Navigation : Release Notes User Guides Data Onboarding Guides Features SSE Content - Access to In-Scope Unencrypted Resources - Access to In-scope Resources - Activity from Expired User Identity - on Category - Aggregate Risky Events - Authentication Against a New Domain Controller - Basic Brute Force Detection - Basic Dynamic DNS Detection - Basic Malware Outbreak - Basic Scanning - Basic TOR Traffic Detection - Brute Force Access Behavior Detected - Against Category - Brute Force Access Behavior Detected Over One Day - Against Category - Building a Departmental Peer Group - Cloud APIs Called More Often Than Usual Per User - Cloud Provisioning Activity from Unusual Country - Cloud Provisioning Activity from Unusual IP - Common Filename Launched from New Path - Concentration of Attacker Tools by Filename - Concentration of Attacker Tools by SHA1 Hash - Concentration of Discovery Tools by Filename - Concentration of Discovery Tools by SHA1 Hash - Connection to New Domain - Detect Journal Clearing - Detect Lateral Movement With WMI - Detect Log Clearing With wevtutil - Detect Many Unauthorized Access Attempts - Disabled Update Service - Emails from Outside the Organization with Company Domains - Emails with Lookalike Domains - Endpoint Uncleaned Malware Detection - Expected Host Not Reporting - in Category - Fake Windows Processes - Familiar Filename Launched with New Path on Host - Find Processes with Renamed Executables - Find Unusually Long CLI Commands - First Time Access to Jump Server for Peer Group - First Time Accessing an Internal Git Repository - First Time Accessing an Internal Git Repository Not Viewed by Peers - First Time Logon to New Server - First Time USB Usage - Flight Risk Emailing - Flight Risk Printing - Flight Risk Web Browsing - Geographically Improbable Access Detected against Category - Geographically Improbable Access Detected for Privileged Accounts - Healthcare Worker Opening More Patient Records Than Usual - Hosts Sending To More Destinations Than Normal - Hosts Where Security Sources Go Quiet - Hosts with Varied and Future Timestamps - In-Scope Device with Outdated Anti-Malware Found - In-Scope System with Windows Update Disabled - Increase in # of Hosts Logged into - Increase in Pages Printed - Increase in Source Code (Git) Downloads - Increase in Windows Privilege Escalations - Instance Created by Unusual User - Instance Modified by Unusual User - Large Web Upload - Malicious Command Line Executions - Many USB File Copies for User - Monitor AutoRun Registry Keys - Monitor Successful Backups - Monitor Successful Windows Updates - Monitor Unsuccessful Backups - Monitor Unsuccessful Windows Updates - Multiple Infections on Host - New AD Domain Detected - New Application Accessing Salesforce.com API - New Cloud API Call Per Peer Group - New Cloud Provider for User - New Connection to In-Scope Device - New Data Exfil DLP Alerts for User - New High Risk Event Types for Salesforce.com User - New IaaS API Call Per User - New Interactive Logon from a Service Account - New Local Admin Account - New Logon Type for User - New Parent Process for cmd.exe or regedit.exe - New RunAs Host / Privileged Account Combination - New Service Paths for Host - New Suspicious Executable Launch for User - New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch - New Tables Queried by Salesforce.com Peer Group - New Tables Queried by Salesforce.com User - New User Taking Privileged Actions - Non-Privileged Users taking Privileged Actions - Old Passwords in Use - Outdated Malware Definitions - Potential Day Trading - Processes with High Entropy Names - Processes with Lookalike (typo) Filenames - Public Cloud Storage (Bucket) - Pull List of Privileged Users - RFC1918 IP Not in CMDB - Ransomware Extensions - Ransomware Note Files - Ransomware Vulnerabilities - Recurring Infection on Host - Remote PowerShell Launches - Risky Events from Privileged Users - SMB Traffic Allowed - Short Lived Admin Accounts - Significant Increase in Interactive Logons - Significant Increase in Interactively Logged On Users - Sources Sending Many DNS Requests - Sources Sending a High Volume of DNS Traffic - Spike in Downloaded Documents Per User from Salesforce.com - Spike in Exported Records from Salesforce.com - Spike in Password Reset Emails - Spike in SMB Traffic - Stale Account Usage - Successful Login of Account for Former Employee - Unauthorized Connection Through Firewall - Unusual Child Process for spoolsv.exe or connhost.exe - Unusual Cloud Regions - Unusual Number of Modifications to Cloud ACLs - User Finding Project Code Names from Many Departments - User Has Access to In-Scope Splunk Indexes They Should Not - User Logged into In-Scope System They Should Not Have - User Login to Unauthorized Geo - User Login with Local Credentials - User with Increase in Outgoing Email - User with Many DLP Events - Web Browsing to Unauthorized Sites - Windows Event Log Clearing Events Technical Detail Developing on SSE Installation DocumentationSSE ContentSSE has 120+ detections. Consult the list below for the full set of content.Access to In-Scope Unencrypted ResourcesAccess to In-scope ResourcesActivity from Expired User Identity - on CategoryAggregate Risky EventsAuthentication Against a New Domain ControllerBasic Brute Force DetectionBasic Dynamic DNS DetectionBasic Malware OutbreakBasic ScanningBasic TOR Traffic DetectionBrute Force Access Behavior Detected - Against CategoryBrute Force Access Behavior Detected Over One Day - Against CategoryBuilding a Departmental Peer GroupCloud APIs Called More Often Than Usual Per UserCloud Provisioning Activity from Unusual CountryCloud Provisioning Activity from Unusual IPCommon Filename Launched from New PathConcentration of Attacker Tools by FilenameConcentration of Attacker Tools by SHA1 HashConcentration of Discovery Tools by FilenameConcentration of Discovery Tools by SHA1 HashConnection to New DomainDetect Journal ClearingDetect Lateral Movement With WMIDetect Log Clearing With wevtutilDetect Many Unauthorized Access AttemptsDisabled Update ServiceEmails from Outside the Organization with Company DomainsEmails with Lookalike DomainsEndpoint Uncleaned Malware DetectionExpected Host Not Reporting - in CategoryFake Windows ProcessesFamiliar Filename Launched with New Path on HostFind Processes with Renamed ExecutablesFind Unusually Long CLI CommandsFirst Time Access to Jump Server for Peer GroupFirst Time Accessing an Internal Git RepositoryFirst Time Accessing an Internal Git Repository Not Viewed by PeersFirst Time Logon to New ServerFirst Time USB UsageFlight Risk EmailingFlight Risk PrintingFlight Risk Web BrowsingGeographically Improbable Access Detected against CategoryGeographically Improbable Access Detected for Privileged AccountsHealthcare Worker Opening More Patient Records Than UsualHosts Sending To More Destinations Than NormalHosts Where Security Sources Go QuietHosts with Varied and Future TimestampsIn-Scope Device with Outdated Anti-Malware FoundIn-Scope System with Windows Update DisabledIncrease in # of Hosts Logged intoIncrease in Pages PrintedIncrease in Source Code (Git) DownloadsIncrease in Windows Privilege EscalationsInstance Created by Unusual UserInstance Modified by Unusual UserLarge Web UploadMalicious Command Line ExecutionsMany USB File Copies for UserMonitor AutoRun Registry KeysMonitor Successful BackupsMonitor Successful Windows UpdatesMonitor Unsuccessful BackupsMonitor Unsuccessful Windows UpdatesMultiple Infections on HostNew AD Domain DetectedNew Application Accessing Salesforce.com APINew Cloud API Call Per Peer GroupNew Cloud Provider for UserNew Connection to In-Scope DeviceNew Data Exfil DLP Alerts for UserNew High Risk Event Types for Salesforce.com UserNew IaaS API Call Per UserNew Interactive Logon from a Service AccountNew Local Admin AccountNew Logon Type for UserNew Parent Process for cmd.exe or regedit.exeNew RunAs Host / Privileged Account CombinationNew Service Paths for HostNew Suspicious Executable Launch for UserNew Suspicious cmd.exe / regedit.exe / powershell.exe Service LaunchNew Tables Queried by Salesforce.com Peer GroupNew Tables Queried by Salesforce.com UserNew User Taking Privileged ActionsNon-Privileged Users taking Privileged ActionsOld Passwords in UseOutdated Malware DefinitionsPotential Day TradingProcesses with High Entropy NamesProcesses with Lookalike (typo) FilenamesPublic Cloud Storage (Bucket)Pull List of Privileged UsersRFC1918 IP Not in CMDBRansomware ExtensionsRansomware Note FilesRansomware VulnerabilitiesRecurring Infection on HostRemote PowerShell LaunchesRisky Events from Privileged UsersSMB Traffic AllowedShort Lived Admin AccountsSignificant Increase in Interactive LogonsSignificant Increase in Interactively Logged On UsersSources Sending Many DNS RequestsSources Sending a High Volume of DNS TrafficSpike in Downloaded Documents Per User from Salesforce.comSpike in Exported Records from Salesforce.comSpike in Password Reset EmailsSpike in SMB TrafficStale Account UsageSuccessful Login of Account for Former EmployeeUnauthorized Connection Through FirewallUnusual Child Process for spoolsv.exe or connhost.exeUnusual Cloud RegionsUnusual Number of Modifications to Cloud ACLsUser Finding Project Code Names from Many DepartmentsUser Has Access to In-Scope Splunk Indexes They Should NotUser Logged into In-Scope System They Should Not HaveUser Login to Unauthorized GeoUser Login with Local CredentialsUser with Increase in Outgoing EmailUser with Many DLP EventsWeb Browsing to Unauthorized SitesWindows Event Log Clearing EventsSecurity Posture Dashboards Access to In-Scope Unencrypted Resources