[High] Cloud penetration testing tool activity
[High] Suspicious API call from a Tor exit node
[Informational] Globally uncommon image load from a signed process
[Medium] Globally uncommon and very rare image load from a signed process - Modified Logic
[Informational] Uncommon attempt at discovering a sensitive file
[Medium] Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script - Modified Logic
[Informational] Uncommon attempt at grabbing credentials from a sensitive file
[Medium] Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script - Modified Logic
[Low] A rare file path was added to the AppInit_DLLs registry value
[Low] Authentication attempt by a honey user
[Low] Azure AD PIM role settings change
[Low] Azure Event Hub Deletion
[Informational] Azure storage account cross-tenant object replication was enabled
[Low] Azure storage account cross-tenant object replication was enabled for the first time in a subscription - Modified Metadata
[Informational] First VPN access from ASN for user
[Low] Unusual VPN access from ASN - Modified Metadata
[Low] Possible multistage attack in Microsoft Teams
[Low] Risk indicators detected in email
[Low] SSO authentication attempt by a honey user
[Low] Uncommon ARP cache listing via arp.exe
[Low] VPN login attempt by a honey user
[Informational] A cloud identity executed an API call from an unusual country
[Informational] A possible risky login to Azure
[Informational] An Azure Firewall rule collection group was modified or deleted
[Informational] An Azure Key Vault key was modified
[Informational] An identity attached an administrative policy to an IAM user or role
[Informational] An identity created or updated password for an IAM user
[Informational] Authentication method added to an Azure account
[Informational] Azure AD account unlock/password reset attempt
[Informational] Azure Automation Account Creation
[Informational] Azure Automation Runbook Creation/Modification
[Informational] Azure Automation Runbook Deletion
[Informational] Azure Key Vault modification
[Informational] Azure Resource Group Deletion
[Informational] Cloud access key creation
[Informational] Successful access key creation by an unusual identity type - Modified Metadata
[Informational] Unusual successful cloud access key creation - Modified Metadata
[Informational] Cloud resource logging was disabled
[Informational] Cloud user performed multiple actions that were denied
[Informational] Compute activity in dormant cloud region
[Informational] First SSO Resource Access in the Organization
[Informational] First SSO access from ASN for user
[Informational] First SSO access from ASN in organization
[Informational] First VPN access from ASN in organization
[Informational] Okta account unlock
[Informational] Okta account unlock by admin
[Informational] Potential Okta access limit breach
[Informational] Rare NTLM Access By User To Host
[Informational] SSO Brute Force
[Informational] Suspicious SSO access from ASN
[Informational] Unusual cloud Instance Metadata Service (IMDS) access
[Informational] Unverified domain added to Azure AD
[Informational] User attempted to connect from a suspicious country
[Informational] Windows CGO, actor and action processes with anomalous characteristics