Navigation : Release Notes User Guides Data Onboarding Guides Features SSE Content - AWS Cloud Provisioning From Previously Unseen City - AWS Cloud Provisioning From Previously Unseen Country - AWS Cloud Provisioning From Previously Unseen IP Address - AWS Cloud Provisioning From Previously Unseen Region - AWS Cross Account Activity From Previously Unseen Account - AWS Detect Attach To Role Policy - AWS Detect Permanent Key Creation - AWS Detect Role Creation - AWS Detect Sts Assume Role Abuse - AWS Detect Sts Get Session Token Abuse - AWS Detect Users Creating Keys With Encrypt Policy Without MFA - AWS Detect Users With Kms Keys Performing Encryption S3 - AWS EKS Kubernetes Cluster Sensitive Object Access - AWS Network Access Control List Created With All Open Ports - AWS Network Access Control List Deleted - AWS Saml Access By Provider User And Principal - AWS Saml Update Identity Provider - Abnormally High AWS Instances Launched By User - Abnormally High AWS Instances Launched By User - MLTK - Abnormally High AWS Instances Launched by User - Abnormally High AWS Instances Terminated By User - Abnormally High AWS Instances Terminated By User - MLTK - Abnormally High Number Of Cloud Infrastructure API Calls - Abnormally High Number Of Cloud Instances Destroyed - Abnormally High Number Of Cloud Instances Launched - Abnormally High Number Of Cloud Security Group API Calls - Abnormally High Number of Endpoint Changes By User - Abnormally High Number of HTTP Method Events By Src - Access LSASS Memory For Dump Creation - Access to In-Scope Unencrypted Resources - Access to In-scope Resources - Account Compromise with Suspicious Internal Activity - Account Compromised followed by Exfiltration - Account Deleted - Activity from Expired User Identity - Activity from Expired User Identity - on Category - Aggregate Risky Events - Amazon EKS Kubernetes Cluster Scan Detection - Amazon EKS Kubernetes Pod Scan Detection - Anomalous Audit Trail Activity Detected - Anomalous New Listening Port - Anomalous New Process - Anomalous New Service - Any Powershell Downloadfile - Any Powershell Downloadstring - Asset Ownership Unspecified - Attempt To Add Certificate To Untrusted Store - Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass - Attempt To Set Default Powershell Execution Policy To Unrestricted Or Bypass - Attempt To Stop Security Service - Attempted Credential Dump From Registry Via Reg Exe - Attempted Credential Dump From Registry Via Reg.exe - Auditing Overview of Data Processing Systems (Glass Table) - Authentication Against a New Domain Controller - Basic Brute Force Detection - Basic Dynamic DNS Detection - Basic Malware Outbreak - Basic Scanning - Basic TOR Traffic Detection - Batch File Write To System32 - Bcdedit Failure Recovery Modification - Blacklisted Application - Blacklisted Domain - Blacklisted IP Address - Brute Force - Brute Force Access Behavior Detected - Brute Force Access Behavior Detected - Against Category - Brute Force Access Behavior Detected Over One Day - Brute Force Access Behavior Detected Over One Day - Against Category - Brute Force Attack - Building a Departmental Peer Group - COVID-19 Indicator Check - Certutil Exe Certificate Extraction - Child Processes Of Spoolsv Exe - Child Processes of Spoolsv.exe - Cleartext Password At Rest Detected - Clients Connecting To Multiple DNS Servers - Cloud API Calls From Previously Unseen User Roles - Cloud APIs Called More Often Than Usual Per User - Cloud Compute Instance Created By Previously Unseen User - Cloud Compute Instance Created In Previously Unused Region - Cloud Compute Instance Created With Previously Unseen Image - Cloud Compute Instance Created With Previously Unseen Instance Type - Cloud Compute Instance Started In Previously Unused Region - Cloud Instance Modified By Previously Unseen User - Cloud Network Access Control List Deleted - Cloud Provisioning Activity From Previously Unseen City - Cloud Provisioning Activity From Previously Unseen Country - Cloud Provisioning Activity From Previously Unseen IP Address - Cloud Provisioning Activity From Previously Unseen Region - Cloud Provisioning Activity from Unusual Country - Cloud Provisioning Activity from Unusual IP - Cobalt Strike Named Pipes - Common Filename Launched from New Path - Common Ransomware Extensions - Common Ransomware Notes - Completely Inactive Account - Compromised Account - Compromised Web Server - Concentration of Attacker Tools by Filename - Concentration of Attacker Tools by SHA1 Hash - Concentration of Discovery Tools by Filename - Concentration of Discovery Tools by SHA1 Hash - Concurrent Login Attempts Detected - Connection to New Domain - Create Local Admin Accounts Using Net Exe - Create Or Delete Windows Shares Using Net Exe - Create Remote Thread Into LSASS - Create local admin accounts using net.exe - Create or delete hidden shares using net.exe - Create or delete windows shares using net.exe - Creation Of LSASS Dump With Taskmgr - Creation Of Shadow Copy - Creation Of Shadow Copy With Wmic And Powershell - Credential Dumping Via Copy Command From Shadow Copy - Credential Dumping Via Symlink To Shadow Copy - Credentials In File Detected - Critical Severity Intrusion - DNS Query Length Outliers - MLTK - DNS Query Length With High Standard Deviation - DNS Query Requests Resolved By Unauthorized DNS Servers - DNS Record Changed - Data Exfiltration after Account Takeover, High - Data Exfiltration after Account Takeover, Medium - Data Exfiltration after Data Staging - Data Exfiltration by suspicious user or device - Data Staging - Default Account Activity Detected - Default Account At Rest Detected - Deleting Shadow Copies - Detect API Activity From Users Without MFA - Detect AWS API Activities From Unapproved Accounts - Detect AWS Console Login By New User - Detect AWS Console Login By User From New City - Detect AWS Console Login By User From New Country - Detect AWS Console Login By User From New Region - Detect Activity Related To Pass The Hash Attacks - Detect Arp Poisoning - Detect Attackers Scanning For Vulnerable Jboss Servers - Detect Baron Samedit Cve-2021-3156 - Detect Baron Samedit Cve-2021-3156 Segfault - Detect Baron Samedit Cve-2021-3156 Via Osquery - Detect Computer Changed With Anonymous Account - Detect Credential Dumping Through LSASS Access - Detect Credit Card Numbers using Luhn Algorithm - Detect DNS Requests To Phishing Sites Leveraging Evilginx2 - Detect Excessive Account Lockouts From Endpoint - Detect Excessive User Account Lockouts - Detect F5 Tmui RCE Cve-2020-5902 - Detect GCP Storage Access From A New IP - Detect Hosts Connecting To Dynamic Domain Providers - Detect Html Help Renamed - Detect Html Help Spawn Child Process - Detect Html Help Url In Command Line - Detect Html Help Using Infotech Storage Handlers - Detect Ipv6 Network Infrastructure Threats - Detect Journal Clearing - Detect Large Outbound ICMP Packets - Detect Lateral Movement With WMI - Detect Log Clearing With wevtutil - Detect Long DNS TXT Record Response - Detect Long DNS Txt Record Response - Detect Malicious Requests To Exploit Jboss Servers - Detect Many Unauthorized Access Attempts - Detect Mimikatz Using Loaded Images - Detect Mimikatz Via PowerShell And EventCode 4663 - Detect Mimikatz Via Powershell And Eventcode 4703 - Detect Mshta Exe Running Scripts In Command-Line Arguments - Detect Mshta Inline Hta Execution - Detect Mshta Renamed - Detect Mshta Url In Command Line - Detect New API Calls From User Roles - Detect New Local Admin Account - Detect New Login Attempts To Routers - Detect New Open GCP Storage Buckets - Detect New Open S3 Buckets - Detect New Open S3 Buckets Over AWS Cli - Detect New User AWS Console Login - Detect New User AWS Console Login - Dm - Detect Oulook Exe Writing A Zip File - Detect Oulook exe writing a zip file - Detect Outbound SMB Traffic - Detect Path Interception By Creation Of Program Exe - Detect Path Interception By Creation Of program.exe - Detect Port Security Violation - Detect Processes Used For System Network Configuration Discovery - Detect Prohibited Applications Spawning Cmd Exe - Detect Prohibited Applications Spawning cmd.exe - Detect Psexec With Accepteula Flag - Detect Rare Executables - Detect Regasm Spawning A Process - Detect Regasm With Network Connection - Detect Regasm With No Command Line Arguments - Detect Regsvcs Spawning A Process - Detect Regsvcs With Network Connection - Detect Regsvcs With No Command Line Arguments - Detect Regsvr32 Application Control Bypass - Detect Rogue DHCP Server - Detect Rundll32 Application Control Bypass - Advpack - Detect Rundll32 Application Control Bypass - Setupapi - Detect Rundll32 Application Control Bypass - Syssetup - Detect Rundll32 Inline Hta Execution - Detect S3 Access From A New IP - Detect Snicat Sni Exfiltration - Detect Software Download To Network Device - Detect Spike In AWS API Activity - Detect Spike In AWS Security Hub Alerts For EC2 Instance - Detect Spike In AWS Security Hub Alerts For User - Detect Spike In Blocked Outbound Traffic From Your AWS - Detect Spike In Network ACL Activity - Detect Spike In S3 Bucket Deletion - Detect Spike In Security Group Activity - Detect Traffic Mirroring - Detect USB Device Insertion - Detect Unauthorized Assets By MAC Address - Detect Use Of Cmd Exe To Launch Script Interpreters - Detect Use of cmd.exe to Launch Script Interpreters - Detect Web Traffic To Dynamic Domain Providers - Detect Windows DNS Sigred Via Splunk Stream - Detect Windows DNS Sigred Via Zeek - Detect Zerologon Via Zeek - Detect attackers scanning for vulnerable JBoss servers - Detect mshta exe running scripts in command-line arguments - Detection Of DNS Tunnels - Detection Of Tools Built By Nirsoft - Disabled Update Service - Disabling Remote User Account Control - Download from Internal Server - Dump LSASS Via Comsvcs DLL - Dump LSASS Via Procdump - Dump LSASS Via Procdump Rename - EC2 Instance Isolation - EC2 Instance Modified With Previously Unseen User - EC2 Instance Started In Previously Unseen Region - EC2 Instance Started With Previously Unseen AMI - EC2 Instance Started With Previously Unseen Instance Type - EC2 Instance Started With Previously Unseen User - Email Attachments With Lots Of Spaces - Email Files Written Outside Of The Outlook Directory - Email Servers Sending High Volume Traffic To Hosts - Emails from Outside the Organization with Company Domains - Emails with Lookalike Domains - Endpoint Uncleaned Malware Detection - Eventvwr Uac Bypass - Excessive Box Downloads - Excessive DNS Failures - Excessive DNS Queries - Excessive Data Printed - Excessive Data Transmission - Excessive Downloads via VPN - Excessive Failed Logins - Excessive HTTP Failure Responses - Execution Of File With Multiple Extensions - Execution Of File With Spaces Before Extension - Exfiltration - Exfiltration after Account Compromise - Exfiltration after Infection - Exfiltration after Suspicious Internal Activity - Expected Host Not Reporting - Expected Host Not Reporting - in Category - Extended Period Without Successful Netbackup Backups - External Alarm Activity - External Website Attack - Failed Access by Disabled Badge - Failed Badge Accesses on Multiple Doors - Fake Windows Processes - Familiar Filename Launched with New Path on Host - File With Samsam Extension - Find Processes with Renamed Executables - Find Unusually Long CLI Commands - First Time Access to Jump Server for Peer Group - First Time Accessing an Internal Git Repository - First Time Accessing an Internal Git Repository Not Viewed by Peers - First Time Logon to New Server - First Time Seen Child Process Of Zoom - First Time Seen Child Process of Zoom - First Time Seen Command Line Argument - First Time Seen Running Windows Service - First Time USB Usage - Flight Risk Emailing - Flight Risk Printing - Flight Risk User - Flight Risk Web Browsing - Fodhelper Uac Bypass - GCP Detect Accounts With High Risk Roles By Project - GCP Detect Gcploit Framework - GCP Detect High Risk Permissions By Resource And Account - GCP Detect Oauth Token Abuse - GCP GCR Container Uploaded - GCP Kubernetes Cluster Pod Scan Detection - GCP Kubernetes Cluster Scan Detection - Geographically Improbable Access Detected - Geographically Improbable Access Detected against Category - Geographically Improbable Access Detected for Privileged Accounts - Healthcare Worker Opening More Patient Records Than Usual - Hiding Files And Directories With Attrib Exe - Hiding Files And Directories With Attrib.exe - High Number Of Infected Hosts - High Number Of Login Failures From A Single Source - High Number of Hosts Not Updating Malware Signatures - High Or Critical Priority Host With Malware Detected - High Process Count - High Volume Email Activity to Non-corporate Domains by User - High Volume of Traffic from High or Critical Host Observed - High or Critical Priority Individual Logging into Infected Machine - Host Sending Excessive Email - Host With A Recurring Malware Infection - Host With High Number Of Listening ports - Host With High Number Of Services - Host With Multiple Infections - Host With Old Infection Or Potential Re-Infection - Hosts Receiving High Volume Of Network Traffic From Email Server - Hosts Sending To More Destinations Than Normal - Hosts Where Security Sources Go Quiet - Hosts with Varied and Future Timestamps - Hunting COVID Themed Attacks With IOCs - IP Investigate and Report - Identify New User Accounts - Image From New Repository Detected - In-Scope Device with Outdated Anti-Malware Found - In-Scope System with Windows Update Disabled - Inactive Account Activity Detected - Increase in # of Hosts Logged into - Increase in Pages Printed - Increase in Source Code (Git) Downloads - Increase in Windows Privilege Escalations - Infected Host - Infection followed by Exfiltration - Insecure Or Cleartext Authentication Detected - Instance Created by Unusual User - Instance Modified by Unusual User - Integrating Threat Indicators with MISP and Splunk Enterprise Security - Investigate GDPR Breaches Using ES - Kerberoasting Spn Request With RC4 Encryption - Kerberoasting spn request with RC4 encryption - Kubernetes AWS Detect Most Active Service Accounts By Pod - Kubernetes AWS Detect Rbac Authorization By Account - Kubernetes AWS Detect Sensitive Role Access - Kubernetes AWS Detect Service Accounts Forbidden Failure Access - Kubernetes AWS Detect Suspicious Kubectl Calls - Kubernetes Azure Detect Most Active Service Accounts By Pod Namespace - Kubernetes Azure Detect Rbac Authorization By Account - Kubernetes Azure Detect Sensitive Object Access - Kubernetes Azure Detect Sensitive Role Access - Kubernetes Azure Detect Service Accounts Forbidden Failure Access - Kubernetes Azure Detect Suspicious Kubectl Calls - Kubernetes Azure Pod Scan Fingerprint - Kubernetes Azure Scan Fingerprint - Kubernetes GCP Detect Most Active Service Accounts By Pod - Kubernetes GCP Detect Rbac Authorizations By Account - Kubernetes GCP Detect Sensitive Object Access - Kubernetes GCP Detect Sensitive Role Access - Kubernetes GCP Detect Service Accounts Forbidden Failure Access - Kubernetes GCP Detect Suspicious Kubectl Calls - Land Speed Violation - Large Volume Of DNS Any Queries - Large Web Upload - Lateral Movement - Local Account Creation - Machine Generated Beacon - Macos - Re-Opened Applications - Malicious AD Activity - Malicious Command Line Executions - Malicious Insider Containment - Malicious PowerShell Process With Obfuscation Techniques - Malicious Powershell Process - Connect To Internet With Hidden Window - Malicious Powershell Process - Encoded Command - Malicious Powershell Process - Execution Policy Bypass - Malicious Powershell Process - Multiple Suspicious Command-Line Arguments - Malicious Powershell Process With Obfuscation Techniques - Malicious URI with Potential Malware - Malware - Malware Investigation - Many USB File Copies for User - Monitor AutoRun Registry Keys - Monitor DNS For Brand Abuse - Monitor Email For Brand Abuse - Monitor Registry Keys For Print Monitors - Monitor Successful Backups - Monitor Successful Windows Updates - Monitor Unsuccessful Backups - Monitor Unsuccessful Windows Updates - Monitor Web Traffic For Brand Abuse - Multiple Account Deletion by an Administrator - Multiple Account Disabled by an Administrator - Multiple Account Passwords changed by an Administrator - Multiple Authentication Failures - Multiple Authentications - Multiple Badge Accesses - Multiple Box login errors - Multiple Box logins - Multiple Box operations - Multiple External Alarms - Multiple Failed Badge Access Attempts - Multiple Infections on Host - Multiple Login Errors - Multiple Logins - Multiple Okta Users With Invalid Credentails From The Same IP - Multiple Okta Users With Invalid Credentials From The Same IP - Multiple Outgoing Connections - Multiple Primary Functions Detected - Multiple failed badge attempts and unusual badge access time - Network Change Detected - Network Device Rebooted - Network Protocol Violation - New AD Domain Detected - New Application Accessing Salesforce.com API - New Cloud API Call Per Peer Group - New Cloud Provider for User - New Connection to In-Scope Device - New Container Uploaded To AWS Ecr - New Data Exfil DLP Alerts for User - New High Risk Event Types for Salesforce.com User - New IaaS API Call Per User - New Interactive Logon from a Service Account - New Local Admin Account - New Logon Type for User - New Parent Process for cmd.exe or regedit.exe - New RunAs Host / Privileged Account Combination - New Service Paths for Host - New Suspicious Executable Launch for User - New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch - New Tables Queried by Salesforce.com Peer Group - New Tables Queried by Salesforce.com User - New User Account Created On Multiple Hosts - New User Taking Privileged Actions - Nishang Powershelltcponeline - Nltest Domain Trust Discovery - No Windows Updates In A Time Frame - Non-Privileged Users taking Privileged Actions - Ntdsutil Export Ntds - O365 Add App Role Assignment Grant User - O365 Added Service Principal - O365 Bypass MFA Via Trusted IP - O365 Disable MFA - O365 Excessive Authentication Failures Alert - O365 Excessive Sso Logon Errors - O365 New Federated Domain Added - O365 Pst Export Alert - O365 Suspicious Admin Email Forwarding - O365 Suspicious Rights Delegation - O365 Suspicious User Email Forwarding - Okta Account Lockout Events - Okta Failed Sso Attempts - Okta User Logins From Multiple Cities - Old Passwords in Use - Open Redirect In Splunk Web - Osquery Pack - Coldroot Detection - Outbreak Detected - Outdated Malware Definitions - Overwriting Accessibility Binaries - Period with Unusual Windows Security Event Sequences - Personally Identifiable Information Detected - Phishing Investigation and Response - Possible Phishing Attempt - Potential Day Trading - Potential Flight Risk Exfiltration - Potential Flight Risk Staging - Potential Gap in Data - Potential Phishing Attack - Potential Webshell Activity - Privilege Escalation after Powershell Activity - Process Creating Lnk File In Suspicious Location - Process Execution Via WMI - Processes Created By Netsh - Processes Launching Netsh - Processes Tapping Keyboard Events - Processes launching netsh - Processes with High Entropy Names - Processes with Lookalike (typo) Filenames - Prohibited Network Traffic Allowed - Prohibited Port Activity Detected - Prohibited Process Detected - Prohibited Service Detected - Prohibited Software On Endpoint - Prompt and Block Domain - Protocol Or Port Mismatch - Protocols Passing Authentication In Cleartext - Public Cloud Storage (Bucket) - Public facing Website Attack - Pull List of Privileged Users - RFC1918 IP Not in CMDB - Ransomware Extensions - Ransomware Investigate and Contain - Ransomware Note Files - Ransomware Vulnerabilities - Recurring Infection on Host - Reg Exe Manipulating Windows Services Registry Keys - Reg Exe Used To Hide Files Directories Via Registry Keys - Reg.exe Manipulating Windows Services Registry Keys - Reg.exe used to hide files/directories via registry keys - Registry Keys For Creating Shim Databases - Registry Keys Used For Persistence - Registry Keys Used For Privilege Escalation - Remote Account Takeover - Remote Desktop Network Bruteforce - Remote Desktop Network Traffic - Remote Desktop Process Running On System - Remote PowerShell Launches - Remote Process Instantiation Via WMI - Remote Registry Key Modifications - Remote WMI Command Attempt - Risky Events from Privileged Users - Rundll Loading DLL By Ordinal - Ryuk Test Files Detected - Ryuk Wake On Lan Command - SMB Traffic Allowed - SMB Traffic Spike - SMB Traffic Spike - MLTK - SQL Injection with Long URLs - Same Error On Many Servers Detected - Samsam Test File Write - Sc Exe Manipulating Windows Services - Sc.exe Manipulating Windows Services - Scanning Activity - Scheduled Task Deleted Or Created Via Cmd - Scheduled Task Name Used By Dragonfly Threat Actors - Scheduled Tasks Used In Badrabbit Ransomware - Schtasks Scheduling Job On Remote System - Schtasks Used For Forcing A Reboot - Script Execution Via WMI - Sensitive Kubernetes Mount Pod Detected - Service Account Login - Shim Database File Creation - Shim Database Installation With Suspicious Parameters - Short Lived Admin Accounts - Short Lived Windows Accounts - Short-lived Account Detected - Significant Increase in Interactive Logons - Significant Increase in Interactively Logged On Users - Single Letter Process On Endpoint - Sources Sending Many DNS Requests - Sources Sending a High Volume of DNS Traffic - Spectre And Meltdown Vulnerable Systems - Spike In File Writes - Spike in Downloaded Documents Per User from Salesforce.com - Spike in Exported Records from Salesforce.com - Spike in Password Reset Emails - Spike in SMB Traffic - Splunk Enterprise Information Disclosure - Sql Injection With Long Urls - Stale Account Usage - Substantial Increase In Events - Substantial Increase In Port Activity - Successful Login of Account for Former Employee - Sunburst Correlation DLL And Network Event - Supernova Webshell - Suspicious Account Activity - Suspicious Account Lockout - Suspicious Activity After Intrusion - Suspicious Badge Activity - Suspicious Behavior - Suspicious Box Usage - Suspicious Changes To File Associations - Suspicious Container Image Name - Suspicious Curl Network Connection - Suspicious Data Collection - Suspicious Data Movement - Suspicious Dllhost No Command Line Arguments - Suspicious Domain Communication - Suspicious Domain Communication followed by Malware Activity - Suspicious Domain Name - Suspicious Email - UBA Anomaly - Suspicious Email Attachment Extensions - Suspicious External Alarm Activity - Suspicious File Write - Suspicious Gpupdate No Command Line Arguments - Suspicious HTTP Redirects - Suspicious HTTP Redirects followed by Suspected Infection - Suspicious IP Address Communication - Suspicious Java Classes - Suspicious Lnk File Launching A Process - Suspicious Microsoft Workflow Compiler Rename - Suspicious Microsoft Workflow Compiler Usage - Suspicious Msbuild Path - Suspicious Msbuild Rename - Suspicious Msbuild Spawn - Suspicious Mshta Child Process - Suspicious Mshta Spawn - Suspicious Network Connection - Suspicious Network Exploration - Suspicious New Access - Suspicious Plistbuddy Usage - Suspicious Plistbuddy Usage Via Osquery - Suspicious Powershell Activity - Suspicious Privilege Escalation - Suspicious Reg Exe Process - Suspicious Reg.exe Process - Suspicious Regsvr32 Register Suspicious Path - Suspicious Rundll32 Dllregisterserver - Suspicious Rundll32 No Command Line Arguments - Suspicious Rundll32 Rename - Suspicious Rundll32 Startw - Suspicious Scheduled Task From Public Directory - Suspicious Searchprotocolhost No Command Line Arguments - Suspicious Sqlite3 Lsquarantine Behavior - Suspicious URL Communications and Redirects - Suspicious Wevtutil Usage - Suspicious Writes To System Volume Information - Suspicious Writes To Windows Recycle Bin - System Information Discovery Detection - System Processes Run From Unexpected Locations - Threat Activity Detected - Threat Hunting - Tor Traffic - USB storage attached an unusually high number of times - Unauthorized Connection Through Firewall - Uncommon Processes On Endpoint - Unified Messaging Service Spawning A Process - Unload Sysmon Filter Driver - Unrouteable Activity Detected - Unsigned Image Loaded By LSASS - Unsuccessful Netbackup Backups - Untriaged Notable Events - Unusual Activity Time - Unusual Badge Reader Access - Unusual Child Process for spoolsv.exe or connhost.exe - Unusual Cloud Regions - Unusual Cloud Storage Deletions - Unusual Cloud Storage Downloads - Unusual External Alarm - Unusual File Extension - Unusual Geolocation of Communication Destination - Unusual Machine Access - Unusual Network Activity - Unusual Number of Modifications to Cloud ACLs - Unusual Printer Usage - Unusual Time of Badge Access - Unusual USB Activity - Unusual USB Device Plugged In - Unusual VPN Login Geolocation - Unusual Volume of Network Activity - Unusual Web Browser - Unusual Windows Security Event (Unusual - Event Code, Process, Directory, LoginType, ReturnCode, Domain) - Unusually Long Command Line - Unusually Long Command Line - MLTK - Unusually Long Content-Type Length - Unusually Long VPN Session - User Finding Project Code Names from Many Departments - User Has Access to In-Scope Splunk Indexes They Should Not - User Logged into In-Scope System They Should Not Have - User Login to Unauthorized Geo - User Login with Local Credentials - User with Increase in Outgoing Email - User with Many DLP Events - Usn Journal Deletion - Vulnerability Scanner Detected (by events) - Vulnerability Scanner Detected (by targets) - W3Wp Spawning Shell - WMI Permanent Event Subscription - WMI Permanent Event Subscription - Sysmon - WMI Temporary Event Subscription - Watchlisted Event Observed - Watering Hole Infection - Wbadmin Delete System Backups - Web Browsing to Unauthorized Sites - Web Fraud - Account Harvesting - Web Fraud - Anomalous User Clickspeed - Web Fraud - Password Sharing Across Accounts - Web Servers Executing Suspicious Processes - Web Site Compromised (Webshell) - Web Uploads to Non-corporate Sites by Users - Windows Adfind Exe - Windows Connhost Exe Started Forcefully - Windows Disableantispyware Registry - Windows Event Log Cleared - Windows Event Log Clearing Events - Windows Hosts File Modification - Windows Security Account Manager Stopped Technical Detail Developing on SSE Installation DocumentationActivity from Expired User IdentityDescriptionAlerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of the identity has been passed).Account Deleted Activity from Expired User Identity - on Category