[Low] ClickFix - PowerShell executed through the run application
[High] ClickFix - Schedule task PowerShell command executed through the run application - Added
[Informational] Compute activity in dormant cloud region
[High] Compute activity in dormant cloud region by a compromised AWS access key - Modified Metadata
[Informational] Compute activity in dormant cloud region from a non-VPN IP address - Added
[Informational] Multiple cloud snapshots export
[High] 062ca644-b34a-4d95-9ddb-41bce814f5a9 - Added
[High] f17228e4_558f_46bd_bb83_5c26896ef9bb - Removed
[Informational] Remote usage of AWS Lambda's role
[High] Remote command line usage of AWS Lambda's role - Removed
[High] Remote command line usage of AWS Lambda's role - Added
[High] Suspicious API call from a Tor exit node
[Informational] Unsigned DLL Side-Loading
[High] DLL Side-Loading of module bearing an invalid Microsoft signature - Modified Logic
[Medium] Unsigned DLL Side-Loading to a signed Microsoft process by a rare causality actor - Modified Logic
[Low] Unsigned high entropy DLL Side-Loading by untrusted causality actor - Modified Logic
[Medium] A Kubernetes dashboard service account was used outside the cluster
[Low] A process queried the ADFS database decryption key via LDAP
[Medium] A process explicitly queried the ADFS database decryption key (DKM key) via LDAP - Modified Logic
[Medium] Azure AD PIM alert disabled
[Low] Azure account deletion by a non-standard account
[Medium] A suspicious Azure account deletion by a non-standard account - Modified Logic
[Informational] Azure application credentials added
[Medium] Suspicious credential operation on an Azure application - Modified Logic
[Low] Unusual certificate operation on an Azure application - Modified Logic
[Medium] Kubernetes vulnerability scanning tool usage
[Medium] External Kubernetes vulnerability scanning tool usage - Modified Logic
[Low] Multiple user accounts failed login due to account lockouts
[Medium] Excessive user account login failure due to lockout from a suspicious source - Removed
[Medium] Excessive user account login failure due to lockout from a suspicious source - Added
[Low] Possible DCSync from a non domain controller
[Medium] Possible DCSync from an internet-facing server - Removed
[Medium] Possible DCSync from an internet-facing server - Added
[Medium] Script file added to startup-related Registry keys
[Medium] Suspicious PowerSploit's recon module (PowerView) net function was executed
[Low] Suspicious usage of EC2 token
[Medium] Suspicious usage of EC2 token - Modified Logic
[Informational] Uncommon SQL like command line
[Medium] Uncommon SQL like command line executed by a remote actor - Modified Metadata
[Medium] Uncommon SQL like command line executed by an RMM tool - Modified Logic
[Low] Uncommon SQL like command line executed by an uncommon CGO - Modified Logic
[Informational] A Kubernetes node service account activity from external IP
[Low] A Kubernetes node service account was used outside the cluster - Modified Logic
[Informational] A process connected to a rare external host
[Low] UNIX LOLBIN process connected to a rare external host - Modified Logic
[Informational] Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server
[Low] Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare - Removed
[Low] Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare - Added
[Informational] An AWS database service master user password was changed
[Low] An AWS Database Service master user password was changed from an unusual country - Modified Logic
[Low] Azure AD PIM role settings change
[Low] Azure domain federation settings modification attempt
[Low] First Azure AD PowerShell operation for a user
[Low] Impossible traveler - SSO
[Informational] SSO impossible traveler from a VPN or proxy - Removed
[Informational] SSO impossible traveler from a VPN or proxy - Added
[Informational] Kubernetes service account activity outside the cluster
[Low] Kubernetes service account activity outside the cluster from non-cloud IP - Modified Logic
[Low] MFA was disabled for an Azure identity
[Low] Multiple Azure AD admin role removals
[Low] Possible multistage attack in Microsoft Teams
[Low] Potential kubelet impersonation attempt
[Low] Rare unsigned process execution by scheduled task
[Low] Remote usage of an AWS service token
[Low] Remote usage of an Azure Managed Identity token
[Low] Risk indicators detected in email
[Informational] SSH authentication brute force attempts
[Low] Successful SSH Brute Force - Removed
[Low] Successful SSH Brute Force - Added
[Low] Suspicious access to Kubernetes API with kubelet credentials
[Low] Uncommon local scheduled task creation via schtasks.exe
[Low] Uncommon remote monitoring and management tool
[Low] Uncommon remote scheduled task creation
[Low -> Informational] Windows event logs were cleared with PowerShell
[Low] Windows event logs were cleared with uncommon PowerShell command line - Added
[Informational] A cloud identity executed an API call from an unusual country
[Informational] A compute-attached identity executed API calls outside the instance's region
[Informational] Authentication method added to an Azure account
[Informational] Azure AD PIM elevation request
[Informational] Azure AD account unlock/password reset attempt
[Informational] Azure Temporary Access Pass (TAP) registered to an account
[Informational] Azure account creation by a non-standard account
[Informational] Azure application consent
[Informational] Azure device code authentication flow used
[Informational] BitLocker key retrieval
[Informational] Bucket's block public access setting turned off
[Informational] Device Registration Policy modification
[Informational] Email attachment with a potentially malicious file extension
[Informational] Email attachment(s) with potentially malicious MIME type
[Informational] External Login Password Spray
[Informational] External Login Password Spray from Multiple Source Hosts - Added
[Informational] External email with a single internal recipient hidden in BCC
[Informational] Globally uncommon IP address by a common process (sha256)
[Informational] Multiple failed logins from a single IP
[Informational] Numerous emails sent by a single sender to multiple internal recipients
[Informational] Owner added to Azure application
[Informational] Possible DLL Hijack into a Microsoft process
[Informational] Possible DLL Side-Loading into a Microsoft process from a suspicious folder - Removed
[Informational] Possible DLL Side-Loading into a Microsoft process from a suspicious folder - Added
[Informational] Rare scheduled task created
[Informational] Remote usage of VM Service Account token
[Informational] Remote usage of an App Engine Service Account token
[Informational] Remote usage of an Azure Service Principal token
[Informational] Uncommon attempt at discovering a sensitive file
[Informational] Uncommon attempt at grabbing credentials from a sensitive file
[Informational] Uncommon signed process execution by scheduled task
[Informational] Unusual Conditional Access operation for an identity