| NDMP Server Deleted | Informational | 📦 Veeam |
| NetClean ProActive Incidents | High | 📦 NetClean ProActive |
| Netskope - Anomalous User Behavior (High Volume from Unmanaged Device) | Medium | 📦 NetskopeWebTx |
| Netskope - Data Movement Tracking (Upload/Download Monitoring) | Informational | 📦 NetskopeWebTx |
| Netskope - Excessive Downloads Detection (Spike vs Baseline) | Medium | 📦 NetskopeWebTx |
| Netskope - Heavy Personal Cloud Storage Usage (Shadow IT) | Medium | 📦 NetskopeWebTx |
| Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour) | High | 📦 NetskopeWebTx |
| Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP) | High | 📦 NetskopeWebTx |
| Netskope - New Risky App Access vs 7-Day Baseline | Medium | 📦 NetskopeWebTx |
| Netskope - Repeated or Critical Policy Violations | High | 📦 NetskopeWebTx |
| Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports) | Medium | 📦 NetskopeWebTx |
| Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT) | Medium | 📦 NetskopeWebTx |
| Netskope - WebTransaction Error Detection | Medium | 📦 Netskopev2 |
| Network ACL with all the open ports to a specified CIDR | High | 📦 Amazon Web Services |
| Network endpoint to host executable correlation | Medium | 📦 Network Threat Protection Essentials |
| Network Port Sweep from External Network (ASIM Network Session schema) | High | 📦 Network Session Essentials |
| NetworkSecurityGroups Alert From Prancer ⚠️ | High | 📦 Prancer PenSuiteAI Integration |
| New access credential added to Application or Service Principal | Medium | 📦 Microsoft Entra ID |
| New Agent Added to Pool by New User or Added to a New OS Type | Medium | 📦 AzureDevOpsAuditing |
| New CloudShell User | Low | 📦 Azure Activity |
| New country signIn with correct password | Medium | 📄 Standalone Content |
| New Device/Location sign-in along with critical operation | Medium | 📦 Okta Single Sign-On |
| New direct access policy was granted against organizational policy | Low | 📦 Authomize |
| New EXE deployed via Default Domain or Default Domain Controller Policies | High | 📦 Windows Security Events |
| New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) | High | 📄 Standalone Content |
| New executable via Office FileUploaded Operation | Low | 📦 Microsoft 365 |
| New External User Granted Admin Role | Medium | 📦 Cloud Identity Threat Protection Essentials |
| New High Severity Vulnerability Detected Across Multiple Hosts | Medium | 📦 QualysVM |
| New onmicrosoft domain added to tenant | Medium | 📦 Microsoft Entra ID |
| New PA, PCA, or PCAS added to Azure DevOps | Medium | 📦 AzureDevOpsAuditing |
| New service account gained access to IaaS resource | Informational | 📦 Authomize |
| New Sonrai Ticket | Medium | 📦 SonraiSecurity |
| New User Assigned to Privileged Role | High | 📦 Microsoft Entra ID |
| New user created and added to the built-in administrators group | Low | 📄 Standalone Content |
| New UserAgent observed in last 24 hours | Low | 📦 Network Threat Protection Essentials |
| NGINX - Command in URI | High | 📦 NGINX HTTP Server |
| NGINX - Core Dump | High | 📦 NGINX HTTP Server |
| NGINX - Known malicious user agent | High | 📦 NGINX HTTP Server |
| NGINX - Multiple client errors from single IP address | Medium | 📦 NGINX HTTP Server |
| NGINX - Multiple server errors from single IP address | Medium | 📦 NGINX HTTP Server |
| NGINX - Multiple user agents for single source | Medium | 📦 NGINX HTTP Server |
| NGINX - Private IP address in URL | Medium | 📦 NGINX HTTP Server |
| NGINX - Put file and get file from same IP address | Medium | 📦 NGINX HTTP Server |
| NGINX - Request to sensitive files | Medium | 📦 NGINX HTTP Server |
| NGINX - Sql injection patterns | High | 📦 NGINX HTTP Server |
| Ngrok Reverse Proxy on Network (ASIM DNS Solution) | Medium | 📦 DNS Essentials |
| NIST SP 800-53 Posture Changed | Medium | 📦 NISTSP80053 |
| No traffic on Sensor Detected (Microsoft Defender for IoT) | High | 📦 IoTOTThreatMonitoringwithDefenderforIoT |
| Non Domain Controller Active Directory Replication | High | 📦 Windows Security Events |
| Non-admin guest | Low | 📦 SenservaPro |
| NordPass - Activity token revocation | Medium | 📦 NordPass |
| NordPass - Declined invitation | Low | 📦 NordPass |
| NordPass - Deleting items of deleted member | High | 📦 NordPass |
| NordPass - Domain data detected in breach | High | 📦 NordPass |
| NordPass - Manual invitation, suspension, or deletion | Medium | 📦 NordPass |
| NordPass - User data detected in breach | High | 📦 NordPass |
| NordPass - User deletes items in bulk | High | 📦 NordPass |
| NordPass - User fails authentication | High | 📦 NordPass |
| NordPass - Vault export | High | 📦 NordPass |
| NRT Authentication Methods Changed for VIP Users | Medium | 📦 Microsoft Entra ID |
| NRT Azure DevOps Audit Stream Disabled | High | 📦 AzureDevOpsAuditing |
| NRT Base64 Encoded Windows Process Command-lines | Medium | 📦 Windows Security Events |
| NRT Creation of expensive computes in Azure | Medium | 📦 Azure Activity |
| NRT DNS events related to mining pools | Low | 📦 Windows Server DNS |
| NRT First access credential added to Application or Service Principal where no credential was present | Medium | 📦 Microsoft Entra ID |
| NRT GitHub Two Factor Auth Disable | Medium | 📦 GitHub |
| NRT Login to AWS Management Console without MFA | Low | 📦 Amazon Web Services |
| NRT Malicious Inbox Rule | Medium | 📄 Standalone Content |
| NRT Microsoft Entra ID Hybrid Health AD FS New Server | Medium | 📦 Azure Activity |
| NRT Modified domain federation trust settings | High | 📦 Microsoft Entra ID |
| NRT Multiple users email forwarded to same destination | Medium | 📄 Standalone Content |
| NRT New access credential added to Application or Service Principal | Medium | 📦 Microsoft Entra ID |
| NRT PIM Elevation Request Rejected | High | 📦 Microsoft Entra ID |
| NRT Privileged Role Assigned Outside PIM | Low | 📦 Microsoft Entra ID |
| NRT Process executed from binary hidden in Base64 encoded file | Medium | 📦 Windows Security Events |
| NRT Security Event log cleared | Medium | 📦 Windows Security Events |
| NRT Sensitive Azure Key Vault operations | Low | 📦 Azure Key Vault |
| NRT Squid proxy events related to mining pools | Low | 📦 Syslog |
| NRT User added to Microsoft Entra ID Privileged Groups | Medium | 📦 Microsoft Entra ID |