SSE Content

SSE has 800+ detections. Consult the list below for the full set of content.

  • 7Zip Commandline To SMB Share Path
  • AWS Create Policy Version To Allow All Resources
  • AWS Createaccesskey
  • AWS Createloginprofile
  • AWS Cross Account Activity From Previously Unseen Account
  • AWS Detect Attach To Role Policy
  • AWS Detect Permanent Key Creation
  • AWS Detect Role Creation
  • AWS Detect Sts Assume Role Abuse
  • AWS Detect Sts Get Session Token Abuse
  • AWS Detect Users Creating Keys With Encrypt Policy Without MFA
  • AWS Detect Users With Kms Keys Performing Encryption S3
  • AWS Ecr Container Scanning Findings High
  • AWS Ecr Container Scanning Findings Low Informational Unknown
  • AWS Ecr Container Scanning Findings Medium
  • AWS Ecr Container Upload Outside Business Hours
  • AWS Ecr Container Upload Unknown User
  • AWS Excessive Security Scanning
  • AWS Iam Accessdenied Discovery Events
  • AWS Iam Assume Role Policy Brute Force
  • AWS Iam Delete Policy
  • AWS Iam Failure Group Deletion
  • AWS Iam Successful Group Deletion
  • AWS Network Access Control List Created With All Open Ports
  • AWS Network Access Control List Deleted
  • AWS Saml Access By Provider User And Principal
  • AWS Saml Update Identity Provider
  • AWS Setdefaultpolicyversion
  • AWS Updateloginprofile
  • Abnormally High Number Of Cloud Infrastructure API Calls
  • Abnormally High Number Of Cloud Instances Destroyed
  • Abnormally High Number Of Cloud Instances Launched
  • Abnormally High Number Of Cloud Security Group API Calls
  • Abnormally High Number of Endpoint Changes By User
  • Abnormally High Number of HTTP Method Events By Src
  • Access LSASS Memory For Dump Creation
  • Access to In-Scope Unencrypted Resources
  • Access to In-scope Resources
  • Account Compromise with Suspicious Internal Activity
  • Account Compromised followed by Exfiltration
  • Account Deleted
  • Account Discovery With Net App
  • Activity from Expired User Identity
  • Activity from Expired User Identity - on Category
  • Add Defaultuser And Password In Registry
  • Adsisearcher Account Discovery
  • Aggregate Risky Events
  • Allow File And Printing Sharing In Firewall
  • Allow Inbound Traffic By Firewall Rule Registry
  • Allow Inbound Traffic In Firewall Rule
  • Allow Network Discovery In Firewall
  • Allow Operation With Consent Admin
  • Amazon EKS Kubernetes Cluster Scan Detection
  • Amazon EKS Kubernetes Pod Scan Detection
  • Anomalous Audit Trail Activity Detected
  • Anomalous New Listening Port
  • Anomalous New Process
  • Anomalous New Service
  • Anomalous Usage Of 7Zip
  • Any Powershell Downloadfile
  • Any Powershell Downloadstring
  • Asset Ownership Unspecified
  • Attacker Tools On Endpoint
  • Attempt To Add Certificate To Untrusted Store
  • Attempt To Stop Security Service
  • Attempted Credential Dump From Registry Via Reg Exe
  • Auditing Overview of Data Processing Systems (Glass Table)
  • Authentication Against a New Domain Controller
  • Auto Admin Logon Registry Entry
  • Basic Brute Force Detection
  • Basic Dynamic DNS Detection
  • Basic Malware Outbreak
  • Basic Scanning
  • Basic TOR Traffic Detection
  • Batch File Write To System32
  • Bcdedit Command Back To Normal Mode Boot
  • Bcdedit Failure Recovery Modification
  • Bits Job Persistence
  • Bitsadmin Download File
  • Blacklisted Application
  • Blacklisted Domain
  • Blacklisted IP Address
  • Brute Force
  • Brute Force Access Behavior Detected
  • Brute Force Access Behavior Detected - Against Category
  • Brute Force Access Behavior Detected Over One Day
  • Brute Force Access Behavior Detected Over One Day - Against Category
  • Brute Force Attack
  • Building a Departmental Peer Group
  • COVID-19 Indicator Check
  • Certutil Download With Urlcache And Split Arguments
  • Certutil Download With Verifyctl And Split Arguments
  • Certutil Exe Certificate Extraction
  • Certutil With Decode Argument
  • Change To Safe Mode With Network Config
  • Chcp Command Execution
  • Check Elevated Cmd Using Whoami
  • Child Processes Of Spoolsv Exe
  • Circle Ci Disable Security Job
  • Circle Ci Disable Security Step
  • Clear Unallocated Sector Using Cipher App
  • Cleartext Password At Rest Detected
  • Clop Common Exec Parameter
  • Clop Ransomware Known Service Name
  • Cloud API Calls From Previously Unseen User Roles
  • Cloud APIs Called More Often Than Usual Per User
  • Cloud Compute Instance Created By Previously Unseen User
  • Cloud Compute Instance Created In Previously Unused Region
  • Cloud Compute Instance Created With Previously Unseen Image
  • Cloud Compute Instance Created With Previously Unseen Instance Type
  • Cloud Instance Modified By Previously Unseen User
  • Cloud Provisioning Activity From Previously Unseen City
  • Cloud Provisioning Activity From Previously Unseen Country
  • Cloud Provisioning Activity From Previously Unseen IP Address
  • Cloud Provisioning Activity From Previously Unseen Region
  • Cloud Provisioning Activity from Unusual Country
  • Cloud Provisioning Activity from Unusual IP
  • Cmd Echo Pipe - Escalation
  • Cmdline Tool Not Executed In Cmd Shell
  • Cmlua Or Cmstplua Uac Bypass
  • Cobalt Strike Named Pipes
  • Common Filename Launched from New Path
  • Common Ransomware Extensions
  • Common Ransomware Notes
  • Completely Inactive Account
  • Compromised Account
  • Compromised Web Server
  • Concentration of Attacker Tools by Filename
  • Concentration of Attacker Tools by SHA1 Hash
  • Concentration of Discovery Tools by Filename
  • Concentration of Discovery Tools by SHA1 Hash
  • Concurrent Login Attempts Detected
  • Connection to New Domain
  • Conti Common Exec Parameter
  • Control Loading From World Writable Directory
  • Correlation By Repository And Risk
  • Correlation By User And Risk
  • Create Local Admin Accounts Using Net Exe
  • Create Or Delete Windows Shares Using Net Exe
  • Create Remote Thread In Shell Application
  • Create Remote Thread Into LSASS
  • Create Service In Suspicious File Path
  • Creation Of LSASS Dump With Taskmgr
  • Creation Of Shadow Copy
  • Creation Of Shadow Copy With Wmic And Powershell
  • Credential Dumping Via Copy Command From Shadow Copy
  • Credential Dumping Via Symlink To Shadow Copy
  • Credentials In File Detected
  • DNS Exfiltration Using Nslookup App
  • DNS Query Length Outliers - MLTK
  • DNS Query Length With High Standard Deviation
  • Data Exfiltration after Account Takeover, High
  • Data Exfiltration after Account Takeover, Medium
  • Data Exfiltration after Data Staging
  • Data Exfiltration by suspicious user or device
  • Data Staging
  • Default Account Activity Detected
  • Default Account At Rest Detected
  • Delete Shadowcopy With Powershell
  • Deleting Of Net Users
  • Deleting Shadow Copies
  • Detect AWS Console Login By New User
  • Detect AWS Console Login By User From New City
  • Detect AWS Console Login By User From New Country
  • Detect AWS Console Login By User From New Region
  • Detect Activity Related To Pass The Hash Attacks
  • Detect Arp Poisoning
  • Detect Attackers Scanning For Vulnerable Jboss Servers
  • Detect Azurehound Command-Line Arguments
  • Detect Azurehound File Modifications
  • Detect Baron Samedit Cve-2021-3156
  • Detect Baron Samedit Cve-2021-3156 Segfault
  • Detect Baron Samedit Cve-2021-3156 Via Osquery
  • Detect Computer Changed With Anonymous Account
  • Detect Copy Of Shadowcopy With Script Block Logging
  • Detect Credential Dumping Through LSASS Access
  • Detect Credit Card Numbers using Luhn Algorithm
  • Detect Empire With Powershell Script Block Logging
  • Detect Excessive Account Lockouts From Endpoint
  • Detect Excessive User Account Lockouts
  • Detect Exchange Web Shell
  • Detect F5 Tmui RCE Cve-2020-5902
  • Detect GCP Storage Access From A New IP
  • Detect Hosts Connecting To Dynamic Domain Providers
  • Detect Html Help Renamed
  • Detect Html Help Spawn Child Process
  • Detect Html Help Url In Command Line
  • Detect Html Help Using Infotech Storage Handlers
  • Detect Ipv6 Network Infrastructure Threats
  • Detect Journal Clearing
  • Detect Large Outbound ICMP Packets
  • Detect Lateral Movement With WMI
  • Detect Log Clearing With wevtutil
  • Detect Malicious Requests To Exploit Jboss Servers
  • Detect Many Unauthorized Access Attempts
  • Detect Mimikatz Using Loaded Images
  • Detect Mimikatz With Powershell Script Block Logging
  • Detect Mshta Inline Hta Execution
  • Detect Mshta Renamed
  • Detect Mshta Url In Command Line
  • Detect New Local Admin Account
  • Detect New Login Attempts To Routers
  • Detect New Open GCP Storage Buckets
  • Detect New Open S3 Buckets
  • Detect New Open S3 Buckets Over AWS Cli
  • Detect Outbound SMB Traffic
  • Detect Outlook Exe Writing A Zip File
  • Detect Path Interception By Creation Of Program Exe
  • Detect Port Security Violation
  • Detect Processes Used For System Network Configuration Discovery
  • Detect Prohibited Applications Spawning Cmd Exe
  • Detect Psexec With Accepteula Flag
  • Detect Rare Executables
  • Detect Rclone Command-Line Usage
  • Detect Regasm Spawning A Process
  • Detect Regasm With Network Connection
  • Detect Regasm With No Command Line Arguments
  • Detect Regsvcs Spawning A Process
  • Detect Regsvcs With Network Connection
  • Detect Regsvcs With No Command Line Arguments
  • Detect Regsvr32 Application Control Bypass
  • Detect Renamed 7-Zip
  • Detect Renamed Psexec
  • Detect Renamed Rclone
  • Detect Renamed Winrar
  • Detect Rogue DHCP Server
  • Detect Rundll32 Application Control Bypass - Advpack
  • Detect Rundll32 Application Control Bypass - Setupapi
  • Detect Rundll32 Application Control Bypass - Syssetup
  • Detect Rundll32 Inline Hta Execution
  • Detect S3 Access From A New IP
  • Detect Shared EC2 Snapshot
  • Detect Sharphound Command-Line Arguments
  • Detect Sharphound File Modifications
  • Detect Sharphound Usage
  • Detect Snicat Sni Exfiltration
  • Detect Software Download To Network Device
  • Detect Spike In AWS Security Hub Alerts For EC2 Instance
  • Detect Spike In AWS Security Hub Alerts For User
  • Detect Spike In Blocked Outbound Traffic From Your AWS
  • Detect Spike In S3 Bucket Deletion
  • Detect Traffic Mirroring
  • Detect Unauthorized Assets By MAC Address
  • Detect Use Of Cmd Exe To Launch Script Interpreters
  • Detect WMI Event Subscription Persistence
  • Detect Windows DNS Sigred Via Splunk Stream
  • Detect Windows DNS Sigred Via Zeek
  • Detect Zerologon Via Zeek
  • Detection Of Tools Built By Nirsoft
  • Disable Amsi Through Registry
  • Disable Etw Through Registry
  • Disable Logs Using Wevtutil
  • Disable Registry Tool
  • Disable Show Hidden Files
  • Disable Windows App Hotkeys
  • Disable Windows Behavior Monitoring
  • Disable Windows Smartscreen Protection
  • Disabled Update Service
  • Disabling Cmd Application
  • Disabling Controlpanel
  • Disabling Firewall With Netsh
  • Disabling Folderoptions Windows Feature
  • Disabling Net User Account
  • Disabling Norun Windows App
  • Disabling Remote User Account Control
  • Disabling Systemrestore In Registry
  • Disabling Task Manager
  • Dllhost With No Command Line Arguments With Network
  • Domain Account Discovery With Dsquery
  • Domain Account Discovery With Net App
  • Domain Account Discovery With Wmic
  • Domain Controller Discovery With Nltest
  • Domain Controller Discovery With Wmic
  • Domain Group Discovery With Adsisearcher
  • Domain Group Discovery With Dsquery
  • Domain Group Discovery With Net
  • Domain Group Discovery With Wmic
  • Download Files Using Telegram
  • Download from Internal Server
  • Drop Icedid License Dat
  • Dsquery Domain Discovery
  • Dump LSASS Via Comsvcs DLL
  • Dump LSASS Via Procdump
  • EC2 Instance Isolation
  • Elevated Group Discovery With Net
  • Elevated Group Discovery With Powerview
  • Elevated Group Discovery With Wmic
  • Email Attachments With Lots Of Spaces
  • Email Files Written Outside Of The Outlook Directory
  • Email Servers Sending High Volume Traffic To Hosts
  • Emails from Outside the Organization with Company Domains
  • Emails with Lookalike Domains
  • Enable Rdp In Other Port Number
  • Endpoint Uncleaned Malware Detection
  • Enumerate Users Local Group Using Telegram
  • Esentutl Sam Copy
  • Eventvwr Uac Bypass
  • Excel Spawning Powershell
  • Excel Spawning Windows Script Host
  • Excessive Attempt To Disable Services
  • Excessive Box Downloads
  • Excessive DNS Queries
  • Excessive Data Printed
  • Excessive Data Transmission
  • Excessive Downloads via VPN
  • Excessive Failed Logins
  • Excessive HTTP Failure Responses
  • Excessive Number Of Distinct Processes Created In Windows Temp Folder
  • Excessive Number Of Service Control Start As Disabled
  • Excessive Number Of Taskhost Processes
  • Excessive Service Stop Attempt
  • Excessive Usage Of Cacls App
  • Excessive Usage Of Net App
  • Excessive Usage Of Nslookup App
  • Excessive Usage Of Sc Service Utility
  • Excessive Usage Of Taskkill
  • Exchange Powershell Abuse Via Ssrf
  • Exchange Powershell Module Usage
  • Executables Or Script Creation In Suspicious Path
  • Execute Javascript With Jscript Com Clsid
  • Execution Of File With Multiple Extensions
  • Exfiltration
  • Exfiltration after Account Compromise
  • Exfiltration after Infection
  • Exfiltration after Suspicious Internal Activity
  • Expected Host Not Reporting
  • Expected Host Not Reporting - in Category
  • External Alarm Activity
  • External Website Attack
  • Extraction Of Registry Hives
  • Failed Access by Disabled Badge
  • Failed Badge Accesses on Multiple Doors
  • Fake Windows Processes
  • Familiar Filename Launched with New Path on Host
  • File With Samsam Extension
  • Find Processes with Renamed Executables
  • Find Unusually Long CLI Commands
  • First Time Access to Jump Server for Peer Group
  • First Time Accessing an Internal Git Repository
  • First Time Accessing an Internal Git Repository Not Viewed by Peers
  • First Time Logon to New Server
  • First Time Seen Child Process Of Zoom
  • First Time Seen Running Windows Service
  • First Time USB Usage
  • Flight Risk Emailing
  • Flight Risk Printing
  • Flight Risk User
  • Flight Risk Web Browsing
  • Fodhelper Uac Bypass
  • Fsutil Zeroing File
  • GCP Detect Gcploit Framework
  • GCP Kubernetes Cluster Pod Scan Detection
  • Geographically Improbable Access (Physical access and VPN)
  • Geographically Improbable Access Detected
  • Geographically Improbable Access Detected against Category
  • Geographically Improbable Access Detected for Privileged Accounts
  • Get Addefaultdomainpasswordpolicy With Powershell
  • Get Addefaultdomainpasswordpolicy With Powershell Script Block
  • Get Aduser With Powershell
  • Get Aduser With Powershell Script Block
  • Get Aduserresultantpasswordpolicy With Powershell
  • Get Aduserresultantpasswordpolicy With Powershell Script Block
  • Get Domainpolicy With Powershell
  • Get Domainpolicy With Powershell Script Block
  • Get Domainuser With Powershell
  • Get Domainuser With Powershell Script Block
  • Get Wmiobject Group Discovery
  • Get Wmiobject Group Discovery With Script Block Logging
  • Get-Domaintrust With Powershell
  • Get-Domaintrust With Powershell Script Block
  • Get-Foresttrust With Powershell
  • Get-Foresttrust With Powershell Script Block
  • Getadcomputer With Powershell
  • Getadcomputer With Powershell Script Block
  • Getadgroup With Powershell
  • Getadgroup With Powershell Script Block
  • Getcurrent User With Powershell
  • Getcurrent User With Powershell Script Block
  • Getdomaincomputer With Powershell
  • Getdomaincomputer With Powershell Script Block
  • Getdomaincontroller With Powershell
  • Getdomaincontroller With Powershell Script Block
  • Getdomaingroup With Powershell
  • Getdomaingroup With Powershell Script Block
  • Getlocaluser With Powershell
  • Getlocaluser With Powershell Script Block
  • Getnettcpconnection With Powershell
  • Getnettcpconnection With Powershell Script Block
  • Getwmiobject Ds Computer With Powershell
  • Getwmiobject Ds Computer With Powershell Script Block
  • Getwmiobject Ds Group With Powershell
  • Getwmiobject Ds Group With Powershell Script Block
  • Getwmiobject Ds User With Powershell
  • Getwmiobject Ds User With Powershell Script Block
  • Getwmiobject User Account With Powershell
  • Getwmiobject User Account With Powershell Script Block
  • Github Commit Changes In Master
  • Github Commit In Develop
  • Github Dependabot Alert
  • Github Pull Request From Unknown User
  • Gpupdate With No Command Line Arguments With Network
  • Gsuite Drive Share In External Email
  • Gsuite Email Suspicious Attachment
  • Gsuite Email Suspicious Subject With Attachment
  • Gsuite Email With Known Abuse Web Service Link
  • Gsuite Outbound Email With Attachment To External Domain
  • Gsuite Suspicious Shared File Name
  • Healthcare Worker Opening More Patient Records Than Usual
  • Hide User Account From Sign-In Screen
  • Hiding Files And Directories With Attrib Exe
  • High File Deletion Frequency
  • High Number Of Infected Hosts
  • High Number Of Login Failures From A Single Source
  • High Number of Hosts Not Updating Malware Signatures
  • High Or Critical Priority Host With Malware Detected
  • High Process Count
  • High Process Termination Frequency
  • High Volume Email Activity to Non-corporate Domains by User
  • High Volume of Traffic from High or Critical Host Observed
  • High or Critical Priority Individual Logging into Infected Machine
  • High or critical risk NGFW application activity detected
  • Host Sending Excessive Email
  • Host With A Recurring Malware Infection
  • Host With High Number Of Listening ports
  • Host With High Number Of Services
  • Host With Multiple Infections
  • Host With Old Infection Or Potential Re-Infection
  • Hosts Receiving High Volume Of Network Traffic From Email Server
  • Hosts Sending To More Destinations Than Normal
  • Hosts Where Security Sources Go Quiet
  • Hosts with Varied and Future Timestamps
  • Hunting COVID Themed Attacks With IOCs
  • IP Investigate and Report
  • Icacls Deny Command
  • Icacls Grant Command
  • Icedid Exfiltrated Archived File Creation
  • Image From New Repository Detected
  • In-Scope Device with Outdated Anti-Malware Found
  • In-Scope System with Windows Update Disabled
  • Inactive Account Activity Detected
  • Increase in # of Hosts Logged into
  • Increase in Pages Printed
  • Increase in Source Code (Git) Downloads
  • Increase in Windows Privilege Escalations
  • Infected Host
  • Infection followed by Exfiltration
  • Insecure Or Cleartext Authentication Detected
  • Instance Created by Unusual User
  • Instance Modified by Unusual User
  • Integrating Threat Indicators with MISP and Splunk Enterprise Security
  • Investigate GDPR Breaches Using ES
  • Jscript Execution Using Cscript App
  • Kerberoasting Spn Request With RC4 Encryption
  • Known Services Killed By Ransomware
  • Kubernetes AWS Detect Suspicious Kubectl Calls
  • Kubernetes Nginx Ingress Lfi
  • Kubernetes Nginx Ingress Rfi
  • Kubernetes Scanner Image Pulling
  • Land Speed Violation
  • Large Volume Of DNS Any Queries
  • Large Web Upload
  • Lateral Movement
  • Local Account Creation
  • Local Account Discovery With Net
  • Local Account Discovery With Wmic
  • Machine Generated Beacon
  • Macos - Re-Opened Applications
  • Mailsniper Invoke Functions
  • Malicious AD Activity
  • Malicious Command Line Executions
  • Malicious Insider Containment
  • Malicious Powershell Executed As A Service
  • Malicious Powershell Process - Connect To Internet With Hidden Window
  • Malicious Powershell Process - Encoded Command
  • Malicious Powershell Process - Execution Policy Bypass
  • Malicious Powershell Process With Obfuscation Techniques
  • Malicious URI with Potential Malware
  • Malware
  • Malware Investigation
  • Many USB File Copies for User
  • Modification Of Wallpaper
  • Modify ACL Permission To Files Or Folder
  • Monitor AutoRun Registry Keys
  • Monitor Email For Brand Abuse
  • Monitor Registry Keys For Print Monitors
  • Monitor Successful Backups
  • Monitor Successful Windows Updates
  • Monitor Unsuccessful Backups
  • Monitor Unsuccessful Windows Updates
  • Monitor Web Traffic For Brand Abuse
  • Ms Scripting Process Loading Ldap Module
  • Ms Scripting Process Loading WMI Module
  • Mshta Spawning Rundll32 Or Regsvr32 Process
  • Mshtml Module Load In Office Product
  • Msmpeng Application DLL Side Loading
  • Multiple Account Deletion by an Administrator
  • Multiple Account Disabled by an Administrator
  • Multiple Account Passwords changed by an Administrator
  • Multiple Archive Files Http Post Traffic
  • Multiple Authentication Failures
  • Multiple Authentications
  • Multiple Badge Accesses
  • Multiple Box login errors
  • Multiple Box logins
  • Multiple Box operations
  • Multiple Disabled Users Failing To Authenticate From Host Using Kerberos
  • Multiple External Alarms
  • Multiple Failed Badge Access Attempts
  • Multiple Infections on Host
  • Multiple Invalid Users Failing To Authenticate From Host Using Kerberos
  • Multiple Invalid Users Failing To Authenticate From Host Using Ntlm
  • Multiple Login Errors
  • Multiple Logins
  • Multiple Okta Users With Invalid Credentials From The Same IP
  • Multiple Outgoing Connections
  • Multiple Primary Functions Detected
  • Multiple Users Attempting To Authenticate Using Explicit Credentials
  • Multiple Users Failing To Authenticate From Host Using Kerberos
  • Multiple Users Failing To Authenticate From Host Using Ntlm
  • Multiple Users Failing To Authenticate From Process
  • Multiple Users Remotely Failing To Authenticate From Host
  • Multiple failed badge attempts and unusual badge access time
  • Net Localgroup Discovery
  • Net Profiler Uac Bypass
  • Network Change Detected
  • Network Connection Discovery With Arp
  • Network Connection Discovery With Net
  • Network Connection Discovery With Netstat
  • Network Device Rebooted
  • Network Protocol Violation
  • New AD Domain Detected
  • New Application Accessing Salesforce.com API
  • New Cloud API Call Per Peer Group
  • New Cloud Provider for User
  • New Connection to In-Scope Device
  • New Container Uploaded To AWS Ecr
  • New Data Exfil DLP Alerts for User
  • New High Risk Event Types for Salesforce.com User
  • New IaaS API Call Per User
  • New Interactive Logon from a Service Account
  • New Local Admin Account
  • New Logon Type for User
  • New Parent Process for cmd.exe or regedit.exe
  • New RunAs Host / Privileged Account Combination
  • New Service Paths for Host
  • New Suspicious Executable Launch for User
  • New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch
  • New Tables Queried by Salesforce.com Peer Group
  • New Tables Queried by Salesforce.com User
  • New User Account Created On Multiple Hosts
  • New User Taking Privileged Actions
  • Nishang Powershelltcponeline
  • Nltest Domain Trust Discovery
  • No Windows Updates In A Time Frame
  • Non Chrome Process Accessing Chrome Default Dir
  • Non Firefox Process Access Firefox Profile Dir
  • Non-Privileged Users taking Privileged Actions
  • Ntdsutil Export Ntds
  • O365 Add App Role Assignment Grant User
  • O365 Added Service Principal
  • O365 Bypass MFA Via Trusted IP
  • O365 Disable MFA
  • O365 Excessive Authentication Failures Alert
  • O365 Excessive Sso Logon Errors
  • O365 New Federated Domain Added
  • O365 Pst Export Alert
  • O365 Suspicious Admin Email Forwarding
  • O365 Suspicious Rights Delegation
  • O365 Suspicious User Email Forwarding
  • Office Application Drop Executable
  • Office Application Spawn Regsvr32 Process
  • Office Application Spawn Rundll32 Process
  • Office Document Creating Schedule Task
  • Office Document Executing Macro Code
  • Office Document Spawned Child Process To Download
  • Office Product Spawn Cmd Process
  • Office Product Spawning Bitsadmin
  • Office Product Spawning Certutil
  • Office Product Spawning Mshta
  • Office Product Spawning Rundll32 With No DLL
  • Office Product Spawning Wmic
  • Office Product Writing Cab Or Inf
  • Office Spawning Control
  • Okta Account Lockout Events
  • Okta Failed Sso Attempts
  • Okta User Logins From Multiple Cities
  • Old Passwords in Use
  • Outbreak Detected
  • Outdated Malware Definitions
  • Overwriting Accessibility Binaries
  • Password Policy Discovery With Net
  • Period with Unusual Windows Security Event Sequences
  • Permission Modification Using Takeown App
  • Personally Identifiable Information Detected
  • Petitpotam Network Share Access Request
  • Petitpotam Suspicious Kerberos Tgt Request
  • Phishing Investigation and Response
  • Plain Http Post Exfiltrated Data
  • Possible Phishing Attempt
  • Potential Day Trading
  • Potential Flight Risk Exfiltration
  • Potential Flight Risk Staging
  • Potential Gap in Data
  • Potential Phishing Attack
  • Potential Webshell Activity
  • Powershell 4104 Hunting
  • Powershell Creating Thread Mutex
  • Powershell Disable Security Monitoring
  • Powershell Domain Enumeration
  • Powershell Enable Smb1Protocol Feature
  • Powershell Execute Com Object
  • Powershell Fileless Process Injection Via Getprocaddress
  • Powershell Fileless Script Contains Base64 Encoded Content
  • Powershell Get Localgroup Discovery
  • Powershell Get Localgroup Discovery With Script Block Logging
  • Powershell Loading Dotnet Into Memory Via System Reflection Assembly
  • Powershell Processing Stream Of Data
  • Powershell Remote Thread To Known Windows Process
  • Powershell Start-Bitstransfer
  • Powershell Using Memory As Backing Store
  • Prevent Automatic Repair Mode Using Bcdedit
  • Print Spooler Adding A Printer Driver
  • Print Spooler Failed To Load A Plug-In
  • Privilege Escalation after Powershell Activity
  • Process Creating Lnk File In Suspicious Location
  • Process Deleting Its Process File Path
  • Process Execution Via WMI
  • Process Kill Base On File Path
  • Processes Launching Netsh
  • Processes Tapping Keyboard Events
  • Processes with High Entropy Names
  • Processes with Lookalike (typo) Filenames
  • Prohibited Network Traffic Allowed
  • Prohibited Port Activity Detected
  • Prohibited Process Detected
  • Prohibited Service Detected
  • Prompt and Block Domain
  • Protocol Or Port Mismatch
  • Protocols Passing Authentication In Cleartext
  • Public Cloud Storage (Bucket)
  • Public facing Website Attack
  • Pull List of Privileged Users
  • RFC1918 IP Not in CMDB
  • Ransomware Extensions
  • Ransomware Investigate and Contain
  • Ransomware Note Files
  • Ransomware Notes Bulk Creation
  • Ransomware Vulnerabilities
  • Recon Avproduct Through Pwh Or WMI
  • Recon Using WMI Class
  • Recurring Infection on Host
  • Recursive Delete Of Directory In Batch Cmd
  • Reg Exe Manipulating Windows Services Registry Keys
  • Registry Keys For Creating Shim Databases
  • Registry Keys Used For Persistence
  • Registry Keys Used For Privilege Escalation
  • Remcos Rat File Creation In Remcos Folder
  • Remote Account Takeover
  • Remote Desktop Network Bruteforce
  • Remote Desktop Network Traffic
  • Remote Desktop Process Running On System
  • Remote PowerShell Launches
  • Remote Process Instantiation Via WMI
  • Remote System Discovery With Adsisearcher
  • Remote System Discovery With Dsquery
  • Remote System Discovery With Net
  • Remote System Discovery With Wmic
  • Remote WMI Command Attempt
  • Resize Shadowstorage Volume
  • Revil Common Exec Parameter
  • Revil Registry Entry
  • Risky Events from Privileged Users
  • Rundll Loading DLL By Ordinal
  • Rundll32 Control Rundll Hunt
  • Rundll32 Control Rundll World Writable Directory
  • Rundll32 Create Remote Thread To A Process
  • Rundll32 Createremotethread In Browser
  • Rundll32 Dnsquery
  • Rundll32 Process Creating Exe DLL Files
  • Rundll32 With No Command Line Arguments With Network
  • Ryuk Test Files Detected
  • Ryuk Wake On Lan Command
  • SFDC Suspicious volume of records accessed
  • SMB Traffic Allowed
  • SMB Traffic Spike
  • SMB Traffic Spike - MLTK
  • Sam Database File Access Attempt
  • Same Error On Many Servers Detected
  • Samsam Test File Write
  • Sc Exe Manipulating Windows Services
  • Scanning Activity
  • Schcache Change By App Connect And Create Adsi Object
  • Schedule Task With Http Command Arguments
  • Schedule Task With Rundll32 Command Trigger
  • Scheduled Task Deleted Or Created Via Cmd
  • Schtasks Run Task On Demand
  • Schtasks Scheduling Job On Remote System
  • Schtasks Used For Forcing A Reboot
  • Script Execution Via WMI
  • Sdclt Uac Bypass
  • Searchprotocolhost With No Command Line With Network
  • Secretdumps Offline Ntds Dumping Tool
  • Sensitive Kubernetes Mount Pod Detected
  • Service Account Login
  • Services Escalate Exe
  • Set Default Powershell Execution Policy To Unrestricted Or Bypass
  • Shim Database File Creation
  • Shim Database Installation With Suspicious Parameters
  • Short Lived Admin Accounts
  • Short Lived Windows Accounts
  • Short-lived Account Detected
  • Significant Increase in Interactive Logons
  • Significant Increase in Interactively Logged On Users
  • Silentcleanup Uac Bypass
  • Single Letter Process On Endpoint
  • Slui Runas Elevated
  • Slui Spawning A Process
  • Sources Sending Many DNS Requests
  • Sources Sending a High Volume of DNS Traffic
  • Spike In File Writes
  • Spike in Downloaded Documents Per User from Salesforce.com
  • Spike in Exported Records from Salesforce.com
  • Spike in Password Reset Emails
  • Spike in SMB Traffic
  • Spoolsv Spawning Rundll32
  • Spoolsv Suspicious Loaded Modules
  • Spoolsv Suspicious Process Access
  • Spoolsv Writing A DLL
  • Spoolsv Writing A DLL - Sysmon
  • Sql Injection With Long Urls
  • Sqlite Module In Temp Folder
  • Stale Account Usage
  • Start Up During Safe Mode Boot
  • Substantial Increase In Events
  • Substantial Increase In Port Activity
  • Successful Login of Account for Former Employee
  • Sunburst Correlation DLL And Network Event
  • Supernova Webshell
  • Suspicious Account Activity
  • Suspicious Account Lockout
  • Suspicious Activity After Intrusion
  • Suspicious Badge Activity
  • Suspicious Behavior
  • Suspicious Box Usage
  • Suspicious Container Image Name
  • Suspicious Curl Network Connection
  • Suspicious Data Collection
  • Suspicious Data Movement
  • Suspicious Dllhost No Command Line Arguments
  • Suspicious Domain Communication
  • Suspicious Domain Communication followed by Malware Activity
  • Suspicious Domain Name
  • Suspicious Driver Loaded Path
  • Suspicious Email - UBA Anomaly
  • Suspicious Email Attachment Extensions
  • Suspicious Event Log Service Behavior
  • Suspicious External Alarm Activity
  • Suspicious Gpupdate No Command Line Arguments
  • Suspicious HTTP Redirects
  • Suspicious HTTP Redirects followed by Suspected Infection
  • Suspicious IP Address Communication
  • Suspicious Icedid Regsvr32 Cmdline
  • Suspicious Icedid Rundll32 Cmdline
  • Suspicious Image Creation In Appdata Folder
  • Suspicious Java Classes
  • Suspicious Microsoft Workflow Compiler Rename
  • Suspicious Microsoft Workflow Compiler Usage
  • Suspicious Msbuild Path
  • Suspicious Msbuild Rename
  • Suspicious Msbuild Spawn
  • Suspicious Mshta Child Process
  • Suspicious Mshta Spawn
  • Suspicious Network Connection
  • Suspicious Network Exploration
  • Suspicious New Access
  • Suspicious Plistbuddy Usage
  • Suspicious Plistbuddy Usage Via Osquery
  • Suspicious Powershell Activity
  • Suspicious Privilege Escalation
  • Suspicious Process File Path
  • Suspicious Reg Exe Process
  • Suspicious Regsvr32 Register Suspicious Path
  • Suspicious Rundll32 Dllregisterserver
  • Suspicious Rundll32 No Command Line Arguments
  • Suspicious Rundll32 Plugininit
  • Suspicious Rundll32 Rename
  • Suspicious Rundll32 Startw
  • Suspicious Scheduled Task From Public Directory
  • Suspicious Searchprotocolhost No Command Line Arguments
  • Suspicious Sqlite3 Lsquarantine Behavior
  • Suspicious URL Communications and Redirects
  • Suspicious Wav File In Appdata Folder
  • Suspicious Wevtutil Usage
  • Suspicious Writes To Windows Recycle Bin
  • System Information Discovery Detection
  • System Processes Run From Unexpected Locations
  • System User Discovery With Query
  • System User Discovery With Whoami
  • Threat Activity Detected
  • Threat Hunting
  • Tor Traffic
  • Trickbot Named Pipe
  • USB storage attached an unusually high number of times
  • Uac Bypass Mmc Load Unsigned DLL
  • Uac Bypass With Colorui Com Object
  • Unauthorized Connection Through Firewall
  • Unified Messaging Service Spawning A Process
  • Uninstall App Using Msiexec
  • Unload Sysmon Filter Driver
  • Unloading Amsi Via Reflection
  • Unrouteable Activity Detected
  • Untriaged Notable Events
  • Unusual Activity Time
  • Unusual Badge Reader Access
  • Unusual Child Process for spoolsv.exe or connhost.exe
  • Unusual Cloud Regions
  • Unusual Cloud Storage Deletions
  • Unusual Cloud Storage Downloads
  • Unusual External Alarm
  • Unusual File Extension
  • Unusual Geolocation of Communication Destination
  • Unusual Machine Access
  • Unusual Network Activity
  • Unusual Number of Modifications to Cloud ACLs
  • Unusual Printer Usage
  • Unusual Time of Badge Access
  • Unusual USB Activity
  • Unusual USB Device Plugged In
  • Unusual VPN Login Geolocation
  • Unusual Volume of Network Activity
  • Unusual Web Browser
  • Unusual Windows Security Event (Unusual - Event Code, Process, Directory, LoginType, ReturnCode, Domain)
  • Unusually Long Command Line
  • Unusually Long Command Line - MLTK
  • Unusually Long Content-Type Length
  • Unusually Long VPN Session
  • User Discovery With Env Vars Powershell
  • User Discovery With Env Vars Powershell Script Block
  • User Finding Project Code Names from Many Departments
  • User Has Access to In-Scope Splunk Indexes They Should Not
  • User Logged into In-Scope System They Should Not Have
  • User Login to Unauthorized Geo
  • User Login with Local Credentials
  • User with Increase in Outgoing Email
  • User with Many DLP Events
  • Usn Journal Deletion
  • Vulnerability Scanner Detected (by events)
  • Vulnerability Scanner Detected (by targets)
  • W3Wp Spawning Shell
  • WMI Permanent Event Subscription
  • WMI Permanent Event Subscription - Sysmon
  • WMI Recon Running Process Or Services
  • WMI Temporary Event Subscription
  • Watchlisted Event Observed
  • Watering Hole Infection
  • Wbadmin Delete System Backups
  • Wbemprox Com Object Execution
  • Web Browsing to Unauthorized Sites
  • Web Servers Executing Suspicious Processes
  • Web Site Compromised (Webshell)
  • Web Uploads to Non-corporate Sites by Users
  • Wermgr Process Connecting To IP Check Web Services
  • Wermgr Process Create Executable File
  • Wermgr Process Spawned Cmd Or Powershell Process
  • Windows Adfind Exe
  • Windows Disableantispyware Registry
  • Windows Event Log Cleared
  • Windows Event Log Clearing Events
  • Windows Security Account Manager Stopped
  • Winevent Scheduled Task Created To Spawn Shell
  • Winevent Scheduled Task Created Within Public Path
  • Winrm Spawning A Process
  • Winword Spawning Cmd
  • Winword Spawning Powershell
  • Winword Spawning Windows Script Host
  • Wmic Group Discovery
  • Write Executable In SMB Share
  • Wsreset Uac Bypass
  • Xmrig Driver Loaded
  • Xsl Script Execution With Wmic