|
Cisco AI Defense Security Alerts by Application Name
|
Cisco AI Defense Alerts
|
N/A
|
Anomaly
|
Critical Alerts
|
2025-05-02
|
|
Cisco Duo Admin Login Unusual Browser
|
Cisco Duo Activity
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-10
|
|
Cisco Duo Admin Login Unusual Country
|
Cisco Duo Activity
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-10
|
|
Cisco Duo Admin Login Unusual Os
|
Cisco Duo Activity
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-10
|
|
Cisco Duo Bulk Policy Deletion
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-10
|
|
Cisco Duo Bypass Code Generation
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-08
|
|
Cisco Duo Policy Allow Devices Without Screen Lock
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-10
|
|
Cisco Duo Policy Allow Network Bypass 2FA
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-09
|
|
Cisco Duo Policy Allow Old Flash
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-09
|
|
Cisco Duo Policy Allow Old Java
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-09
|
|
Cisco Duo Policy Allow Tampered Devices
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-10
|
|
Cisco Duo Policy Bypass 2FA
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-08
|
|
Cisco Duo Policy Deny Access
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-08
|
|
Cisco Duo Policy Skip 2FA for Other Countries
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-08
|
|
Cisco Duo Set User Status to Bypass 2FA
|
Cisco Duo Administrator
|
Modify Authentication Process
|
TTP
|
Cisco Duo Suspicious Activity
|
2025-07-08
|
|
Cisco Secure Application Alerts
|
Cisco Secure Application AppDynamics Alerts
|
N/A
|
Anomaly
|
Critical Alerts
|
2025-05-02
|
|
CrushFTP Server Side Template Injection
|
CrushFTP
|
Exploit Public-Facing Application
|
TTP
|
CrushFTP Vulnerabilities
|
2025-05-02
|
|
Detect Distributed Password Spray Attempts
|
Azure Active Directory Sign-in activity
|
Password Spraying
|
Hunting
|
Active Directory Password Spraying, Compromised User Account
|
2025-05-02
|
|
Detect HTML Help Spawn Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-05-02
|
|
Detect New Login Attempts to Routers
|
|
N/A
|
TTP
|
Router and Infrastructure Security
|
2025-05-02
|
|
Detect Password Spray Attempts
|
Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Compromised User Account
|
2025-05-02
|
|
Detect Risky SPL using Pretrained ML Model
|
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Email Attachments With Lots Of Spaces
|
|
N/A
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2025-05-02
|
|
Email files written outside of the Outlook directory
|
Sysmon EventID 11
|
Local Email Collection
|
TTP
|
Collection and Staging
|
2025-05-02
|
|
Email servers sending high volume traffic to hosts
|
|
Remote Email Collection
|
Anomaly
|
Collection and Staging, HAFNIUM Group
|
2025-05-02
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
Local Account
Valid Accounts
Account Manipulation
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-07-01
|
|
ESXi Audit Tampering
|
VMWare ESXi Syslog
|
Impair Command History Logging
Indicator Removal
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-07-01
|
|
ESXi Bulk VM Termination
|
VMWare ESXi Syslog
|
Virtual Machine Discovery
System Shutdown/Reboot
Endpoint Denial of Service
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Download Errors
|
VMWare ESXi Syslog
|
Patch System Image
Disable or Modify Tools
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Encryption Settings Modified
|
VMWare ESXi Syslog
|
Impair Defenses
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-07-07
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
Valid Accounts
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-13
|
|
ESXi Firewall Disabled
|
VMWare ESXi Syslog
|
Disable or Modify System Firewall
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Lockdown Mode Disabled
|
VMWare ESXi Syslog
|
Impair Defenses
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Loghost Config Tampering
|
VMWare ESXi Syslog
|
Impair Defenses
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-13
|
|
ESXi Malicious VIB Forced Install
|
VMWare ESXi Syslog
|
vSphere Installation Bundles
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-09
|
|
ESXi Reverse Shell Patterns
|
VMWare ESXi Syslog
|
Command and Scripting Interpreter
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Sensitive Files Accessed
|
VMWare ESXi Syslog
|
/etc/passwd and /etc/shadow
Data from Local System
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-19
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
Valid Accounts
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-09
|
|
ESXi Shell Access Enabled
|
VMWare ESXi Syslog
|
Remote Services
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi SSH Brute Force
|
VMWare ESXi Syslog
|
Brute Force
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi SSH Enabled
|
VMWare ESXi Syslog
|
SSH
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Syslog Config Change
|
VMWare ESXi Syslog
|
Impair Command History Logging
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-13
|
|
ESXi System Clock Manipulation
|
VMWare ESXi Syslog
|
Timestomp
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-19
|
|
ESXi System Information Discovery
|
VMWare ESXi Syslog
|
System Information Discovery
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-14
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
Account Manipulation
Valid Accounts
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-15
|
|
ESXi VIB Acceptance Level Tampering
|
VMWare ESXi Syslog
|
Impair Defenses
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-15
|
|
ESXi VM Discovery
|
VMWare ESXi Syslog
|
Virtual Machine Discovery
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-15
|
|
ESXi VM Exported via Remote Tool
|
VMWare ESXi Syslog
|
Data from Local System
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-15
|
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Virtual Traffic Manager CVE-2024-7593
|
2025-05-02
|
|
Monitor Email For Brand Abuse
|
|
N/A
|
TTP
|
Brand Monitoring, Suspicious Emails
|
2025-05-02
|
|
No Windows Updates in a time frame
|
|
N/A
|
Hunting
|
Monitor for Updates
|
2025-05-02
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2025-05-02
|
|
Okta IDP Lifecycle Modifications
|
Okta
|
Cloud Account
|
Anomaly
|
Suspicious Okta Activity
|
2025-05-02
|
|
Okta MFA Exhaustion Hunt
|
Okta
|
Brute Force
|
Hunting
|
Okta Account Takeover, Okta MFA Exhaustion
|
2025-05-02
|
|
Okta Mismatch Between Source and Response for Verify Push Request
|
Okta
|
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover, Okta MFA Exhaustion
|
2025-05-02
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Multiple Accounts Locked Out
|
Okta
|
Brute Force
|
Anomaly
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Multiple Failed MFA Requests For User
|
Okta
|
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
Web Session Cookie
Cloud Service Dashboard
|
Hunting
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Multiple Users Failing To Authenticate From Ip
|
Okta
|
Password Spraying
|
Anomaly
|
Okta Account Takeover
|
2025-05-02
|
|
Okta New API Token Created
|
Okta
|
Default Accounts
|
TTP
|
Okta Account Takeover
|
2025-05-02
|
|
Okta New Device Enrolled on Account
|
Okta
|
Device Registration
|
TTP
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2025-05-02
|
|
Okta Successful Single Factor Authentication
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Suspicious Activity Reported
|
Okta
|
Default Accounts
|
TTP
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Suspicious Use of a Session Cookie
|
Okta
|
Steal Web Session Cookie
|
Anomaly
|
Okta Account Takeover, Suspicious Okta Activity
|
2025-05-02
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2025-05-02
|
|
Okta Unauthorized Access to Application
|
Okta
|
Cloud Account
|
Anomaly
|
Okta Account Takeover
|
2025-05-02
|
|
Okta User Logins from Multiple Cities
|
Okta
|
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2025-05-02
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-05-02
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2025-05-02
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-05-02
|
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-05-02
|
|
Splunk App for Lookup File Editing RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Authentication Token Exposure in Debug Log
|
|
Log Enumeration
|
TTP
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Command and Scripting Interpreter Delete Usage
|
Splunk
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Enterprise KV Store Incorrect Authorization
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Improperly Formatted Parameter Crashes splunkd
|
Splunk
|
Endpoint Denial of Service
|
TTP
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Information Disclosure on Account Login
|
Splunk
|
Account Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Path Traversal In Splunk App For Lookup File Edit
|
Splunk
|
File and Directory Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk RCE PDFgen Render
|
Splunk
|
Exploitation of Remote Services
|
TTP
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
|
Splunk
|
Unsecured Credentials
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk User Enumeration Attempt
|
Splunk
|
Valid Accounts
|
TTP
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Suspicious Email Attachment Extensions
|
|
Spearphishing Attachment
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2025-05-02
|
|
Suspicious Java Classes
|
|
N/A
|
Anomaly
|
Apache Struts Vulnerability
|
2025-05-02
|
|
Zoom High Video Latency
|
|
Valid Accounts
|
Anomaly
|
Remote Employment Fraud
|
2025-06-02
|
|
Zoom Rare Audio Devices
|
|
Audio Capture
|
Hunting
|
Remote Employment Fraud
|
2025-06-02
|
|
Zoom Rare Input Devices
|
|
Audio Capture
|
Hunting
|
Remote Employment Fraud
|
2025-06-02
|
|
Zoom Rare Video Devices
|
|
Audio Capture
|
Hunting
|
Remote Employment Fraud
|
2025-06-02
|
