SSE Content

Splunk Security Essentials (SSE) ships with 120+ detections. The list below is the full set of content.

  • Access to In-Scope Unencrypted Resources
  • Access to In-scope Resources
  • Activity from Expired User Identity - on Category
  • Aggregate Risky Events
  • Authentication Against a New Domain Controller
  • Basic Brute Force Detection
  • Basic Dynamic DNS Detection
  • Basic Malware Outbreak
  • Basic Scanning
  • Basic TOR Traffic Detection
  • Brute Force Access Behavior Detected - Against Category
  • Brute Force Access Behavior Detected Over One Day - Against Category
  • Building a Departmental Peer Group
  • Cloud APIs Called More Often Than Usual Per User
  • Cloud Provisioning Activity from Unusual Country
  • Cloud Provisioning Activity from Unusual IP
  • Common Filename Launched from New Path
  • Concentration of Attacker Tools by Filename
  • Concentration of Attacker Tools by SHA1 Hash
  • Concentration of Discovery Tools by Filename
  • Concentration of Discovery Tools by SHA1 Hash
  • Connection to New Domain
  • Detect Journal Clearing
  • Detect Lateral Movement With WMI
  • Detect Log Clearing With wevtutil
  • Detect Many Unauthorized Access Attempts
  • Disabled Update Service
  • Emails from Outside the Organization with Company Domains
  • Emails with Lookalike Domains
  • Endpoint Uncleaned Malware Detection
  • Expected Host Not Reporting - in Category
  • Fake Windows Processes
  • Familiar Filename Launched with New Path on Host
  • Find Processes with Renamed Executables
  • Find Unusually Long CLI Commands
  • First Time Access to Jump Server for Peer Group
  • First Time Accessing an Internal Git Repository
  • First Time Accessing an Internal Git Repository Not Viewed by Peers
  • First Time Logon to New Server
  • First Time USB Usage
  • Flight Risk Emailing
  • Flight Risk Printing
  • Flight Risk Web Browsing
  • Geographically Improbable Access Detected against Category
  • Geographically Improbable Access Detected for Privileged Accounts
  • Healthcare Worker Opening More Patient Records Than Usual
  • Hosts Sending To More Destinations Than Normal
  • Hosts Where Security Sources Go Quiet
  • Hosts with Varied and Future Timestamps
  • In-Scope Device with Outdated Anti-Malware Found
  • In-Scope System with Windows Update Disabled
  • Increase in # of Hosts Logged into
  • Increase in Pages Printed
  • Increase in Source Code (Git) Downloads
  • Increase in Windows Privilege Escalations
  • Instance Created by Unusual User
  • Instance Modified by Unusual User
  • Large Web Upload
  • Malicious Command Line Executions
  • Many USB File Copies for User
  • Monitor AutoRun Registry Keys
  • Monitor Successful Backups
  • Monitor Successful Windows Updates
  • Monitor Unsuccessful Backups
  • Monitor Unsuccessful Windows Updates
  • Multiple Infections on Host
  • New AD Domain Detected
  • New Application Accessing Salesforce.com API
  • New Cloud API Call Per Peer Group
  • New Cloud Provider for User
  • New Connection to In-Scope Device
  • New Data Exfil DLP Alerts for User
  • New High Risk Event Types for Salesforce.com User
  • New IaaS API Call Per User
  • New Interactive Logon from a Service Account
  • New Local Admin Account
  • New Logon Type for User
  • New Parent Process for cmd.exe or regedit.exe
  • New RunAs Host / Privileged Account Combination
  • New Service Paths for Host
  • New Suspicious Executable Launch for User
  • New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch
  • New Tables Queried by Salesforce.com Peer Group
  • New Tables Queried by Salesforce.com User
  • New User Taking Privileged Actions
  • Non-Privileged Users taking Privileged Actions
  • Old Passwords in Use
  • Outdated Malware Definitions
  • Potential Day Trading
  • Processes with High Entropy Names
  • Processes with Lookalike (typo) Filenames
  • Public Cloud Storage (Bucket)
  • Pull List of Privileged Users
  • RFC1918 IP Not in CMDB
  • Ransomware Extensions
  • Ransomware Note Files
  • Ransomware Vulnerabilities
  • Recurring Infection on Host
  • Remote PowerShell Launches
  • Risky Events from Privileged Users
  • SMB Traffic Allowed
  • Short Lived Admin Accounts
  • Significant Increase in Interactive Logons
  • Significant Increase in Interactively Logged On Users
  • Sources Sending Many DNS Requests
  • Sources Sending a High Volume of DNS Traffic
  • Spike in Downloaded Documents Per User from Salesforce.com
  • Spike in Exported Records from Salesforce.com
  • Spike in Password Reset Emails
  • Spike in SMB Traffic
  • Stale Account Usage
  • Successful Login of Account for Former Employee
  • Unauthorized Connection Through Firewall
  • Unusual Child Process for spoolsv.exe or connhost.exe
  • Unusual Cloud Regions
  • Unusual Number of Modifications to Cloud ACLs
  • User Finding Project Code Names from Many Departments
  • User Has Access to In-Scope Splunk Indexes They Should Not
  • User Logged into In-Scope System They Should Not Have
  • User Login to Unauthorized Geo
  • User Login with Local Credentials
  • User with Increase in Outgoing Email
  • User with Many DLP Events
  • Web Browsing to Unauthorized Sites
  • Windows Event Log Clearing Events