| PAC high severity |
High |
📦 Prancer PensuiteAI Integration |
| Palo Alto - possible internal to external port scanning |
Low |
📦 PaloAlto-PAN-OS |
| Palo Alto - possible nmap scan on with top 100 option |
Medium |
📦 PaloAlto-PAN-OS |
| Palo Alto - potential beaconing detected |
Low |
📦 Azure Cloud NGFW By Palo Alto Networks |
| Palo Alto - potential beaconing detected |
Low |
📦 PaloAlto-PAN-OS |
| Palo Alto Prisma Cloud - Access keys are not rotated for 90 days |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Anomalous access key usage |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High risk score alert |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - High severity alert opened for several days |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Inactive user |
Low |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Maximum risk score alert |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Multiple failed logins for user |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow all outbound traffic |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic |
Medium |
📦 PaloAltoPrismaCloud |
| Palo Alto Threat signatures from Unusual IP addresses |
Medium |
📦 PaloAlto-PAN-OS |
| PaloAlto - Dropping or denying session with traffic |
Medium |
📦 PaloAltoCDL |
| PaloAlto - File type changed |
Medium |
📦 PaloAltoCDL |
| PaloAlto - Forbidden countries |
Medium |
📦 PaloAltoCDL |
| PaloAlto - Inbound connection to high risk ports |
Medium |
📦 PaloAltoCDL |
| PaloAlto - MAC address conflict |
Low |
📦 PaloAltoCDL |
| PaloAlto - Possible attack without response |
High |
📦 PaloAltoCDL |
| PaloAlto - Possible flooding |
Medium |
📦 PaloAltoCDL |
| PaloAlto - Possible port scan |
High |
📦 PaloAltoCDL |
| PaloAlto - Put and post method request in high risk file type |
High |
📦 PaloAltoCDL |
| PaloAlto - User privileges was changed |
Medium |
📦 PaloAltoCDL |
| Password Exfiltration over SCIM application |
High |
📦 Authomize |
| Password spray attack against ADFSSignInLogs |
Medium |
📦 Microsoft Entra ID |
| Password spray attack against Microsoft Entra ID application |
Medium |
📦 Microsoft Entra ID |
| Password spray attack against Microsoft Entra ID Seamless SSO |
Medium |
📦 Microsoft Entra ID |
| Password Spraying |
Medium |
📦 FalconFriday |
| Pathlock TDnR - ABAP Runtime Dumps |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - ABAP Source Code Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Authorization Check Value Changes (SU24) |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Authorization Profile Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Authorization Role Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Bank Master Data Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Business Partner Bank Data Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Credit Card Data Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Critical File Integrity Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - CUA Settings Changes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Database Cockpit Audit Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - DDIC Table Utility Changes (SE14) |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Debitor Change Documents |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Dynamic Access Control Events |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Emergency User (AdminTrack) Activity |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Function Module Tested in Production |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - G/L Account Changes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Generic SAP Change Documents |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Generic Table Content Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Global System Change Setting Events |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - GRC Access Control Change Documents |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - HANA Standalone DB Connection Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - HR User Master Change Requests |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - IBAN Change Documents |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - ICF Web Service Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - ICM Security Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - J2EE Security Audit Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - J2EE Security Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Kerberos Keytab Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - LDAP Synchronization Application Log Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Logical OS Command Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Missing SAP Security Notes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Multiple Login Sessions Detected |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - OData Application Log Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Outbound SAP SMTP Email |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Outgoing Spool Print Job Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Pathlock Security Radar Internal Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Payment Request Changes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - RFC Connection Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - RiskTrack Audit Results |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Authorization Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Batch Job Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP BTP Cloud Foundry Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Client Configuration Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Cloud Account Administration Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Cloud Connector Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Download Observer Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP HANA Database Audit Trail |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP HANA Parameter Changes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP HTTP Webserver Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Instance Profile Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Public Cloud Security Audit Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Read Access Logging Audit |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Read Access Logging Data |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP RFC Gateway Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Router Log Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Security Audit Log Events |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP System Job Monitoring Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP System Log Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SAP Web Dispatcher HTTP Events |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SE16N Direct Table Change Documents |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Spool Job Changes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - STRUST PSE Certificate Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - SU24 Table USOBT_C Changes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - SU24 Table USOBX_C Changes |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - Switchable Authorization Design Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Switchable Authorization Runtime Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - System Security Policy Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Table Parameter Setting Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - TMS Transport and Import Events |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Transaction and Report Statistics |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - User Access Management Password Resets |
Medium |
📦 Pathlock_TDnR |
| Pathlock TDnR - User Authorization Buffer Manipulation |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - User Master Data Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - User-Profile Assignment Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - User-Role Assignment Changes |
High |
📦 Pathlock_TDnR |
| Pathlock TDnR - Vendor Change Documents |
Medium |
📦 Pathlock_TDnR |
| PE file dropped in Color Profile Folder |
Medium |
📄 Standalone Content |
| Phishing link click observed in Network Traffic |
Medium |
📄 Standalone Content |
| PIM Elevation Request Rejected |
High |
📦 Microsoft Entra ID |
| Ping Federate - Abnormal password reset attempts |
High |
📦 PingFederate |
| Ping Federate - Abnormal password resets for user |
High |
📦 PingFederate |
| Ping Federate - Authentication from new IP. |
Low |
📦 PingFederate |
| Ping Federate - Forbidden country |
High |
📦 PingFederate |
| Ping Federate - New user SSO success login |
Low |
📦 PingFederate |
| Ping Federate - OAuth old version |
Medium |
📦 PingFederate |
| Ping Federate - Password reset request from unexpected source IP address.. |
Medium |
📦 PingFederate |
| Ping Federate - SAML old version |
Medium |
📦 PingFederate |
| Ping Federate - Unexpected authentication URL. |
Medium |
📦 PingFederate |
| Ping Federate - Unexpected country for user |
Medium |
📦 PingFederate |
| Ping Federate - Unusual mail domain. |
Medium |
📦 PingFederate |
| PLC Stop Command (Microsoft Defender for IoT) |
Medium |
📦 IoTOTThreatMonitoringwithDefenderforIoT |
| PLC unsecure key state (Microsoft Defender for IoT) |
Low |
📦 IoTOTThreatMonitoringwithDefenderforIoT |
| Port Scan |
Medium |
📦 Azure Firewall |
| Port Scan Detected |
Medium |
📦 Sophos XG Firewall |
| Port scan detected (ASIM Network Session schema) |
Medium |
📦 Network Session Essentials |
| Port Sweep |
Medium |
📦 Azure Firewall |
| Possible AiTM Phishing Attempt Against Microsoft Entra ID |
Medium |
📦 SecurityThreatEssentialSolution |
| Possible contact with a domain generated by a DGA |
Medium |
📄 Standalone Content |
| Possible Forest Blizzard attempted credential harvesting - Sept 2020 ⚠️ |
- |
📦 Microsoft 365 |
| Possible Phishing with CSL and Network Sessions |
Medium |
📦 Microsoft Defender XDR |
| Possible Resource-Based Constrained Delegation Abuse |
Medium |
📄 Standalone Content |
| Possible SignIn from Azure Backdoor |
Medium |
📦 Microsoft Entra ID |
| Potential beaconing activity (ASIM Network Session schema) |
Low |
📦 Network Session Essentials |
| Potential Build Process Compromise |
Medium |
📄 Standalone Content |
| Potential Build Process Compromise - MDE |
Medium |
📦 Microsoft Defender XDR |
| Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) |
Medium |
📄 Standalone Content |
| Potential DGA detected |
Medium |
📦 Windows Server DNS |
| Potential DGA detected (ASIM DNS Schema) |
Medium |
📄 Standalone Content |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) |
Medium |
📦 DNS Essentials |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) |
Medium |
📦 DNS Essentials |
| Potential DHCP Starvation Attack |
Medium |
📦 Infoblox NIOS |
| Potential Fodhelper UAC Bypass |
Medium |
📦 Windows Security Events |
| Potential Fodhelper UAC Bypass (ASIM Version) |
Medium |
📄 Standalone Content |
| Potential Kerberoasting |
Medium |
📄 Standalone Content |
| Potential Password Spray Attack |
Medium |
📦 Okta Single Sign-On |
| Potential Password Spray Attack |
Medium |
📦 Salesforce Service Cloud |
| Potential Password Spray Attack (Uses Authentication Normalization) |
Medium |
📄 Standalone Content |
| Potential Ransomware activity related to Cobalt Strike |
High |
📦 Microsoft Defender XDR |
| Potential re-named sdelete usage |
Low |
📦 Windows Security Events |
| Potential re-named sdelete usage (ASIM Version) |
Low |
📄 Standalone Content |
| Potential Remote Desktop Tunneling |
Medium |
📦 Endpoint Threat Protection Essentials |
| Power Apps - App activity from unauthorized geo |
Low |
📦 Microsoft Business Applications |
| Power Apps - Bulk sharing of Power Apps to newly created guest users |
Medium |
📦 Microsoft Business Applications |
| Power Apps - Multiple apps deleted |
Medium |
📦 Microsoft Business Applications |
| Power Apps - Multiple users access a malicious link after launching new app |
High |
📦 Microsoft Business Applications |
| Power Automate - Departing employee flow activity |
High |
📦 Microsoft Business Applications |
| Power Automate - Unusual bulk deletion of flow resources |
Medium |
📦 Microsoft Business Applications |
| Power Platform - Account added to privileged Microsoft Entra roles |
Low |
📦 Microsoft Business Applications |
| Power Platform - Connector added to a sensitive environment |
Low |
📦 Microsoft Business Applications |
| Power Platform - DLP policy updated or removed |
Low |
📦 Microsoft Business Applications |
| Power Platform - Possibly compromised user accesses Power Platform services |
High |
📦 Microsoft Business Applications |
| Powershell Empire Cmdlets Executed in Command Line |
Medium |
📦 Attacker Tools Threat Protection Essentials |
| Preferred Networks Deleted |
Informational |
📦 Veeam |
| Prestige ransomware IOCs Oct 2022 |
High |
📄 Standalone Content |
| Preview - TI map Domain entity to Cloud App Events |
Medium |
📦 Threat Intelligence |
| Preview - TI map Email entity to Cloud App Events |
Medium |
📦 Threat Intelligence |
| Preview - TI map IP entity to Cloud App Events |
Medium |
📦 Threat Intelligence |
| Preview - TI map URL entity to Cloud App Events |
Medium |
📦 Threat Intelligence |
| Privileged Account Permissions Changed |
Medium |
📦 Business Email Compromise - Financial Fraud |
| Privileged Accounts - Sign in Failure Spikes |
High |
📦 Microsoft Entra ID |
| Privileged Machines Exposed to the Internet |
High |
📦 Authomize |
| Privileged Role Assigned Outside PIM |
Low |
📦 Microsoft Entra ID |
| Privileged User Logon from new ASN |
Medium |
📄 Standalone Content |
| Probable AdFind Recon Tool Usage |
High |
📦 Attacker Tools Threat Protection Essentials |
| Probable AdFind Recon Tool Usage (Normalized Process Events) |
High |
📄 Standalone Content |
| Process Creation with Suspicious CommandLine Arguments |
Medium |
📦 Malware Protection Essentials |
| Process executed from binary hidden in Base64 encoded file |
Medium |
📦 Endpoint Threat Protection Essentials |
| Process Execution Frequency Anomaly |
Medium |
📦 Windows Security Events |
| Process-Level Anomaly |
Medium |
📦 Morphisec |
| Progress MOVEIt File transfer above threshold ⚠️ |
Medium |
📦 Windows Forwarded Events |
| Progress MOVEIt File transfer folder count above threshold ⚠️ |
Medium |
📦 Windows Forwarded Events |
| ProofpointPOD - Binary file in attachment |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Email sender in TI list |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Email sender IP in TI list |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - High risk message not discarded |
Low |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Multiple archived attachments to the same recipient |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Multiple large emails to the same recipient |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Multiple protected emails to unknown recipient |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Possible data exfiltration to private email |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Suspicious attachment |
Medium |
📦 Proofpoint On demand(POD) Email Security |
| ProofpointPOD - Weak ciphers |
Low |
📦 Proofpoint On demand(POD) Email Security |
| Protection Group Deleted |
High |
📦 Veeam |
| Protection Group Settings Updated |
Informational |
📦 Veeam |
| PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack |
High |
📄 Standalone Content |
| PulseConnectSecure - Large Number of Distinct Failed User Logins |
Medium |
📦 Pulse Connect Secure |
| PulseConnectSecure - Potential Brute Force Attempts |
Low |
📦 Pulse Connect Secure |
| Pure Controller Failed |
High |
📦 Pure Storage |
| Pure Failed Login |
High |
📦 Pure Storage |