Detection Rules Overview
AWS CloudTrail Log Created
AWS CloudTrail Log Deleted
AWS CloudTrail Log Suspended
AWS CloudTrail Log Updated
AWS CloudWatch Alarm Deletion
AWS CloudWatch Log Group Deletion
AWS CloudWatch Log Stream Deletion
AWS Config Resource Deletion
AWS Configuration Recorder Stopped
AWS Deletion of RDS Instance or Cluster
AWS Discovery API Calls via CLI from a Single Resource
AWS DynamoDB Scan by Unusual User
AWS DynamoDB Table Exported to S3
AWS EC2 Admin Credential Fetch via Assumed Role
AWS EC2 Deprecated AMI Discovery
AWS EC2 EBS Snapshot Shared or Made Public
AWS EC2 Encryption Disabled
AWS EC2 Full Network Packet Capture Detected
AWS EC2 Instance Connect SSH Public Key Uploaded
AWS EC2 Instance Console Login via Assumed Role
AWS EC2 Instance Interaction with IAM Service
AWS EC2 Multi-Region DescribeInstances API Calls
AWS EC2 Network Access Control List Creation
AWS EC2 Network Access Control List Deletion
AWS EC2 Route Table Modified or Deleted
AWS EC2 Security Group Configuration Change
AWS EC2 Snapshot Activity
AWS EC2 User Data Retrieval for EC2 Instance
AWS EC2 VM Export Failure
AWS EFS File System or Mount Deleted
AWS ElastiCache Security Group Created
AWS ElastiCache Security Group Modified or Deleted
AWS EventBridge Rule Disabled or Deleted
AWS GuardDuty Detector Deletion
AWS IAM AdministratorAccess Policy Attached to Group
AWS IAM AdministratorAccess Policy Attached to Role
AWS IAM AdministratorAccess Policy Attached to User
AWS IAM Assume Role Policy Update
AWS IAM Brute Force of Assume Role Policy
AWS IAM CompromisedKeyQuarantine Policy Attached to User
AWS IAM Create User via Assumed Role on EC2 Instance
AWS IAM Customer-Managed Policy Attached to Role by Rare User
AWS IAM Deactivation of MFA Device
AWS IAM Group Creation
AWS IAM Group Deletion
AWS IAM Login Profile Added for Root
AWS IAM Login Profile Added to User
AWS IAM Password Recovery Requested
AWS IAM Roles Anywhere Profile Creation
AWS IAM Roles Anywhere Trust Anchor Created with External CA
AWS IAM SAML Provider Updated
AWS IAM User Addition to Group
AWS IAM User Created Access Keys For Another User
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
AWS Lambda Function Created or Updated
AWS Lambda Function Policy Updated to Allow Public Invocation
AWS Lambda Layer Added to Existing Function
AWS Management Console Brute Force of Root User Identity
AWS Management Console Root Login
AWS RDS Cluster Creation
AWS RDS DB Instance Made Public
AWS RDS DB Instance Restored
AWS RDS DB Instance or Cluster Deletion Protection Disabled
AWS RDS DB Instance or Cluster Password Modified
AWS RDS DB Snapshot Created
AWS RDS DB Snapshot Shared with Another Account
AWS RDS Instance Creation
AWS RDS Instance/Cluster Stoppage
AWS RDS Security Group Creation
AWS RDS Security Group Deletion
AWS RDS Snapshot Deleted
AWS RDS Snapshot Export
AWS Redshift Cluster Creation
AWS Root Login Without MFA
AWS Route 53 Domain Transfer Lock Disabled
AWS Route 53 Domain Transferred to Another Account
AWS Route Table Created
AWS Route53 private hosted zone associated with a VPC
AWS S3 Bucket Configuration Deletion
AWS S3 Bucket Enumeration or Brute Force
AWS S3 Bucket Expiration Lifecycle Configuration Added
AWS S3 Bucket Policy Added to Share with External Account
AWS S3 Bucket Replicated to Another Account
AWS S3 Bucket Server Access Logging Disabled
AWS S3 Object Encryption Using External KMS Key
AWS S3 Object Versioning Suspended
AWS S3 Unauthenticated Bucket Access by Rare Source
AWS SNS Email Subscription by Rare User
AWS SNS Topic Created by Rare User
AWS SQS Queue Purge
AWS SSM Command Document Created by Rare User
AWS SSM SendCommand Execution by Rare User
AWS STS AssumeRole with New MFA Device
AWS STS AssumeRoot by Rare User and Member Account
AWS STS GetCallerIdentity API Called for the First Time
AWS STS GetSessionToken Abuse
AWS STS Role Assumption by Service
AWS STS Role Assumption by User
AWS STS Role Chaining
AWS STS Temporary IAM Session Token Used from Multiple Addresses
AWS Service Quotas Multi-Region GetServiceQuota Requests
AWS Signin Single Factor Console Login with Federated User
AWS Systems Manager SecureString Parameter Request with Decryption Flag
AWS VPC Flow Logs Deletion
AWS WAF Access Control List Deletion
AWS WAF Rule or Rule Group Deletion
Application Added to Google Workspace Domain
Application Removed from Blocklist in Google Workspace
Attempts to Brute Force a Microsoft 365 User Account
Azure AD Global Administrator Role Assigned
Azure Active Directory High Risk Sign-in
Azure Active Directory High Risk User Sign-in Heuristic
Azure Active Directory PowerShell Sign-in
Azure Alert Suppression Rule Created or Modified
Azure Application Credential Modification
Azure Automation Account Created
Azure Automation Runbook Created or Modified
Azure Automation Runbook Deleted
Azure Automation Webhook Created
Azure Blob Container Access Level Modification
Azure Blob Permissions Modification
Azure Command Execution on Virtual Machine
Azure Diagnostic Settings Deletion
Azure Entra ID Password Spraying (Non-Interactive SFA)
Azure Entra ID Rare App ID for Principal Authentication
Azure Entra MFA TOTP Brute Force Attempts
Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
Azure Event Hub Authorization Rule Created or Updated
Azure Event Hub Deletion
Azure External Guest User Invitation
Azure Firewall Policy Deletion
Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
Azure Full Network Packet Capture Detected
Azure Global Administrator Role Addition to PIM User
Azure Key Vault Modified
Azure Kubernetes Events Deleted
Azure Kubernetes Pods Deleted
Azure Kubernetes Rolebindings Created
Azure Network Watcher Deletion
Azure Privilege Identity Management Role Modified
Azure Resource Group Deletion
Azure Service Principal Addition
Azure Storage Account Key Regenerated
Deprecated - Azure Virtual Network Device Modified or Deleted
Domain Added to Google Workspace Trusted Domains
EC2 AMI Shared with Another Account
Entra ID Device Code Auth with Broker Client
Excessive AWS S3 Object Encryption with SSE-C
External User Added to Google Workspace Group
First Occurrence GitHub Event for a Personal Access Token (PAT)
First Occurrence of Entra ID Auth via DeviceCode Protocol
First Occurrence of GitHub Repo Interaction From a New IP
First Occurrence of GitHub User Interaction with Private Repo
First Occurrence of IP Address For GitHub Personal Access Token (PAT)
First Occurrence of IP Address For GitHub User
First Occurrence of Personal Access Token (PAT) Use For a GitHub User
First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)
First Occurrence of STS GetFederationToken Request by User
First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
First Occurrence of User-Agent For a GitHub User
First Time AWS Cloudformation Stack Creation by User
First Time Seen AWS Secret Value Accessed in Secrets Manager
First Time Seen Google Workspace OAuth Login from Third-Party Application
Forwarded Google Workspace Security Alert
GCP Firewall Rule Creation
GCP Firewall Rule Deletion
GCP Firewall Rule Modification
GCP IAM Custom Role Creation
GCP IAM Role Deletion
GCP IAM Service Account Key Deletion
GCP Logging Bucket Deletion
GCP Logging Sink Deletion
GCP Logging Sink Modification
GCP Pub/Sub Subscription Creation
GCP Pub/Sub Subscription Deletion
GCP Pub/Sub Topic Creation
GCP Pub/Sub Topic Deletion
GCP Service Account Creation
GCP Service Account Deletion
GCP Service Account Disabled
GCP Service Account Key Creation
GCP Storage Bucket Configuration Modification
GCP Storage Bucket Deletion
GCP Storage Bucket Permissions Modification
GCP Virtual Private Cloud Network Deletion
GCP Virtual Private Cloud Route Creation
GCP Virtual Private Cloud Route Deletion
GitHub App Deleted
GitHub Owner Role Granted To User
GitHub PAT Access Revoked
GitHub Protected Branch Settings Changed
GitHub Repo Created
GitHub Repository Deleted
GitHub UEBA - Multiple Alerts from a GitHub Account
GitHub User Blocked From Organization
Google Drive Ownership Transferred via Google Workspace
Google Workspace 2SV Policy Disabled
Google Workspace API Access Granted via Domain-Wide Delegation
Google Workspace Admin Role Assigned to a User
Google Workspace Admin Role Deletion
Google Workspace Bitlocker Setting Disabled
Google Workspace Custom Admin Role Created
Google Workspace Custom Gmail Route Created or Modified
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
Google Workspace MFA Enforcement Disabled
Google Workspace Object Copied to External Drive with App Consent
Google Workspace Password Policy Modified
Google Workspace Restrictions for Marketplace Modified to Allow Any App
Google Workspace Role Modified
Google Workspace Suspended User Account Renewed
Google Workspace User Organizational Unit Changed
High Number of Cloned GitHub Repos From PAT
Insecure AWS EC2 VPC Security Group Ingress Rule Added
M365 OneDrive Excessive File Downloads with OAuth Token
MFA Deactivation with no Re-Activation for Okta User Account
MFA Disabled for Google Workspace Organization
Member Removed From GitHub Organization
Microsoft 365 Exchange Anti-Phish Policy Deletion
Microsoft 365 Exchange Anti-Phish Rule Modification
Microsoft 365 Exchange DKIM Signing Configuration Disabled
Microsoft 365 Exchange DLP Policy Removed
Microsoft 365 Exchange Malware Filter Policy Deletion
Microsoft 365 Exchange Malware Filter Rule Modification
Microsoft 365 Exchange Management Group Role Assignment
Microsoft 365 Exchange Safe Attachment Rule Disabled
Microsoft 365 Exchange Safe Link Policy Disabled
Microsoft 365 Exchange Transport Rule Creation
Microsoft 365 Exchange Transport Rule Modification
Microsoft 365 Global Administrator Role Assigned
Microsoft 365 Illicit Consent Grant via Registered Application
Microsoft 365 Impossible travel activity
Microsoft 365 Inbox Forwarding Rule Created
Microsoft 365 Mass download by a single user
Microsoft 365 Portal Login from Rare Location
Microsoft 365 Portal Logins from Impossible Travel Locations
Microsoft 365 Potential ransomware activity
Microsoft 365 Teams Custom Application Interaction Allowed
Microsoft 365 Teams External Access Enabled
Microsoft 365 Teams Guest Access Enabled
Microsoft 365 Unusual Volume of File Deletion
Microsoft 365 User Restricted from Sending Email
Microsoft Entra ID Conditional Access Policy (CAP) Modified
Microsoft Entra ID Illicit Consent Grant via Registered Application
Microsoft Entra ID Rare Authentication Requirement for Principal User
Microsoft Entra ID Service Principal Credentials Added by Rare User
Multi-Factor Authentication Disabled for an Azure User
New GitHub App Installed
New GitHub Owner Added
New User Added To GitHub Organization
New or Modified Federation Domain
O365 Email Reported by User as Malware or Phish
O365 Excessive Single Sign-On Logon Errors
O365 Exchange Suspicious Mailbox Right Delegation
O365 Mailbox Audit Logging Bypass
OneDrive Malware File Upload
Potential AWS S3 Bucket Ransomware Note Uploaded
Rapid Secret Retrieval Attempts from AWS SecretsManager
Rare AWS Error Code
Route53 Resolver Query Log Configuration Deleted
SNS Topic Message Publish by Rare User
SSM Session Started to EC2 Instance
SharePoint Malware File Upload
Spike in AWS Error Messages
Suspicious Microsoft 365 Mail Access by ClientAppId
Unusual AWS Command for a User
Unusual AWS S3 Object Encryption with SSE-C
Unusual City For an AWS Command
Unusual Country For an AWS Command
User Added as Owner for Azure Application
User Added as Owner for Azure Service Principal
AWS Credentials Searched For Inside A Container
Container Management Utility Run Inside A Container
File Made Executable via Chmod Inside A Container
File System Debugger Launched Inside a Container
Mount Launched Inside a Container
SSH Process Launched From Inside A Container
Sensitive Files Compression Inside A Container
Sensitive Keys Or Passwords Searched For Inside A Container
Suspicious Network Tool Launched Inside A Container
Unusual Interactive Process Launched in a Container
A scheduled task was created
A scheduled task was updated
APT Package Manager Configuration File Creation
AWS CLI Command with Custom Endpoint URL
AWS SSM SendCommand with Run Shell Command Parameters
Abnormal Process ID or Lock File Created
Accepted Default Telnet Port Connection
Access Control List Modification via setfacl
Access to Keychain Credentials Directories
Access to a Sensitive LDAP Attribute
Accessing Outlook Data Files
Account Configured with Never-Expiring Password
Account Discovery Command via SYSTEM Account
Account Password Reset Remotely
Account or Group Discovery via Built-In Tools
Active Directory Forced Authentication from Linux Host - SMB Named Pipes
Active Directory Group Modification by SYSTEM
AdFind Command Activity
Adding Hidden File Attribute via Attrib
AdminSDHolder Backdoor
AdminSDHolder SDProp Exclusion Added
Adobe Hijack Persistence
Alternate Data Stream Creation/Execution at Volume Root Directory
Anomalous Linux Compiler Activity
Anomalous Process For a Linux Population
Anomalous Process For a Windows Population
Anomalous Windows Process Creation
Apple Script Execution followed by Network Connection
Apple Scripting Execution with Administrator Privileges
Archive File with Unusual Extension
At Job Created or Modified
At.exe Command Lateral Movement
Attempt to Clear Kernel Ring Buffer
Attempt to Disable Auditd Service
Attempt to Disable Gatekeeper
Attempt to Disable IPTables or Firewall
Attempt to Disable Syslog Service
Attempt to Enable the Root Account
Attempt to Establish VScode Remote Tunnel
Attempt to Install Kali Linux via WSL
Attempt to Install Root Certificate
Attempt to Mount SMB Share via Command Line
Attempt to Unload Elastic Endpoint Security Kernel Extension
Attempted Private Key Access
Authentication via Unusual PAM Grantor
Authorization Plugin Modification
BPF filter applied using TC
Base16 or Base32 Encoding/Decoding Activity
Base64 Decoded Payload Piped to Interpreter
Bash Shell Profile Modification
Binary Content Copy via Cmd.exe
Binary Executed from Shared Memory Directory
Bitsadmin Activity
Boot File Copy
Browser Extension Install
Bypass UAC via Event Viewer
CAP_SYS_ADMIN Assigned to Binary
Chkconfig Service Add
Clearing Windows Console History
Clearing Windows Event Logs
Cobalt Strike Command and Control Beacon
Code Signing Policy Modification Through Built-in tools
Code Signing Policy Modification Through Registry
Command Execution via ForFiles
Command Execution via SolarWinds Process
Command Prompt Network Connection
Command Shell Activity Started via RunDLL32
Command and Scripting Interpreter via Windows Scripts
Component Object Model Hijacking
Compression DLL Loaded by Unusual Process
Conhost Spawned By Suspicious Parent Process
Connection to Commonly Abused Free SSL Certificate Providers
Connection to Commonly Abused Web Services
Connection to External Network via Telnet
Connection to Internal Network via Telnet
Control Panel Process with Unusual Arguments
Creation of Hidden Files and Directories via CommandLine
Creation of Hidden Launch Agent or Daemon
Creation of Hidden Login Item via Apple Script
Creation of Hidden Shared Object File
Creation of Kernel Module
Creation of SettingContent-ms Files
Creation of a DNS-Named Record
Creation of a Hidden Local User Account
Creation or Modification of Domain Backup DPAPI private key
Creation or Modification of Pluggable Authentication Module or Configuration
Creation or Modification of Root Certificate
Creation or Modification of a new GPO Scheduled Task or Service
Credential Acquisition via Registry Hive Dumping
Cron Job Created or Modified
Cupsd or Foomatic-rip Shell Execution
Curl SOCKS Proxy Activity from Unusual Parent
D-Bus Service Created
DNF Package Manager Plugin File Creation
DNS Global Query Block List Modified or Disabled
DNS-over-HTTPS Enabled via Registry
DPKG Package Installed by Unusual Parent Process
Default Cobalt Strike Team Server Certificate
Delayed Execution via Ping
Delete Volume USN Journal with Fsutil
Deleting Backup Catalogs with Wbadmin
Deprecated - Suspicious File Creation in /etc for Persistence
Directory Creation in /bin directory
Disable Windows Event and Security Logs Using Built-in Tools
Disable Windows Firewall Rules via Netsh
Disabling User Account Control via Registry Modification
Disabling Windows Defender Security Settings via PowerShell
Discovery of Domain Groups
Discovery of Internet Capabilities via Built-in Tools
Docker Escape via Nsenter
Docker Socket Enumeration
Downloaded Shortcut Files
Downloaded URL Files
Dracut Module Creation
Dumping Account Hashes via Built-In Commands
Dumping of Keychain Content via Security Command
Dynamic Linker (ld.so) Creation
Dynamic Linker Copy
Dynamic Linker Creation or Modification
ESXI Discovery via Find
ESXI Discovery via Grep
ESXI Timestomping using Touch Command
EggShell Backdoor Execution
Egress Connection from Entrypoint in Container
Elastic Agent Service Terminated
Emond Rules Creation or Modification
Enable Host Network Discovery via Netsh
Encoded Executable Stored in the Registry
Encrypting Files with WinRar or 7z
Enumerating Domain Trusts via DSQUERY.EXE
Enumerating Domain Trusts via NLTEST.EXE
Enumeration Command Spawned via WMIPrvSE
Enumeration of Administrator Accounts
Enumeration of Kernel Modules
Enumeration of Privileged Local Groups Membership
Enumeration of Users or Groups via Built-in Commands
Exchange Mailbox Export via PowerShell
Executable Bit Set for Potential Persistence Script
Executable File Creation with Multiple Extensions
Executable File with Unusual Extension
Executable Masquerading as Kernel Process
Execution from Unusual Directory - Command Line
Execution from a Removable Media with Network Connection
Execution of COM object via Xwizard
Execution of File Written or Modified by Microsoft Office
Execution of File Written or Modified by PDF Reader
Execution of Persistent Suspicious Program
Execution of a Downloaded Windows Script
Execution of an Unsigned Service
Execution via Electron Child Process Node.js Module
Execution via MS VisualStudio Pre/Post Build Events
Execution via MSSQL xp_cmdshell Stored Procedure
Execution via Microsoft DotNet ClickOnce Host
Execution via TSClient Mountpoint
Execution via Windows Command Debugging Utility
Execution via Windows Subsystem for Linux
Execution via local SxS Shared Module
Execution with Explicit Credentials via Scripting
Expired or Revoked Driver Loaded
Exporting Exchange Mailbox via PowerShell
External IP Lookup from Non-Browser Process
File Compressed or Archived into Common Format by Unsigned Process
File Creation Time Changed
File Creation by Cups or Foomatic-rip Child
File Creation in /var/log via Suspicious Process
File Creation, Execution and Self-Deletion in Suspicious Directory
File Deletion via Shred
File Permission Modification in Writable Directory
File Staged in Root Folder of Recycle Bin
File Transfer or Listener Established via Netcat
File and Directory Permissions Modification
File made Immutable by Chattr
File or Directory Deletion Command
File with Right-to-Left Override Character (RTLO) Created/Executed
File with Suspicious Extension Downloaded
Finder Sync Plugin Registered and Enabled
First Time Seen Commonly Abused Remote Access Tool Execution
First Time Seen Driver Loaded
First Time Seen NewCredentials Logon Process
First Time Seen Removable Device
FirstTime Seen Account Performing DCSync
Full User-Mode Dumps Enabled System-Wide
GRUB Configuration File Creation
GRUB Configuration Generation through Built-in Utilities
Git Hook Child Process
Git Hook Command Execution
Git Hook Created or Modified
Git Hook Egress Network Connection
Group Policy Abuse for Privilege Addition
Group Policy Discovery via Microsoft GPResult Utility
Halfbaked Command and Control Beacon
Hidden Directory Creation via Unusual Parent
Hidden Files and Directories via Hidden Flag
High Number of Egress Network Connections from Unusual Executable
High Number of Process Terminations
High Number of Process and/or Service Terminations
Host Files System Changes via Windows Subsystem for Linux
Hosts File Modified
Hping Process Activity
IIS HTTP Logging Disabled
IPSEC NAT Traversal Port Activity
IPv4/IPv6 Forwarding Activity
Image File Execution Options Injection
Image Loaded with Invalid Signature
ImageLoad via Windows Update Auto Update Client
Inbound Connection to an Unsecure Elasticsearch Node
Incoming DCOM Lateral Movement via MSHTA
Incoming DCOM Lateral Movement with MMC
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
Incoming Execution via PowerShell Remoting
Incoming Execution via WinRM Remote Shell
Indirect Command Execution via Forfiles/Pcalua
Ingress Transfer via Windows BITS
Initramfs Extraction via CPIO
Initramfs Unpacking via unmkinitramfs
InstallUtil Activity
InstallUtil Process Making Network Connections
Installation of Custom Shim Databases
Installation of Security Support Provider
Interactive Logon by an Unusual Process
Interactive Terminal Spawned via Perl
Interactive Terminal Spawned via Python
KRBTGT Delegation Backdoor
Kerberos Cached Credentials Dumping
Kerberos Pre-authentication Disabled for User
Kerberos Traffic from Unusual Process
Kernel Driver Load
Kernel Driver Load by non-root User
Kernel Load or Unload via Kexec Detected
Kernel Module Load via insmod
Kernel Module Removal
Kernel Object File Creation
Kernel Seeking Activity
Kernel Unpacking Activity
Keychain Password Retrieval via Command Line
Kill Command Execution
Kirbi File Creation
LSASS Memory Dump Creation
LSASS Memory Dump Handle Access
LSASS Process Access via Windows API
Lateral Movement via Startup Folder
Launch Agent Creation or Modification and Immediate Loading
LaunchDaemon Creation or Modification and Immediate Loading
Linux Clipboard Activity Detected
Linux Group Creation
Linux Process Hooking via GDB
Linux Restricted Shell Breakout via Linux Binary(s)
Linux SSH X11 Forwarding
Linux System Information Discovery
Linux System Information Discovery via Getconf
Linux User Account Creation
Linux User Account Credential Modification
Linux User Added to Privileged Group
Linux init (PID 1) Secret Dump via GDB
Loadable Kernel Module Configuration File Creation
Local Account TokenFilter Policy Disabled
Local Scheduled Task Creation
Login via Unusual System User
MS Office Macro Security Registry Modifications
MacOS Installer Package Spawns Network Event
Manual Dracut Execution
Masquerading Space After Filename
Memory Dump File with Unusual Extension
Memory Swap Modification
Message-of-the-Day (MOTD) File Creation
Microsoft Build Engine Started an Unusual Process
Microsoft Build Engine Started by a Script Process
Microsoft Build Engine Started by a System Process
Microsoft Build Engine Started by an Office Application
Microsoft Build Engine Using an Alternate Name
Microsoft Exchange Server UM Spawning Suspicious Processes
Microsoft Exchange Server UM Writing Suspicious Files
Microsoft Exchange Transport Agent Install Script
Microsoft Exchange Worker Spawning Suspicious Processes
Microsoft IIS Connection Strings Decryption
Microsoft IIS Service Account Password Dumped
Microsoft Management Console File from Unusual Path
Microsoft Windows Defender Tampering
Mimikatz Memssp Log File Detected
Modification of AmsiEnable Registry Key
Modification of Boot Configuration
Modification of Dynamic Linker Preload Shared Object
Modification of Environment Variable via Unsigned or Untrusted Parent
Modification of OpenSSH Binaries
Modification of Safari Settings via Defaults Command
Modification of Standard Authentication Module or Configuration
Modification of WDigest Security Provider
Modification of the msPKIAccountCredentials
Mofcomp Activity
Mounting Hidden or WebDav Remote Shares
MsBuild Making Network Connections
Mshta Making Network Connections
MsiExec Service Child Process With Network Connection
Multiple Logon Failure Followed by Logon Success
Multiple Logon Failure from the same Source Address
Multiple Vault Web Credentials Read
NTDS Dump via Wbadmin
NTDS or SAM Database File Copied
Namespace Manipulation Using Unshare
Netcat Listener Established via rlwrap
Netsh Helper DLL
Network Activity Detected via Kworker
Network Activity Detected via cat
Network Connection Initiated by SSHD Child Process
Network Connection by Cups or Foomatic-rip Child
Network Connection from Binary with RWX Memory Region
Network Connection via Certutil
Network Connection via Compiled HTML File
Network Connection via MsXsl
Network Connection via Recently Compiled Executable
Network Connection via Registration Utility
Network Connection via Signed Binary
Network Connection via Sudo Binary
Network Connections Initiated Through XDG Autostart Entry
Network Logon Provider Registry Modification
Network Traffic Capture via CAP_NET_RAW
Network-Level Authentication (NLA) Disabled
NetworkManager Dispatcher Script Creation
New ActiveSyncAllowedDeviceID Added via PowerShell
Nping Process Activity
NullSessionPipe Registry Modification
Office Test Registry Persistence
OpenSSL Password Hash Generation
Openssl Client or Server Activity
Outbound Scheduled Task Activity via PowerShell
Outlook Home Page Registry Modification
Parent Process Detected with Suspicious Windows Process(es)
Parent Process PID Spoofing
Peripheral Device Discovery
Persistence via BITS Job Notify Cmdline
Persistence via DirectoryService Plugin Modification
Persistence via Docker Shortcut Modification
Persistence via Folder Action Script
Persistence via Hidden Run Key Detected
Persistence via KDE AutoStart Script or Desktop File Modification
Persistence via Login or Logout Hook
Persistence via Microsoft Office AddIns
Persistence via Microsoft Outlook VBA
Persistence via PowerShell profile
Persistence via Scheduled Job Creation
Persistence via TelemetryController Scheduled Task Hijack
Persistence via Update Orchestrator Service Hijack
Persistence via WMI Event Subscription
Persistence via WMI Standard Registry Provider
Persistence via a Windows Installer
Persistent Scripts in the Startup Directory
Pluggable Authentication Module (PAM) Creation in Unusual Directory
Pluggable Authentication Module (PAM) Source Download
Pluggable Authentication Module (PAM) Version Discovery
Polkit Policy Creation
Polkit Version Discovery
Port Forwarding Rule Addition
Possible FIN7 DGA Command and Control Behavior
Potential ADIDNS Poisoning via Wildcard Record Creation
Potential Active Directory Replication Account Backdoor
Potential Admin Group Account Addition
Potential Antimalware Scan Interface Bypass via PowerShell
Potential Application Shimming via Sdbinst
Potential Buffer Overflow Attack Detected
Potential Chroot Container Escape via Mount
Potential Code Execution via Postgresql
Potential Command and Control via Internet Explorer
Potential Cookies Theft via Browser Debugging
Potential Credential Access via DCSync
Potential Credential Access via DuplicateHandle in LSASS
Potential Credential Access via LSASS Memory Dump
Potential Credential Access via Memory Dump File Creation
Potential Credential Access via Renamed COM+ Services DLL
Potential Credential Access via Trusted Developer Utility
Potential Credential Access via Windows Utilities
Potential DLL Side-Loading via Microsoft Antimalware Service Executable
Potential DLL Side-Loading via Trusted Microsoft Programs
Potential DNS Tunneling via NsLookup
Potential Data Splitting Detected
Potential Defense Evasion via CMSTP.exe
Potential Defense Evasion via Doas
Potential Defense Evasion via PRoot
Potential Disabling of AppArmor
Potential Disabling of SELinux
Potential Enumeration via Active Directory Web Service
Potential Escalation via Vulnerable MSI Repair
Potential Evasion via Filter Manager
Potential Evasion via Windows Filtering Platform
Potential Execution of rc.local Script
Potential Execution via XZBackdoor
Potential Exploitation of an Unquoted Service Path Vulnerability
Potential External Linux SSH Brute Force Detected
Potential File Download via a Headless Browser
Potential File Transfer via Certreq
Potential File Transfer via Curl for Windows
Potential Foxmail Exploitation
Potential Hex Payload Execution
Potential Hidden Local User Account Creation
Potential Hidden Process via Mount Hidepid
Potential Internal Linux SSH Brute Force Detected
Potential Invoke-Mimikatz PowerShell Script
Potential JAVA/JNDI Exploitation Attempt
Potential Kerberos Attack via Bifrost
Potential LSA Authentication Package Abuse
Potential LSASS Clone Creation via PssCaptureSnapShot
Potential LSASS Memory Dump via PssCaptureSnapShot
Potential Lateral Tool Transfer via SMB Share
Potential Linux Backdoor User Account Creation
Potential Linux Credential Dumping via Proc Filesystem
Potential Linux Credential Dumping via Unshadow
Potential Linux Hack Tool Launched
Potential Linux Local Account Brute Force Detected
Potential Linux Ransomware Note Creation Detected
Potential Linux Tunneling and/or Port Forwarding
Potential Local NTLM Relay via HTTP
Potential Malware-Driven SSH Brute Force Attempt
Potential Masquerading as Browser Process
Potential Masquerading as Business App Installer
Potential Masquerading as Communication Apps
Potential Masquerading as System32 DLL
Potential Masquerading as System32 Executable
Potential Masquerading as VLC DLL
Potential Memory Seeking Activity
Potential Meterpreter Reverse Shell
Potential Microsoft Office Sandbox Evasion
Potential Modification of Accessibility Binaries
Potential Network Scan Executed From Host
Potential Network Share Discovery
Potential Non-Standard Port HTTP/HTTPS connection
Potential Non-Standard Port SSH connection
Potential OpenSSH Backdoor Logging Activity
Potential Outgoing RDP Connection by Unusual Process
Potential Pass-the-Hash (PtH) Attempt
Potential Persistence via Atom Init Script Modification
Potential Persistence via File Modification
Potential Persistence via Login Hook
Potential Persistence via Periodic Tasks
Potential Persistence via Time Provider Modification
Potential Port Monitor or Print Processor Registration Abuse
Potential Port Scanning Activity from Compromised Host
Potential PowerShell HackTool Script by Author
Potential PowerShell HackTool Script by Function Names
Potential PowerShell Obfuscated Script
Potential PowerShell Pass-the-Hash/Relay Script
Potential Privacy Control Bypass via Localhost Secure Copy
Potential Privacy Control Bypass via TCCDB Modification
Potential Privilege Escalation through Writable Docker Socket
Potential Privilege Escalation via CVE-2023-4911
Potential Privilege Escalation via Container Misconfiguration
Potential Privilege Escalation via Enlightenment
Potential Privilege Escalation via InstallerFileTakeOver
Potential Privilege Escalation via Linux DAC permissions
Potential Privilege Escalation via OverlayFS
Potential Privilege Escalation via PKEXEC
Potential Privilege Escalation via Python cap_setuid
Potential Privilege Escalation via Recently Compiled Executable
Potential Privilege Escalation via Service ImagePath Modification
Potential Privilege Escalation via Sudoers File Modification
Potential Privilege Escalation via UID INT_MAX Bug Detected
Potential Privileged Escalation via SamAccountName Spoofing
Potential Process Injection from Malicious Document
Potential Process Injection via PowerShell
Potential Process Name Stomping with Prctl
Potential Protocol Tunneling via Chisel Client
Potential Protocol Tunneling via Chisel Server
Potential Protocol Tunneling via EarthWorm
Potential Pspy Process Monitoring Detected
Potential Ransomware Behavior - High count of Readme files by System
Potential Ransomware Note File Dropped via SMB
Potential Relay Attack against a Domain Controller
Potential Remote Code Execution via Web Server
Potential Remote Credential Access via Registry
Potential Remote Desktop Shadowing Activity
Potential Remote Desktop Tunneling Detected
Potential Remote File Execution via MSIEXEC
Potential Reverse Shell
Potential Reverse Shell Activity via Terminal
Potential Reverse Shell via Background Process
Potential Reverse Shell via Child
Potential Reverse Shell via Java
Potential Reverse Shell via Suspicious Binary
Potential Reverse Shell via Suspicious Child Process
Potential Reverse Shell via UDP
Potential SSH-IT SSH Worm Downloaded
Potential Secure File Deletion via SDelete Utility
Potential Shadow Credentials added to AD Object
Potential Shadow File Read via Command Line Utilities
Potential SharpRDP Behavior
Potential Shell via Wildcard Injection Detected
Potential Subnet Scanning Activity from Compromised Host
Potential Successful Linux FTP Brute Force Attack Detected
Potential Successful Linux RDP Brute Force Attack Detected
Potential Successful SSH Brute Force Attack
Potential Sudo Hijacking
Potential Sudo Privilege Escalation via CVE-2019-14287
Potential Sudo Token Manipulation via Process Injection
Potential Suspicious DebugFS Root Device Access
Potential Suspicious File Edit
Potential Unauthorized Access via Wildcard Injection Detected
Potential Upgrade of Non-interactive Shell
Potential Veeam Credential Access Command
Potential WPAD Spoofing via DNS Record Creation
Potential WSUS Abuse for Lateral Movement
Potential Widespread Malware Infection Across Multiple Hosts
Potential Windows Error Manager Masquerading
Potential Windows Session Hijacking via CcmExec
Potential curl CVE-2023-38545 Exploitation
Potential macOS SSH Brute Force Detected
Potential privilege escalation via CVE-2022-38028
Potentially Suspicious Process Started via tmux or screen
PowerShell Invoke-NinjaCopy script
PowerShell Kerberos Ticket Dump
PowerShell Kerberos Ticket Request
PowerShell Keylogging Script
PowerShell Mailbox Collection Script
PowerShell MiniDump Script
PowerShell PSReflect Script
PowerShell Script Block Logging Disabled
PowerShell Script with Archive Compression Capabilities
PowerShell Script with Discovery Capabilities
PowerShell Script with Encryption/Decryption Capabilities
PowerShell Script with Log Clear Capabilities
PowerShell Script with Password Policy Discovery Capabilities
PowerShell Script with Remote Execution Capabilities via WinRM
PowerShell Script with Token Impersonation Capabilities
PowerShell Script with Veeam Credential Access Capabilities
PowerShell Script with Webcam Video Capture Capabilities
PowerShell Script with Windows Defender Tampering Capabilities
PowerShell Share Enumeration Script
PowerShell Suspicious Discovery Related Windows API Functions
PowerShell Suspicious Payload Encoded and Compressed
PowerShell Suspicious Script with Audio Capture Capabilities
PowerShell Suspicious Script with Clipboard Retrieval Capabilities
PowerShell Suspicious Script with Screenshot Capabilities
Printer User (lp) Shell Execution
Private Key Searching Activity
Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
Privilege Escalation via CAP_SETUID/SETGID Capabilities
Privilege Escalation via GDB CAP_SYS_PTRACE
Privilege Escalation via Named Pipe Impersonation
Privilege Escalation via Rogue Named Pipe Impersonation
Privilege Escalation via Root Crontab File Modification
Privilege Escalation via SUID/SGID
Privilege Escalation via Windir Environment Variable
Privileged Account Brute Force
Privileged Docker Container Creation
Privileges Elevation via Parent Process PID Spoofing
Process Activity via Compiled HTML File
Process Backgrounded by Unusual Parent
Process Capability Enumeration
Process Capability Set via setcap Utility
Process Created with a Duplicated Token
Process Created with an Elevated Token
Process Creation via Secondary Logon
Process Discovery Using Built-in Tools
Process Discovery via Built-In Applications
Process Execution from an Unusual Directory
Process Injection by the Microsoft Build Engine
Process Spawned from Message-of-the-Day (MOTD)
Process Started from Process ID (PID) File
Process Started with Executable Stack
Process Termination followed by Deletion
Processes with Trailing Spaces
Program Files Directory Masquerading
Prompt for Credentials with OSASCRIPT
ProxyChains Activity
PsExec Network Connection
Python Path File (pth) Creation
Python Site or User Customize File Creation
Quarantine Attrib Removed by Unsigned or Untrusted Process
Query Registry using Built-in Tools
RDP (Remote Desktop Protocol) from the Internet
RDP Enabled via Registry
ROT Encoded Python Script Execution
RPC (Remote Procedure Call) from the Internet
RPC (Remote Procedure Call) to the Internet
RPM Package Installed by Unusual Parent Process
Rare SMB Connection to the Internet
Registry Persistence via AppCert DLL
Registry Persistence via AppInit DLL
Remote Computer Account DnsHostName Update
Remote Desktop Enabled in Windows Firewall by Netsh
Remote Desktop File Opened from Suspicious Path
Remote Execution via File Shares
Remote File Copy to a Hidden Share
Remote File Copy via TeamViewer
Remote File Creation in World Writeable Directory
Remote File Download via Desktopimgdownldr Utility
Remote File Download via MpCmdRun
Remote File Download via PowerShell
Remote File Download via Script Interpreter
Remote SSH Login Enabled via systemsetup Command
Remote Scheduled Task Creation
Remote Scheduled Task Creation via RPC
Remote System Discovery Commands
Remote Windows Service Installed
Remote XSL Script Execution via COM
Remotely Started Services via RPC
Renamed AutoIt Scripts Interpreter
Renamed Utility Executed with Short Program Name
Root Certificate Installation
Root Network Connection via GDB CAP_SYS_PTRACE
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
SELinux Configuration Creation or Renaming
SIP Provider Modification
SMB (Windows File Sharing) Activity to the Internet
SMB Connections via LOLBin or Untrusted Process
SMTP on Port 26/TCP
SSH Authorized Keys File Deletion
SSH Authorized Keys File Modification
SSH Key Generated via ssh-keygen
SSL Certificate Deletion
SUID/SGID Bit Set
SUID/SGUID Enumeration Detected
SUNBURST Command and Control Activity
Scheduled Task Created by a Windows Script
Scheduled Task Execution at Scale via GPO
Scheduled Tasks AT Command Enabled
ScreenConnect Server Spawning Suspicious Processes
Screensaver Plist File Modified by Unexpected Process
Script Execution via Microsoft HTML Application
SeDebugPrivilege Enabled by a Suspicious Process
Searching for Saved Credentials via VaultCmd
Security File Access via Common Utilities
Security Software Discovery using WMIC
Security Software Discovery via Grep
Segfault Detected
Sensitive Audit Policy Sub-Category Disabled
Sensitive Files Compression
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
Sensitive Registry Hive Access via RegBack
Service Command Lateral Movement
Service Control Spawned via Script Interpreter
Service Creation via Local Kerberos Authentication
Service DACL Modification via sc.exe
Service Disabled via Registry Modification
Service Path Modification
Service Path Modification via sc.exe
Setcap setuid/setgid Capability Set
Shadow File Modification by Unusual Process
Shared Object Created or Changed by Previously Unknown Process
Shell Configuration Creation or Modification
Shell Execution via Apple Scripting
Shortcut File Written or Modified on Startup Folder
Signed Proxy Execution via MS Work Folders
Simple HTTP Web Server Connection
Simple HTTP Web Server Creation
SoftwareUpdate Preferences Modification
SolarWinds Process Disabling Services via Registry
Startup Folder Persistence via Unsigned Process
Startup Persistence by a Suspicious Process
Startup or Run Key Registry Modification
Startup/Logon Script added to Group Policy Object
Stolen Credentials Used to Login to Okta Account After MFA Reset
Sublime Plugin or Application Script Modification
Successful SSH Authentication from Unusual IP Address
Successful SSH Authentication from Unusual SSH Public Key
Successful SSH Authentication from Unusual User
Sudo Command Enumeration Detected
Sudo Heap-Based Buffer Overflow Attempt
Sudoers File Modification
Suspicious .NET Code Compilation
Suspicious .NET Reflection via PowerShell
Suspicious /proc/maps Discovery
Suspicious APT Package Manager Execution
Suspicious APT Package Manager Network Connection
Suspicious Access to LDAP Attributes
Suspicious Antimalware Scan Interface DLL
Suspicious Automator Workflows Execution
Suspicious Browser Child Process
Suspicious Calendar File Modification
Suspicious CertUtil Commands
Suspicious Child Process of Adobe Acrobat Reader Update Service
Suspicious Cmd Execution via WMI
Suspicious Communication App Child Process
Suspicious Content Extracted or Decompressed via Funzip
Suspicious CronTab Creation or Modification
Suspicious DLL Loaded for Persistence or Privilege Escalation
Suspicious Data Encryption via OpenSSL Utility
Suspicious Dynamic Linker Discovery via od
Suspicious Emond Child Process
Suspicious Endpoint Security Parent Process
Suspicious Execution from Foomatic-rip or Cupsd Parent
Suspicious Execution from INET Cache
Suspicious Execution from a Mounted Device
Suspicious Execution via MSIEXEC
Suspicious Execution via Microsoft Office Add-Ins
Suspicious Execution via Scheduled Task
Suspicious Execution via Windows Subsystem for Linux
Suspicious Explorer Child Process
Suspicious File Creation via Kworker
Suspicious File Downloaded from Google Drive
Suspicious File Renamed via SMB
Suspicious HTML File Creation
Suspicious Hidden Child Process of Launchd
Suspicious Image Load (taskschd.dll) from MS Office
Suspicious ImagePath Service Creation
Suspicious Inter-Process Communication via Outlook
Suspicious JetBrains TeamCity Child Process
Suspicious Kworker UID Elevation
Suspicious LSASS Access via MalSecLogon
Suspicious Lsass Process Access
Suspicious MS Office Child Process
Suspicious MS Outlook Child Process
Suspicious Managed Code Hosting Process
Suspicious Memory grep Activity
Suspicious Microsoft Diagnostics Wizard Execution
Suspicious Mining Process Creation Event
Suspicious Module Loaded by LSASS
Suspicious Network Activity to the Internet by Previously Unknown Executable
Suspicious Network Connection via systemd
Suspicious Outlook Child Process
Suspicious PDF Reader Child Process
Suspicious Passwd File Event Action
Suspicious Path Invocation from Command Line
Suspicious Portable Executable Encoded in Powershell Script
Suspicious PowerShell Engine ImageLoad
Suspicious Powershell Script
Suspicious Print Spooler File Deletion
Suspicious Print Spooler Point and Print DLL
Suspicious Print Spooler SPL File Created
Suspicious PrintSpooler Service Executable File Creation
Suspicious Process Access via Direct System Call
Suspicious Process Creation CallTrace
Suspicious Process Execution via Renamed PsExec Executable
Suspicious RDP ActiveX Client Loaded
Suspicious Remote Registry Access via SeBackupPrivilege
Suspicious Renaming of ESXI Files
Suspicious Renaming of ESXI index.html File
Suspicious ScreenConnect Client Child Process
Suspicious Script Object Execution
Suspicious Service was Installed in the System
Suspicious SolarWinds Child Process
Suspicious Startup Shell Folder Modification
Suspicious Symbolic Link Created
Suspicious System Commands Executed by Previously Unknown Executable
Suspicious Termination of ESXI Process
Suspicious Troubleshooting Pack Cabinet Execution
Suspicious Usage of bpf_probe_write_user Helper
Suspicious Utility Launched via ProxyChains
Suspicious WMI Event Subscription Created
Suspicious WMI Image Load from MS Office
Suspicious WMIC XSL Script Execution
Suspicious Web Browser Sensitive File Access
Suspicious WerFault Child Process
Suspicious Windows Command Shell Arguments
Suspicious Windows Powershell Arguments
Suspicious Zoom Child Process
Suspicious macOS MS Office Child Process
Suspicious pbpaste High Volume Activity
Suspicious rc.local Error Message
Suspicious which Enumeration
Svchost spawning Cmd
Symbolic Link to Shadow Copy Created
System Binary Moved or Copied
System Binary Path File Permission Modification
System Hosts File Access
System Information Discovery via Windows Command Shell
System Log File Deletion
System Network Connections Discovery
System Owner/User Discovery Linux
System Service Discovery through built-in Windows Utilities
System Shells via Services
System Time Discovery
System V Init Script Created
SystemKey Access via Command Line
Systemd Generator Created
Systemd Service Created
Systemd Service Started by Unusual Parent Process
Systemd Shell Execution During Boot
Systemd Timer Created
Systemd-udevd Rule File Creation
TCC Bypass via Mounted APFS Snapshot Access
Tainted Kernel Module Load
Tainted Out-Of-Tree Kernel Module Load
Tampering of Shell Command-Line History
Temporarily Scheduled Task Creation
Third-party Backup Files Deleted via Unexpected Process
Timestomping using Touch Command
Trap Signals Execution
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
UAC Bypass Attempt via Privileged IFileOperation COM Interface
UAC Bypass Attempt via Windows Directory Masquerading
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
UAC Bypass via DiskCleanup Scheduled Task Hijack
UAC Bypass via ICMLuaUtil Elevated COM Interface
UAC Bypass via Windows Firewall Snap-In Hijack
UID Elevation from Previously Unknown Executable
Uncommon Destination Port Connection by Web Server
Uncommon Registry Persistence Change
Unexpected Child Process of macOS Screensaver Engine
Unix Socket Connection
Unknown Execution of Binary with RWX Memory Region
Unsigned BITS Service Client Process
Unsigned DLL Loaded by Svchost
Unsigned DLL Loaded by a Trusted Process
Unsigned DLL Side-Loading from a Suspicious Folder
Unsigned DLL loaded by DNS Service
Untrusted DLL Loaded by Azure AD Sync Service
Untrusted Driver Loaded
Unusual Base64 Encoding/Decoding Activity
Unusual Child Process from a System Virtual Process
Unusual Child Process of dns.exe
Unusual Child Processes of RunDLL32
Unusual Command Execution from Web Server Parent
Unusual D-Bus Daemon Child Process
Unusual DPKG Execution
Unusual Discovery Activity by User
Unusual Discovery Signal Alert with Unusual Process Command Line
Unusual Discovery Signal Alert with Unusual Process Executable
Unusual Executable File Creation by a System Critical Process
Unusual Execution via Microsoft Common Console File
Unusual File Creation - Alternate Data Stream
Unusual File Creation by Web Server
Unusual File Modification by dns.exe
Unusual File Transfer Utility Launched
Unusual Instance Metadata Service (IMDS) API Request
Unusual Interactive Shell Launched from System User
Unusual Linux Network Activity
Unusual Linux Network Configuration Discovery
Unusual Linux Network Connection Discovery
Unusual Linux Network Port Activity
Unusual Linux Process Calling the Metadata Service
Unusual Linux Process Discovery Activity
Unusual Linux System Information Discovery Activity
Unusual Linux User Calling the Metadata Service
Unusual Linux User Discovery Activity
Unusual Linux Username
Unusual Network Activity from a Windows System Binary
Unusual Network Connection to Suspicious Top Level Domain
Unusual Network Connection to Suspicious Web Service
Unusual Network Connection via DllHost
Unusual Network Connection via RunDLL32
Unusual Parent Process for cmd.exe
Unusual Parent-Child Relationship
Unusual Persistence via Services Registry
Unusual Pkexec Execution
Unusual Preload Environment Variable Process Execution
Unusual Print Spooler Child Process
Unusual Process Execution Path - Alternate Data Stream
Unusual Process Execution on WBEM Path
Unusual Process Extension
Unusual Process For MSSQL Service Accounts
Unusual Process For a Linux Host
Unusual Process For a Windows Host
Unusual Process Network Connection
Unusual Process Spawned by a Host
Unusual Process Spawned by a Parent Process
Unusual Process Spawned by a User
Unusual Process Spawned from Web Server Parent
Unusual Remote File Creation
Unusual SSHD Child Process
Unusual Service Host Child Process - Childless Service
Unusual Sudo Activity
Unusual User Privilege Enumeration via id
Unusual Windows Network Activity
Unusual Windows Path Activity
Unusual Windows Process Calling the Metadata Service
Unusual Windows Remote User
Unusual Windows Service
Unusual Windows User Calling the Metadata Service
Unusual Windows User Privilege Elevation Activity
Unusual Windows Username
User Account Creation
User Added to Privileged Group
User Added to the Admin Group
User Detected with Suspicious Windows Process(es)
User account exposed to Kerberoasting
User or Group Creation/Modification
VNC (Virtual Network Computing) from the Internet
VNC (Virtual Network Computing) to the Internet
Veeam Backup Library Loaded by Unusual Process
Virtual Machine Fingerprinting
Virtual Machine Fingerprinting via Grep
Virtual Private Network Connection Attempt
Volume Shadow Copy Deleted or Resized via VssAdmin
Volume Shadow Copy Deletion via PowerShell
Volume Shadow Copy Deletion via WMIC
WDAC Policy File by an Unusual Process
WMI Incoming Lateral Movement
WMI WBEMTEST Utility Execution
WMIC Remote Command
WPAD Service Exploit
WPS Office Exploitation via DLL Hijack
WRITEDAC Access on Active Directory Object
Web Server Spawned via Python
Web Shell Detection: Script Process Child of Common Web Processes
WebProxy Settings Modification
WebServer Access Logs Deleted
Werfault ReflectDebugger Persistence
Whoami Process Activity
Windows Account or Group Discovery
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
Windows Defender Disabled via Registry Modification
Windows Defender Exclusions Added via PowerShell
Windows Event Logs Cleared
Windows Firewall Disabled via PowerShell
Windows Installer with Suspicious Properties
Windows Network Enumeration
Windows Registry File Creation in SMB Share
Windows Script Executing PowerShell
Windows Script Interpreter Executing Process via WMI
Windows Service Installed via an Unusual Client
Windows Subsystem for Linux Distribution Installed
Windows Subsystem for Linux Enabled via Dism Utility
Windows System Information Discovery
Windows System Network Connections Discovery
Windows User Account Creation
Wireless Credential Dumping using Netsh Command
Yum Package Manager Plugin File Creation
Yum/DNF Plugin Status Discovery
rc.local/rc.common File Creation
AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
Azure OpenAI Insecure Output Handling
Potential Abuse of Resources by High Token Count and Large Response Sizes
Potential Azure OpenAI Model Theft
Potential Denial of Azure OpenAI ML Service
Unusual High Confidence Content Filter Blocks Detected
Unusual High Denied Sensitive Information Policy Blocks Detected
Unusual High Denied Topic Blocks Detected
Unusual High Word Policy Blocks Detected
Machine Learning Detected DGA activity using a known SUNBURST DNS domain
Machine Learning Detected a DNS Request Predicted to be a DGA Domain
Machine Learning Detected a DNS Request With a High DGA Probability Score
Potential Network Scan Detected
Potential Network Sweep Detected
Potential SYN-Based Port Scan Detected
Statistical Model Detected C2 Beaconing Activity
Statistical Model Detected C2 Beaconing Activity with High Confidence
Multiple Device Token Hashes for Single Okta Session
Successful Application SSO from Rare Unknown Client Device
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
Abnormally Large DNS Response
Administrator Privileges Assigned to an Okta Group
Administrator Role Assigned to an Okta User
Adversary Behavior - Detected - Elastic Endgame
Agent Spoofing - Mismatched Agent ID
Agent Spoofing - Multiple Hosts Using Same Agent
Attempt to Create Okta API Token
Attempt to Deactivate an Okta Application
Attempt to Deactivate an Okta Network Zone
Attempt to Deactivate an Okta Policy
Attempt to Deactivate an Okta Policy Rule
Attempt to Delete an Okta Application
Attempt to Delete an Okta Network Zone
Attempt to Delete an Okta Policy
Attempt to Delete an Okta Policy Rule
Attempt to Modify an Okta Application
Attempt to Modify an Okta Network Zone
Attempt to Modify an Okta Policy
Attempt to Modify an Okta Policy Rule
Attempt to Reset MFA Factors for an Okta User Account
Attempt to Revoke Okta API Token
Attempted Bypass of Okta MFA
Attempts to Brute Force an Okta User Account
Behavior - Detected - Elastic Defend
Behavior - Prevented - Elastic Defend
Credential Dumping - Detected - Elastic Endgame
Credential Dumping - Prevented - Elastic Endgame
Credential Manipulation - Detected - Elastic Endgame
Credential Manipulation - Prevented - Elastic Endgame
CyberArk Privileged Access Security Error
CyberArk Privileged Access Security Recommended Monitor
DNS Tunneling
Decline in host-based traffic
Endpoint Security (Elastic Defend)
Enumeration of Kernel Modules via Proc
Exploit - Detected - Elastic Endgame
Exploit - Prevented - Elastic Endgame
External Alerts
First Occurrence of Okta User Session Started via Proxy
High Command Line Entropy Detected for Privileged Commands
High Mean of Process Arguments in an RDP Session
High Mean of RDP Session Duration
High Number of Okta Device Token Cookies Generated for Authentication
High Number of Okta User Password Reset or Unlock Attempts
High Variance in RDP Session Duration
Host Detected with Suspicious Windows Process(es)
Kubernetes Anonymous Request Authorized
Kubernetes Container Created with Excessive Linux Capabilities
Kubernetes Denied Service Account Request
Kubernetes Exposed Service Created With Type NodePort
Kubernetes Pod Created With HostIPC
Kubernetes Pod Created With HostNetwork
Kubernetes Pod Created With HostPID
Kubernetes Pod created with a Sensitive hostPath Volume
Kubernetes Privileged Pod Created
Kubernetes Suspicious Assignment of Controller Service Account
Kubernetes Suspicious Self-Subject Review
Kubernetes User Exec into Pod
Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
Malicious File - Detected - Elastic Defend
Malicious File - Prevented - Elastic Defend
Malware - Detected - Elastic Endgame
Malware - Prevented - Elastic Endgame
Memory Threat - Detected - Elastic Defend
Memory Threat - Prevented - Elastic Defend
Modification or Removal of an Okta Application Sign-On Policy
Multiple Alerts Involving a User
Multiple Alerts in Different ATT&CK Tactics on a Single Host
Multiple Okta Sessions Detected for a Single User
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
Multiple Okta User Authentication Events with Client Address
Multiple Okta User Authentication Events with Same Device Token Hash
My First Rule
Network Traffic to Rare Destination Country
New Okta Authentication Behavior Detected
New Okta Identity Provider (IdP) Added by Admin
Okta Brute Force or Password Spraying Attack
Okta FastPass Phishing Detection
Okta Sign-In Events via Third-Party IdP
Okta ThreatInsight Threat Suspected Promotion
Okta User Session Impersonation
Okta User Sessions Started from Different Geolocations
Permission Theft - Detected - Elastic Endgame
Permission Theft - Prevented - Elastic Endgame
Possible Okta DoS Attack
Potential DGA Activity
Potential Data Exfiltration Activity to an Unusual Destination Port
Potential Data Exfiltration Activity to an Unusual IP Address
Potential Data Exfiltration Activity to an Unusual ISO Code
Potential Data Exfiltration Activity to an Unusual Region
Potential Okta MFA Bombing via Push Notifications
Potentially Successful MFA Bombing via Push Notifications
Process Injection - Detected - Elastic Endgame
Process Injection - Prevented - Elastic Endgame
Ransomware - Detected - Elastic Defend
Ransomware - Detected - Elastic Endgame
Ransomware - Prevented - Elastic Defend
Ransomware - Prevented - Elastic Endgame
Rapid7 Threat Command CVEs Correlation
Rare User Logon
Spike in Bytes Sent to an External Device
Spike in Bytes Sent to an External Device via Airdrop
Spike in Failed Logon Events
Spike in Firewall Denies
Spike in Group Application Assignment Change Events
Spike in Group Lifecycle Change Events
Spike in Group Management Events
Spike in Group Membership Events
Spike in Group Privilege Change Events
Spike in Logon Events
Spike in Network Traffic
Spike in Network Traffic To a Country
Spike in Number of Connections Made from a Source IP
Spike in Number of Connections Made to a Destination IP
Spike in Number of Processes in an RDP Session
Spike in Privileged Command Execution by a User
Spike in Remote File Transfers
Spike in Special Logon Events
Spike in Special Privilege Use Events
Spike in Successful Logon Events from a Source IP
Spike in User Account Management Events
Spike in User Lifecycle Management Change Events
Spike in host-based traffic
Suspicious Activity Reported by Okta User
Suspicious Modprobe File Event
Suspicious Proc Pseudo File System Enumeration
Suspicious Sysctl File Event
Threat Intel Hash Indicator Match
Threat Intel IP Address Indicator Match
Threat Intel URL Indicator Match
Threat Intel Windows Registry Indicator Match
Unauthorized Access to an Okta Application
Unusual DNS Activity
Unusual Group Name Accessed by a User
Unusual Host Name for Okta Privileged Operations Detected
Unusual Host Name for Windows Privileged Operations Detected
Unusual Hour for a User to Logon
Unusual Login Activity
Unusual Network Destination Domain Name
Unusual Privilege Type assigned to a User
Unusual Process Detected for Privileged Commands by a User
Unusual Process Writing Data to an External Device
Unusual Region Name for Okta Privileged Operations Detected
Unusual Region Name for Windows Privileged Operations Detected
Unusual Remote File Directory
Unusual Remote File Extension
Unusual Remote File Size
Unusual Source IP for Okta Privileged Operations Detected
Unusual Source IP for Windows Privileged Operations Detected
Unusual Source IP for a User to Logon from
Unusual Spike in Concurrent Active Sessions by a User
Unusual Time or Day for an RDP Session
Unusual Web Request
Unusual Web User Agent
Web Application Suspicious Activity: POST Request Declined
Web Application Suspicious Activity: Unauthorized Method
Web Application Suspicious Activity: sqlmap User Agent
Zoom Meeting with no Passcode