| Name | Severity | Source |
|---|---|---|
| Gain Code Execution on ADFS Server via Remote WMI Execution | Medium | 📄 Standalone Content |
| Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task | Medium | 📦 Windows Security Events |
| GCP Audit Logs - Data Access Logging Exemption Added for Principal | High | 📦 Google Cloud Platform Audit Logs |
| GCP Audit Logs - Detect Bulk VM Snapshot Deletion | High | 📦 Google Cloud Platform Audit Logs |
| GCP Audit Logs - Detect Organization Policy Deletion or Updation | High | 📦 Google Cloud Platform Audit Logs |
| GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone | High | 📦 Google Cloud Platform Audit Logs |
| GCP Audit Logs - Open Firewall Rule Created or Modified | High | 📦 Google Cloud Platform Audit Logs |
| GCP Audit Logs - Storage Bucket Made Public | High | 📦 Google Cloud Platform Audit Logs |
| GCP Audit Logs - VPC Flow Logs Disabled | High | 📦 Google Cloud Platform Audit Logs |
| GCP IAM - Disable Data Access Logging | Medium | 📦 GoogleCloudPlatformIAM |
| GCP IAM - Empty user agent | Medium | 📦 GoogleCloudPlatformIAM |
| GCP IAM - High privileged role added to service account | High | 📦 GoogleCloudPlatformIAM |
| GCP IAM - New Authentication Token for Service Account | Medium | 📦 GoogleCloudPlatformIAM |
| GCP IAM - New Service Account | Low | 📦 GoogleCloudPlatformIAM |
| GCP IAM - New Service Account Key | Low | 📦 GoogleCloudPlatformIAM |
| GCP IAM - Privileges Enumeration | Low | 📦 GoogleCloudPlatformIAM |
| GCP IAM - Publicly exposed storage bucket | Medium | 📦 GoogleCloudPlatformIAM |
| GCP IAM - Service Account Enumeration | Low | 📦 GoogleCloudPlatformIAM |
| GCP IAM - Service Account Keys Enumeration | Low | 📦 GoogleCloudPlatformIAM |
| GCP Security Command Center - Detect DNSSEC disabled for DNS zones | Medium | 📦 Google Cloud Platform Security Command Center |
| GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports | High | 📦 Google Cloud Platform Security Command Center |
| GCP Security Command Center - Detect Open/Unrestricted API Keys | Medium | 📦 Google Cloud Platform Security Command Center |
| GCP Security Command Center - Detect projects with API Keys present | Medium | 📦 Google Cloud Platform Security Command Center |
| GCP Security Command Center - Detect Resources with Logging Disabled | Medium | 📦 Google Cloud Platform Security Command Center |
| General Settings Updated | Informational | 📦 Veeam |
| Generate alerts based on ExtraHop detections recommended for triage | Medium | 📦 ExtraHop |
| GitHub - A payment method was removed | Medium | 📦 GitHub |
| GitHub - Oauth application - a client secret was removed | Medium | 📦 GitHub |
| GitHub - pull request was created | Medium | 📦 GitHub |
| GitHub - pull request was merged | Medium | 📦 GitHub |
| GitHub - Repository was created | Medium | 📦 GitHub |
| GitHub - Repository was destroyed | Medium | 📦 GitHub |
| GitHub - User visibility Was changed | Medium | 📦 GitHub |
| GitHub - User was added to the organization | Medium | 📦 GitHub |
| GitHub - User was blocked | Medium | 📦 GitHub |
| GitHub - User was invited to the repository | Medium | 📦 GitHub |
| GitHub Activites from a New Country | Medium | 📦 GitHub |
| GitHub Security Vulnerability in Repository | Informational | 📦 GitHub |
| GitHub Signin Burst from Multiple Locations | Medium | 📦 Microsoft Entra ID |
| GitHub Two Factor Auth Disable | Medium | 📦 GitHub |
| GitLab - Abnormal number of repositories deleted | Medium | 📦 GitLab |
| GitLab - Brute-force Attempts | Medium | 📦 GitLab |
| GitLab - External User Added to GitLab | Medium | 📦 GitLab |
| GitLab - Local Auth - No MFA | Medium | 📦 GitLab |
| GitLab - Personal Access Tokens creation over time | Medium | 📦 GitLab |
| GitLab - Repository visibility to Public | Medium | 📦 GitLab |
| GitLab - SSO - Sign-Ins Burst | Medium | 📦 GitLab |
| GitLab - TI - Connection from Malicious IP | Medium | 📦 GitLab |
| GitLab - User Impersonation | Medium | 📦 GitLab |
| Global Network Traffic Rules Deleted | Low | 📦 Veeam |
| Global VM Exclusions Added | High | 📦 Veeam |
| Global VM Exclusions Changed | High | 📦 Veeam |
| Global VM Exclusions Deleted | Low | 📦 Veeam |
| Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern | High | 📦 GoogleCloudPlatformDNS |
| Google DNS - CVE-2021-34527 (PrintNightmare) external exploit | High | 📦 GoogleCloudPlatformDNS |
| Google DNS - CVE-2021-40444 exploitation | High | 📦 GoogleCloudPlatformDNS |
| Google DNS - Exchange online autodiscover abuse | Medium | 📦 GoogleCloudPlatformDNS |
| Google DNS - IP check activity | Medium | 📦 GoogleCloudPlatformDNS |
| Google DNS - Malicous Python packages | High | 📦 GoogleCloudPlatformDNS |
| Google DNS - Multiple errors for source | Medium | 📦 GoogleCloudPlatformDNS |
| Google DNS - Multiple errors to same domain | Medium | 📦 GoogleCloudPlatformDNS |
| Google DNS - Possible data exfiltration | High | 📦 GoogleCloudPlatformDNS |
| Google DNS - Request to dynamic DNS service | Medium | 📦 GoogleCloudPlatformDNS |
| Google DNS - UNC2452 (Nobelium) APT Group activity | High | 📦 GoogleCloudPlatformDNS |
| Google Threat Intelligence - Threat Hunting Domain | Medium | 📦 Google Threat Intelligence |
| Google Threat Intelligence - Threat Hunting Hash | Medium | 📦 Google Threat Intelligence |
| Google Threat Intelligence - Threat Hunting IP | Medium | 📦 Google Threat Intelligence |
| Google Threat Intelligence - Threat Hunting Url | Medium | 📦 Google Threat Intelligence |
| GreyNoise TI Map IP Entity to CommonSecurityLog | Medium | 📦 GreyNoiseThreatIntelligence |
| GreyNoise TI Map IP Entity to DnsEvents | Medium | 📦 GreyNoiseThreatIntelligence |
| GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema) | Medium | 📦 GreyNoiseThreatIntelligence |
| GreyNoise TI map IP entity to OfficeActivity | Medium | 📦 GreyNoiseThreatIntelligence |
| GreyNoise TI Map IP Entity to SigninLogs | Medium | 📦 GreyNoiseThreatIntelligence |
| Group created then added to built in domain local or global group | Medium | 📄 Standalone Content |
| GSA - Detect Abnormal Deny Rate for Source to Destination IP | Medium | 📦 Global Secure Access |
| GSA - Detect Connections Outside Operational Hours | High | 📦 Global Secure Access |
| GSA - Detect Protocol Changes for Destination Ports | Medium | 📦 Global Secure Access |
| GSA - Detect Source IP Scanning Multiple Open Ports | Medium | 📦 Global Secure Access |
| GSA - TI Domain Entity | Medium | 📦 Global Secure Access |
| GSA - TI IP Entity | Medium | 📦 Global Secure Access |
| GSA - TI URL Entity | Medium | 📦 Global Secure Access |
| GuardDuty detector disabled or suspended | High | 📦 Amazon Web Services |
| Guardian- Additional check JSON Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guardian- Ban Topic Policy Violation Detection | Medium | 📦 AIShield AI Security Monitoring |
| Guardian- BII Detection Policy Violation Detection | High | 📦 AIShield AI Security Monitoring |
| Guardian- Block Competitor Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Blocks specific strings of text Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Code Detection Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Content Access Control Allowed List Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Content Access Control Blocked List Policy Violation Detection | Medium | 📦 AIShield AI Security Monitoring |
| Guardian- Content Safety Profanity Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Content Safety Toxicity Policy Violation Detection. | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Gender Bias Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Input Output Relevance Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guardian- Input Rate Limiter Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guardian- Invisible Text Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Language Detection Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guardian- Malicious URL Policy Violation Detection | Medium | 📦 AIShield AI Security Monitoring |
| Guardian- No LLM Output Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Not Safe For Work Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Privacy Protection PII Policy Violation Detection | High | 📦 AIShield AI Security Monitoring |
| Guardian- Racial Bias Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Regex Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Same Input/Output Language Detection Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guardian- Secrets Policy Violation Detection | Medium | 📦 AIShield AI Security Monitoring |
| Guardian- Security Integrity Checks Prompt Injection Policy Violation Detection | High | 📦 AIShield AI Security Monitoring |
| Guardian- Sentiment Policy Violation Detection | Low | 📦 AIShield AI Security Monitoring |
| Guardian- Special PII Detection Policy Violation Detection | High | 📦 AIShield AI Security Monitoring |
| Guardian- Token Limit Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guardian- URL Detection Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guardian- URL Reachability Policy Violation Detection | Informational | 📦 AIShield AI Security Monitoring |
| Guest accounts added in Entra ID Groups other than the ones specified | High | 📦 Microsoft Entra ID |
| Guest Users Invited to Tenant by New Inviters | Medium | 📄 Standalone Content |
| GWorkspace - Admin permissions granted | High | 📦 GoogleWorkspaceReports |
| GWorkspace - Alert events | High | 📦 GoogleWorkspaceReports |
| GWorkspace - An Outbound Relay has been added to a G Suite Domain | Medium | 📦 GoogleWorkspaceReports |
| GWorkspace - API Access Granted | Medium | 📦 GoogleWorkspaceReports |
| GWorkspace - Multiple user agents for single source | Medium | 📦 GoogleWorkspaceReports |
| GWorkspace - Possible brute force attack | Medium | 📦 GoogleWorkspaceReports |
| GWorkspace - Possible maldoc file name in Google drive | Medium | 📦 GoogleWorkspaceReports |
| GWorkspace - Two-step authentification disabled for a user | Medium | 📦 GoogleWorkspaceReports |
| GWorkspace - Unexpected OS update | Medium | 📦 GoogleWorkspaceReports |
| GWorkspace - User access has been changed | Low | 📦 GoogleWorkspaceReports |