|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1133
T1190
|
Hunting
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Java Writing JSP File
|
Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
|
T1133
T1190
|
TTP
|
SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Atlassian Confluence Server and Data Center CVE-2022-26134
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows WSUS Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
T1190
|
Hunting
|
Hellcat Ransomware, MOVEit Transfer Authentication Bypass
|
2026-05-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
BlackByte Ransomware, Ransomware, ProxyShell
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Office Product Spawned Child Process For Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Spearphishing Attachments, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, PlugX, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Office Product Spawned Rundll32 With No DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Spearphishing Attachments, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Prestige Ransomware, Graceful Wipe Out Attack, Compromised Windows Host, Crypto Stealer
|
2026-05-13
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
T1133
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Credential Dumping, Insider Threat
|
2026-05-13
|
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
T1200
|
Anomaly
|
Compromised Linux Host, Data Destruction, Scattered Lapsus$ Hunters, AwfulShred
|
2026-05-13
|
|
Windows Office Product Spawned Control
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Spearphishing Attachments, Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Windows Office Product Loading VBE7 DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Spearphishing Attachments, Qakbot, Azorult, PlugX, MuddyWater, Trickbot, IcedID, AgentTesla, Remcos, DarkCrystal RAT, NjRAT
|
2026-05-13
|
|
Windows Office Product Loading Taskschd DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Suspicious React or Next.js Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
BlackByte Ransomware, Compromised Windows Host, CISA AA22-257A, Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
T1190
|
TTP
|
Seashell Blizzard, Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
Spearphishing Attachments, APT37 Rustonotto and FadeStealer, PXA Stealer, Meduza Stealer, Remcos, Amadey
|
2026-05-13
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
T1133
|
Anomaly
|
Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
Chaos Ransomware, China-Nexus Threat Activity, PlugX, APT37 Rustonotto and FadeStealer, Derusbi, Salt Typhoon, NjRAT
|
2026-05-13
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 11
|
T1566.002
|
Anomaly
|
Spearphishing Attachments, BlankGrabber Stealer, APT37 Rustonotto and FadeStealer, IcedID, Amadey, Qakbot, Gozi Malware
|
2026-05-13
|
|
Windows Vulnerable 3CX Software
|
Sysmon EventID 1
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1132, Windows Event Log Defender 1125, Windows Event Log Defender 1134, Windows Event Log Defender 1126, Windows Event Log Defender 1122
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Shell or Script Execution From IIS Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.004
|
Anomaly
|
ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Windows Office Product Dropped Cab or Inf File
|
Sysmon EventID 1, Windows Event Log Security 4688, Sysmon EventID 11
|
T1566.001
|
TTP
|
Spearphishing Attachments, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1133
T1190
|
TTP
|
ProxyNotShell, BlackByte Ransomware, Seashell Blizzard, ProxyShell
|
2026-05-13
|
|
Windows Process Executed From Removable Media
|
Sysmon EventID 13, Sysmon EventID 1
|
T1025
T1091
T1200
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Data Protection
|
2026-05-13
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 13
|
T1566.001
|
Hunting
|
Warzone RAT, Brute Ratel C4, Azorult, IcedID, AgentTesla, Remcos, Qakbot, Gozi Malware
|
2026-05-13
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Linux Suspicious React or Next.js Child Process
|
Sysmon for Linux EventID 1
|
T1059.004
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Web or Application Server Spawning a Shell
|
Sysmon for Linux EventID 1, Sysmon EventID 1
|
T1133
T1190
|
TTP
|
Cleo File Transfer Software, SysAid On-Prem Software CVE-2023-47246 Vulnerability, SAP NetWeaver Exploitation, Data Destruction, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, Spring4Shell CVE-2022-22965, Microsoft WSUS CVE-2025-59287, ProxyShell, BlackByte Ransomware, Hermetic Wiper, CISA AA22-264A, Flax Typhoon, Microsoft SharePoint Vulnerabilities, PHP-CGI RCE Attack on Japanese Organizations, Log4Shell CVE-2021-44228, GhostRedirector IIS Module and Rungan Backdoor, WS FTP Server Critical Vulnerabilities
|
2026-05-13
|
|
MOVEit Certificate Store Access Failure
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2026-05-13
|
|
Windows Office Product Spawned Uncommon Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Warzone RAT, Spearphishing Attachments, CVE-2023-21716 Word RTF Heap Corruption, FIN7, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Qakbot, Azorult, PlugX, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Trickbot, IcedID, MuddyWater, AgentTesla, Remcos, DarkCrystal RAT, NjRAT
|
2026-05-13
|
|
Windows Identify PowerShell Web Access IIS Pool
|
Windows Event Log Security 4648
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
T1190
|
TTP
|
Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Data Protection
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
|
TTP
|
CISA AA23-347A, Rhysida Ransomware, Microsoft WSUS CVE-2025-59287, Unusual Processes
|
2026-05-13
|
|
Windows Office Product Spawned MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments, Compromised Windows Host
|
2026-05-13
|
|
Windows Office Product Loaded MSHTML Module
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, MuddyWater, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1131, Windows Event Log Defender 1129, Windows Event Log Defender 1133, Windows Event Log Defender 1126
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Spearphishing Attachments, APT37 Rustonotto and FadeStealer, Compromised Windows Host, AsyncRAT
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation, Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Hunting 3CXDesktopApp Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1195.002
|
Hunting
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4726, Windows Event Log System 4720
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
T1566.001
|
Anomaly
|
DarkGate Malware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1133
T1190
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Windows Phishing PDF File Executes URL Link
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
Anomaly
|
Spearphishing Attachments, MuddyWater, Snake Keylogger
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Compromised Windows Host
|
2026-05-13
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Data Protection
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4781, Windows Event Log Security 4768
|
T1078.002
|
Hunting
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
|
TTP
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Metasploit Confluence Plugin Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
T1608
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows Office Product Dropped Uncommon File
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
Warzone RAT, CVE-2023-21716 Word RTF Heap Corruption, FIN7, PlugX, Compromised Windows Host, AgentTesla
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
T1200
|
Anomaly
|
Scattered Lapsus$ Hunters, Data Destruction, AwfulShred
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1133
T1190
|
TTP
|
Hellcat Ransomware, MOVEit Transfer Critical Vulnerability
|
2026-05-13
|
|
Shai-Hulud 2 Exfiltration Artifact Files
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1074.001
T1195.002
T1552.001
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
Warzone RAT, Spearphishing Attachments, Brute Ratel C4, Azorult, APT37 Rustonotto and FadeStealer, IcedID, AgentTesla, Remcos, Amadey, Qakbot, Gozi Malware
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Unusual File Creation in Confluence Directory
|
Sysmon EventID 11
|
T1190
T1608.001
T1608.002
|
Anomaly
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1125, Windows Event Log Defender 1134, Windows Event Log Defender 1121, Windows Event Log Defender 5007, Windows Event Log Defender 1131, Windows Event Log Defender 1129, Windows Event Log Defender 1133, Windows Event Log Defender 1126, Windows Event Log Defender 1122
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Cisco NVM - Webserver Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1105
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Ivanti Sentry Authentication Bypass
|
Suricata
|
T1190
|
TTP
|
Ivanti Sentry Authentication Bypass CVE-2023-38035
|
2026-05-13
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Hunting for Log4Shell
|
Nginx Access
|
T1133
T1190
|
Hunting
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows IIS Server PSWA Console Access
|
Windows IIS
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
Zscaler Exploit Threat Blocked
|
|
T1566
|
TTP
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Zscaler Malware Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Web Remote ShellServlet Access
|
Nginx Access
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Zscaler Behavior Analysis Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
SAP NetWeaver Visual Composer Exploitation Attempt
|
Suricata
|
T1190
|
Hunting
|
SAP NetWeaver Exploitation
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
T1133
T1190
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
JetBrains TeamCity Authentication Bypass CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Zscaler Phishing Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats, Hellcat Ransomware
|
2026-05-13
|
|
Tomcat Session Deserialization Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Zscaler Scam Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Cisco IOS XE Implant Access
|
Suricata
|
T1190
|
TTP
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
2026-05-13
|
|
Zscaler Virus Download threat blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Zscaler Potentially Abused File Download
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Adobe ColdFusion Access Control Bypass
|
Suricata
|
T1190
|
Anomaly
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-05-13
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1059
T1105
T1190
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-05-13
|
|
Adobe ColdFusion Unauthenticated Arbitrary File Read
|
Suricata
|
T1190
|
Anomaly
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-05-13
|
|
Zscaler Employment Search Web Activity
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
HTTP Duplicated Header
|
Suricata
|
T1071.001
T1190
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
Ivanti EPM SQL Injection Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Ivanti EPM Vulnerabilities
|
2026-05-13
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Ivanti Connect Secure Command Injection Attempts
|
Suricata
|
T1190
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2026-05-13
|
|
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
|
Suricata
|
T1190
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Ivanti Connect Secure SSRF in SAML Component
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities
|
2026-05-13
|
|
Supernova Webshell
|
|
T1133
T1505.003
|
TTP
|
NOBELIUM Group, Earth Alux, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1133
T1190
|
TTP
|
ProxyNotShell, BlackByte Ransomware, Seashell Blizzard, ProxyShell
|
2026-05-13
|
|
JetBrains TeamCity RCE Attempt
|
Suricata
|
T1190
|
TTP
|
CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
T1133
T1190
|
Correlation
|
ProxyNotShell, Seashell Blizzard, ProxyShell
|
2026-05-13
|
|
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
T1133
T1190
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
T1082
T1133
|
TTP
|
SamSam Ransomware, JBoss Vulnerability
|
2026-05-13
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
WS FTP Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
WS FTP Server Critical Vulnerabilities
|
2026-05-13
|
|
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
|
Suricata
|
T1190
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2026-05-13
|
|
Zscaler Privacy Risk Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1068
T1133
T1190
T1210
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Nginx ConnectWise ScreenConnect Authentication Bypass
|
Nginx Access
|
T1190
|
TTP
|
Hellcat Ransomware, Scattered Lapsus$ Hunters, Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
Tomcat Session File Upload Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Detect F5 TMUI RCE CVE-2020-5902
|
|
T1190
|
TTP
|
F5 TMUI RCE CVE-2020-5902
|
2026-05-13
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2026-05-13
|
|
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
|
Suricata
|
T1190
|
Anomaly
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-05-13
|
|
SQL Injection with Long URLs
|
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Injection
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Zscaler CryptoMiner Downloaded Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Windows SharePoint ToolPane Endpoint Exploitation Attempt
|
Suricata
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
HTTP Request to Reserved Name on IIS Server
|
Suricata
|
T1071.001
T1190
|
TTP
|
HTTP Request Smuggling
|
2026-05-13
|
|
Confluence CVE-2023-22515 Trigger Vulnerability
|
Suricata
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Jenkins Arbitrary File Read CVE-2024-23897
|
Nginx Access
|
T1190
|
TTP
|
Hellcat Ransomware, Jenkins Server Vulnerabilities
|
2026-05-13
|
|
Citrix ADC Exploitation CVE-2023-3519
|
Palo Alto Network Threat
|
T1190
|
Hunting
|
CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519
|
2026-05-13
|
|
Confluence Data Center and Server Privilege Escalation
|
Nginx Access
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
Fortinet FortiNAC CVE-2022-39952, Hellcat Ransomware
|
2026-05-13
|
|
Ivanti Connect Secure System Information Access via Auth Bypass
|
Suricata
|
T1190
|
Anomaly
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2026-05-13
|
|
Citrix ShareFile Exploitation CVE-2023-24489
|
Suricata
|
T1190
|
Hunting
|
Citrix ShareFile RCE CVE-2023-24489
|
2026-05-13
|
|
Java Class File download by Java User Agent
|
Splunk Stream HTTP
|
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
T1133
T1190
T1505.003
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2026-05-13
|
|
Citrix ADC and Gateway Unauthorized Data Disclosure
|
Suricata
|
T1190
|
TTP
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
T1133
T1190
T1505
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities, Atlassian Confluence Server and Data Center CVE-2022-26134
|
2026-05-13
|
|
CrushFTP Authentication Bypass Exploitation
|
CrushFTP
|
T1059.001
T1059.003
T1190
|
TTP
|
Hellcat Ransomware, CrushFTP Vulnerabilities
|
2026-05-13
|
|
Zscaler Adware Activities Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
HTTP Rapid POST with Mixed Status Codes
|
Nginx Access
|
T1071.001
T1190
T1595
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
Web JSP Request via URL
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Earth Alux, Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
ConnectWise ScreenConnect Authentication Bypass
|
Suricata
|
T1190
|
TTP
|
Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
WordPress Bricks Builder plugin RCE
|
Nginx Access
|
T1190
|
TTP
|
Hellcat Ransomware, WordPress Vulnerabilities
|
2026-05-13
|
|
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
Hellcat Ransomware, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
T1133
T1190
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Zscaler Legal Liability Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
T1133
T1190
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
T1190
|
TTP
|
Hellcat Ransomware, Scattered Lapsus$ Hunters, Ivanti Virtual Traffic Manager CVE-2024-7593
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Email Attachments With Lots Of Spaces
|
|
T1036.008
T1566.001
|
Anomaly
|
Hermetic Wiper, Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Ollama Possible RCE via Model Loading
|
Ollama Server
|
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion
|
2026-05-13
|
|
Suspicious Java Classes
|
|
T1190
|
Anomaly
|
Apache Struts Vulnerability
|
2026-05-13
|
|
Ollama Suspicious Prompt Injection Jailbreak
|
Ollama Server
|
T1059
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Suspicious Email Attachment Extensions
|
|
T1566.001
|
Anomaly
|
Hermetic Wiper, Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
CrushFTP Server Side Template Injection
|
CrushFTP
|
T1190
|
TTP
|
Hellcat Ransomware, CrushFTP Vulnerabilities
|
2026-05-13
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
O365 ZAP Activity Detection
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
O365 Email Reported By User Found Malicious
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2026-05-13
|
|
GitHub Organizations Disable Dependabot
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
GitHub Enterprise Disable IP Allow List
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
GitHub Organizations Repository Archived
|
GitHub Organizations Audit Logs
|
T1195
T1485
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
NOBELIUM Group, Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GitHub Organizations Delete Branch Ruleset
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
GitHub Enterprise Register Self Hosted Runner
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
T1528
T1566.002
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Repository Deleted
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
O365 Safe Links Detection
|
Office 365 Universal Audit Log
|
T1566.001
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Delete Branch Ruleset
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Gdrive suspicious file sharing
|
|
T1566
|
Hunting
|
Data Exfiltration, Spearphishing Attachments, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
GitHub Organizations Disable 2FA Requirement
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
GitHub Organizations Disable Classic Branch Protection Rule
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoginFailed, O365 UserLoggedIn
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Modify Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Dependabot
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
GitHub Enterprise Pause Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Classic Branch Protection Rule
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Threat Intelligence Suspicious Email Delivered
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
GitHub Organizations Repository Deleted
|
GitHub Organizations Audit Logs
|
T1195
T1485
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
O365 Email Reported By Admin Found Malicious
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2026-05-13
|
|
GitHub Enterprise Remove Organization
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Gsuite suspicious calendar invite
|
|
T1566
|
Hunting
|
Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Disable 2FA Requirement
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
GitHub Enterprise Repository Archived
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Correlation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation
|
2026-05-13
|
|
Cisco SD-WAN - Peering Activity
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - React Server Components RCE Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Detect ARP Poisoning
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Smart Install Oversized Packet Detection
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Smart Install Port Discovery and Status
|
Splunk Stream TCP
|
T1190
|
TTP
|
Scattered Lapsus$ Hunters, Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
|
Cisco SD-WAN Service Proxy Access Logs
|
T1190
|
TTP
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco SD-WAN - Low Frequency Rogue Peer
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Anomaly
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Detect Zerologon via Zeek
|
|
T1190
|
TTP
|
Rhysida Ransomware, Black Basta Ransomware, Detect Zerologon Attack
|
2026-05-13
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388
|
2026-05-13
|
|
Cisco Secure Firewall - Static Tundra Smart Install Abuse
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1499
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Detect Rogue DHCP Server
|
Cisco IOS Logs
|
T1200
T1498
T1557
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Detect Port Security Violation
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
T1189
|
TTP
|
Suspicious DNS Traffic, Dynamic DNS, Command And Control, Data Protection, Prohibited Traffic Allowed or Protocol Mismatch, DNS Hijacking
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation
|
2026-05-13
|
|
Detect Traffic Mirroring
|
Cisco IOS Logs
|
T1020.001
T1200
T1498
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
|
2026-05-13
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
T1566.001
|
Hunting
|
Spearphishing Attachments, MuddyWater, AsyncRAT
|
2026-05-13
|
|
Detect IPv6 Network Infrastructure Threats
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Outbound LDAP Traffic
|
Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event
|
T1059
T1190
|
Hunting
|
Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics, Log4Shell CVE-2021-44228
|
2026-05-13
|
