GitHub Repo

Other Detections

Name Data Source Technique Type Analytic Story Date
Steal or Forge Authentication Certificates Behavior Identified T1649 Correlation Windows Certificate Services 2026-05-13
PaperCut NG Suspicious Behavior Debug Log T1133 T1190 Hunting PaperCut MF NG Vulnerability 2026-05-13
Crowdstrike Medium Severity Alert T1110 Anomaly Compromised Windows Host 2026-05-13
Cisco Isovalent - Non Allowlisted Image Use Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
MOVEit Empty Key Fingerprint Authentication Attempt T1190 Hunting Hellcat Ransomware, MOVEit Transfer Authentication Bypass 2026-05-13
Processes Tapping Keyboard Events Osquery Results N/A TTP APT37 Rustonotto and FadeStealer, ColdRoot MacOS RAT 2026-05-13
Cisco Isovalent - Cron Job Creation Cisco Isovalent Process Exec T1053.003 T1053.007 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Cisco Isovalent - Shell Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
WMI Permanent Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
Cisco Isovalent - Access To Cloud Metadata Service Cisco Isovalent Process Connect T1552.005 Anomaly VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity 2026-05-13
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2026-05-13
Detect Baron Samedit CVE-2021-3156 Segfault T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
WMI Temporary Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
CrowdStrike Falcon Stream Alerts CrowdStrike Falcon Stream Alert N/A Anomaly Critical Alerts 2026-05-13
Crowdstrike Admin With Duplicate Password T1110 TTP Compromised Windows Host 2026-05-13
Detect Baron Samedit CVE-2021-3156 via OSQuery T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Crowdstrike Admin Weak Password Policy T1110 TTP Compromised Windows Host 2026-05-13
Log4Shell CVE-2021-44228 Exploitation T1059 T1105 T1133 T1190 Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2026-05-13
Crowdstrike Multiple LOW Severity Alerts T1110 Anomaly Compromised Windows Host 2026-05-13
MOVEit Certificate Store Access Failure T1190 Hunting MOVEit Transfer Authentication Bypass 2026-05-13
Crowdstrike High Identity Risk Severity T1110 TTP Compromised Windows Host 2026-05-13
Crowdstrike User with Duplicate Password T1110 Anomaly Compromised Windows Host 2026-05-13
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Active Directory Lateral Movement Identified T1210 Correlation Active Directory Lateral Movement 2026-05-13
Crowdstrike Privilege Escalation For Non-Admin User T1110 Anomaly Compromised Windows Host 2026-05-13
Cisco Isovalent - Kprobe Spike Cisco Isovalent Process Kprobe T1068 Hunting VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity 2026-05-13
Suspicious PlistBuddy Usage via OSquery Osquery Results T1543.001 TTP Silver Sparrow 2026-05-13
Cisco Isovalent - Late Process Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Crowdstrike User Weak Password Policy T1110 Anomaly Compromised Windows Host 2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags Cisco Isovalent Process Exec T1105 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Detect Excessive Account Lockouts From Endpoint T1078.002 Anomaly Active Directory Password Spraying 2026-05-13
Cisco Isovalent - Pods Running Offensive Tools Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Microsoft Defender ATP Alerts MS Defender ATP Alerts N/A TTP Critical Alerts 2026-05-13
Living Off The Land Detection T1059 T1105 T1133 T1190 Correlation Living Off The Land, Hellcat Ransomware 2026-05-13
Detect Excessive User Account Lockouts T1078.003 Anomaly Scattered Lapsus$ Hunters, Active Directory Password Spraying 2026-05-13
Microsoft Defender Incident Alerts MS365 Defender Incident Alerts N/A TTP Critical Alerts 2026-05-13
Crowdstrike Medium Identity Risk Severity T1110 TTP Compromised Windows Host 2026-05-13
Cisco Isovalent - Potential Escape to Host Cisco Isovalent Process Exec T1611 Anomaly VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity 2026-05-13
Ivanti Sentry Authentication Bypass Suricata T1190 TTP Ivanti Sentry Authentication Bypass CVE-2023-38035 2026-05-13
PaperCut NG Remote Web Access Attempt Suricata T1133 T1190 TTP PaperCut MF NG Vulnerability 2026-05-13
Hunting for Log4Shell Nginx Access T1133 T1190 Hunting CISA AA22-320A, Log4Shell CVE-2021-44228 2026-05-13
Zscaler Exploit Threat Blocked T1566 TTP Zscaler Browser Proxy Threats 2026-05-13
Zscaler Malware Activity Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Web Remote ShellServlet Access Nginx Access T1190 TTP GhostRedirector IIS Module and Rungan Backdoor, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2026-05-13
Zscaler Behavior Analysis Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
SAP NetWeaver Visual Composer Exploitation Attempt Suricata T1190 Hunting SAP NetWeaver Exploitation 2026-05-13
Unusually Long Content-Type Length N/A Anomaly Apache Struts Vulnerability 2026-05-13
Log4Shell JNDI Payload Injection with Outbound Connection T1133 T1190 Anomaly CISA AA22-320A, Log4Shell CVE-2021-44228 2026-05-13
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2026-05-13
Zscaler Phishing Activity Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats, Hellcat Ransomware 2026-05-13
Tomcat Session Deserialization Attempt Nginx Access T1190 T1505.003 Anomaly Apache Tomcat Session Deserialization Attacks 2026-05-13
Zscaler Scam Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Cisco IOS XE Implant Access Suricata T1190 TTP Cisco IOS XE Software Web Management User Interface vulnerability 2026-05-13
Zscaler Virus Download threat blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Zscaler Potentially Abused File Download T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Adobe ColdFusion Access Control Bypass Suricata T1190 Anomaly Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2026-05-13
Adobe ColdFusion Unauthenticated Arbitrary File Read Suricata T1190 Anomaly Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2026-05-13
Zscaler Employment Search Web Activity T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
HTTP Duplicated Header Suricata T1071.001 T1190 Anomaly HTTP Request Smuggling 2026-05-13
Ivanti EPM SQL Injection Remote Code Execution Suricata T1190 TTP GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Ivanti EPM Vulnerabilities 2026-05-13
Spring4Shell Payload URL Request Nginx Access T1133 T1190 T1505.003 TTP Spring4Shell CVE-2022-22965 2026-05-13
Ivanti Connect Secure Command Injection Attempts Suricata T1190 TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Suricata T1190 TTP Confluence Data Center and Confluence Server Vulnerabilities 2026-05-13
Ivanti Connect Secure SSRF in SAML Component Suricata T1190 TTP Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Supernova Webshell T1133 T1505.003 TTP NOBELIUM Group, Earth Alux, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
JetBrains TeamCity RCE Attempt Suricata T1190 TTP CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2026-05-13
ProxyShell ProxyNotShell Behavior Detected T1133 T1190 Correlation ProxyNotShell, Seashell Blizzard, ProxyShell 2026-05-13
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2026-05-13
Log4Shell JNDI Payload Injection Attempt Nginx Access T1133 T1190 Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2026-05-13
Detect attackers scanning for vulnerable JBoss servers T1082 T1133 TTP SamSam Ransomware, JBoss Vulnerability 2026-05-13
High Volume of Bytes Out to Url Nginx Access T1567 Anomaly Hellcat Ransomware, Data Exfiltration 2026-05-13
WS FTP Remote Code Execution Suricata T1190 TTP WS FTP Server Critical Vulnerabilities 2026-05-13
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Suricata T1190 TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Zscaler Privacy Risk Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Nginx ConnectWise ScreenConnect Authentication Bypass Nginx Access T1190 TTP Hellcat Ransomware, Scattered Lapsus$ Hunters, Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities 2026-05-13
Tomcat Session File Upload Attempt Nginx Access T1190 T1505.003 Anomaly Apache Tomcat Session Deserialization Attacks 2026-05-13
Microsoft SharePoint Server Elevation of Privilege Suricata T1068 Anomaly Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 2026-05-13
Detect F5 TMUI RCE CVE-2020-5902 T1190 TTP F5 TMUI RCE CVE-2020-5902 2026-05-13
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure Suricata T1190 Anomaly Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
SQL Injection with Long URLs T1190 TTP GhostRedirector IIS Module and Rungan Backdoor, SQL Injection 2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata T1133 T1190 TTP Ivanti EPMM Remote Unauthenticated Access 2026-05-13
Zscaler CryptoMiner Downloaded Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
F5 TMUI Authentication Bypass Suricata N/A TTP F5 Authentication Bypass with TMUI 2026-05-13
HTTP Request to Reserved Name on IIS Server Suricata T1071.001 T1190 TTP HTTP Request Smuggling 2026-05-13
Confluence CVE-2023-22515 Trigger Vulnerability Suricata T1190 TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2026-05-13
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access T1190 TTP Hellcat Ransomware, Jenkins Server Vulnerabilities 2026-05-13
Confluence Data Center and Server Privilege Escalation Nginx Access T1190 TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities 2026-05-13
Monitor Web Traffic For Brand Abuse N/A TTP Brand Monitoring 2026-05-13
Ivanti Connect Secure System Information Access via Auth Bypass Suricata T1190 Anomaly CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Citrix ShareFile Exploitation CVE-2023-24489 Suricata T1190 Hunting Citrix ShareFile RCE CVE-2023-24489 2026-05-13
Exploit Public Facing Application via Apache Commons Text Nginx Access T1133 T1190 T1505.003 Anomaly Text4Shell CVE-2022-42889 2026-05-13
Citrix ADC and Gateway Unauthorized Data Disclosure Suricata T1190 TTP Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters 2026-05-13
CrushFTP Authentication Bypass Exploitation CrushFTP T1059.001 T1059.003 T1190 TTP Hellcat Ransomware, CrushFTP Vulnerabilities 2026-05-13
Detect malicious requests to exploit JBoss servers N/A TTP SamSam Ransomware, JBoss Vulnerability 2026-05-13
Zscaler Adware Activities Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
HTTP Rapid POST with Mixed Status Codes Nginx Access T1071.001 T1190 T1595 Anomaly HTTP Request Smuggling 2026-05-13
CrushFTP Max Simultaneous Users From IP CrushFTP T1110.001 T1110.004 Anomaly CrushFTP Vulnerabilities 2026-05-13
Web JSP Request via URL Nginx Access T1133 T1190 T1505.003 TTP Earth Alux, Spring4Shell CVE-2022-22965 2026-05-13
HTTP Scripting Tool User Agent Nginx Access T1071.001 Anomaly HTTP Request Smuggling, Suspicious User Agents 2026-05-13
ConnectWise ScreenConnect Authentication Bypass Suricata T1190 TTP Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities 2026-05-13
WordPress Bricks Builder plugin RCE Nginx Access T1190 TTP Hellcat Ransomware, WordPress Vulnerabilities 2026-05-13
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Suricata T1190 TTP Hellcat Ransomware, JetBrains TeamCity Vulnerabilities 2026-05-13
Zscaler Legal Liability Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
HTTP Possible Request Smuggling Suricata T1071.001 TTP HTTP Request Smuggling 2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Suricata T1133 T1190 TTP Ivanti EPMM Remote Unauthenticated Access 2026-05-13
M365 Copilot Impersonation Jailbreak Attack M365 Exported eDiscovery Prompts T1685 TTP Suspicious Microsoft 365 Copilot Activities 2026-05-13
ESXi Syslog Config Change VMWare ESXi Syslog T1690 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - Device File Copy to Remote Location Cisco ASA Logs T1005 T1041 T1048.003 Anomaly Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor 2026-05-13
ESXi Shared or Stolen Root Account VMWare ESXi Syslog T1078 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Bulk VM Termination VMWare ESXi Syslog T1499 T1529 T1673 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Lockdown Mode Disabled VMWare ESXi Syslog T1685 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Loghost Config Tampering VMWare ESXi Syslog T1685 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Multiple Accounts Locked Out Okta T1110 Anomaly Okta Account Takeover 2026-05-13
Cisco ASA - Logging Disabled via CLI Cisco ASA Logs T1685 TTP Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
ESXi Encryption Settings Modified VMWare ESXi Syslog T1685 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Firewall Disabled VMWare ESXi Syslog T1686 TTP China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - New Local User Account Created Cisco ASA Logs T1078.003 T1136.001 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
PingID New MFA Method Registered For User PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Okta Multi-Factor Authentication Disabled Okta T1556.006 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Okta Multiple Users Failing To Authenticate From Ip Okta T1110.003 Anomaly Okta Account Takeover 2026-05-13
Cisco Duo Policy Allow Old Java Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Admin Login Unusual Os Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco ASA - User Privilege Level Change Cisco ASA Logs T1078.003 T1098 Anomaly Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor 2026-05-13
ESXi SSH Brute Force VMWare ESXi Syslog T1110 Anomaly Hellcat Ransomware, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Sensitive Files Accessed VMWare ESXi Syslog T1003.008 T1005 TTP China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Suspicious Use of a Session Cookie Okta T1539 Anomaly Suspicious Okta Activity, Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
M365 Copilot Application Usage Pattern Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Zoom Rare Input Devices T1123 Hunting Remote Employment Fraud 2026-05-13
ESXi Shell Access Enabled VMWare ESXi Syslog T1021 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco Duo Policy Allow Devices Without Screen Lock Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi SSH Enabled VMWare ESXi Syslog T1021.004 TTP Hellcat Ransomware, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
M365 Copilot Failed Authentication Patterns M365 Copilot Graph API T1110 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Okta New API Token Created Okta T1078.001 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
M365 Copilot Non Compliant Devices Accessing M365 Copilot M365 Copilot Graph API T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Cisco Duo Policy Allow Old Flash Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Admin Login Unusual Country Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco AI Defense Security Alerts by Application Name Cisco AI Defense Alerts N/A Anomaly Critical Alerts 2026-05-13
MCP Sensitive System File Search MCP Server T1552.001 Hunting Suspicious MCP Activities 2026-05-13
M365 Copilot Jailbreak Attempts M365 Exported eDiscovery Prompts T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Ivanti VTM New Account Creation Ivanti VTM Audit T1190 TTP Hellcat Ransomware, Scattered Lapsus$ Hunters, Ivanti Virtual Traffic Manager CVE-2024-7593 2026-05-13
Zoom High Video Latency T1078 Anomaly Remote Employment Fraud 2026-05-13
Okta Phishing Detection with FastPass Origin Check Okta T1078.001 T1556 TTP Okta Account Takeover 2026-05-13
ESXi External Root Login Activity VMWare ESXi Syslog T1078 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - User Account Deleted From Local Database Cisco ASA Logs T1070.008 T1531 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco ASA - AAA Policy Tampering Cisco ASA Logs T1556.004 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Okta New Device Enrolled on Account Okta T1098.005 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
PingID Multiple Failed MFA Requests For User PingID T1078 T1110 T1621 TTP Compromised User Account 2026-05-13
Email servers sending high volume traffic to hosts T1114.002 Anomaly HAFNIUM Group, Collection and Staging 2026-05-13
Cisco Duo Bypass Code Generation Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
MCP Github Suspicious Operation MCP Server T1552.001 Hunting Suspicious MCP Activities 2026-05-13
Cisco ASA - Logging Message Suppression Cisco ASA Logs T1070 T1685.001 Anomaly Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor 2026-05-13
Cisco ASA - Reconnaissance Command Activity Cisco ASA Logs T1082 T1590.001 T1590.005 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco Duo Policy Skip 2FA for Other Countries Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi Account Modified VMWare ESXi Syslog T1078 T1098 T1136.001 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta IDP Lifecycle Modifications Okta T1087.004 Anomaly Suspicious Okta Activity 2026-05-13
ESXi User Granted Admin Role VMWare ESXi Syslog T1078 T1098 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Ollama Abnormal Service Crash Availability Attack Ollama Server T1489 Anomaly Suspicious Ollama Activities 2026-05-13
ESXi Reverse Shell Patterns VMWare ESXi Syslog T1059 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Email Attachments With Lots Of Spaces T1036.008 T1566.001 Anomaly Hermetic Wiper, Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A 2026-05-13
Ollama Possible Memory Exhaustion Resource Abuse Ollama Server T1499 Anomaly Suspicious Ollama Activities 2026-05-13
Ollama Possible RCE via Model Loading Ollama Server T1190 Anomaly Suspicious Ollama Activities 2026-05-13
Okta Suspicious Activity Reported Okta T1078.001 TTP Okta Account Takeover 2026-05-13
ESXi System Clock Manipulation VMWare ESXi Syslog T1070.006 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - Core Syslog Message Volume Drop Cisco ASA Logs T1685 Hunting Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor 2026-05-13
Zoom Rare Audio Devices T1123 Hunting Remote Employment Fraud 2026-05-13
Cisco ASA - Packet Capture Activity Cisco ASA Logs T1040 T1557 Anomaly Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor 2026-05-13
PingID New MFA Method After Credential Reset PingID T1098.005 T1556.006 T1621 TTP Scattered Lapsus$ Hunters, Compromised User Account 2026-05-13
ESXi VM Discovery VMWare ESXi Syslog T1673 TTP China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Multiple Failed MFA Requests For User Okta T1621 Anomaly Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion 2026-05-13
Okta Unauthorized Access to Application Okta T1087.004 Anomaly Okta Account Takeover 2026-05-13
Suspicious Java Classes T1190 Anomaly Apache Struts Vulnerability 2026-05-13
MCP Prompt Injection MCP Server T1059 TTP Suspicious MCP Activities 2026-05-13
Monitor Email For Brand Abuse N/A TTP Scattered Lapsus$ Hunters, Brand Monitoring, Suspicious Emails 2026-05-13
Okta User Logins from Multiple Cities Okta T1586.003 Anomaly Okta Account Takeover 2026-05-13
Cisco Duo Bulk Policy Deletion Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Ollama Suspicious Prompt Injection Jailbreak Ollama Server T1059 T1190 Anomaly Suspicious Ollama Activities 2026-05-13
ESXi VIB Acceptance Level Tampering VMWare ESXi Syslog T1685 TTP China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Suspicious Email Attachment Extensions T1566.001 Anomaly Hermetic Wiper, Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A 2026-05-13
Cisco Duo Policy Allow Tampered Devices Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Set User Status to Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Okta Multiple Failed Requests to Access Applications Okta T1538 T1550.004 Hunting Okta Account Takeover 2026-05-13
M365 Copilot Information Extraction Jailbreak Attack M365 Exported eDiscovery Prompts T1685 TTP Suspicious Microsoft 365 Copilot Activities 2026-05-13
CrushFTP Server Side Template Injection CrushFTP T1190 TTP Hellcat Ransomware, CrushFTP Vulnerabilities 2026-05-13
MCP Postgres Suspicious Query MCP Server T1555 Hunting Suspicious MCP Activities 2026-05-13
Cisco Duo Policy Deny Access Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Policy Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi Malicious VIB Forced Install VMWare ESXi Syslog T1505.006 TTP China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Mismatch Between Source and Response for Verify Push Request Okta T1621 TTP Scattered Lapsus$ Hunters, Okta Account Takeover, Okta MFA Exhaustion 2026-05-13
Cisco ASA - Logging Filters Configuration Tampering Cisco ASA Logs T1685 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
MCP Filesystem Server Suspicious Extension Write MCP Server T1059 Hunting Suspicious MCP Activities 2026-05-13
Okta MFA Exhaustion Hunt Okta T1110 Hunting Scattered Lapsus$ Hunters, Okta Account Takeover, Okta MFA Exhaustion 2026-05-13
ESXi System Information Discovery VMWare ESXi Syslog T1082 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Successful Single Factor Authentication Okta T1078.004 T1586.003 T1621 Anomaly Okta Account Takeover 2026-05-13
ESXi Audit Tampering VMWare ESXi Syslog T1070 T1690 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Ollama Excessive API Requests Ollama Server T1498 Anomaly Suspicious Ollama Activities 2026-05-13
M365 Copilot Session Origin Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
M365 Copilot Agentic Jailbreak Attack M365 Exported eDiscovery Prompts T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
ESXi VM Exported via Remote Tool VMWare ESXi Syslog T1005 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - Device File Copy Activity Cisco ASA Logs T1005 T1530 Anomaly Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor 2026-05-13
Cisco ASA - User Account Lockout Threshold Exceeded Cisco ASA Logs T1110.001 T1110.003 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Zoom Rare Video Devices T1123 Hunting Remote Employment Fraud 2026-05-13
Detect New Login Attempts to Routers N/A TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Ollama Possible API Endpoint Scan Reconnaissance Ollama Server T1595 Anomaly Suspicious Ollama Activities 2026-05-13
Ollama Possible Model Exfiltration Data Leakage Ollama Server T1048 Anomaly Suspicious Ollama Activities 2026-05-13
Okta Authentication Failed During MFA Challenge Okta T1078.004 T1586.003 T1621 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Okta ThreatInsight Threat Detected Okta T1078.004 Anomaly Okta Account Takeover 2026-05-13
PingID Mismatch Auth Source and Verification Response PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Cisco Duo Admin Login Unusual Browser Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi Download Errors VMWare ESXi Syslog T1601.001 T1685 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
O365 ZAP Activity Detection Office 365 Universal Audit Log T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2026-05-13
O365 Excessive SSO logon errors O365 UserLoginFailed T1556 Anomaly Office 365 Account Takeover, Cloud Federated Credential Abuse 2026-05-13
O365 Email Transport Rule Changed Office 365 Universal Audit Log T1114.003 T1564.008 Anomaly Office 365 Account Takeover, Data Exfiltration 2026-05-13
O365 Advanced Audit Disabled O365 Change user license. T1685.002 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Cross-Tenant Access Change Office 365 Universal Audit Log T1484.002 TTP Azure Active Directory Persistence 2026-05-13
O365 Service Principal Privilege Escalation O365 Add app role assignment grant to user. T1098.003 TTP Office 365 Account Takeover, Azure Active Directory Privilege Escalation 2026-05-13
O365 SharePoint Suspicious Search Behavior Office 365 Universal Audit Log T1213.002 T1552 Anomaly Office 365 Account Takeover, Compromised User Account, CISA AA22-320A, Office 365 Collection Techniques 2026-05-13
O365 File Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2026-05-13
O365 Email Reported By User Found Malicious Office 365 Universal Audit Log T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2026-05-13
O365 Email Security Feature Changed Office 365 Universal Audit Log T1685.002 TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2026-05-13
GitHub Organizations Disable Dependabot GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
Gsuite Drive Share In External Email G Suite Drive T1567.002 Anomaly Insider Threat, Scattered Lapsus$ Hunters, Dev Sec Ops 2026-05-13
O365 Multiple Service Principals Created by User O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Gsuite Suspicious Shared File Name G Suite Drive T1566.001 Anomaly Dev Sec Ops 2026-05-13
O365 Mailbox Email Forwarding Enabled T1114.003 TTP Office 365 Collection Techniques 2026-05-13
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed T1110.003 T1110.004 T1586.003 Hunting Office 365 Account Takeover, NOBELIUM Group 2026-05-13
O365 Privileged Role Assigned Office 365 Universal Audit Log T1098.003 TTP Azure Active Directory Persistence, Scattered Lapsus$ Hunters 2026-05-13
O365 Bypass MFA via Trusted IP O365 Set Company Information. T1686.001 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Privileged Graph API Permission Assigned O365 Update application. T1003.002 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
O365 PST export alert O365 T1114 TTP Office 365 Collection Techniques, Data Exfiltration 2026-05-13
O365 High Number Of Failed Authentications for User O365 UserLoginFailed T1110.001 TTP Office 365 Account Takeover 2026-05-13
GitHub Enterprise Disable IP Allow List GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
O365 Add App Role Assignment Grant User O365 Add app role assignment grant to user. T1136.003 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2026-05-13
GitHub Organizations Repository Archived GitHub Organizations Audit Logs T1195 T1485 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 New Forwarding Mailflow Rule Created T1114 TTP Office 365 Collection Techniques 2026-05-13
O365 FullAccessAsApp Permission Assigned O365 Update application. T1098.002 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
O365 DLP Rule Triggered Office 365 Universal Audit Log T1048 T1567 Anomaly Data Exfiltration 2026-05-13
GitHub Organizations Delete Branch Ruleset GitHub Organizations Audit Logs T1195 T1685 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
GitHub Enterprise Register Self Hosted Runner GitHub Enterprise Audit Logs T1195 T1685 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 Email Send Attachments Excessive Volume Office 365 Universal Audit Log T1070.008 T1485 Anomaly Office 365 Account Takeover, Suspicious Emails 2026-05-13
GitHub Enterprise Repository Deleted GitHub Enterprise Audit Logs T1195 T1485 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 Privileged Role Assigned To Service Principal Office 365 Universal Audit Log T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation 2026-05-13
O365 SharePoint Malware Detection Office 365 Universal Audit Log T1204.002 TTP Office 365 Account Takeover, Azure Active Directory Persistence, Ransomware Cloud 2026-05-13
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed T1114.002 TTP Office 365 Collection Techniques, NOBELIUM Group 2026-05-13
O365 Safe Links Detection Office 365 Universal Audit Log T1566.001 TTP Office 365 Account Takeover, Spearphishing Attachments 2026-05-13
GitHub Enterprise Delete Branch Ruleset GitHub Enterprise Audit Logs T1195 T1685 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 Application Registration Owner Added O365 Add owner to application. T1098 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
O365 Security And Compliance Alert Triggered T1078.004 TTP Office 365 Account Takeover 2026-05-13
Circle CI Disable Security Job CircleCI T1554 Anomaly Dev Sec Ops 2026-05-13
Gdrive suspicious file sharing T1566 Hunting Data Exfiltration, Spearphishing Attachments, Scattered Lapsus$ Hunters 2026-05-13
Detect S3 access from a new IP T1530 Anomaly Suspicious AWS S3 Activities 2026-05-13
O365 Email Suspicious Search Behavior Office 365 Universal Audit Log T1114.002 T1552 Anomaly Office 365 Account Takeover, Compromised User Account, CISA AA22-320A, Office 365 Collection Techniques 2026-05-13
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed T1114.002 TTP Office 365 Collection Techniques, NOBELIUM Group 2026-05-13
O365 Service Principal New Client Credentials O365 T1098.001 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
GitHub Organizations Disable 2FA Requirement GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2026-05-13
Gsuite Email Suspicious Subject With Attachment G Suite Gmail T1566.001 Anomaly Dev Sec Ops 2026-05-13
O365 Email Password and Payroll Compromise Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log T1070.008 T1114.001 T1485 TTP Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails 2026-05-13
O365 New Federated Domain Added O365 T1136.003 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2026-05-13
O365 Threat Intelligence Suspicious File Detected Office 365 Universal Audit Log T1204.002 TTP Office 365 Account Takeover, Azure Active Directory Account Takeover, Ransomware Cloud 2026-05-13
Circle CI Disable Security Step CircleCI T1554 Anomaly Dev Sec Ops 2026-05-13
O365 Mailbox Read Access Granted to Application O365 Update application. T1098.003 T1114.002 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. T1685 TTP Office 365 Account Takeover 2026-05-13
GitHub Enterprise Disable Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 Exfiltration via File Sync Download Office 365 Universal Audit Log T1530 T1567 Anomaly Office 365 Account Takeover, Data Exfiltration 2026-05-13
O365 Email Receive and Hard Delete Takeover Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log T1070.008 T1114.001 T1485 Anomaly Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails 2026-05-13
O365 New MFA Method Registered O365 Update user. T1098.005 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Disable MFA O365 Disable Strong Authentication. T1556 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Added Service Principal O365 T1136.003 TTP NOBELIUM Group, Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2026-05-13
O365 High Privilege Role Granted O365 Add member to role. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Email Hard Delete Excessive Volume Office 365 Universal Audit Log T1070.008 T1485 Anomaly Office 365 Account Takeover, Data Destruction, Suspicious Emails 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Remote Employment Fraud, Suspicious Okta Activity 2026-05-13
O365 Multiple OS Vendors Authenticating From User Office 365 Universal Audit Log T1110 TTP Office 365 Account Takeover 2026-05-13
GitHub Organizations Disable Classic Branch Protection Rule GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
O365 SharePoint Allowed Domains Policy Changed Office 365 Universal Audit Log T1136.003 TTP Azure Active Directory Persistence 2026-05-13
O365 Exfiltration via File Access Office 365 Universal Audit Log T1530 T1567 Anomaly Office 365 Account Takeover, Data Exfiltration 2026-05-13
O365 Email Suspicious Behavior Alert Office 365 Universal Audit Log T1114.003 TTP Office 365 Collection Techniques, Office 365 Account Takeover, Suspicious Emails 2026-05-13
O365 Compliance Content Search Started T1114.002 TTP Office 365 Collection Techniques 2026-05-13
O365 Email New Inbox Rule Created Office 365 Universal Audit Log T1114.003 T1564.008 Anomaly Office 365 Collection Techniques 2026-05-13
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoginFailed, O365 UserLoggedIn T1078 Anomaly Office 365 Account Takeover 2026-05-13
GitHub Enterprise Modify Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
GitHub Enterprise Disable Dependabot GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
Gsuite Email With Known Abuse Web Service Link G Suite Gmail T1566.001 Anomaly Dev Sec Ops 2026-05-13
O365 New Email Forwarding Rule Enabled T1114.003 TTP Office 365 Collection Techniques 2026-05-13
O365 New Email Forwarding Rule Created T1114.003 TTP Office 365 Collection Techniques 2026-05-13
GitHub Enterprise Pause Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 External Guest User Invited Office 365 Universal Audit Log T1136.003 TTP Azure Active Directory Persistence 2026-05-13
O365 Excessive Authentication Failures Alert T1110 Anomaly Office 365 Account Takeover 2026-05-13
O365 Email Send and Hard Delete Exfiltration Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log T1070.008 T1114.001 T1485 Anomaly Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails 2026-05-13
O365 Mailbox Folder Read Permission Assigned O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
GitHub Enterprise Disable Classic Branch Protection Rule GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
GSuite Email Suspicious Attachment G Suite Gmail T1566.001 Anomaly Dev Sec Ops 2026-05-13
O365 External Identity Policy Changed Office 365 Universal Audit Log T1136.003 TTP Azure Active Directory Persistence 2026-05-13
O365 Threat Intelligence Suspicious Email Delivered Office 365 Universal Audit Log T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2026-05-13
O365 Application Available To Other Tenants Office 365 Universal Audit Log T1098.003 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2026-05-13
O365 Multiple Service Principals Created by SP O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed T1621 TTP Office 365 Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
GitHub Organizations Repository Deleted GitHub Organizations Audit Logs T1195 T1485 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed T1114.002 TTP Office 365 Collection Techniques, NOBELIUM Group 2026-05-13
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 ApplicationImpersonation Role Assigned O365 T1098.002 TTP Office 365 Collection Techniques, NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail T1048.003 Hunting Insider Threat, Dev Sec Ops 2026-05-13
High Number of Login Failures from a single source O365 UserLoginFailed T1110.001 Anomaly Office 365 Account Takeover 2026-05-13
O365 User Consent Blocked for Risky Application O365 Consent to application. T1528 TTP Office 365 Account Takeover 2026-05-13
O365 Email Reported By Admin Found Malicious Office 365 Universal Audit Log T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2026-05-13
GitHub Enterprise Remove Organization GitHub Enterprise Audit Logs T1195 T1485 Anomaly GitHub Malicious Activity 2026-05-13
Gsuite suspicious calendar invite T1566 Hunting Spearphishing Attachments 2026-05-13
GitHub Enterprise Disable 2FA Requirement GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
Geographic Improbable Location Okta T1078 Anomaly Remote Employment Fraud 2026-05-13
O365 Email Access By Security Administrator Office 365 Universal Audit Log T1114.002 T1567 TTP Office 365 Account Takeover, Data Exfiltration, Azure Active Directory Account Takeover 2026-05-13
Risk Rule for Dev Sec Ops by Repository T1204.003 Correlation Dev Sec Ops 2026-05-13
GitHub Enterprise Repository Archived GitHub Enterprise Audit Logs T1195 T1485 Anomaly NPM Supply Chain Compromise, GitHub Malicious Activity 2026-05-13
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn T1185 TTP Office 365 Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed T1110.003 T1110.004 T1586.003 TTP Office 365 Account Takeover, NOBELIUM Group 2026-05-13
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions T1114.002 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Tenant Wide Admin Consent Granted O365 Consent to application. T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
O365 Elevated Mailbox Permission Assigned O365 Add-MailboxPermission T1098.002 TTP Office 365 Collection Techniques 2026-05-13
O365 User Consent Denied for OAuth Application O365 T1528 TTP Office 365 Account Takeover 2026-05-13
O365 Exfiltration via File Download Office 365 Universal Audit Log T1530 T1567 Anomaly Office 365 Account Takeover, Data Exfiltration 2026-05-13
O365 Email Send and Hard Delete Suspicious Behavior Office 365 Universal Audit Log T1070.008 T1114.001 T1485 Anomaly Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails 2026-05-13
O365 Compliance Content Search Exported T1114.002 TTP Office 365 Collection Techniques 2026-05-13
O365 BEC Email Hiding Rule Created T1564.008 TTP Office 365 Account Takeover 2026-05-13
O365 Mailbox Folder Read Permission Granted O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Suspicious User Agents, Remote Monitoring and Management Software 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP Lokibot, Lumma Stealer, Suspicious User Agents, RedLine Stealer, Crypto Stealer, Meduza Stealer 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Cisco SD-WAN - Peering Activity Cisco SD-WAN NTCE 1000001 T1190 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Brute Ratel C4, Meterpreter, Suspicious User Agents, Cobalt Strike, Malicious PowerShell, Tuoni 2026-05-13
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1505.003 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly BlackSuit Ransomware, Local Privilege Escalation With KrbRelayUp, Cactus Ransomware, Suspicious User Agents 2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP React2Shell 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect ARP Poisoning Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration Cisco Secure Firewall Threat Defense Connection Event T1041 T1048.003 T1567.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration Cisco IOS Logs T1005 T1567 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity Cisco SD-WAN Service Proxy Access Logs T1190 TTP Cisco Catalyst SD-WAN Analytics 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer Cisco SD-WAN NTCE 1000001 T1190 Anomaly Cisco Catalyst SD-WAN Analytics 2026-05-13
Detect Zerologon via Zeek T1190 TTP Rhysida Ransomware, Black Basta Ransomware, Detect Zerologon Attack 2026-05-13
Detect SNICat SNI Exfiltration T1041 TTP Data Exfiltration 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Scattered Spider, Cisco Secure Firewall Threat Defense Analytics, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
Protocols passing authentication in cleartext Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Use of Cleartext Protocols, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Internal Vulnerability Scan T1046 T1595.002 TTP Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event T1190 T1210 T1499 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 TTP Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Detect Rogue DHCP Server Cisco IOS Logs T1200 T1498 T1557 TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered Cisco Secure Firewall Threat Defense Intrusion Event T1583.006 T1598 Hunting Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Hellcat Ransomware, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Port Security Violation Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Large Volume of DNS ANY Queries T1498.002 Anomaly DNS Amplification Attacks 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Protocol or Port Mismatch Cisco Secure Firewall Threat Defense Connection Event T1048.003 Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event T1071.002 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics, NOBELIUM Group, Hidden Cobra Malware, DHS Report TA18-074A 2026-05-13
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Cisco Secure Firewall - Binary File Type Download Cisco Secure Firewall Threat Defense File Event T1059 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Traffic Mirroring Cisco IOS Logs T1020.001 T1200 T1498 TTP Router and Infrastructure Security 2026-05-13
Cisco Secure Firewall - Possibly Compromised Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 T1587.001 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Command And Control, Suspicious DNS Traffic 2026-05-13
Cisco SNMP Community String Configuration Changes Cisco IOS Logs T1040 T1552 T1685 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity Cisco SD-WAN Service Proxy Access Logs T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
SMB Traffic Spike T1021.002 Anomaly DHS Report TA18-074A, Hidden Cobra Malware, Ransomware, Emotet Malware DHS Report TA18-201A 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13