate templates using LDAP

A user certificate was issued with a mismatch

Mailbox Client Access Setting (CAS) changed

Service ticket request with a spoofed sAMAccountName

PowerShell used to remove mailbox export request logs

A user connected a USB storage device for the first time

Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer

Uncommon AT task-job creation by user

DSC (Desired State Configuration) lateral movement using PowerShell

Suspicious process modified RC script file

Unusual process accessed a macOS notes DB file

VM Detection attempt

A user added a Windows firewall rule

Office process accessed an unusual .LNK file

Executable created to disk by lsass.exe

Unusual process accessed a messaging app's files

An uncommon file added to startup-related Registry keys

Possible webshell file written by a web server process

Suspicious AMSI decode attempt

Windows event logs were cleared with PowerShell

Scheduled Task hidden by registry modification

An unpopular process accessed the microphone on the host

A user queried AD CS objects via LDAP

Known service display name with uncommon image-path

User account delegation change

Creation or modification of the default command executed when opening an application

New process created via a WMI call

Uncommon GetClipboardData API function invocation of a possible information stealer

Browser bookmark files accessed by a rare non-browser process

An uncommon executable was remotely written over SMB to an uncommon destination

Administrator groups enumerated via LDAP

Suspicious access to shadow file

Suspicious active setup registered

Rare machine account creation

LSASS dump file written to disk

A machine certificate was issued with a mismatch

Unusual Kubernetes service account file read

A rare file path was added to the AppInit_DLLs registry value

A user was added to a Windows security group

A user changed the Windows system time

User added SID History to an account

Tampering with the Windows User Account Controls (UAC) configuration

Commonly abused AutoIT script drops an executable file to disk

Editing ld.so.preload for persistence and injection

Masquerading as a default local account

A user created a pfx file for the first time

Security tools detection attempt

Unusual process accessed web browser cookies

Executable or Script file written by a web server process

Sensitive browser credential files accessed by a rare non browser process

Suspicious process accessed certificate files

Suspicious modification of the AdminSDHolder's ACL

Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet

A remote service was created via RPC over SMB

Unusual process accessed a crypto wallet's files

Possible use of a networking driver for network sniffing

An uncommon file was created in the startup folder

LDAP search query from an unpopular and unsigned process

A process queried the ADFS database decryption key via LDAP

Uncommon browser extension loaded

Possible Persistence via group policy Registry keys

Member added to a Windows local security group

A user account was modified to password never expires

Rare service DLL was added to the registry

Microsoft Office adds a value to autostart Registry key

A user created an abnormal password-protected archive

Possible LDAP Enumeration Tool Usage

Machine account was added to a domain admins group

Local user account creation

Unusual access to the AD Sync credential files

Suspicious domain user account creation

Suspicious hidden user created

An unusual archive file creation by a user

A suspicious direct syscall was executed

Possible SPN enumeration

Elevation to SYSTEM via services

A WMI subscriber was created

A user connected a new USB storage device to a host

SecureBoot was disabled

RDP connections enabled remotely via Registry

Possible GPO Enumeration

Unusual process accessed a web browser history file

SPNs cleared from a machine account

Suspicious Kubernetes pod token access

A user enabled a default local account

Modification of NTLM restrictions in the Registry

Rare process accessed a Keychain file

User discovery via WMI query execution

Known service name with an uncommon image-path

Suspicious sAMAccountName change

A computer account was promoted to DC

A suspicious executable with multiple file extensions was created

LOLBIN created a PSScriptPolicyTest PowerShell script file

Unusual process accessed web browser credentials

Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts

Possible Distributed File System Namespace Management (DFSNM) abuse

TGT request with a spoofed sAMAccountName - Event log

Linux system firewall was modified

Uncommon PowerShell commands used to create or alter scheduled task parameters

Unusual ADConnect database file access

Suspicious PowerSploit's recon module (PowerView) net function was executed

Unusual process accessed FTP Client credentials

Uncommon creation or access operation of sensitive shadow copy

PowerShell used to export mailbox contents

Change of sudo caching configuration

A process modified an SSH authorized_keys file

Suspicious LDAP search query executed

A suspicious process queried AD CS objects via LDAP

Suspicious disablement of the Windows Firewall using PowerShell commands

PowerShell pfx certificate extraction

Unusual access to the Windows Internal Database on an ADFS server

Uncommon access to Microsoft Teams credential files

Suspicious DotNet log file created

Image file execution options (IFEO) registry key set

Rare scheduled task created

Massive file compression by user

Possible data exfiltration over a USB storage device

Multiple TGT requests for users without Kerberos pre-authentication

Suspicious access to cloud credential files

A user established an SMB connection to multiple hosts

Multiple user accounts were deleted

Multiple suspicious user accounts were created

User collected remote shared files in an archive

A user executed multiple LDAP enumeration queries

Suspicious reconnaissance using LDAP

Possible LDAP enumeration by unsigned process

A user printed an unusual number of files

A user performed suspiciously massive file activity

User and Group Enumeration via SAMR

A user took numerous screenshots

A user sent multiple TGT requests to irregular service

A user received multiple weakly encrypted service tickets

Outlook files accessed by an unsigned process

A user accessed an abnormal number of files on a remote shared folder

User added to a group and removed

A user connected a new USB storage device to multiple hosts

A user accessed an abnormal number of remote shared folders

Excessive user account lockouts

Possible internal data exfiltration over a USB storage device

A new machine attempted Kerberos delegation

A contained process attempted to escape using the 'notify on release' feature

Short-lived user account

Massive file activity abnormal to process

A user requested multiple service tickets