Application Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| CrushFTP Server Side Template Injection | CrushFTP | Exploit Public-Facing Application | TTP | CrushFTP Vulnerabilities | 2024-09-30 |
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | Password Spraying, Brute Force | Hunting | Active Directory Password Spraying, Compromised User Account | 2024-10-17 |
| Detect New Login Attempts to Routers | N/A | | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Password Spray Attempts | Windows Event Log Security 4625 | Password Spraying, Brute Force | TTP | Active Directory Password Spraying, Compromised User Account | 2024-10-17 |
| Detect Risky SPL using Pretrained ML Model | | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-10-17 |
| Email Attachments With Lots Of Spaces | N/A | | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2024-10-17 |
| Email files written outside of the Outlook directory | Sysmon EventID 11 | Email Collection, Local Email Collection | TTP | Collection and Staging | 2024-10-17 |
| Email servers sending high volume traffic to hosts | | Email Collection, Remote Email Collection | Anomaly | Collection and Staging, HAFNIUM Group | 2024-10-17 |
| Ivanti VTM New Account Creation | Ivanti VTM Audit | Exploit Public-Facing Application | TTP | Ivanti Virtual Traffic Manager CVE-2024-7593 | 2024-09-30 |
| Monitor Email For Brand Abuse | N/A | | TTP | Brand Monitoring, Suspicious Emails | 2024-10-17 |
| No Windows Updates in a time frame | N/A | | Hunting | Monitor for Updates | 2024-10-17 |
| Okta Authentication Failed During MFA Challenge | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2024-09-30 |
| Okta IDP Lifecycle Modifications | Okta | Cloud Account | Anomaly | Suspicious Okta Activity | 2024-09-30 |
| Okta MFA Exhaustion Hunt | Okta | Brute Force | Hunting | Okta Account Takeover, Okta MFA Exhaustion | 2024-10-17 |
| Okta Mismatch Between Source and Response for Verify Push Request | Okta | Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover, Okta MFA Exhaustion | 2024-11-19 |
| Okta Multi-Factor Authentication Disabled | Okta | Modify Authentication Process, Multi-Factor Authentication | TTP | Okta Account Takeover | 2024-09-30 |
| Okta Multiple Accounts Locked Out | Okta | Brute Force | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta Multiple Failed MFA Requests For User | Okta | Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta Multiple Failed Requests to Access Applications | Okta | Web Session Cookie, Cloud Service Dashboard | Hunting | Okta Account Takeover | 2024-10-17 |
| Okta Multiple Users Failing To Authenticate From Ip | Okta | Password Spraying | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta New API Token Created | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta New Device Enrolled on Account | Okta | Account Manipulation, Device Registration | TTP | Okta Account Takeover | 2024-09-30 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Valid Accounts, Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2024-10-17 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2024-09-30 |
| Okta Successful Single Factor Authentication | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta Suspicious Activity Reported | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta Suspicious Use of a Session Cookie | Okta | Steal Web Session Cookie | Anomaly | Okta Account Takeover, Suspicious Okta Activity | 2024-09-30 |
| Okta ThreatInsight Threat Detected | Okta | Valid Accounts, Cloud Accounts | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta Unauthorized Access to Application | Okta | Cloud Account | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta User Logins from Multiple Cities | Okta | Cloud Accounts | Anomaly | Okta Account Takeover | 2024-09-30 |
| Path traversal SPL injection | Splunk | File and Directory Discovery | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Persistent XSS in RapidDiag through User Interface Views | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-10-16 |
| PingID Mismatch Auth Source and Verification Response | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method After Credential Reset | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method Registered For User | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| Splunk Absolute Path Traversal Using runshellscript | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Account Discovery Drilldown Dashboard Disclosure | | Account Discovery | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Splunk App for Lookup File Editing RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Authentication Token Exposure in Debug Log | | Log Enumeration | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Code Injection via custom dashboard leading to RCE | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Command and Scripting Interpreter Delete Usage | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Command and Scripting Interpreter Risky Commands | Splunk | Command and Scripting Interpreter | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-10-16 |
| Splunk CSRF in the SSG kvstore Client Endpoint | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Data exfiltration from Analytics Workspace using sid query | Splunk | Exfiltration Over Web Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Digital Certificates Infrastructure Version | Splunk | Digital Certificates | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Digital Certificates Lack of Encryption | Splunk | Digital Certificates | Anomaly | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Disable KVStore via CSRF Enabling Maintenance Mode | Splunk | Service Stop | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk DoS Using Malformed SAML Request | Splunk | Network Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DOS Via Dump SPL Command | Splunk | Application or System Exploitation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DoS via Malformed S2S Request | Splunk | Network Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk DoS via POST Request Datamodel Endpoint | | Endpoint Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DOS via printf search function | Splunk | Application or System Exploitation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Edit User Privilege Escalation | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Endpoint Denial of Service DoS Zip Bomb | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Enterprise KV Store Incorrect Authorization | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Enterprise Windows Deserialization File Partition | Splunk | Exploit Public-Facing Application | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk ES DoS Investigations Manager via Investigation Creation | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk ES DoS Through Investigation Attachments | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk HTTP Response Splitting Via Rest SPL Command | Splunk | HTML Smuggling | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Image File Disclosure via PDF Export in Classic Dashboard | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Improperly Formatted Parameter Crashes splunkd | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Information Disclosure in Splunk Add-on Builder | Splunk | System Information Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Information Disclosure on Account Login | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk list all nonstandard admin accounts | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App | Splunk | Exploitation for Privilege Escalation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Low Privilege User Can View Hashed Splunk Password | Splunk | Exploitation for Credential Access | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Path Traversal In Splunk App For Lookup File Edit | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Persistent XSS via Props Conf | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Persistent XSS via Scheduled Views | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Persistent XSS Via URL Validation Bypass W Dashboard | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Process Injection Forwarder Bundle Downloads | Splunk | Process Injection | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Protocol Impersonation Weak Encryption Configuration | Splunk | Protocol or Service Impersonation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk protocol impersonation weak encryption selfsigned | Splunk | Digital Certificates | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk protocol impersonation weak encryption simplerequest | Splunk | Digital Certificates | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RBAC Bypass On Indexing Preview REST Endpoint | Splunk | Access Token Manipulation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RCE PDFgen Render | Splunk | Exploitation of Remote Services | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RCE via External Lookup Copybuckets | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RCE via Serialized Session Payload | Splunk | Exploit Public-Facing Application | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Reflected XSS in the templates lists radio | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Reflected XSS on App Search Table Endpoint | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk risky Command Abuse disclosed february 2023 | Splunk | Abuse Elevation Control Mechanism, Indirect Command Execution | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Sensitive Information Disclosure in DEBUG Logging Channels | Splunk | Unsecured Credentials | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk SG Information Disclosure for Low Privs User | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Stored XSS conf-web Settings on Premises | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Stored XSS via Data Model objectName Field | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Stored XSS via Specially Crafted Bulletin Message | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthenticated DoS via Null Pointer References | Splunk | Endpoint Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthenticated Log Injection Web Service Log | Splunk | Exploit Public-Facing Application | Hunting | Splunk Vulnerabilities | 2024-10-22 |
| Splunk Unauthenticated Path Traversal Modules Messaging | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthorized Experimental Items Creation | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthorized Notification Input by User | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk unnecessary file extensions allowed by lookup table uploads | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk XSS in Highlighted JSON Events | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk XSS in Monitoring Console | | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Splunk XSS in Save table dialog header in search page | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk XSS Via External Urls in Dashboards SSRF | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk XSS via View | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Suspicious Email Attachment Extensions | | Spearphishing Attachment, Phishing | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2024-10-17 |
| Suspicious Java Classes | N/A | | Anomaly | Apache Struts Vulnerability | 2024-10-17 |
| Web Servers Executing Suspicious Processes | Sysmon EventID 1 | System Information Discovery | TTP | Apache Struts Vulnerability | 2024-10-17 |
| Windows AD add Self to Group | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Deny ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Group ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous User ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD DCShadow Privileges ACL Addition | | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Deletion | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Deleted | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Disabled | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO New CSE Addition | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Hidden OU Creation | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Object Owner Updated | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Privileged Group Modification | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows AD Self DACL Assignment | | Domain or Tenant Policy Modification, Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious Attribute Modification | | Use Alternate Authentication Material, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious GPO Modification | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |