Abnormally High Number of HTTP Method Events By Src

Description: Alerts when a host has an abnormally high number of HTTP requests by HTTP method.