| Rule name | Severity | Source |
|---|---|---|
| PAC high severity ⚠️ | High | 📦 Prancer PenSuiteAI Integration |
| Palo Alto - possible internal to external port scanning | Low | 📦 PaloAlto-PAN-OS |
| Palo Alto - possible nmap scan on with top 100 option | Medium | 📦 PaloAlto-PAN-OS |
| Palo Alto - potential beaconing detected | Low | 📦 Azure Cloud NGFW By Palo Alto Networks |
| Palo Alto - potential beaconing detected | Low | 📦 PaloAlto-PAN-OS |
| Palo Alto Prisma Cloud - Access keys are not rotated for 90 days | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Anomalous access key usage | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High risk score alert | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High severity alert opened for several days | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Inactive user | Low | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Maximum risk score alert | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Multiple failed logins for user | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow all outbound traffic | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic | Medium | 📦 PaloAltoPrismaCloud |
| Palo Alto Threat signatures from Unusual IP addresses | Medium | 📦 PaloAlto-PAN-OS |
| PaloAlto - Dropping or denying session with traffic | Medium | 📦 PaloAltoCDL |
| PaloAlto - File type changed | Medium | 📦 PaloAltoCDL |
| PaloAlto - Forbidden countries | Medium | 📦 PaloAltoCDL |
| PaloAlto - Inbound connection to high risk ports | Medium | 📦 PaloAltoCDL |
| PaloAlto - MAC address conflict | Low | 📦 PaloAltoCDL |
| PaloAlto - Possible attack without response | High | 📦 PaloAltoCDL |
| PaloAlto - Possible flooding | Medium | 📦 PaloAltoCDL |
| PaloAlto - Possible port scan | High | 📦 PaloAltoCDL |
| PaloAlto - Put and post method request in high risk file type | High | 📦 PaloAltoCDL |
| PaloAlto - User privileges was changed | Medium | 📦 PaloAltoCDL |
| Password Exfiltration over SCIM application | High | 📦 Authomize |
| Password spray attack against ADFSSignInLogs | Medium | 📦 Microsoft Entra ID |
| Password spray attack against Microsoft Entra ID application | Medium | 📦 Microsoft Entra ID |
| Password spray attack against Microsoft Entra ID Seamless SSO | Medium | 📦 Microsoft Entra ID |
| Password Spraying | Medium | 📦 FalconFriday |
| PE file dropped in Color Profile Folder | Medium | 📄 Standalone Content |
| Phishing link click observed in Network Traffic | Medium | 📄 Standalone Content |
| PIM Elevation Request Rejected | High | 📦 Microsoft Entra ID |
| Ping Federate - Abnormal password reset attempts | High | 📦 PingFederate |
| Ping Federate - Abnormal password resets for user | High | 📦 PingFederate |
| Ping Federate - Authentication from new IP. | Low | 📦 PingFederate |
| Ping Federate - Forbidden country | High | 📦 PingFederate |
| Ping Federate - New user SSO success login | Low | 📦 PingFederate |
| Ping Federate - OAuth old version | Medium | 📦 PingFederate |
| Ping Federate - Password reset request from unexpected source IP address.. | Medium | 📦 PingFederate |
| Ping Federate - SAML old version | Medium | 📦 PingFederate |
| Ping Federate - Unexpected authentication URL. | Medium | 📦 PingFederate |
| Ping Federate - Unexpected country for user | Medium | 📦 PingFederate |
| Ping Federate - Unusual mail domain. | Medium | 📦 PingFederate |
| PLC Stop Command (Microsoft Defender for IoT) | Medium | 📦 IoTOTThreatMonitoringwithDefenderforIoT |
| PLC unsecure key state (Microsoft Defender for IoT) | Low | 📦 IoTOTThreatMonitoringwithDefenderforIoT |
| Policy version set to default | Medium | 📦 Amazon Web Services |
| Port Scan | Medium | 📦 Azure Firewall |
| Port Scan Detected | Medium | 📦 Sophos XG Firewall |
| Port scan detected (ASIM Network Session schema) | Medium | 📦 Network Session Essentials |
| Port Sweep | Medium | 📦 Azure Firewall |
| Possible AiTM Phishing Attempt Against Microsoft Entra ID | Medium | 📦 SecurityThreatEssentialSolution |
| Possible contact with a domain generated by a DGA | Medium | 📄 Standalone Content |
| Possible Forest Blizzard attempted credential harvesting - Sept 2020 ⚠️ | - | 📦 Microsoft 365 |
| Possible Phishing with CSL and Network Sessions | Medium | 📦 Microsoft Defender XDR |
| Possible Resource-Based Constrained Delegation Abuse | Medium | 📄 Standalone Content |
| Possible SignIn from Azure Backdoor | Medium | 📦 Microsoft Entra ID |
| Potential beaconing activity (ASIM Network Session schema) | Low | 📦 Network Session Essentials |
| Potential Build Process Compromise | Medium | 📄 Standalone Content |
| Potential Build Process Compromise - MDE | Medium | 📦 Microsoft Defender XDR |
| Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) | Medium | 📄 Standalone Content |
| Potential DGA detected | Medium | 📦 Windows Server DNS |
| Potential DGA detected (ASIM DNS Schema) | Medium | 📄 Standalone Content |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) | Medium | 📦 DNS Essentials |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) | Medium | 📦 DNS Essentials |
| Potential DHCP Starvation Attack | Medium | 📦 Infoblox NIOS |
| Potential Fodhelper UAC Bypass | Medium | 📦 Windows Security Events |
| Potential Fodhelper UAC Bypass (ASIM Version) | Medium | 📄 Standalone Content |
| Potential Kerberoasting | Medium | 📄 Standalone Content |
| Potential Password Spray Attack | Medium | 📦 Okta Single Sign-On |
| Potential Password Spray Attack | Medium | 📦 Salesforce Service Cloud |
| Potential Password Spray Attack (Uses Authentication Normalization) | Medium | 📄 Standalone Content |
| Potential Ransomware activity related to Cobalt Strike | High | 📦 Microsoft Defender XDR |
| Potential re-named sdelete usage | Low | 📦 Windows Security Events |
| Potential re-named sdelete usage (ASIM Version) | Low | 📄 Standalone Content |
| Potential Remote Desktop Tunneling | Medium | 📦 Endpoint Threat Protection Essentials |
| Power Apps - App activity from unauthorized geo | Low | 📦 Microsoft Business Applications |
| Power Apps - Bulk sharing of Power Apps to newly created guest users | Medium | 📦 Microsoft Business Applications |
| Power Apps - Multiple apps deleted | Medium | 📦 Microsoft Business Applications |
| Power Apps - Multiple users access a malicious link after launching new app | High | 📦 Microsoft Business Applications |
| Power Automate - Departing employee flow activity | High | 📦 Microsoft Business Applications |
| Power Automate - Unusual bulk deletion of flow resources | Medium | 📦 Microsoft Business Applications |
| Power Platform - Account added to privileged Microsoft Entra roles | Low | 📦 Microsoft Business Applications |
| Power Platform - Connector added to a sensitive environment | Low | 📦 Microsoft Business Applications |
| Power Platform - DLP policy updated or removed | Low | 📦 Microsoft Business Applications |
| Power Platform - Possibly compromised user accesses Power Platform services | High | 📦 Microsoft Business Applications |
| Powershell Empire Cmdlets Executed in Command Line | Medium | 📦 Attacker Tools Threat Protection Essentials |
| Preferred Networks Deleted | Informational | 📦 Veeam |
| Prestige ransomware IOCs Oct 2022 | High | 📄 Standalone Content |
| Preview - TI map Domain entity to Cloud App Events | Medium | 📦 Threat Intelligence |
| Preview - TI map Email entity to Cloud App Events | Medium | 📦 Threat Intelligence |
| Preview - TI map IP entity to Cloud App Events | Medium | 📦 Threat Intelligence |
| Preview - TI map URL entity to Cloud App Events | Medium | 📦 Threat Intelligence |
| Privilege escalation via CloudFormation policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via CRUD DynamoDB policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via CRUD IAM policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via CRUD KMS policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via CRUD Lambda policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via CRUD S3 policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via DataPipeline policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via EC2 policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via Glue policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via Lambda policy | Medium | 📦 Amazon Web Services |
| Privilege escalation via SSM policy | Medium | 📦 Amazon Web Services |
| Privilege escalation with admin managed policy | Medium | 📦 Amazon Web Services |
| Privilege escalation with AdministratorAccess managed policy | Medium | 📦 Amazon Web Services |
| Privilege escalation with FullAccess managed policy | Medium | 📦 Amazon Web Services |
| Privileged Account Permissions Changed | Medium | 📦 Business Email Compromise - Financial Fraud |
| Privileged Accounts - Sign in Failure Spikes | High | 📦 Microsoft Entra ID |
| Privileged Machines Exposed to the Internet | High | 📦 Authomize |
| Privileged Role Assigned Outside PIM | Low | 📦 Microsoft Entra ID |
| Privileged User Logon from new ASN | Medium | 📄 Standalone Content |
| Probable AdFind Recon Tool Usage | High | 📦 Attacker Tools Threat Protection Essentials |
| Probable AdFind Recon Tool Usage (Normalized Process Events) | High | 📄 Standalone Content |
| Process Creation with Suspicious CommandLine Arguments | Medium | 📦 Malware Protection Essentials |
| Process executed from binary hidden in Base64 encoded file | Medium | 📦 Endpoint Threat Protection Essentials |
| Process Execution Frequency Anomaly | Medium | 📦 Windows Security Events |
| Process-Level Anomaly | Medium | 📦 Morphisec |
| Progress MOVEIt File transfer above threshold ⚠️ | Medium | 📦 Windows Forwarded Events |
| Progress MOVEIt File transfer folder count above threshold ⚠️ | Medium | 📦 Windows Forwarded Events |
| ProofpointPOD - Binary file in attachment | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Email sender in TI list | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Email sender IP in TI list | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - High risk message not discarded | Low | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Multiple archived attachments to the same recipient | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Multiple large emails to the same recipient | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Multiple protected emails to unknown recipient | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Possible data exfiltration to private email | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Suspicious attachment | Medium | 📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Weak ciphers | Low | 📦 Proofpoint On demand(POD) Email Security |
| Protection Group Deleted | High | 📦 Veeam |
| Protection Group Settings Updated | Informational | 📦 Veeam |
| PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack | High | 📄 Standalone Content |
| PulseConnectSecure - Large Number of Distinct Failed User Logins | Medium | 📦 Pulse Connect Secure |
| PulseConnectSecure - Potential Brute Force Attempts | Low | 📦 Pulse Connect Secure |
| Pure Controller Failed | High | 📦 Pure Storage |
| Pure Failed Login | High | 📦 Pure Storage |