N/A Detections

Name	Data Source	Technique	Type	Analytic Story	Date
CrushFTP Server Side Template Injection	CrushFTP	Exploit Public-Facing Application	TTP	CrushFTP Vulnerabilities	2024-09-30
Detect New Login Attempts to Routers		N/A	TTP	Router and Infrastructure Security	2024-10-17
Detect Risky SPL using Pretrained ML Model		Command and Scripting Interpreter	Anomaly	Splunk Vulnerabilities	2024-10-17
Email Attachments With Lots Of Spaces		N/A	Anomaly	Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails	2024-10-17
Email servers sending high volume traffic to hosts		Email Collection Remote Email Collection	Anomaly	Collection and Staging, HAFNIUM Group	2024-10-17
Ivanti VTM New Account Creation	Ivanti VTM Audit	Exploit Public-Facing Application	TTP	Ivanti Virtual Traffic Manager CVE-2024-7593	2024-09-30
Monitor Email For Brand Abuse		N/A	TTP	Brand Monitoring, Suspicious Emails	2024-10-17
Okta Authentication Failed During MFA Challenge	Okta	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	Okta Account Takeover	2024-09-30
Okta IDP Lifecycle Modifications	Okta	Cloud Account	Anomaly	Suspicious Okta Activity	2024-09-30
Okta MFA Exhaustion Hunt	Okta	Brute Force	Hunting	Okta Account Takeover, Okta MFA Exhaustion	2024-10-17
Okta Mismatch Between Source and Response for Verify Push Request	Okta	Multi-Factor Authentication Request Generation	TTP	Okta Account Takeover, Okta MFA Exhaustion	2024-10-17
Okta Multi-Factor Authentication Disabled	Okta	Modify Authentication Process Multi-Factor Authentication	TTP	Okta Account Takeover	2024-09-30
Okta Multiple Accounts Locked Out	Okta	Brute Force	Anomaly	Okta Account Takeover	2024-09-30
Okta Multiple Failed MFA Requests For User	Okta	Multi-Factor Authentication Request Generation	Anomaly	Okta Account Takeover	2024-09-30
Okta Multiple Failed Requests to Access Applications	Okta	Web Session Cookie Cloud Service Dashboard	Hunting	Okta Account Takeover	2024-10-17
Okta Multiple Users Failing To Authenticate From Ip	Okta	Password Spraying	Anomaly	Okta Account Takeover	2024-09-30
Okta New API Token Created	Okta	Valid Accounts Default Accounts	TTP	Okta Account Takeover	2024-09-30
Okta New Device Enrolled on Account	Okta	Account Manipulation Device Registration	TTP	Okta Account Takeover	2024-09-30
Okta Phishing Detection with FastPass Origin Check	Okta	Valid Accounts Default Accounts Modify Authentication Process	TTP	Okta Account Takeover	2024-10-17
Okta Risk Threshold Exceeded	Okta	Valid Accounts Brute Force	Correlation	Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity	2024-09-30
Okta Successful Single Factor Authentication	Okta	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation	Anomaly	Okta Account Takeover	2024-09-30
Okta Suspicious Activity Reported	Okta	Valid Accounts Default Accounts	TTP	Okta Account Takeover	2024-09-30
Okta Suspicious Use of a Session Cookie	Okta	Steal Web Session Cookie	Anomaly	Okta Account Takeover, Suspicious Okta Activity	2024-09-30
Okta ThreatInsight Threat Detected	Okta	Valid Accounts Cloud Accounts	Anomaly	Okta Account Takeover	2024-09-30
Okta Unauthorized Access to Application	Okta	Cloud Account	Anomaly	Okta Account Takeover	2024-09-30
Okta User Logins from Multiple Cities	Okta	Cloud Accounts	Anomaly	Okta Account Takeover	2024-09-30
PingID Mismatch Auth Source and Verification Response	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2024-09-30
PingID Multiple Failed MFA Requests For User	PingID	Multi-Factor Authentication Request Generation Valid Accounts Brute Force	TTP	Compromised User Account	2024-09-30
PingID New MFA Method After Credential Reset	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2024-09-30
PingID New MFA Method Registered For User	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2024-09-30
Suspicious Email Attachment Extensions		Spearphishing Attachment Phishing	Anomaly	Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails	2024-10-17
Suspicious Java Classes		N/A	Anomaly	Apache Struts Vulnerability	2024-10-17
Circle CI Disable Security Job	CircleCI	Compromise Host Software Binary	Anomaly	Dev Sec Ops	2024-09-30
Circle CI Disable Security Step	CircleCI	Compromise Host Software Binary	Anomaly	Dev Sec Ops	2024-10-17
Detect S3 access from a new IP		Data from Cloud Storage	Anomaly	Suspicious AWS S3 Activities	2024-10-17
Gdrive suspicious file sharing		Phishing	Hunting	Data Exfiltration, Spearphishing Attachments	2024-10-17
GitHub Actions Disable Security Workflow	GitHub	Compromise Software Supply Chain Supply Chain Compromise	Anomaly	Dev Sec Ops	2024-09-30
Github Commit Changes In Master	GitHub	Trusted Relationship	Anomaly	Dev Sec Ops	2024-09-30
Github Commit In Develop	GitHub	Trusted Relationship	Anomaly	Dev Sec Ops	2024-09-30
GitHub Dependabot Alert	GitHub	Compromise Software Dependencies and Development Tools Supply Chain Compromise	Anomaly	Dev Sec Ops	2024-09-30
GitHub Pull Request from Unknown User	GitHub	Compromise Software Dependencies and Development Tools Supply Chain Compromise	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Drive Share In External Email	G Suite Drive	Exfiltration to Cloud Storage Exfiltration Over Web Service	Anomaly	Dev Sec Ops, Insider Threat	2024-10-17
GSuite Email Suspicious Attachment	G Suite Gmail	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Email Suspicious Subject With Attachment	G Suite Gmail	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Email With Known Abuse Web Service Link	G Suite Gmail	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Outbound Email With Attachment To External Domain	G Suite Gmail	Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	Hunting	Dev Sec Ops, Insider Threat	2024-10-17
Gsuite suspicious calendar invite		Phishing	Hunting	Spearphishing Attachments	2024-10-17
Gsuite Suspicious Shared File Name	G Suite Drive	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
High Number of Login Failures from a single source	O365 UserLoginFailed	Password Guessing Brute Force	Anomaly	Office 365 Account Takeover	2024-09-30
O365 Add App Role Assignment Grant User	O365 Add app role assignment grant to user.	Cloud Account Create Account	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2024-09-30
O365 Added Service Principal	O365	Cloud Account Create Account	TTP	Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Admin Consent Bypassed by Service Principal	O365 Add app role assignment to service principal.	Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Advanced Audit Disabled	O365 Change user license.	Impair Defenses Disable or Modify Cloud Logs	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Application Available To Other Tenants		Additional Cloud Roles Account Manipulation	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration	2024-09-30
O365 Application Registration Owner Added	O365 Add owner to application.	Account Manipulation	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 ApplicationImpersonation Role Assigned	O365	Account Manipulation Additional Email Delegate Permissions	TTP	NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms	2024-09-30
O365 Block User Consent For Risky Apps Disabled	O365 Update authorization policy.	Impair Defenses	TTP	Office 365 Account Takeover	2024-09-30
O365 Bypass MFA via Trusted IP	O365 Set Company Information.	Disable or Modify Cloud Firewall Impair Defenses	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Compliance Content Search Exported		Email Collection Remote Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 Compliance Content Search Started		Email Collection Remote Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 Concurrent Sessions From Different Ips	O365 UserLoggedIn	Browser Session Hijacking	TTP	Office 365 Account Takeover	2024-09-30
O365 Cross-Tenant Access Change		Trust Modification	TTP	Azure Active Directory Persistence	2024-09-30
O365 Disable MFA	O365 Disable Strong Authentication.	Modify Authentication Process	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 DLP Rule Triggered		Exfiltration Over Alternative Protocol Exfiltration Over Web Service	Anomaly	Data Exfiltration	2024-09-30
O365 Elevated Mailbox Permission Assigned		Account Manipulation Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2024-09-30
O365 Email Access By Security Administrator		Exfiltration Over Web Service Email Collection Remote Email Collection	TTP	Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover	2024-09-30
O365 Email Reported By Admin Found Malicious		Phishing Spearphishing Attachment Spearphishing Link	TTP	Spearphishing Attachments, Suspicious Emails	2024-09-30
O365 Email Reported By User Found Malicious		Phishing Spearphishing Attachment Spearphishing Link	TTP	Spearphishing Attachments, Suspicious Emails	2024-09-30
O365 Email Security Feature Changed		Impair Defenses Disable or Modify Cloud Logs Disable or Modify Tools	TTP	Office 365 Account Takeover, Office 365 Persistence Mechanisms	2024-09-30
O365 Email Suspicious Behavior Alert		Email Collection Email Forwarding Rule	TTP	Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails	2024-09-30
O365 Excessive Authentication Failures Alert		Brute Force	Anomaly	Office 365 Account Takeover	2024-09-30
O365 Excessive SSO logon errors	O365 UserLoginFailed	Modify Authentication Process	Anomaly	Cloud Federated Credential Abuse, Office 365 Account Takeover	2024-09-30
O365 External Guest User Invited		Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
O365 External Identity Policy Changed		Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
O365 File Permissioned Application Consent Granted by User	O365 Consent to application.	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 FullAccessAsApp Permission Assigned	O365 Update application.	Additional Email Delegate Permissions Additional Cloud Roles	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 High Number Of Failed Authentications for User	O365 UserLoginFailed	Brute Force Password Guessing	TTP	Office 365 Account Takeover	2024-09-30
O365 High Privilege Role Granted	O365 Add member to role.	Account Manipulation Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Mail Permissioned Application Consent Granted by User	O365 Consent to application.	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 Mailbox Email Forwarding Enabled		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 Mailbox Folder Read Permission Assigned		Account Manipulation Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2024-09-30
O365 Mailbox Folder Read Permission Granted		Account Manipulation Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2024-09-30
O365 Mailbox Inbox Folder Shared with All Users	O365 ModifyFolderPermissions	Email Collection Remote Email Collection	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Mailbox Read Access Granted to Application	O365 Update application.	Remote Email Collection Email Collection Account Manipulation Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Multi-Source Failed Authentications Spike	O365 UserLoginFailed	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Hunting	NOBELIUM Group, Office 365 Account Takeover	2024-10-17
O365 Multiple AppIDs and UserAgents Authentication Spike	O365 UserLoggedIn, O365 UserLoginFailed	Valid Accounts	Anomaly	Office 365 Account Takeover	2024-09-30
O365 Multiple Failed MFA Requests For User	O365 UserLoginFailed	Multi-Factor Authentication Request Generation	TTP	Office 365 Account Takeover	2024-09-30
O365 Multiple Mailboxes Accessed via API	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 Multiple Service Principals Created by SP	O365 Add service principal.	Cloud Account	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Multiple Service Principals Created by User	O365 Add service principal.	Cloud Account	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Multiple Users Failing To Authenticate From Ip	O365 UserLoginFailed	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	TTP	NOBELIUM Group, Office 365 Account Takeover	2024-09-30
O365 New Email Forwarding Rule Created		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 New Email Forwarding Rule Enabled		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 New Federated Domain Added	O365	Cloud Account Create Account	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2024-09-30
O365 New Forwarding Mailflow Rule Created		Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 New MFA Method Registered	O365 Update user.	Account Manipulation Device Registration	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 OAuth App Mailbox Access via EWS	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 OAuth App Mailbox Access via Graph API	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 Privileged Graph API Permission Assigned	O365 Update application.	Security Account Manager	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Privileged Role Assigned		Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Persistence	2024-09-30
O365 Privileged Role Assigned To Service Principal		Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation	2024-09-30
O365 PST export alert	O365	Email Collection	TTP	Data Exfiltration, Office 365 Collection Techniques	2024-09-30
O365 Safe Links Detection		Phishing Spearphishing Attachment	TTP	Office 365 Account Takeover, Spearphishing Attachments	2024-09-30
O365 Security And Compliance Alert Triggered		Valid Accounts Cloud Accounts	TTP	Office 365 Account Takeover	2024-09-30
O365 Service Principal New Client Credentials	O365	Account Manipulation Additional Cloud Credentials	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 SharePoint Allowed Domains Policy Changed		Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
O365 SharePoint Malware Detection		Malicious File User Execution	TTP	Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud	2024-09-30
O365 Tenant Wide Admin Consent Granted	O365 Consent to application.	Account Manipulation Additional Cloud Roles	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Threat Intelligence Suspicious Email Delivered		Phishing Spearphishing Attachment Spearphishing Link	Anomaly	Spearphishing Attachments, Suspicious Emails	2024-09-30
O365 Threat Intelligence Suspicious File Detected		Malicious File User Execution	TTP	Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud	2024-09-30
O365 User Consent Blocked for Risky Application	O365 Consent to application.	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 User Consent Denied for OAuth Application	O365	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 ZAP Activity Detection		Phishing Spearphishing Attachment Spearphishing Link	Anomaly	Spearphishing Attachments, Suspicious Emails	2024-09-30
Risk Rule for Dev Sec Ops by Repository		Malicious Image User Execution	Correlation	Dev Sec Ops	2024-10-22
Clients Connecting to Multiple DNS Servers		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic	2024-10-17
Correlation by Repository and Risk		Malicious Image User Execution	Correlation	Dev Sec Ops	2024-10-17
Correlation by User and Risk		Malicious Image User Execution	Correlation	Dev Sec Ops	2024-10-17
Detect API activity from users without MFA		N/A	Hunting	AWS User Monitoring	2024-10-17
Detect DNS requests to Phishing Sites leveraging EvilGinx2		Spearphishing via Service	TTP	Common Phishing Frameworks	2024-10-17
Detect Long DNS TXT Record Response		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, Suspicious DNS Traffic	2024-10-17
Detect new API calls from user roles		Cloud Accounts	Anomaly	AWS User Monitoring	2024-10-17
Detect Spike in Security Group Activity		Cloud Accounts	Anomaly	AWS User Monitoring	2024-10-17
Detect USB device insertion		N/A	TTP	Data Protection	2024-10-17
Detect web traffic to dynamic domain providers		Web Protocols	TTP	Dynamic DNS	2024-10-17
Detection of DNS Tunnels		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, Data Protection, Suspicious DNS Traffic	2024-10-17
DNS Query Requests Resolved by Unauthorized DNS Servers		DNS	TTP	Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic	2024-10-17
DNS record changed		DNS	TTP	DNS Hijacking	2024-10-17
EC2 Instance Modified With Previously Unseen User		Cloud Accounts	Anomaly	Unusual AWS EC2 Modifications	2024-10-17
EC2 Instance Started In Previously Unseen Region		Unused/Unsupported Cloud Regions	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
EC2 Instance Started With Previously Unseen AMI		N/A	Anomaly	AWS Cryptomining	2024-10-17
EC2 Instance Started With Previously Unseen Instance Type		N/A	Anomaly	AWS Cryptomining	2024-10-17
EC2 Instance Started With Previously Unseen User		Cloud Accounts	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
Extended Period Without Successful Netbackup Backups		N/A	Hunting	Monitor Backup Solution	2024-10-17
Identify New User Accounts		Domain Accounts	Hunting	N/A	2024-10-17
Monitor DNS For Brand Abuse		N/A	TTP	Brand Monitoring	2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP		Password Spraying Valid Accounts Default Accounts	TTP	Suspicious Okta Activity	2024-10-17
O365 Suspicious Admin Email Forwarding		Email Forwarding Rule Email Collection	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2024-10-17
O365 Suspicious Rights Delegation		Remote Email Collection Email Collection Additional Email Delegate Permissions Account Manipulation	TTP	Office 365 Collection Techniques	2024-10-17
O365 Suspicious User Email Forwarding		Email Forwarding Rule Email Collection	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2024-10-17
Okta Account Locked Out		Brute Force	Anomaly	Okta MFA Exhaustion, Suspicious Okta Activity	2024-10-17
Okta Account Lockout Events		Valid Accounts Default Accounts	Anomaly	Suspicious Okta Activity	2024-10-17
Okta Failed SSO Attempts		Valid Accounts Default Accounts	Anomaly	Suspicious Okta Activity	2024-10-17
Okta ThreatInsight Login Failure with High Unknown users		Valid Accounts Default Accounts Credential Stuffing	TTP	Suspicious Okta Activity	2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack		Valid Accounts Default Accounts Password Spraying	TTP	Suspicious Okta Activity	2024-10-17
Okta Two or More Rejected Okta Pushes		Brute Force	TTP	Okta MFA Exhaustion, Suspicious Okta Activity	2024-10-17
Osquery pack - ColdRoot detection		N/A	TTP	ColdRoot MacOS RAT	2024-10-17
Spectre and Meltdown Vulnerable Systems		N/A	TTP	Spectre And Meltdown Vulnerabilities	2024-10-17
Suspicious Email - UBA Anomaly		Phishing	Anomaly	Suspicious Emails	2024-10-17
Unsuccessful Netbackup backups		N/A	Hunting	Monitor Backup Solution	2024-10-17
Web Fraud - Account Harvesting		Create Account	TTP	Web Fraud Detection	2024-10-17
Web Fraud - Anomalous User Clickspeed		Valid Accounts	Anomaly	Web Fraud Detection	2024-10-17
Web Fraud - Password Sharing Across Accounts		N/A	Anomaly	Web Fraud Detection	2024-10-17
Active Directory Lateral Movement Identified		Exploitation of Remote Services	Correlation	Active Directory Lateral Movement	2024-09-30
Active Directory Privilege Escalation Identified		Domain or Tenant Policy Modification	Correlation	Active Directory Privilege Escalation	2024-09-30
Crowdstrike Admin Weak Password Policy		Brute Force	TTP	Compromised Windows Host	2024-09-30
Crowdstrike Admin With Duplicate Password		Brute Force	TTP	Compromised Windows Host	2024-09-30
Crowdstrike High Identity Risk Severity		Brute Force	TTP	Compromised Windows Host	2024-09-30
Crowdstrike Medium Identity Risk Severity		Brute Force	TTP	Compromised Windows Host	2024-09-30
Crowdstrike Medium Severity Alert		Brute Force	Anomaly	Compromised Windows Host	2024-09-30
Crowdstrike Multiple LOW Severity Alerts		Brute Force	Anomaly	Compromised Windows Host	2024-09-30
Crowdstrike Privilege Escalation For Non-Admin User		Brute Force	Anomaly	Compromised Windows Host	2024-09-30
Crowdstrike User Weak Password Policy		Brute Force	Anomaly	Compromised Windows Host	2024-09-30
Crowdstrike User with Duplicate Password		Brute Force	Anomaly	Compromised Windows Host	2024-09-30
Detect Baron Samedit CVE-2021-3156		Exploitation for Privilege Escalation	TTP	Baron Samedit CVE-2021-3156	2024-10-17
Detect Baron Samedit CVE-2021-3156 Segfault		Exploitation for Privilege Escalation	TTP	Baron Samedit CVE-2021-3156	2024-10-17
Detect Baron Samedit CVE-2021-3156 via OSQuery		Exploitation for Privilege Escalation	TTP	Baron Samedit CVE-2021-3156	2024-10-17
Detect Excessive Account Lockouts From Endpoint		Valid Accounts Domain Accounts	Anomaly	Active Directory Password Spraying	2024-09-30
Detect Excessive User Account Lockouts		Valid Accounts Local Accounts	Anomaly	Active Directory Password Spraying	2024-09-30
Detect Password Spray Attack Behavior From Source		Password Spraying Brute Force	TTP	Compromised User Account	2024-09-30
Detect Password Spray Attack Behavior On User		Password Spraying Brute Force	TTP	Compromised User Account	2024-09-30
Living Off The Land Detection		Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services	Correlation	Living Off The Land	2024-09-30
Log4Shell CVE-2021-44228 Exploitation		Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services	Correlation	CISA AA22-320A, Log4Shell CVE-2021-44228	2024-09-30
MOVEit Certificate Store Access Failure		Exploit Public-Facing Application	Hunting	MOVEit Transfer Authentication Bypass	2024-10-17
MOVEit Empty Key Fingerprint Authentication Attempt		Exploit Public-Facing Application	Hunting	MOVEit Transfer Authentication Bypass	2024-10-17
PaperCut NG Suspicious Behavior Debug Log		Exploit Public-Facing Application External Remote Services	Hunting	PaperCut MF NG Vulnerability	2024-10-17
Processes Tapping Keyboard Events		N/A	TTP	ColdRoot MacOS RAT	2024-10-17
Steal or Forge Authentication Certificates Behavior Identified		Steal or Forge Authentication Certificates	Correlation	Windows Certificate Services	2024-09-30
Suspicious PlistBuddy Usage via OSquery		Launch Agent Create or Modify System Process	TTP	Silver Sparrow	2024-10-17
WMI Permanent Event Subscription		Windows Management Instrumentation	TTP	Suspicious WMI Use	2024-10-17
WMI Temporary Event Subscription		Windows Management Instrumentation	TTP	Suspicious WMI Use	2024-10-17
Detect ARP Poisoning		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-10-17
Detect DGA domains using pretrained model in DSDL		Domain Generation Algorithms	Anomaly	Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic	2024-10-17
Detect DNS Data Exfiltration using pretrained model in DSDL		Exfiltration Over Unencrypted Non-C2 Protocol	Anomaly	Command And Control, DNS Hijacking, Suspicious DNS Traffic	2024-10-17
Detect Outbound LDAP Traffic	Bro	Exploit Public-Facing Application Command and Scripting Interpreter	Hunting	Log4Shell CVE-2021-44228	2024-10-17
Detect Outbound SMB Traffic		File Transfer Protocols Application Layer Protocol	TTP	DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group	2024-10-16
Detect Port Security Violation		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-10-17
Detect Rogue DHCP Server		Hardware Additions Network Denial of Service Adversary-in-the-Middle	TTP	Router and Infrastructure Security	2024-10-17
Detect SNICat SNI Exfiltration		Exfiltration Over C2 Channel	TTP	Data Exfiltration	2024-10-17
Detect suspicious DNS TXT records using pretrained model in DSDL		Domain Generation Algorithms	Anomaly	Command And Control, DNS Hijacking, Suspicious DNS Traffic	2024-10-17
Detect Traffic Mirroring		Hardware Additions Automated Exfiltration Network Denial of Service Traffic Duplication	TTP	Router and Infrastructure Security	2024-10-17
Detect Unauthorized Assets by MAC address		N/A	TTP	Asset Tracking	2024-10-17
Detect Zerologon via Zeek		Exploit Public-Facing Application	TTP	Detect Zerologon Attack, Rhysida Ransomware	2024-10-17
DNS Query Length Outliers - MLTK		DNS Application Layer Protocol	Anomaly	Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic	2024-10-17
Excessive DNS Failures		DNS Application Layer Protocol	Anomaly	Command And Control, Suspicious DNS Traffic	2024-10-17
Internal Vulnerability Scan		Vulnerability Scanning Network Service Discovery	TTP	Network Discovery	2024-10-17
Large Volume of DNS ANY Queries		Network Denial of Service Reflection Amplification	Anomaly	DNS Amplification Attacks	2024-10-17
Protocol or Port Mismatch		Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	Anomaly	Command And Control, Prohibited Traffic Allowed or Protocol Mismatch	2024-10-17
Protocols passing authentication in cleartext		N/A	TTP	Use of Cleartext Protocols	2024-10-17
SMB Traffic Spike		SMB/Windows Admin Shares Remote Services	Anomaly	DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware	2024-10-17
SMB Traffic Spike - MLTK		SMB/Windows Admin Shares Remote Services	Anomaly	DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware	2024-10-17
SSL Certificates with Punycode		Encrypted Channel	Hunting	OpenSSL CVE-2022-3602	2024-10-17
Zeek x509 Certificate with Punycode		Encrypted Channel	Hunting	OpenSSL CVE-2022-3602	2024-10-17
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint	Suricata	Exploit Public-Facing Application	TTP	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2024-09-30
Adobe ColdFusion Access Control Bypass	Suricata	Exploit Public-Facing Application	TTP	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2024-09-30
Adobe ColdFusion Unauthenticated Arbitrary File Read	Suricata	Exploit Public-Facing Application	TTP	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2024-09-30
Cisco IOS XE Implant Access	Suricata	Exploit Public-Facing Application	TTP	Cisco IOS XE Software Web Management User Interface vulnerability	2024-09-30
Citrix ADC and Gateway Unauthorized Data Disclosure	Suricata	Exploit Public-Facing Application	TTP	Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966	2024-09-30
Citrix ShareFile Exploitation CVE-2023-24489	Suricata	Exploit Public-Facing Application	Hunting	Citrix ShareFile RCE CVE-2023-24489	2024-10-17
Confluence CVE-2023-22515 Trigger Vulnerability	Suricata	Exploit Public-Facing Application	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2024-09-30
Confluence Data Center and Server Privilege Escalation	Nginx Access	Exploit Public-Facing Application	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities	2024-09-30
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527	Suricata	Exploit Public-Facing Application	TTP	Confluence Data Center and Confluence Server Vulnerabilities	2024-09-30
ConnectWise ScreenConnect Authentication Bypass	Suricata	Exploit Public-Facing Application	TTP	ConnectWise ScreenConnect Vulnerabilities	2024-09-30
Detect attackers scanning for vulnerable JBoss servers		System Information Discovery External Remote Services	TTP	JBoss Vulnerability, SamSam Ransomware	2024-10-17
Detect F5 TMUI RCE CVE-2020-5902		Exploit Public-Facing Application	TTP	F5 TMUI RCE CVE-2020-5902	2024-10-17
Detect malicious requests to exploit JBoss servers		N/A	TTP	JBoss Vulnerability, SamSam Ransomware	2024-10-17
Exploit Public Facing Application via Apache Commons Text	Nginx Access	Web Shell Server Software Component Exploit Public-Facing Application External Remote Services	Anomaly	Text4Shell CVE-2022-42889	2024-09-30
F5 TMUI Authentication Bypass	Suricata	N/A	TTP	F5 Authentication Bypass with TMUI	2024-09-30
High Volume of Bytes Out to Url	Nginx Access	Exfiltration Over Web Service	Anomaly	Data Exfiltration	2024-09-30
Hunting for Log4Shell	Nginx Access	Exploit Public-Facing Application External Remote Services	Hunting	CISA AA22-320A, Log4Shell CVE-2021-44228	2024-10-17
Ivanti Connect Secure Command Injection Attempts	Suricata	Exploit Public-Facing Application	TTP	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2024-09-30
Ivanti Connect Secure SSRF in SAML Component	Suricata	Exploit Public-Facing Application	TTP	Ivanti Connect Secure VPN Vulnerabilities	2024-09-30
Ivanti Connect Secure System Information Access via Auth Bypass	Suricata	Exploit Public-Facing Application	Anomaly	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2024-09-30
Ivanti EPM SQL Injection Remote Code Execution	Suricata	Exploit Public-Facing Application	TTP	Ivanti EPM Vulnerabilities	2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078	Suricata	Exploit Public-Facing Application External Remote Services	TTP	Ivanti EPMM Remote Unauthenticated Access	2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082	Suricata	Exploit Public-Facing Application External Remote Services	TTP	Ivanti EPMM Remote Unauthenticated Access	2024-09-30
Ivanti Sentry Authentication Bypass	Suricata	Exploit Public-Facing Application	TTP	Ivanti Sentry Authentication Bypass CVE-2023-38035	2024-09-30
Jenkins Arbitrary File Read CVE-2024-23897	Nginx Access	Exploit Public-Facing Application	TTP	Jenkins Server Vulnerabilities	2024-09-30
JetBrains TeamCity Authentication Bypass CVE-2024-27198	Suricata	Exploit Public-Facing Application	TTP	JetBrains TeamCity Vulnerabilities	2024-09-30
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198	Suricata	Exploit Public-Facing Application	TTP	JetBrains TeamCity Vulnerabilities	2024-09-30
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199	Suricata	Exploit Public-Facing Application	TTP	JetBrains TeamCity Vulnerabilities	2024-09-30
JetBrains TeamCity RCE Attempt	Suricata	Exploit Public-Facing Application	TTP	CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities	2024-09-30
Log4Shell JNDI Payload Injection Attempt	Nginx Access	Exploit Public-Facing Application External Remote Services	Anomaly	CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228	2024-09-30
Log4Shell JNDI Payload Injection with Outbound Connection		Exploit Public-Facing Application External Remote Services	Anomaly	CISA AA22-320A, Log4Shell CVE-2021-44228	2024-09-30
Microsoft SharePoint Server Elevation of Privilege	Suricata	Exploitation for Privilege Escalation	TTP	Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357	2024-09-30
Monitor Web Traffic For Brand Abuse		N/A	TTP	Brand Monitoring	2024-10-17
Nginx ConnectWise ScreenConnect Authentication Bypass	Nginx Access	Exploit Public-Facing Application	TTP	ConnectWise ScreenConnect Vulnerabilities	2024-09-30
PaperCut NG Remote Web Access Attempt	Suricata	Exploit Public-Facing Application External Remote Services	TTP	PaperCut MF NG Vulnerability	2024-09-30
ProxyShell ProxyNotShell Behavior Detected		Exploit Public-Facing Application External Remote Services	Correlation	BlackByte Ransomware, ProxyNotShell, ProxyShell	2024-09-30
Spring4Shell Payload URL Request	Nginx Access	Web Shell Server Software Component Exploit Public-Facing Application External Remote Services	TTP	Spring4Shell CVE-2022-22965	2024-09-30
SQL Injection with Long URLs		Exploit Public-Facing Application	TTP	SQL Injection	2024-10-17
Supernova Webshell		Web Shell External Remote Services	TTP	NOBELIUM Group	2024-10-17
Unusually Long Content-Type Length		N/A	Anomaly	Apache Struts Vulnerability	2024-10-17
Web JSP Request via URL	Nginx Access	Web Shell Server Software Component Exploit Public-Facing Application External Remote Services	TTP	Spring4Shell CVE-2022-22965	2024-09-30
Web Remote ShellServlet Access	Nginx Access	Exploit Public-Facing Application	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2024-09-30
WordPress Bricks Builder plugin RCE	Nginx Access	Exploit Public-Facing Application	TTP	WordPress Vulnerabilities	2024-09-30
WS FTP Remote Code Execution	Suricata	Exploit Public-Facing Application	TTP	WS FTP Server Critical Vulnerabilities	2024-09-30
Zscaler Adware Activities Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Behavior Analysis Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler CryptoMiner Downloaded Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Employment Search Web Activity		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Exploit Threat Blocked		Phishing	TTP	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Legal Liability Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Malware Activity Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Phishing Activity Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Potentially Abused File Download		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Privacy Risk Destinations Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Scam Destinations Threat Blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30
Zscaler Virus Download threat blocked		Phishing	Anomaly	Zscaler Browser Proxy Threats	2024-09-30