| Rule | Severity | Source |
| --- | --- | --- |
| S3 bucket access point publicly exposed | Medium | 📦 Amazon Web Services |
| S3 bucket exposed via ACL | Medium | 📦 Amazon Web Services |
| S3 bucket exposed via policy | Medium | 📦 Amazon Web Services |
| S3 bucket suspicious ransomware activity | High | 📦 Amazon Web Services |
| S3 Object Exfiltration from Anonymous User | Medium | 📦 Amazon Web Services |
| S3 object publicly exposed | Medium | 📦 Amazon Web Services |
| SailPointIdentityNowAlertForTriggers | Informational | 📦 SailPointIdentityNow |
| SailPointIdentityNowEventType | High | 📦 SailPointIdentityNow |
| SailPointIdentityNowEventTypeTechnicalName | High | 📦 SailPointIdentityNow |
| SailPointIdentityNowFailedEvents | High | 📦 SailPointIdentityNow |
| SailPointIdentityNowFailedEventsBasedOnTime | High | 📦 SailPointIdentityNow |
| SailPointIdentityNowUserWithFailedEvent | High | 📦 SailPointIdentityNow |
| SAML update identity provider | High | 📦 Amazon Web Services |
| Samsung Knox - Application Privilege Escalation or Change Events | High | 📦 Samsung Knox Asset Intelligence |
| Samsung Knox - Mobile Device Boot Compromise Events | High | 📦 Samsung Knox Asset Intelligence |
| Samsung Knox - Password Lockout Events | High | 📦 Samsung Knox Asset Intelligence |
| Samsung Knox - Peripheral Access Detection with Camera Events | High | 📦 Samsung Knox Asset Intelligence |
| Samsung Knox - Peripheral Access Detection with Mic Events | High | 📦 Samsung Knox Asset Intelligence |
| Samsung Knox - Security Log Full Events | High | 📦 Samsung Knox Asset Intelligence |
| Samsung Knox - Suspicious URL Accessed Events | High | 📦 Samsung Knox Asset Intelligence |
| SAP ETD - Execution of Sensitive Function Module | Medium | 📦 SAP ETD Cloud |
| SAP ETD - Login from unexpected network | Medium | 📦 SAP ETD Cloud |
| SAP ETD - Synch alerts | Medium | 📦 SAP ETD Cloud |
| SAP ETD - Synch investigations | High | 📦 SAP ETD Cloud |
| SAP LogServ - HANA DB - Assign Admin Authorizations | High | 📦 SAP LogServ |
| SAP LogServ - HANA DB - Audit Trail Policy Changes | High | 📦 SAP LogServ |
| SAP LogServ - HANA DB - Deactivation of Audit Trail | High | 📦 SAP LogServ |
| SAP LogServ - HANA DB - User Admin actions | High | 📦 SAP LogServ |
| Scale-Out Backup Repository Deleted | High | 📦 Veeam |
| Scale-Out Backup Repository Settings Updated | Low | 📦 Veeam |
| Scheduled Task Hide | High | 📦 Windows Security Events |
| Sdelete deployed via GPO and run recursively | Medium | 📦 Windows Security Events |
| Sdelete deployed via GPO and run recursively (ASIM Version) | Medium | 📄 Standalone Content |
| Security Event log cleared | Medium | 📦 Endpoint Threat Protection Essentials |
| Security Service Registry ACL Modification | High | 📄 Standalone Content |
| SecurityBridge: A critical event occured | Medium | 📦 SecurityBridge App |
| SecurityEvent - Multiple authentication failures followed by a success | Low | 📦 Windows Security Events |
| Semperis DSP Failed Logons | Medium | 📦 Semperis Directory Services Protector |
| Semperis DSP Kerberos krbtgt account with old password | Medium | 📦 Semperis Directory Services Protector |
| Semperis DSP Mimikatz's DCShadow Alert | High | 📦 Semperis Directory Services Protector |
| Semperis DSP Operations Critical Notifications | Medium | 📦 Semperis Directory Services Protector |
| Semperis DSP RBAC Changes | Medium | 📦 Semperis Directory Services Protector |
| Semperis DSP Recent sIDHistory changes on AD objects | High | 📦 Semperis Directory Services Protector |
| Semperis DSP Well-known privileged SIDs in sIDHistory | Medium | 📦 Semperis Directory Services Protector |
| Semperis DSP Zerologon vulnerability | Medium | 📦 Semperis Directory Services Protector |
| SenservaPro AD Applications Not Using Client Credentials | Medium | 📦 SenservaPro |
| Sensitive Azure Key Vault operations | Low | 📦 Azure Key Vault |
| Sensitive Data Discovered in the Last 24 Hours | Informational | 📦 Microsoft Purview |
| Sensitive Data Discovered in the Last 24 Hours - Customized | Informational | 📦 Microsoft Purview |
| Sentinel One - Admin login from new location | High | 📦 SentinelOne |
| Sentinel One - Agent uninstalled from multiple hosts | High | 📦 SentinelOne |
| Sentinel One - Alert from custom rule | High | 📦 SentinelOne |
| Sentinel One - Blacklist hash deleted | Medium | 📦 SentinelOne |
| Sentinel One - Exclusion added | Medium | 📦 SentinelOne |
| Sentinel One - Multiple alerts on host | High | 📦 SentinelOne |
| Sentinel One - New admin created | Medium | 📦 SentinelOne |
| Sentinel One - Rule deleted | Medium | 📦 SentinelOne |
| Sentinel One - Rule disabled | Medium | 📦 SentinelOne |
| Sentinel One - Same custom rule triggered on different hosts | High | 📦 SentinelOne |
| Sentinel One - User viewed agent's passphrase | Medium | 📦 SentinelOne |
| Server Oriented Cmdlet And User Oriented Cmdlet used | High | 📦 Microsoft Exchange Security - Exchange On-Premises |
| Service Accounts Performing Remote PS | High | 📦 Microsoft Defender XDR |
| Service Principal Assigned App Role With Sensitive Access | Medium | 📄 Standalone Content |
| Service Principal Assigned Privileged Role | Medium | 📄 Standalone Content |
| Service Principal Authentication Attempt from New Country | Medium | 📄 Standalone Content |
| Service Principal Name (SPN) Assigned to User Account | Medium | 📄 Standalone Content |
| Service principal not using client credentials | High | 📦 SenservaPro |
| Service Provider Deleted | Informational | 📦 Veeam |
| Service Provider Updated | Informational | 📦 Veeam |
| Several deny actions registered | Medium | 📦 Azure Firewall |
| SFTP File transfer above threshold | Medium | 📦 Syslog |
| SFTP File transfer folder count above threshold | Medium | 📦 Syslog |
| Shadow Copy Deletions | Medium | 📦 Microsoft Defender XDR |
| SharePointFileOperation via devices with previously unseen user agents | Medium | 📦 Microsoft 365 |
| SharePointFileOperation via previously unseen IPs | Medium | 📦 Microsoft 365 |
| Sign-ins from IPs that attempt sign-ins to disabled accounts | Medium | 📦 Microsoft Entra ID |
| Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) | Medium | 📄 Standalone Content |
| Silk Typhoon New UM Service Child Process | Medium | 📄 Standalone Content |
| Silk Typhoon Suspicious Exchange Request | Medium | 📄 Standalone Content |
| Silk Typhoon Suspicious File Downloads. | Medium | 📄 Standalone Content |
| Silk Typhoon Suspicious UM Service Error | Low | 📄 Standalone Content |
| Silverfort - Certifried Incident | High | 📦 Silverfort |
| Silverfort - Log4Shell Incident | High | 📦 Silverfort |
| Silverfort - NoPacBreach Incident | High | 📦 Silverfort |
| Silverfort - UserBruteForce Incident | High | 📦 Silverfort |
| Sites Alerts for Prancer ⚠️ | High | 📦 Prancer PenSuiteAI Integration |
| SlackAudit - Empty User Agent | Low | 📦 SlackAudit |
| SlackAudit - Multiple archived files uploaded in short period of time | Low | 📦 SlackAudit |
| SlackAudit - Multiple failed logins for user | Medium | 📦 SlackAudit |
| SlackAudit - Public link created for file which can contain sensitive information. | Medium | 📦 SlackAudit |
| SlackAudit - Suspicious file downloaded. | Medium | 📦 SlackAudit |
| SlackAudit - Unknown User Agent | Low | 📦 SlackAudit |
| SlackAudit - User email linked to account changed. | Medium | 📦 SlackAudit |
| SlackAudit - User login after deactivated. | Medium | 📦 SlackAudit |
| SlackAudit - User role changed to admin or owner | Low | 📦 SlackAudit |
| SMB/Windows Admin Shares | Medium | 📦 FalconFriday |
| Snowflake - Abnormal query process time | Medium | 📦 Snowflake |
| Snowflake - Multiple failed queries | High | 📦 Snowflake |
| Snowflake - Multiple login failures by user | High | 📦 Snowflake |
| Snowflake - Multiple login failures from single IP | High | 📦 Snowflake |
| Snowflake - Possible data destraction | Medium | 📦 Snowflake |
| Snowflake - Possible discovery activity | Medium | 📦 Snowflake |
| Snowflake - Possible privileges discovery activity | Medium | 📦 Snowflake |
| Snowflake - Query on sensitive or restricted table | Medium | 📦 Snowflake |
| Snowflake - Unusual query | Medium | 📦 Snowflake |
| Snowflake - User granted admin privileges | Medium | 📦 Snowflake |
| SOCRadar Alarm Volume Spike | Medium | 📦 SOCRadar |
| SOCRadar High or Critical Severity Alarm | High | 📦 SOCRadar |
| SOCRadar Unsynced Closed Incident | Low | 📦 SOCRadar |
| Solorigate Defender Detections | High | 📄 Standalone Content |
| Solorigate Named Pipe | High | 📄 Standalone Content |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | Medium | 📦 SonicWall Firewall |
| SonicWall - Capture ATP Malicious File Detection | Medium | 📦 SonicWall Firewall |
| Sonrai Ticket Assigned | Medium | 📦 SonraiSecurity |
| Sonrai Ticket Closed | Low | 📦 SonraiSecurity |
| Sonrai Ticket Escalation Executed | Medium | 📦 SonraiSecurity |
| Sonrai Ticket Reopened | Medium | 📦 SonraiSecurity |
| Sonrai Ticket Risk Accepted | Medium | 📦 SonraiSecurity |
| Sonrai Ticket Snoozed | Medium | 📦 SonraiSecurity |
| Sonrai Ticket Updated | Medium | 📦 SonraiSecurity |
| SpyCloud Enterprise Breach Detection | High | 📦 SpyCloud Enterprise Protection |
| SpyCloud Enterprise Malware Detection | High | 📦 SpyCloud Enterprise Protection |
| Squid proxy events for ToR proxies | Low | 📦 Syslog |
| Squid proxy events related to mining pools | Low | 📦 Syslog |
| SSG_Security_Incidents | HIGH | 📦 SINEC Security Guard |
| SSH - Potential Brute Force | Low | 📦 Syslog |
| SSH Credentials Changed | High | 📦 Veeam |
| SSM document is publicly exposed | Medium | 📦 Amazon Web Services |
| Stale AWS policy attachment to identity | Low | 📦 Authomize |
| Stale IAAS policy attachment to role | Informational | 📦 Authomize |
| Stale last password change | Low | 📦 SenservaPro |
| Star Blizzard C2 Domains August 2022 | High | 📄 Standalone Content |
| Starting or Stopping HealthService to Avoid Detection | Medium | 📦 Windows Security Events |
| Stopping multiple processes using taskkill | Medium | 📦 Microsoft Defender XDR |
| Storage Accounts Alerts From Prancer ⚠️ | High | 📦 Prancer PenSuiteAI Integration |
| Storage Deleted | High | 📦 Veeam |
| Storage Settings Updated | Informational | 📦 Veeam |
| Subnets Alerts for Prancer ⚠️ | High | 📦 Prancer PenSuiteAI Integration |
| Subscription moved to another tenant | Low | 📦 Azure Activity |
| Subtenant Deleted | High | 📦 Veeam |
| Subtenant Updated | Informational | 📦 Veeam |
| Successful API executed from a Tor exit node | High | 📦 Amazon Web Services |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | Medium | 📦 Multi Cloud Attack Coverage Essentials - Resource Abuse |
| Successful brute force attack on S3 Bucket. | High | 📦 Amazon Web Services |
| Successful logins to SOC Prime platform from bad IP addresses | Medium | 📦 SOC Prime CCF |
| Successful logon from IP and failure from a different IP | Medium | 📦 Microsoft Entra ID |
| SUNBURST and SUPERNOVA backdoor hashes | High | 📦 Microsoft Defender XDR |
| SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) | High | 📄 Standalone Content |
| SUNBURST network beacons | Medium | 📦 Microsoft Defender XDR |
| SUNBURST suspicious SolarWinds child processes | Medium | 📄 Standalone Content |
| SUNBURST suspicious SolarWinds child processes (Normalized Process Events) | Medium | 📄 Standalone Content |
| SUNSPOT malware hashes | Medium | 📦 Microsoft Defender XDR |
| SUPERNOVA webshell | High | 📦 Web Shells Threat Protection |
| SureBackup Job Failed | High | 📦 Veeam |
| Suspicious access of BEC related documents | Medium | 📦 Business Email Compromise - Financial Fraud |
| Suspicious access of BEC related documents in AWS S3 buckets | Medium | 📦 Business Email Compromise - Financial Fraud |
| Suspicious application consent for offline access | Low | 📦 Microsoft Entra ID |
| Suspicious application consent similar to O365 Attack Toolkit | High | 📦 Microsoft Entra ID |
| Suspicious application consent similar to PwnAuth | Medium | 📦 Microsoft Entra ID |
| Suspicious AWS CLI Command Execution | Medium | 📦 Amazon Web Services |
| Suspicious AWS console logins by credential access alerts | Medium | 📦 Multi Cloud Attack Coverage Essentials - Resource Abuse |
| Suspicious AWS EC2 Compute Resource Deployments | Medium | 📦 Amazon Web Services |
| Suspicious command sent to EC2 | High | 📦 Amazon Web Services |
| Suspicious Entra ID Joined Device Update | Medium | 📦 Microsoft Entra ID |
| Suspicious granting of permissions to an account | Medium | 📦 Azure Activity |
| Suspicious link sharing pattern | Low | 📄 Standalone Content |
| Suspicious linking of existing user to external User | Medium | 📄 Standalone Content |
| Suspicious Login from deleted guest account | Medium | 📄 Standalone Content |
| Suspicious malware found in the network (Microsoft Defender for IoT) | High | 📦 IoTOTThreatMonitoringwithDefenderforIoT |
| Suspicious modification of Global Administrator user properties | Medium | 📄 Standalone Content |
| Suspicious named pipes | Medium | 📦 FalconFriday |
| Suspicious number of resource creation or deployment activities | Medium | 📦 Azure Activity |
| Suspicious overly permissive KMS key policy created | High | 📦 Amazon Web Services |
| Suspicious parentprocess relationship - Office child processes. | Medium | 📦 FalconFriday |
| Suspicious Powershell Commandlet Executed | Medium | 📦 Endpoint Threat Protection Essentials |
| Suspicious Process Injection from Office application | Medium | 📦 FalconFriday |
| Suspicious Resource deployment | Low | 📦 Azure Activity |
| Suspicious Service Principal creation activity | Low | 📦 Microsoft Entra ID |
| Suspicious Sign In by Entra ID Connect Sync Account | Medium | 📄 Standalone Content |
| Suspicious Sign In Followed by MFA Modification | Medium | 📦 Microsoft Entra ID |
| Suspicious VM Instance Creation Activity Detected | Medium | 🔗 GitHub Only |
| Syntax errors stateful anomaly on database | Medium | 📦 Azure SQL Database solution for sentinel |