| Name | Data Source | MITRE ATT&CK | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk User Enumeration Attempt | Splunk | T1078 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Sensitive Information Disclosure in DEBUG Logging Channels | Splunk | T1552 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Information Disclosure on Account Login | Splunk | T1087 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Code Injection via custom dashboard leading to RCE | | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk RCE PDFgen Render | Splunk | T1210 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk App for Lookup File Editing RCE via User XSLT | | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Splunk | T1189 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Authentication Token Exposure in Debug Log | | T1654 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Path Traversal In Splunk App For Lookup File Edit | Splunk | T1083 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Enterprise KV Store Incorrect Authorization | Splunk | T1548 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk RCE via User XSLT | | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| M365 Copilot Impersonation Jailbreak Attack | M365 Exported eDiscovery Prompts | T1685 | TTP | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| ESXi Syslog Config Change | VMWare ESXi Syslog | T1690 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - Device File Copy to Remote Location | Cisco ASA Logs | T1005, T1041, T1048.003 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| ESXi Shared or Stolen Root Account | VMWare ESXi Syslog | T1078 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| ESXi Bulk VM Termination | VMWare ESXi Syslog | T1499, T1529, T1673 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| ESXi Lockdown Mode Disabled | VMWare ESXi Syslog | T1685 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| ESXi Loghost Config Tampering | VMWare ESXi Syslog | T1685 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Okta Multiple Accounts Locked Out | Okta | T1110 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Cisco ASA - Logging Disabled via CLI | Cisco ASA Logs | T1685 | TTP | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| ESXi Encryption Settings Modified | VMWare ESXi Syslog | T1685 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| ESXi Firewall Disabled | VMWare ESXi Syslog | T1686 | TTP | ESXi Post Compromise, Black Basta Ransomware, China-Nexus Threat Activity | 2026-05-13 |
| Cisco ASA - New Local User Account Created | Cisco ASA Logs | T1078.003, T1136.001 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| PingID New MFA Method Registered For User | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Okta Multi-Factor Authentication Disabled | Okta | T1556.006 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta Multiple Users Failing To Authenticate From Ip | Okta | T1110.003 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Cisco Duo Policy Allow Old Java | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Admin Login Unusual Os | Cisco Duo Activity | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco ASA - User Privilege Level Change | Cisco ASA Logs | T1078.003, T1098 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| ESXi SSH Brute Force | VMWare ESXi Syslog | T1110 | Anomaly | ESXi Post Compromise, Black Basta Ransomware, Hellcat Ransomware | 2026-05-13 |
| ESXi Sensitive Files Accessed | VMWare ESXi Syslog | T1003.008, T1005 | TTP | ESXi Post Compromise, Black Basta Ransomware, China-Nexus Threat Activity | 2026-05-13 |
| Okta Suspicious Use of a Session Cookie | Okta | T1539 | Anomaly | Scattered Lapsus$ Hunters, Okta Account Takeover, Suspicious Okta Activity | 2026-05-13 |
| M365 Copilot Application Usage Pattern Anomalies | M365 Copilot Graph API | T1078 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Zoom Rare Input Devices | | T1123 | Hunting | Remote Employment Fraud | 2026-05-13 |
| ESXi Shell Access Enabled | VMWare ESXi Syslog | T1021 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Detect Password Spray Attempts | Windows Event Log Security 4625 | T1110.003 | TTP | Compromised User Account, Active Directory Password Spraying | 2026-05-13 |
| Splunk AppDynamics Secure Application Alerts | Splunk AppDynamics Secure Application Alert | N/A | Anomaly | Critical Alerts | 2026-05-13 |
| Cisco Duo Policy Allow Devices Without Screen Lock | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| ESXi SSH Enabled | VMWare ESXi Syslog | T1021.004 | TTP | ESXi Post Compromise, Hellcat Ransomware, Black Basta Ransomware | 2026-05-13 |
| M365 Copilot Failed Authentication Patterns | M365 Copilot Graph API | T1110 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Okta New API Token Created | Okta | T1078.001 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| M365 Copilot Non Compliant Devices Accessing M365 Copilot | M365 Copilot Graph API | T1685 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Cisco Duo Policy Allow Old Flash | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Admin Login Unusual Country | Cisco Duo Activity | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco AI Defense Security Alerts by Application Name | Cisco AI Defense Alerts | N/A | Anomaly | Critical Alerts | 2026-05-13 |
| MCP Sensitive System File Search | MCP Server | T1552.001 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| M365 Copilot Jailbreak Attempts | M365 Exported eDiscovery Prompts | T1685 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Ivanti VTM New Account Creation | Ivanti VTM Audit | T1190 | TTP | Scattered Lapsus$ Hunters, Hellcat Ransomware, Ivanti Virtual Traffic Manager CVE-2024-7593 | 2026-05-13 |
| Zoom High Video Latency | | T1078 | Anomaly | Remote Employment Fraud | 2026-05-13 |
| Okta Phishing Detection with FastPass Origin Check | Okta | T1078.001, T1556 | TTP | Okta Account Takeover | 2026-05-13 |
| ESXi External Root Login Activity | VMWare ESXi Syslog | T1078 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - User Account Deleted From Local Database | Cisco ASA Logs | T1070.008, T1531 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco ASA - AAA Policy Tampering | Cisco ASA Logs | T1556.004 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Okta New Device Enrolled on Account | Okta | T1098.005 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| PingID Multiple Failed MFA Requests For User | PingID | T1078, T1110, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Email servers sending high volume traffic to hosts | | T1114.002 | Anomaly | HAFNIUM Group, Collection and Staging | 2026-05-13 |
| No Windows Updates in a time frame | | N/A | Hunting | Monitor for Updates | 2026-05-13 |
| Cisco Duo Bypass Code Generation | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| MCP Github Suspicious Operation | MCP Server | T1552.001 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Cisco ASA - Logging Message Suppression | Cisco ASA Logs | T1070, T1685.001 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco ASA - Reconnaissance Command Activity | Cisco ASA Logs | T1082, T1590.001, T1590.005 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco Duo Policy Skip 2FA for Other Countries | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| ESXi Account Modified | VMWare ESXi Syslog | T1078, T1098, T1136.001 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Okta IDP Lifecycle Modifications | Okta | T1087.004 | Anomaly | Suspicious Okta Activity | 2026-05-13 |
| ESXi User Granted Admin Role | VMWare ESXi Syslog | T1078, T1098 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Ollama Abnormal Service Crash Availability Attack | Ollama Server | T1489 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| ESXi Reverse Shell Patterns | VMWare ESXi Syslog | T1059 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Email Attachments With Lots Of Spaces | | T1036.008, T1566.001 | Anomaly | Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A, Hermetic Wiper | 2026-05-13 |
| Ollama Possible Memory Exhaustion Resource Abuse | Ollama Server | T1499 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Possible RCE via Model Loading | Ollama Server | T1190 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Detect HTML Help Spawn Child Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.001 | TTP | Compromised Windows Host, APT37 Rustonotto and FadeStealer, AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity | 2026-05-13 |
| Okta Suspicious Activity Reported | Okta | T1078.001 | TTP | Okta Account Takeover | 2026-05-13 |
| ESXi System Clock Manipulation | VMWare ESXi Syslog | T1070.006 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - Core Syslog Message Volume Drop | Cisco ASA Logs | T1685 | Hunting | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Zoom Rare Audio Devices | | T1123 | Hunting | Remote Employment Fraud | 2026-05-13 |
| Cisco ASA - Packet Capture Activity | Cisco ASA Logs | T1040, T1557 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| PingID New MFA Method After Credential Reset | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account, Scattered Lapsus$ Hunters | 2026-05-13 |
| ESXi VM Discovery | VMWare ESXi Syslog | T1673 | TTP | ESXi Post Compromise, Black Basta Ransomware, China-Nexus Threat Activity | 2026-05-13 |
| Okta Multiple Failed MFA Requests For User | Okta | T1621 | Anomaly | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta Risk Threshold Exceeded | Okta | T1078, T1110 | Correlation | Okta MFA Exhaustion, Okta Account Takeover, Suspicious Okta Activity | 2026-05-13 |
| Okta Unauthorized Access to Application | Okta | T1087.004 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Suspicious Java Classes | | T1190 | Anomaly | Apache Struts Vulnerability | 2026-05-13 |
| MCP Prompt Injection | MCP Server | T1059 | TTP | Suspicious MCP Activities | 2026-05-13 |
| Ollama Abnormal Network Connectivity | Ollama Server | T1571 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Monitor Email For Brand Abuse | | N/A | TTP | Scattered Lapsus$ Hunters, Brand Monitoring, Suspicious Emails | 2026-05-13 |
| Okta User Logins from Multiple Cities | Okta | T1586.003 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Cisco Duo Bulk Policy Deletion | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | T1110.003 | Hunting | Compromised User Account, Active Directory Password Spraying | 2026-05-13 |
| Ollama Suspicious Prompt Injection Jailbreak | Ollama Server | T1059, T1190 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| ESXi VIB Acceptance Level Tampering | VMWare ESXi Syslog | T1685 | TTP | ESXi Post Compromise, Black Basta Ransomware, China-Nexus Threat Activity | 2026-05-13 |
| Suspicious Email Attachment Extensions | | T1566.001 | Anomaly | Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A, Hermetic Wiper | 2026-05-13 |
| Cisco Duo Policy Allow Tampered Devices | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Set User Status to Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Okta Multiple Failed Requests to Access Applications | Okta | T1538, T1550.004 | Hunting | Okta Account Takeover | 2026-05-13 |
| Email files written outside of the Outlook directory | Sysmon EventID 11 | T1114.001 | TTP | Collection and Staging | 2026-05-13 |
| M365 Copilot Information Extraction Jailbreak Attack | M365 Exported eDiscovery Prompts | T1685 | TTP | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| CrushFTP Server Side Template Injection | CrushFTP | T1190 | TTP | CrushFTP Vulnerabilities, Hellcat Ransomware | 2026-05-13 |
| MCP Postgres Suspicious Query | MCP Server | T1555 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Cisco Duo Policy Deny Access | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Policy Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| ESXi Malicious VIB Forced Install | VMWare ESXi Syslog | T1505.006 | TTP | ESXi Post Compromise, Black Basta Ransomware, China-Nexus Threat Activity | 2026-05-13 |
| Okta Mismatch Between Source and Response for Verify Push Request | Okta | T1621 | TTP | Scattered Lapsus$ Hunters, Okta MFA Exhaustion, Okta Account Takeover | 2026-05-13 |
| Cisco ASA - Logging Filters Configuration Tampering | Cisco ASA Logs | T1685 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| MCP Filesystem Server Suspicious Extension Write | MCP Server | T1059 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Okta MFA Exhaustion Hunt | Okta | T1110 | Hunting | Scattered Lapsus$ Hunters, Okta MFA Exhaustion, Okta Account Takeover | 2026-05-13 |
| ESXi System Information Discovery | VMWare ESXi Syslog | T1082 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Okta Successful Single Factor Authentication | Okta | T1078.004, T1586.003, T1621 | Anomaly | Okta Account Takeover | 2026-05-13 |
| ESXi Audit Tampering | VMWare ESXi Syslog | T1070, T1690 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Ollama Excessive API Requests | Ollama Server | T1498 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| M365 Copilot Session Origin Anomalies | M365 Copilot Graph API | T1078 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| M365 Copilot Agentic Jailbreak Attack | M365 Exported eDiscovery Prompts | T1685 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| ESXi VM Exported via Remote Tool | VMWare ESXi Syslog | T1005 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - Device File Copy Activity | Cisco ASA Logs | T1005, T1530 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco ASA - User Account Lockout Threshold Exceeded | Cisco ASA Logs | T1110.001, T1110.003 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco Duo Policy Allow Network Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Zoom Rare Video Devices | | T1123 | Hunting | Remote Employment Fraud | 2026-05-13 |
| Detect New Login Attempts to Routers | | N/A | TTP | Scattered Lapsus$ Hunters, Router and Infrastructure Security | 2026-05-13 |
| Ollama Possible API Endpoint Scan Reconnaissance | Ollama Server | T1595 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Possible Model Exfiltration Data Leakage | Ollama Server | T1048 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Okta Authentication Failed During MFA Challenge | Okta | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta ThreatInsight Threat Detected | Okta | T1078.004 | Anomaly | Okta Account Takeover | 2026-05-13 |
| PingID Mismatch Auth Source and Verification Response | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Cisco Duo Admin Login Unusual Browser | Cisco Duo Activity | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| ESXi Download Errors | VMWare ESXi Syslog | T1601.001, T1685 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |