| Name | Data Source | Technique | Type | Analytic Story | Last Updated |
|---|---|---|---|---|---|
| Cisco AI Defense Security Alerts by Application Name | Cisco AI Defense Alerts | N/A | Anomaly | Critical Alerts | 2025-03-21 |
| Cisco Secure Application Alerts | Cisco Secure Application AppDynamics Alerts | N/A | Anomaly | Critical Alerts | 2025-02-04 |
| CrushFTP Server Side Template Injection | CrushFTP | Exploit Public-Facing Application | TTP | CrushFTP Vulnerabilities | 2025-01-21 |
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | Password Spraying | Hunting | Active Directory Password Spraying, Compromised User Account | 2025-02-10 |
| Detect HTML Help Spawn Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compiled HTML File | TTP | AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity | 2025-02-10 |
| Detect New Login Attempts to Routers | | N/A | TTP | Router and Infrastructure Security | 2025-01-21 |
| Detect Password Spray Attempts | Windows Event Log Security 4625 | Password Spraying | TTP | Active Directory Password Spraying, Compromised User Account | 2025-02-10 |
| Detect Risky SPL using Pretrained ML Model | | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-12-17 |
| Email Attachments With Lots Of Spaces | | N/A | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2025-01-21 |
| Email files written outside of the Outlook directory | Sysmon EventID 11 | Local Email Collection | TTP | Collection and Staging | 2025-02-10 |
| Email servers sending high volume traffic to hosts | | Remote Email Collection | Anomaly | Collection and Staging, HAFNIUM Group | 2025-02-10 |
| Ivanti VTM New Account Creation | Ivanti VTM Audit | Exploit Public-Facing Application | TTP | Ivanti Virtual Traffic Manager CVE-2024-7593 | 2025-01-21 |
| Monitor Email For Brand Abuse | | N/A | TTP | Brand Monitoring, Suspicious Emails | 2025-01-21 |
| No Windows Updates in a time frame | | N/A | Hunting | Monitor for Updates | 2025-01-21 |
| Okta Authentication Failed During MFA Challenge | Okta | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2025-02-10 |
| Okta IDP Lifecycle Modifications | Okta | Cloud Account | Anomaly | Suspicious Okta Activity | 2025-01-21 |
| Okta MFA Exhaustion Hunt | Okta | Brute Force | Hunting | Okta Account Takeover, Okta MFA Exhaustion | 2025-01-21 |
| Okta Mismatch Between Source and Response for Verify Push Request | Okta | Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover, Okta MFA Exhaustion | 2025-01-21 |
| Okta Multi-Factor Authentication Disabled | Okta | Multi-Factor Authentication | TTP | Okta Account Takeover | 2025-02-10 |
| Okta Multiple Accounts Locked Out | Okta | Brute Force | Anomaly | Okta Account Takeover | 2025-01-21 |
| Okta Multiple Failed MFA Requests For User | Okta | Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2025-01-21 |
| Okta Multiple Failed Requests to Access Applications | Okta | Web Session Cookie, Cloud Service Dashboard | Hunting | Okta Account Takeover | 2025-01-21 |
| Okta Multiple Users Failing To Authenticate From Ip | Okta | Password Spraying | Anomaly | Okta Account Takeover | 2025-01-21 |
| Okta New API Token Created | Okta | Default Accounts | TTP | Okta Account Takeover | 2025-02-10 |
| Okta New Device Enrolled on Account | Okta | Device Registration | TTP | Okta Account Takeover | 2025-02-10 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2025-02-10 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2025-04-16 |
| Okta Successful Single Factor Authentication | Okta | Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2025-02-10 |
| Okta Suspicious Activity Reported | Okta | Default Accounts | TTP | Okta Account Takeover | 2025-02-10 |
| Okta Suspicious Use of a Session Cookie | Okta | Steal Web Session Cookie | Anomaly | Okta Account Takeover, Suspicious Okta Activity | 2025-01-21 |
| Okta ThreatInsight Threat Detected | Okta | Cloud Accounts | Anomaly | Okta Account Takeover | 2025-02-10 |
| Okta Unauthorized Access to Application | Okta | Cloud Account | Anomaly | Okta Account Takeover | 2025-01-21 |
| Okta User Logins from Multiple Cities | Okta | Cloud Accounts | Anomaly | Okta Account Takeover | 2025-01-21 |
| PingID Mismatch Auth Source and Verification Response | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2025-01-21 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2025-01-21 |
| PingID New MFA Method After Credential Reset | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2025-01-21 |
| PingID New MFA Method Registered For User | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2025-01-21 |
| Splunk App for Lookup File Editing RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk Authentication Token Exposure in Debug Log | | Log Enumeration | TTP | Splunk Vulnerabilities | 2025-04-16 |
| Splunk Code Injection via custom dashboard leading to RCE | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk Command and Scripting Interpreter Delete Usage | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2025-01-21 |
| Splunk Command and Scripting Interpreter Risky Commands | Splunk | Command and Scripting Interpreter | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-12-16 |
| Splunk Enterprise KV Store Incorrect Authorization | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk Improperly Formatted Parameter Crashes splunkd | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2025-04-16 |
| Splunk Information Disclosure on Account Login | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk Path Traversal In Splunk App For Lookup File Edit | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk RCE PDFgen Render | Splunk | Exploitation of Remote Services | TTP | Splunk Vulnerabilities | 2025-04-16 |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk Sensitive Information Disclosure in DEBUG Logging Channels | Splunk | Unsecured Credentials | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2025-04-16 |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2025-04-16 |
| Suspicious Email Attachment Extensions | | Spearphishing Attachment | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2025-02-10 |
| Suspicious Java Classes | | N/A | Anomaly | Apache Struts Vulnerability | 2025-01-21 |