AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
Initial Access
AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application
Splunk User Enumeration Attempt
Valid Accounts
Splunk XSS in Monitoring Console
Drive-by Compromise
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application
Web JSP Request via URL
Web Shell , Server Software Component , Exploit Public-Facing Application
Spring4Shell Payload URL Request
Web Shell , Server Software Component , Exploit Public-Facing Application
Java Writing JSP File
Exploit Public-Facing Application
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain , Supply Chain Compromise
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain , Supply Chain Compromise
Windows ISO LNK File Creation
Spearphishing Attachment , Phishing , Malicious Link , User Execution
Windows ISO LNK File Creation
Spearphishing Attachment , Phishing , Malicious Link , User Execution
SQL Injection with Long URLs
Exploit Public-Facing Application
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer , Exploit Public-Facing Application , Command and Scripting Interpreter
Suspicious Ticket Granting Ticket Request
Valid Accounts , Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts , Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts , Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts , Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts , Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts , Domain Accounts
Hunting for Log4Shell
Exploit Public-Facing Application
Windows Java Spawning Shells
Exploit Public-Facing Application
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application
Linux Java Spawning Shell
Exploit Public-Facing Application
Java Class File download by Java User Agent
Exploit Public-Facing Application
Detect Outbound LDAP Traffic
Exploit Public-Facing Application , Command and Scripting Interpreter
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component , Web Shell , Exploit Public-Facing Application
Microsoft Exchange Mailbox Replication service writing Active Server Pages
Server Software Component , Web Shell , Exploit Public-Facing Application
Anomalous Usage of Account Credentials
Domain Accounts
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Disable Net User Account
Service Stop, Valid Accounts
Gsuite suspicious calendar invite
Phishing
Gdrive suspicious file sharing
Phishing
Detect Exchange Web Shell
Server Software Component , Web Shell , Exploit Public-Facing Application
Office Document Spawned Child Process To Download
Phishing , Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing , Spearphishing Attachment
Office Product Spawning Wmic
Phishing , Spearphishing Attachment
Office Product Spawning Wmic
Phishing , Spearphishing Attachment
Office Application Drop Executable
Phishing , Spearphishing Attachment
Office Application Drop Executable
Phishing , Spearphishing Attachment
Office Product Writing cab or inf
Phishing , Spearphishing Attachment
Office Product Writing cab or inf
Phishing , Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing , Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing , Spearphishing Attachment
Office Spawning Control
Phishing , Spearphishing Attachment
Office Spawning Control
Phishing , Spearphishing Attachment
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools , Supply Chain Compromise
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools , Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools , Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools , Supply Chain Compromise
Github Commit In Develop
Trusted Relationship
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application
Process Creating LNK file in Suspicious Location
Phishing , Spearphishing Link
Process Creating LNK file in Suspicious Location
Phishing , Spearphishing Link
Gsuite Suspicious Shared File Name
Spearphishing Attachment , Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment , Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment , Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment , Phishing
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment , Phishing
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment , Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment , Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment , Phishing
Office Application Spawn Regsvr32 process
Phishing , Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing , Spearphishing Attachment
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts , Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts , Valid Accounts
WinRM Spawning a Process
Exploit Public-Facing Application
Office Product Spawning MSHTA
Phishing , Spearphishing Attachment
Office Product Spawning MSHTA
Phishing , Spearphishing Attachment
Office Product Spawning CertUtil
Phishing , Spearphishing Attachment
Office Product Spawning CertUtil
Phishing , Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing , Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing , Spearphishing Attachment
Winword Spawning Cmd
Phishing , Spearphishing Attachment
Winword Spawning Cmd
Phishing , Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing , Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing , Spearphishing Attachment
Office Document Executing Macro Code
Phishing , Spearphishing Attachment
Office Document Executing Macro Code
Phishing , Spearphishing Attachment
Office Document Creating Schedule Task
Phishing , Spearphishing Attachment
Office Document Creating Schedule Task
Phishing , Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing , Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing , Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing , Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing , Spearphishing Attachment
Winword Spawning PowerShell
Phishing , Spearphishing Attachment
Winword Spawning PowerShell
Phishing , Spearphishing Attachment
Unified Messaging Service Spawning a Process
Exploit Public-Facing Application
AWS SetDefaultPolicyVersion
Cloud Accounts , Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts , Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
AWS SAML Update identity provider
Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
Detect Excessive Account Lockouts From Endpoint
Valid Accounts , Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts , Domain Accounts
Detect Traffic Mirroring
Hardware Additions , Automated Exfiltration , Network Denial of Service , Traffic Duplication
Detect Port Security Violation
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle , ARP Cache Poisoning
Detect IPv6 Network Infrastructure Threats
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle , ARP Cache Poisoning
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect Zerologon via Zeek
Exploit Public-Facing Application
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts , Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts , Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect Rogue DHCP Server
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle
Detect ARP Poisoning
Hardware Additions , Network Denial of Service , Adversary-in-the-Middle , ARP Cache Poisoning
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Instance Modified By Previously Unseen User
Cloud Accounts , Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts , Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
aws detect attach to role policy
Valid Accounts
Suspicious Email Attachment Extensions
Spearphishing Attachment , Phishing
Suspicious Email Attachment Extensions
Spearphishing Attachment , Phishing
Suspicious Email - UBA Anomaly
Phishing
SQL Injection with Long URLs
Exploit Public-Facing Application
Okta User Logins From Multiple Cities
Valid Accounts , Default Accounts
Okta User Logins From Multiple Cities
Valid Accounts , Default Accounts
Okta Failed SSO Attempts
Valid Accounts , Default Accounts
Okta Failed SSO Attempts
Valid Accounts , Default Accounts
Okta Account Lockout Events
Valid Accounts , Default Accounts
Okta Account Lockout Events
Valid Accounts , Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts , Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts , Default Accounts
EC2 Instance Started With Previously Unseen User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Detect Outlook exe writing a zip file
Phishing , Spearphishing Attachment
Detect Outlook exe writing a zip file
Phishing , Spearphishing Attachment
Detect new user AWS Console Login
Cloud Accounts
Detect Excessive User Account Lockouts
Valid Accounts , Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts , Local Accounts
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
Identify New User Accounts
Domain Accounts