| Analytic rule | Severity | Source |
| --- | --- | --- |
| A client made a web request to a potentially harmful file (ASIM Web Session schema) | Medium | 📄 Standalone Content |
| A host is potentially running a crypto miner (ASIM Web Session schema) | Medium | 📄 Standalone Content |
| A host is potentially running a hacking tool (ASIM Web Session schema) | Medium | 📄 Standalone Content |
| A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) | Medium | 📄 Standalone Content |
| A potentially malicious web request was executed against a web server | Medium | 📦 Azure Web Application Firewall (WAF) |
| Abnormal Deny Rate for Source IP | Medium | 📦 Azure Firewall |
| Abnormal Port to Protocol | Medium | 📦 Azure Firewall |
| Access to AWS without MFA | Medium | 📦 Authomize |
| Access Token Manipulation - Create Process with Token | Medium | 📦 FalconFriday |
| Accessed files shared by temporary external user | Low | 📦 Microsoft 365 |
| Account added and removed from privileged groups | Low | 📄 Standalone Content |
| Account Created and Deleted in Short Timeframe | High | 📦 Microsoft Entra ID |
| Account created from non-approved sources | Medium | 📄 Standalone Content |
| Account created or deleted by non-approved user | Medium | 📦 Microsoft Entra ID |
| Account Creation | Medium | 📦 Microsoft Defender XDR |
| Account Elevated to New Role | Medium | 📦 Business Email Compromise - Financial Fraud |
| Acronis - Login from Abnormal IP - Low Occurrence | Medium | 📦 Acronis Cyber Protect Cloud |
| Acronis - Multiple Endpoints Accessing Malicious URLs | Medium | 📦 Acronis Cyber Protect Cloud |
| Acronis - Multiple Endpoints Infected by Ransomware | High | 📦 Acronis Cyber Protect Cloud |
| Acronis - Multiple Inboxes with Malicious Content Detected | Medium | 📦 Acronis Cyber Protect Cloud |
| AD account with Don't Expire Password | Low | 📄 Standalone Content |
| AD FS Abnormal EKU object identifier attribute | High | 📄 Standalone Content |
| AD FS Remote Auth Sync Connection | Medium | 📦 Windows Security Events |
| AD FS Remote HTTP Network Connection | Medium | 📦 Windows Security Events |
| AD user enabled and password not set within 48 hours | Low | 📦 Windows Security Events |
| Adding User or Group Failed | Low | 📦 Veeam |
| Addition of a Temporary Access Pass to a Privileged Account | High | 📄 Standalone Content |
| ADFS Database Named Pipe Connection | Medium | 📦 Windows Security Events |
| ADFS DKM Master Key Export | Medium | 📄 Standalone Content |
| Admin password not updated in 30 days | Medium | 📦 Authomize |
| Admin promotion after Role Management Application Permission Grant | High | 📦 Microsoft Entra ID |
| Admin SaaS account detected | Low | 📦 Authomize |
| AdminSDHolder Modifications | High | 📄 Standalone Content |
| AFD WAF - Code Injection | High | 📦 Azure Web Application Firewall (WAF) |
| AFD WAF - Path Traversal Attack | High | 📦 Azure Web Application Firewall (WAF) |
| Affected rows stateful anomaly on database | Medium | 📦 Azure SQL Database solution for sentinel |
| AIShield - Image classification AI Model Evasion high suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| AIShield - Image classification AI Model Evasion low suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| AIShield - Image classification AI Model extraction high suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| AIShield - Image Segmentation AI Model extraction high suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| AIShield - Natural language processing AI model extraction high suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| AIShield - Tabular classification AI Model Evasion high suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection | Medium | 📦 AIShield AI Security Monitoring |
| AIShield - Tabular classification AI Model extraction high suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| AIShield - Timeseries Forecasting AI Model extraction high suspicious vulnerability detection | High | 📦 AIShield AI Security Monitoring |
| Alarming number of anomalies generated in NetBackup | Medium | 📦 Veritas NetBackup |
| Alsid Active Directory attacks pathways | Low | 📦 Alsid For AD |
| Alsid DCShadow | High | 📦 Alsid For AD |
| Alsid DCSync | High | 📦 Alsid For AD |
| Alsid Golden Ticket | High | 📦 Alsid For AD |
| Alsid Indicators of Attack | Low | 📦 Alsid For AD |
| Alsid Indicators of Exposures | Low | 📦 Alsid For AD |
| Alsid LSASS Memory | High | 📦 Alsid For AD |
| Alsid Password Guessing | High | 📦 Alsid For AD |
| Alsid Password issues | Low | 📦 Alsid For AD |
| Alsid Password Spraying | High | 📦 Alsid For AD |
| Alsid privileged accounts issues | Low | 📦 Alsid For AD |
| Alsid user accounts issues | Low | 📦 Alsid For AD |
| Anomalous login followed by Teams action | Medium | 📄 Standalone Content |
| Anomalous sign-in location by user account and authenticating application | Medium | 📦 Microsoft Entra ID |
| Anomalous Single Factor Signin | Low | 📄 Standalone Content |
| Anomalous User Agent connection attempt | Low | 📄 Standalone Content |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | Medium | 📦 Network Session Essentials |
| Anomaly in SMB Traffic(ASIM Network Session schema) | Medium | 📦 Network Session Essentials |
| Anomaly Sign In Event from an IP | Medium | 📄 Standalone Content |
| Antivirus Detected an Infected File | High | 📦 CTERA |
| Anvilogic Alert | Medium | 📦 Anvilogic |
| Apache - Apache 2.4.49 flaw CVE-2021-41773 | High | 📦 ApacheHTTPServer |
| Apache - Command in URI | High | 📦 ApacheHTTPServer |
| Apache - Known malicious user agent | High | 📦 ApacheHTTPServer |
| Apache - Multiple client errors from single IP | Medium | 📦 ApacheHTTPServer |
| Apache - Multiple server errors from single IP | Medium | 📦 ApacheHTTPServer |
| Apache - Private IP in URL | Medium | 📦 ApacheHTTPServer |
| Apache - Put suspicious file | Medium | 📦 ApacheHTTPServer |
| Apache - Request from private IP | Medium | 📦 ApacheHTTPServer |
| Apache - Request to sensitive files | Medium | 📦 ApacheHTTPServer |
| Apache - Requests to rare files | Medium | 📦 ApacheHTTPServer |
| ApexOne - Attack Discovery Detection | High | 📦 Trend Micro Apex One |
| ApexOne - C&C callback events | High | 📦 Trend Micro Apex One |
| ApexOne - Commands in Url | High | 📦 Trend Micro Apex One |
| ApexOne - Device access permissions was changed | Medium | 📦 Trend Micro Apex One |
| ApexOne - Inbound remote access connection | High | 📦 Trend Micro Apex One |
| ApexOne - Multiple deny or terminate actions on single IP | High | 📦 Trend Micro Apex One |
| ApexOne - Possible exploit or execute operation | High | 📦 Trend Micro Apex One |
| ApexOne - Spyware with failed response | High | 📦 Trend Micro Apex One |
| ApexOne - Suspicious commandline arguments | High | 📦 Trend Micro Apex One |
| ApexOne - Suspicious connections | High | 📦 Trend Micro Apex One |
| API - Account Takeover | High | 📦 42Crunch API Protection |
| API - Anomaly Detection | Low | 📦 42Crunch API Protection |
| API - API Scraping | High | 📦 42Crunch API Protection |
| API - BOLA | Medium | 📦 42Crunch API Protection |
| API - Invalid host access | Low | 📦 42Crunch API Protection |
| API - JWT validation | Low | 📦 42Crunch API Protection |
| API - Kiterunner detection | Medium | 📦 42Crunch API Protection |
| API - Password Cracking | High | 📦 42Crunch API Protection |
| API - Rate limiting | Low | 📦 42Crunch API Protection |
| API - Rate limiting | Medium | 📦 42Crunch API Protection |
| API - Suspicious Login | High | 📦 42Crunch API Protection |
| App Gateway WAF - Scanner Detection | High | 📦 Azure Web Application Firewall (WAF) |
| App Gateway WAF - SQLi Detection | High | 📦 Azure Web Application Firewall (WAF) |
| App Gateway WAF - XSS Detection | High | 📦 Azure Web Application Firewall (WAF) |
| App GW WAF - Code Injection | High | 📦 Azure Web Application Firewall (WAF) |
| App GW WAF - Path Traversal Attack | High | 📦 Azure Web Application Firewall (WAF) |
| Application Gateway WAF - SQLi Detection | High | 📄 Standalone Content |
| Application Gateway WAF - XSS Detection | High | 📄 Standalone Content |
| Application Group Deleted | Informational | 📦 Veeam |
| Application Group Settings Updated | Informational | 📦 Veeam |
| Application ID URI Changed | Medium | 📄 Standalone Content |
| Application Redirect URL Update | Medium | 📄 Standalone Content |
| AppServices AV Scan Failure | Informational | 📄 Standalone Content |
| AppServices AV Scan with Infected Files | Informational | 📄 Standalone Content |
| Aqua Blizzard AV hits - Feb 2022 | High | 📦 MicrosoftDefenderForEndpoint |
| Archive Repository Deleted | High | 📦 Veeam |
| Archive Repository Settings Updated | Low | 📦 Veeam |
| ARGOS Cloud Security - Exploitable Cloud Resources | High | 📦 ARGOSCloudSecurity |
| Armorblox Needs Review Alert | Medium | 📦 Armorblox |
| ASR Bypassing Writing Executable Content | Medium | 📦 FalconFriday |
| Atlassian Beacon Alert | High | 📦 Integration for Atlassian Beacon |
| Attempt to bypass conditional access rule in Microsoft Entra ID | Low | 📦 Microsoft Entra ID |
| Attempt to Delete Backup Failed | High | 📦 Veeam |
| Attempt to Update Security Object Failed | High | 📦 Veeam |
| Attempts to sign in to disabled accounts | Medium | 📦 Microsoft Entra ID |
| Audit policy manipulation using auditpol utility | Medium | 📄 Standalone Content |
| Authentication Attempt from New Country | Medium | 📄 Standalone Content |
| Authentication Method Changed for Privileged Account | High | 📦 Business Email Compromise - Financial Fraud |
| Authentication Methods Changed for Privileged Account | High | 📦 Microsoft Entra ID |
| Authentications of Privileged Accounts Outside of Expected Controls | Medium | 📄 Standalone Content |
| Automatic image scanning disabled for ECR | Medium | 📦 Amazon Web Services |
| AV detections related to Dev-0530 actors | High | 📄 Standalone Content |
| AV detections related to Europium actors | High | 📄 Standalone Content |
| AV detections related to Hive Ransomware | High | 📄 Standalone Content |
| AV detections related to SpringShell Vulnerability | High | 📦 Microsoft Defender XDR |
| AV detections related to Tarrask malware | High | 📦 Microsoft Defender XDR |
| AV detections related to Ukraine threats | High | 📦 Microsoft Defender XDR |
| AV detections related to Zinc actors | High | 📦 Zinc Open Source |
| Awake Security - High Match Counts By Device | Medium | 📦 AristaAwakeSecurity |
| Awake Security - High Severity Matches By Device | Medium | 📦 AristaAwakeSecurity |
| Awake Security - Model With Multiple Destinations | Medium | 📦 AristaAwakeSecurity |
| AWS Config Service Resource Deletion Attempts | Low | 📦 Amazon Web Services |
| AWS Guard Duty Alert | Medium | 📦 Amazon Web Services |
| AWS role with admin privileges | High | 📦 Authomize |
| AWS role with shadow admin privileges | High | 📦 Authomize |
| AWS Security Hub - Detect CloudTrail trails lacking KMS encryption | Medium | 📦 AWS Security Hub |
| AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports | High | 📦 AWS Security Hub |
| AWS Security Hub - Detect IAM Policies allowing full administrative privileges | High | 📦 AWS Security Hub |
| AWS Security Hub - Detect IAM root user Access Key existence | High | 📦 AWS Security Hub |
| AWS Security Hub - Detect root user lacking MFA | High | 📦 AWS Security Hub |
| AWS Security Hub - Detect SQS Queue lacking encryption at rest | Medium | 📦 AWS Security Hub |
| AWS Security Hub - Detect SQS Queue policy allowing public access | High | 📦 AWS Security Hub |
| AWS Security Hub - Detect SSM documents public sharing enabled | High | 📦 AWS Security Hub |
| Azure DevOps Administrator Group Monitoring | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps Agent Pool Created Then Deleted | High | 📦 AzureDevOpsAuditing |
| Azure DevOps Audit Detection for known malicious tooling | High | 📦 AzureDevOpsAuditing |
| Azure DevOps Audit Stream Disabled | High | 📦 AzureDevOpsAuditing |
| Azure DevOps Build Variable Modified by New User | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps New Extension Added | Low | 📦 AzureDevOpsAuditing |
| Azure DevOps PAT used with Browser | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps Personal Access Token (PAT) misuse | High | 📦 AzureDevOpsAuditing |
| Azure DevOps Pipeline Created and Deleted on the Same Day | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps Pipeline modified by a new user | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps Pull Request Policy Bypassing - Historic allow list | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps Retention Reduced | Low | 📦 AzureDevOpsAuditing |
| Azure DevOps Service Connection Abuse | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps Service Connection Addition/Abuse - Historic allow list | Medium | 📦 AzureDevOpsAuditing |
| Azure DevOps Variable Secret Not Secured | Medium | 📦 AzureDevOpsAuditing |
| Azure Diagnostic settings removed from a resource | Medium | 📄 Standalone Content |
| Azure Key Vault access TimeSeries anomaly | Low | 📦 Azure Key Vault |
| Azure Machine Learning Write Operations | Low | 📦 Azure Activity |
| Azure Portal sign in from another Azure Tenant | Medium | 📦 Microsoft Entra ID |
| Azure RBAC (Elevate Access) | High | 📦 Microsoft Entra ID |
| Azure secure score admin MFA | High | 📦 SenservaPro |
| Azure secure score block legacy authentication | High | 📦 SenservaPro |
| Azure secure score MFA registration V2 | Medium | 📦 SenservaPro |
| Azure secure score one admin | High | 📦 SenservaPro |
| Azure secure score PW age policy new | Medium | 📦 SenservaPro |
| Azure secure score role overlap | Medium | 📦 SenservaPro |
| Azure Secure Score Self Service Password Reset | High | 📦 SenservaPro |
| Azure secure score sign in risk policy | Medium | 📦 SenservaPro |
| Azure secure score user risk policy | Medium | 📦 SenservaPro |
| Azure Security Benchmark Posture Changed | Medium | 📦 AzureSecurityBenchmark |
| Azure VM Run Command operation executed during suspicious login window | High | 📄 Standalone Content |
| Azure VM Run Command operations executing a unique PowerShell script | Medium | 📄 Standalone Content |
| Azure WAF matching for Log4j vuln(CVE-2021-44228) | High | 📦 Apache Log4j Vulnerability Detection |