Application

| Name | Technique | Datamodel |
|---|---|---|
| CrushFTP Server Side Template Injection | Exploit Public-Facing Application | None |
| Detect Distributed Password Spray Attempts | Password Spraying, Brute Force | Authentication |
| Detect New Login Attempts to Routers | None | Authentication |
| Detect Password Spray Attempts | Password Spraying, Brute Force | Authentication |
| Detect Risky SPL using Pretrained ML Model | Command and Scripting Interpreter | Splunk_Audit |
| Email Attachments With Lots Of Spaces | None | Email |
| Email files written outside of the Outlook directory | Email Collection, Local Email Collection | Endpoint |
| Email servers sending high volume traffic to hosts | Email Collection, Remote Email Collection | Network_Traffic |
| Ivanti VTM New Account Creation | Exploit Public-Facing Application | None |
| Monitor Email For Brand Abuse | None | Email |
| No Windows Updates in a time frame | None | Updates |
| Okta Authentication Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Authentication |
| Okta IDP Lifecycle Modifications | Cloud Account | None |
| Okta MFA Exhaustion Hunt | Brute Force | Authentication |
| Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | None |
| Okta Multi-Factor Authentication Disabled | Modify Authentication Process, Multi-Factor Authentication | Change |
| Okta Multiple Accounts Locked Out | Brute Force | Change |
| Okta Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | None |
| Okta Multiple Failed Requests to Access Applications | Web Session Cookie, Cloud Service Dashboard | None |
| Okta Multiple Users Failing To Authenticate From Ip | Password Spraying | Authentication |
| Okta New API Token Created | Valid Accounts, Default Accounts | Change |
| Okta New Device Enrolled on Account | Account Manipulation, Device Registration | Change |
| Okta Phishing Detection with FastPass Origin Check | Valid Accounts, Default Accounts, Modify Authentication Process | None |
| Okta Risk Threshold Exceeded | Valid Accounts, Brute Force | Risk |
| Okta Successful Single Factor Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | None |
| Okta Suspicious Activity Reported | Valid Accounts, Default Accounts | None |
| Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | None |
| Okta ThreatInsight Threat Detected | Valid Accounts, Cloud Accounts | None |
| Okta Unauthorized Access to Application | Cloud Account | Authentication |
| Okta User Logins from Multiple Cities | Cloud Accounts | Authentication |
| Path traversal SPL injection | File and Directory Discovery | None |
| Persistent XSS in RapidDiag through User Interface Views | Drive-by Compromise | None |
| PingID Mismatch Auth Source and Verification Response | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | None |
| PingID Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | None |
| PingID New MFA Method After Credential Reset | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | Change |
| PingID New MFA Method Registered For User | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | None |
| Splunk Absolute Path Traversal Using runshellscript | File and Directory Discovery | None |
| Splunk Account Discovery Drilldown Dashboard Disclosure | Account Discovery | None |
| Splunk App for Lookup File Editing RCE via User XSLT | Exploitation of Remote Services | None |
| Splunk Authentication Token Exposure in Debug Log | Log Enumeration | Web |
| Splunk CSRF in the SSG kvstore Client Endpoint | Drive-by Compromise | None |
| Splunk Code Injection via custom dashboard leading to RCE | Exploitation of Remote Services | None |
| Splunk Command and Scripting Interpreter Delete Usage | Command and Scripting Interpreter | Splunk_Audit |
| Splunk Command and Scripting Interpreter Risky Commands | Command and Scripting Interpreter | Splunk_Audit |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Command and Scripting Interpreter | Splunk_Audit |
| Splunk DOS Via Dump SPL Command | Application or System Exploitation | None |
| Splunk DOS via printf search function | Application or System Exploitation | None |
| Splunk Data exfiltration from Analytics Workspace using sid query | Exfiltration Over Web Service | None |
| Splunk Digital Certificates Infrastructure Version | Digital Certificates | None |
| Splunk Digital Certificates Lack of Encryption | Digital Certificates | None |
| Splunk DoS Using Malformed SAML Request | Network Denial of Service | None |
| Splunk DoS via Malformed S2S Request | Network Denial of Service | None |
| Splunk DoS via POST Request Datamodel Endpoint | Endpoint Denial of Service | None |
| Splunk ES DoS Investigations Manager via Investigation Creation | Endpoint Denial of Service | None |
| Splunk ES DoS Through Investigation Attachments | Endpoint Denial of Service | None |
| Splunk Edit User Privilege Escalation | Abuse Elevation Control Mechanism | None |
| Splunk Endpoint Denial of Service DoS Zip Bomb | Endpoint Denial of Service | None |
| Splunk Enterprise KV Store Incorrect Authorization | Abuse Elevation Control Mechanism | None |
| Splunk Enterprise Windows Deserialization File Partition | Exploit Public-Facing Application | None |
| Splunk HTTP Response Splitting Via Rest SPL Command | HTML Smuggling | None |
| Splunk Improperly Formatted Parameter Crashes splunkd | Endpoint Denial of Service | Splunk_Audit |
| Splunk Information Disclosure in Splunk Add-on Builder | System Information Discovery | None |
| Splunk Information Disclosure on Account Login | Account Discovery | None |
| Splunk Low Privilege User Can View Hashed Splunk Password | Exploitation for Credential Access | None |
| Splunk Path Traversal In Splunk App For Lookup File Edit | File and Directory Discovery | None |
| Splunk Persistent XSS Via URL Validation Bypass W Dashboard | Drive-by Compromise | None |
| Splunk Process Injection Forwarder Bundle Downloads | Process Injection | None |
| Splunk Protocol Impersonation Weak Encryption Configuration | Protocol Impersonation | Web |
| Splunk RBAC Bypass On Indexing Preview REST Endpoint | Access Token Manipulation | None |
| Splunk RCE PDFgen Render | Exploitation of Remote Services | None |
| Splunk RCE via External Lookup Copybuckets | Exploitation of Remote Services | None |
| Splunk RCE via Serialized Session Payload | Exploit Public-Facing Application | None |
| Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature | Exploitation of Remote Services | None |
| Splunk RCE via User XSLT | Exploitation of Remote Services | None |
| Splunk Reflected XSS in the templates lists radio | Drive-by Compromise | None |
| Splunk Reflected XSS on App Search Table Endpoint | Drive-by Compromise | None |
| Splunk Stored XSS conf-web Settings on Premises | Drive-by Compromise | None |
| Splunk Stored XSS via Data Model objectName Field | Drive-by Compromise | None |
| Splunk Stored XSS via Specially Crafted Bulletin Message | Drive-by Compromise | None |
| Splunk Unauthenticated DoS via Null Pointer References | Endpoint Denial of Service | None |
| Splunk Unauthenticated Log Injection Web Service Log | Exploit Public-Facing Application | None |
| Splunk Unauthenticated Path Traversal Modules Messaging | File and Directory Discovery | None |
| Splunk Unauthorized Experimental Items Creation | Drive-by Compromise | None |
| Splunk Unauthorized Notification Input by User | Abuse Elevation Control Mechanism | None |
| Splunk User Enumeration Attempt | Valid Accounts | None |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Drive-by Compromise | None |
| Splunk XSS Via External Urls in Dashboards SSRF | Drive-by Compromise | None |
| Splunk XSS in Highlighted JSON Events | Drive-by Compromise | None |
| Splunk XSS in Monitoring Console | Drive-by Compromise | None |
| Splunk XSS in Save table dialog header in search page | Drive-by Compromise | None |
| Splunk XSS via View | Drive-by Compromise | None |
| Splunk list all nonstandard admin accounts | Drive-by Compromise | None |
| Splunk protocol impersonation weak encryption selfsigned | Digital Certificates | None |
| Splunk protocol impersonation weak encryption simplerequest | Digital Certificates | None |
| Splunk risky Command Abuse disclosed february 2023 | Abuse Elevation Control Mechanism, Indirect Command Execution | Splunk_Audit |
| Splunk unnecessary file extensions allowed by lookup table uploads | Drive-by Compromise | None |
| Suspicious Email Attachment Extensions | Spearphishing Attachment, Phishing | Email |
| Suspicious Java Classes | None | None |
| Web Servers Executing Suspicious Processes | System Information Discovery | Endpoint |
| Windows AD DCShadow Privileges ACL Addition | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | None |
| Windows AD Dangerous Deny ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD Dangerous Group ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD Dangerous User ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD Domain Root ACL Deletion | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD Domain Root ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD GPO Deleted | Disable or Modify Tools, Group Policy Modification | None |
| Windows AD GPO Disabled | Disable or Modify Tools, Group Policy Modification | None |
| Windows AD GPO New CSE Addition | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD Hidden OU Creation | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD Object Owner Updated | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD Privileged Group Modification | Account Manipulation | None |
| Windows AD Self DACL Assignment | Domain or Tenant Policy Modification, Account Manipulation | None |
| Windows AD Suspicious Attribute Modification | Use Alternate Authentication Material, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | Change |
| Windows AD Suspicious GPO Modification | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | None |
| Windows AD add Self to Group | Account Manipulation | None |
| Windows Increase in Group or Object Modification Activity | Account Manipulation, Impair Defenses | None |
| Windows Increase in User Modification Activity | Account Manipulation, Impair Defenses | None |

Endpoint

| Name | Technique |
|---|---|
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process |
| Windows Post Exploitation Risk Behavior | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info... |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery |

Cloud

Deprecated

Web