Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Initial Access
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Web Remote ShellServlet Access
Exploit Public-Facing Application
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Splunk User Enumeration Attempt
Valid Accounts
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Exploit Public-Facing Application
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Azure AD Service Principal Authentication
Cloud Accounts
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
Splunk Enterprise Windows Deserialization File Partition
Exploit Public-Facing Application
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
WinRM Spawning a Process
Exploit Public-Facing Application
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Splunk XSS in Highlighted JSON Events
Drive-by Compromise
Windows CAB File on Disk
Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Zscaler Exploit Threat Blocked
Phishing
Citrix ADC and Gateway Unauthorized Data Disclosure
Exploit Public-Facing Application
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Confluence CVE-2023-22515 Trigger Vulnerability
Exploit Public-Facing Application
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
Cisco IOS XE Implant Access
Exploit Public-Facing Application
Splunk RCE via Serialized Session Payload
Exploit Public-Facing Application
WS FTP Remote Code Execution
Exploit Public-Facing Application
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Windows Replication Through Removable Media
Replication Through Removable Media
Splunk Reflected XSS on App Search Table Endpoint
Drive-by Compromise
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
Splunk Unauthenticated Log Injection Web Service Log
Exploit Public-Facing Application
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
Drive-by Compromise
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Linux Hardware Addition SwapOff
Hardware Additions
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Windows Vulnerable 3CX Software
Compromise Software Supply Chain
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
ASL AWS CreateAccessKey
Valid Accounts
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Potential password in username
Local Accounts, Credentials In Files
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Splunk XSS in Monitoring Console
Drive-by Compromise
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
SQL Injection with Long URLs
Exploit Public-Facing Application
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Disable Net User Account
Service Stop, Valid Accounts
Gdrive suspicious file sharing
Phishing
Gsuite suspicious calendar invite
Phishing
Github Commit In Develop
Trusted Relationship
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
Supernova Webshell
Web Shell, External Remote Services
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect Zerologon via Zeek
Exploit Public-Facing Application
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Suspicious Email - UBA Anomaly
Phishing
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Identify New User Accounts
Domain Accounts