N/A Detections

Name Data Source Technique Type Analytic Story Date
Cisco AI Defense Security Alerts by Application Name Cisco AI Defense Alerts N/A Anomaly Critical Alerts 2025-02-14
Cisco Secure Application Alerts Cisco Secure Application AppDynamics Alerts N/A Anomaly Critical Alerts 2025-02-04
CrushFTP Server Side Template Injection CrushFTP Exploit Public-Facing Application TTP CrushFTP Vulnerabilities 2025-01-21
Detect New Login Attempts to Routers N/A TTP Router and Infrastructure Security 2025-01-21
Detect Risky SPL using Pretrained ML Model Command and Scripting Interpreter Anomaly Splunk Vulnerabilities 2024-12-17
Email Attachments With Lots Of Spaces N/A Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2025-01-21
Email servers sending high volume traffic to hosts Remote Email Collection Anomaly Collection and Staging, HAFNIUM Group 2025-02-10
Ivanti VTM New Account Creation Ivanti VTM Audit Exploit Public-Facing Application TTP Ivanti Virtual Traffic Manager CVE-2024-7593 2025-01-21
Monitor Email For Brand Abuse N/A TTP Brand Monitoring, Suspicious Emails 2025-01-21
Okta Authentication Failed During MFA Challenge Okta Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Okta Account Takeover 2025-02-10
Okta IDP Lifecycle Modifications Okta Cloud Account Anomaly Suspicious Okta Activity 2025-01-21
Okta MFA Exhaustion Hunt Okta Brute Force Hunting Okta Account Takeover, Okta MFA Exhaustion 2025-01-21
Okta Mismatch Between Source and Response for Verify Push Request Okta Multi-Factor Authentication Request Generation TTP Okta Account Takeover, Okta MFA Exhaustion 2025-01-21
Okta Multi-Factor Authentication Disabled Okta Multi-Factor Authentication TTP Okta Account Takeover 2025-02-10
Okta Multiple Accounts Locked Out Okta Brute Force Anomaly Okta Account Takeover 2025-01-21
Okta Multiple Failed MFA Requests For User Okta Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2025-01-21
Okta Multiple Failed Requests to Access Applications Okta Web Session Cookie Cloud Service Dashboard Hunting Okta Account Takeover 2025-01-21
Okta Multiple Users Failing To Authenticate From Ip Okta Password Spraying Anomaly Okta Account Takeover 2025-01-21
Okta New API Token Created Okta Default Accounts TTP Okta Account Takeover 2025-02-10
Okta New Device Enrolled on Account Okta Device Registration TTP Okta Account Takeover 2025-02-10
Okta Phishing Detection with FastPass Origin Check Okta Default Accounts Modify Authentication Process TTP Okta Account Takeover 2025-02-10
Okta Risk Threshold Exceeded Okta Valid Accounts Brute Force Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2025-01-21
Okta Successful Single Factor Authentication Okta Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2025-02-10
Okta Suspicious Activity Reported Okta Default Accounts TTP Okta Account Takeover 2025-02-10
Okta Suspicious Use of a Session Cookie Okta Steal Web Session Cookie Anomaly Okta Account Takeover, Suspicious Okta Activity 2025-01-21
Okta ThreatInsight Threat Detected Okta Cloud Accounts Anomaly Okta Account Takeover 2025-02-10
Okta Unauthorized Access to Application Okta Cloud Account Anomaly Okta Account Takeover 2025-01-21
Okta User Logins from Multiple Cities Okta Cloud Accounts Anomaly Okta Account Takeover 2025-01-21
PingID Mismatch Auth Source and Verification Response PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2025-01-21
PingID Multiple Failed MFA Requests For User PingID Multi-Factor Authentication Request Generation Valid Accounts Brute Force TTP Compromised User Account 2025-01-21
PingID New MFA Method After Credential Reset PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2025-01-21
PingID New MFA Method Registered For User PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2025-01-21
Suspicious Email Attachment Extensions Spearphishing Attachment Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2025-02-10
Suspicious Java Classes N/A Anomaly Apache Struts Vulnerability 2025-01-21
Circle CI Disable Security Job CircleCI Compromise Host Software Binary Anomaly Dev Sec Ops 2024-11-14
Circle CI Disable Security Step CircleCI Compromise Host Software Binary Anomaly Dev Sec Ops 2024-11-14
Detect S3 access from a new IP Data from Cloud Storage Anomaly Suspicious AWS S3 Activities 2024-11-14
Gdrive suspicious file sharing Phishing Hunting Data Exfiltration, Spearphishing Attachments 2024-11-14
GitHub Enterprise Delete Branch Ruleset GitHub Enterprise Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Enterprise Disable 2FA Requirement GitHub Enterprise Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Enterprise Disable Audit Log Event Stream GitHub Enterprise Audit Logs Disable or Modify Cloud Logs Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-16
GitHub Enterprise Disable Classic Branch Protection Rule GitHub Enterprise Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Enterprise Disable Dependabot GitHub Enterprise Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-14
GitHub Enterprise Disable IP Allow List GitHub Enterprise Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-20
GitHub Enterprise Modify Audit Log Event Stream GitHub Enterprise Audit Logs Disable or Modify Cloud Logs Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-16
GitHub Enterprise Pause Audit Log Event Stream GitHub Enterprise Audit Logs Disable or Modify Cloud Logs Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-16
GitHub Enterprise Register Self Hosted Runner GitHub Enterprise Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-20
GitHub Enterprise Remove Organization GitHub Enterprise Audit Logs Data Destruction Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-16
GitHub Enterprise Repository Archived GitHub Enterprise Audit Logs Data Destruction Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Enterprise Repository Deleted GitHub Enterprise Audit Logs Data Destruction Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-16
GitHub Organizations Delete Branch Ruleset GitHub Organizations Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Organizations Disable 2FA Requirement GitHub Organizations Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Organizations Disable Classic Branch Protection Rule GitHub Organizations Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Organizations Disable Dependabot GitHub Organizations Audit Logs Disable or Modify Tools Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-14
GitHub Organizations Repository Archived GitHub Organizations Audit Logs Data Destruction Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
GitHub Organizations Repository Deleted GitHub Organizations Audit Logs Data Destruction Supply Chain Compromise Anomaly GitHub Malicious Activity 2025-01-17
Gsuite Drive Share In External Email G Suite Drive Exfiltration to Cloud Storage Anomaly Dev Sec Ops, Insider Threat 2025-02-10
GSuite Email Suspicious Attachment G Suite Gmail Spearphishing Attachment Anomaly Dev Sec Ops 2025-02-10
Gsuite Email Suspicious Subject With Attachment G Suite Gmail Spearphishing Attachment Anomaly Dev Sec Ops 2025-02-10
Gsuite Email With Known Abuse Web Service Link G Suite Gmail Spearphishing Attachment Anomaly Dev Sec Ops 2025-02-10
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail Exfiltration Over Unencrypted Non-C2 Protocol Hunting Dev Sec Ops, Insider Threat 2025-02-10
Gsuite suspicious calendar invite Phishing Hunting Spearphishing Attachments 2024-11-14
Gsuite Suspicious Shared File Name G Suite Drive Spearphishing Attachment Anomaly Dev Sec Ops 2025-02-10
High Number of Login Failures from a single source O365 UserLoginFailed Password Guessing Anomaly Office 365 Account Takeover 2025-02-10
O365 Add App Role Assignment Grant User O365 Add app role assignment grant to user. Cloud Account TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2025-02-10
O365 Added Service Principal O365 Cloud Account TTP Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms 2025-02-10
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-11-14
O365 Advanced Audit Disabled O365 Change user license. Disable or Modify Cloud Logs TTP Office 365 Persistence Mechanisms 2025-02-10
O365 Application Available To Other Tenants Office 365 Universal Audit Log Additional Cloud Roles TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2025-02-10
O365 Application Registration Owner Added O365 Add owner to application. Account Manipulation TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-11-14
O365 ApplicationImpersonation Role Assigned O365 Additional Email Delegate Permissions TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2025-02-10
O365 BEC Email Hiding Rule Created Email Hiding Rules TTP Office 365 Account Takeover 2025-02-14
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. Impair Defenses TTP Office 365 Account Takeover 2024-11-14
O365 Bypass MFA via Trusted IP O365 Set Company Information. Disable or Modify Cloud Firewall TTP Office 365 Persistence Mechanisms 2025-02-10
O365 Compliance Content Search Exported Remote Email Collection TTP Office 365 Collection Techniques 2025-02-10
O365 Compliance Content Search Started Remote Email Collection TTP Office 365 Collection Techniques 2025-02-10
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn Browser Session Hijacking TTP Office 365 Account Takeover 2024-11-14
O365 Cross-Tenant Access Change Office 365 Universal Audit Log Trust Modification TTP Azure Active Directory Persistence 2024-11-14
O365 Disable MFA O365 Disable Strong Authentication. Modify Authentication Process TTP Office 365 Persistence Mechanisms 2024-11-14
O365 DLP Rule Triggered Office 365 Universal Audit Log Exfiltration Over Alternative Protocol Exfiltration Over Web Service Anomaly Data Exfiltration 2024-11-14
O365 Elevated Mailbox Permission Assigned Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2025-02-10
O365 Email Access By Security Administrator Office 365 Universal Audit Log Remote Email Collection Exfiltration Over Web Service TTP Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover 2025-02-10
O365 Email Hard Delete Excessive Volume Office 365 Universal Audit Log Clear Mailbox Data Data Destruction Anomaly Data Destruction, Office 365 Account Takeover, Suspicious Emails 2025-01-20
O365 Email New Inbox Rule Created Office 365 Universal Audit Log Email Forwarding Rule Email Hiding Rules Anomaly Office 365 Collection Techniques 2025-01-20
O365 Email Password and Payroll Compromise Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log Clear Mailbox Data Data Destruction Local Email Collection TTP Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2025-01-20
O365 Email Receive and Hard Delete Takeover Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log Clear Mailbox Data Data Destruction Local Email Collection Anomaly Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2025-01-20
O365 Email Reported By Admin Found Malicious Office 365 Universal Audit Log Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2025-02-10
O365 Email Reported By User Found Malicious Office 365 Universal Audit Log Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2025-02-10
O365 Email Security Feature Changed Office 365 Universal Audit Log Disable or Modify Tools Disable or Modify Cloud Logs TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2025-02-10
O365 Email Send and Hard Delete Exfiltration Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log Local Email Collection Clear Mailbox Data Data Destruction Anomaly Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2025-01-20
O365 Email Send and Hard Delete Suspicious Behavior Office 365 Universal Audit Log Local Email Collection Clear Mailbox Data Data Destruction Anomaly Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2025-01-20
O365 Email Send Attachments Excessive Volume Office 365 Universal Audit Log Clear Mailbox Data Data Destruction Anomaly Office 365 Account Takeover, Suspicious Emails 2025-01-20
O365 Email Suspicious Behavior Alert Office 365 Universal Audit Log Email Forwarding Rule TTP Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2025-02-10
O365 Email Suspicious Search Behavior Office 365 Universal Audit Log Remote Email Collection Unsecured Credentials Anomaly CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques 2025-02-27
O365 Email Transport Rule Changed Office 365 Universal Audit Log Email Forwarding Rule Email Hiding Rules Anomaly Data Exfiltration, Office 365 Account Takeover 2025-01-15
O365 Excessive Authentication Failures Alert Brute Force Anomaly Office 365 Account Takeover 2024-11-14
O365 Excessive SSO logon errors O365 UserLoginFailed Modify Authentication Process Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2024-11-14
O365 Exfiltration via File Access Office 365 Universal Audit Log Exfiltration Over Web Service Data from Cloud Storage Anomaly Data Exfiltration, Office 365 Account Takeover 2024-10-14
O365 Exfiltration via File Download Office 365 Universal Audit Log Exfiltration Over Web Service Data from Cloud Storage Anomaly Data Exfiltration, Office 365 Account Takeover 2024-10-14
O365 Exfiltration via File Sync Download Office 365 Universal Audit Log Exfiltration Over Web Service Data from Cloud Storage Anomaly Data Exfiltration, Office 365 Account Takeover 2024-10-14
O365 External Guest User Invited Office 365 Universal Audit Log Cloud Account TTP Azure Active Directory Persistence 2024-11-14
O365 External Identity Policy Changed Office 365 Universal Audit Log Cloud Account TTP Azure Active Directory Persistence 2024-11-14
O365 File Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-11-14
O365 FullAccessAsApp Permission Assigned O365 Update application. Additional Email Delegate Permissions Additional Cloud Roles TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-11-14
O365 High Number Of Failed Authentications for User O365 UserLoginFailed Password Guessing TTP Office 365 Account Takeover 2025-02-10
O365 High Privilege Role Granted O365 Add member to role. Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2025-02-10
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-11-14
O365 Mailbox Email Forwarding Enabled Email Forwarding Rule TTP Office 365 Collection Techniques 2025-02-10
O365 Mailbox Folder Read Permission Assigned Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2025-02-10
O365 Mailbox Folder Read Permission Granted Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2025-02-10
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions Remote Email Collection TTP Office 365 Persistence Mechanisms 2025-02-10
O365 Mailbox Read Access Granted to Application O365 Update application. Additional Cloud Roles Remote Email Collection TTP Office 365 Persistence Mechanisms 2025-02-10
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed Password Spraying Credential Stuffing Cloud Accounts Hunting NOBELIUM Group, Office 365 Account Takeover 2025-02-10
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed Valid Accounts Anomaly Office 365 Account Takeover 2024-11-14
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed Multi-Factor Authentication Request Generation TTP Office 365 Account Takeover 2024-11-14
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-11-14
O365 Multiple OS Vendors Authenticating From User Office 365 Universal Audit Log Brute Force TTP Office 365 Account Takeover 2024-12-19
O365 Multiple Service Principals Created by SP O365 Add service principal. Cloud Account Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-11-14
O365 Multiple Service Principals Created by User O365 Add service principal. Cloud Account Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-11-14
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed Password Spraying Credential Stuffing Cloud Accounts TTP NOBELIUM Group, Office 365 Account Takeover 2025-02-10
O365 New Email Forwarding Rule Created Email Forwarding Rule TTP Office 365 Collection Techniques 2025-02-10
O365 New Email Forwarding Rule Enabled Email Forwarding Rule TTP Office 365 Collection Techniques 2025-02-10
O365 New Federated Domain Added O365 Cloud Account TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2025-02-10
O365 New Forwarding Mailflow Rule Created Email Collection TTP Office 365 Collection Techniques 2024-11-14
O365 New MFA Method Registered O365 Update user. Device Registration TTP Office 365 Persistence Mechanisms 2025-02-10
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-11-14
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-11-14
O365 Privileged Graph API Permission Assigned O365 Update application. Security Account Manager TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-11-14
O365 Privileged Role Assigned Office 365 Universal Audit Log Additional Cloud Roles TTP Azure Active Directory Persistence 2025-02-10
O365 Privileged Role Assigned To Service Principal Office 365 Universal Audit Log Additional Cloud Roles TTP Azure Active Directory Privilege Escalation 2025-02-10
O365 PST export alert O365 Email Collection TTP Data Exfiltration, Office 365 Collection Techniques 2024-11-14
O365 Safe Links Detection Office 365 Universal Audit Log Spearphishing Attachment TTP Office 365 Account Takeover, Spearphishing Attachments 2025-02-10
O365 Security And Compliance Alert Triggered Cloud Accounts TTP Office 365 Account Takeover 2025-02-10
O365 Service Principal New Client Credentials O365 Additional Cloud Credentials TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2025-02-10
O365 Service Principal Privilege Escalation O365 Add app role assignment grant to user. Additional Cloud Roles TTP Azure Active Directory Privilege Escalation, Office 365 Account Takeover 2025-02-10
O365 SharePoint Allowed Domains Policy Changed Office 365 Universal Audit Log Cloud Account TTP Azure Active Directory Persistence 2024-11-14
O365 SharePoint Malware Detection Office 365 Universal Audit Log Malicious File TTP Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud 2025-02-10
O365 SharePoint Suspicious Search Behavior Office 365 Universal Audit Log Sharepoint Unsecured Credentials Anomaly CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques 2025-02-27
O365 Tenant Wide Admin Consent Granted O365 Consent to application. Additional Cloud Roles TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2025-02-10
O365 Threat Intelligence Suspicious Email Delivered Office 365 Universal Audit Log Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2025-02-10
O365 Threat Intelligence Suspicious File Detected Office 365 Universal Audit Log Malicious File TTP Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud 2025-02-10
O365 User Consent Blocked for Risky Application O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-11-14
O365 User Consent Denied for OAuth Application O365 Steal Application Access Token TTP Office 365 Account Takeover 2024-11-14
O365 ZAP Activity Detection Office 365 Universal Audit Log Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2025-02-10
Risk Rule for Dev Sec Ops by Repository Malicious Image Correlation Dev Sec Ops 2025-02-10
GitHub Actions Disable Security Workflow GitHub Webhooks Compromise Software Supply Chain Anomaly Dev Sec Ops 2025-02-10
Github Commit Changes In Master GitHub Webhooks Trusted Relationship Anomaly Dev Sec Ops 2024-11-14
Github Commit In Develop GitHub Webhooks Trusted Relationship Anomaly Dev Sec Ops 2024-11-14
GitHub Dependabot Alert GitHub Webhooks Compromise Software Dependencies and Development Tools Anomaly Dev Sec Ops 2025-02-10
GitHub Pull Request from Unknown User GitHub Webhooks Compromise Software Dependencies and Development Tools Anomaly Dev Sec Ops 2025-02-10
Active Directory Lateral Movement Identified Exploitation of Remote Services Correlation Active Directory Lateral Movement 2024-11-13
Active Directory Privilege Escalation Identified Domain or Tenant Policy Modification Correlation Active Directory Privilege Escalation 2024-11-13
Crowdstrike Admin Weak Password Policy Brute Force TTP Compromised Windows Host 2024-11-13
Crowdstrike Admin With Duplicate Password Brute Force TTP Compromised Windows Host 2024-11-13
Crowdstrike High Identity Risk Severity Brute Force TTP Compromised Windows Host 2024-11-13
Crowdstrike Medium Identity Risk Severity Brute Force TTP Compromised Windows Host 2024-11-13
Crowdstrike Medium Severity Alert Brute Force Anomaly Compromised Windows Host 2024-11-13
Crowdstrike Multiple LOW Severity Alerts Brute Force Anomaly Compromised Windows Host 2024-11-13
Crowdstrike Privilege Escalation For Non-Admin User Brute Force Anomaly Compromised Windows Host 2024-11-13
Crowdstrike User Weak Password Policy Brute Force Anomaly Compromised Windows Host 2024-11-13
Crowdstrike User with Duplicate Password Brute Force Anomaly Compromised Windows Host 2024-11-13
Detect Baron Samedit CVE-2021-3156 Exploitation for Privilege Escalation TTP Baron Samedit CVE-2021-3156 2024-11-13
Detect Baron Samedit CVE-2021-3156 Segfault Exploitation for Privilege Escalation TTP Baron Samedit CVE-2021-3156 2024-11-13
Detect Baron Samedit CVE-2021-3156 via OSQuery Exploitation for Privilege Escalation TTP Baron Samedit CVE-2021-3156 2024-11-13
Detect Excessive Account Lockouts From Endpoint Domain Accounts Anomaly Active Directory Password Spraying 2025-02-10
Detect Excessive User Account Lockouts Local Accounts Anomaly Active Directory Password Spraying 2025-02-10
Living Off The Land Detection Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation Living Off The Land 2024-11-13
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2024-11-13
Microsoft Defender ATP Alerts MS Defender ATP Alerts N/A TTP Critical Alerts 2025-01-20
Microsoft Defender Incident Alerts MS365 Defender Incident Alerts N/A TTP Critical Alerts 2025-01-20
MOVEit Certificate Store Access Failure Exploit Public-Facing Application Hunting MOVEit Transfer Authentication Bypass 2024-11-13
MOVEit Empty Key Fingerprint Authentication Attempt Exploit Public-Facing Application Hunting MOVEit Transfer Authentication Bypass 2024-11-13
PaperCut NG Suspicious Behavior Debug Log Exploit Public-Facing Application External Remote Services Hunting PaperCut MF NG Vulnerability 2024-11-13
Processes Tapping Keyboard Events N/A TTP ColdRoot MacOS RAT 2024-11-13
Steal or Forge Authentication Certificates Behavior Identified Steal or Forge Authentication Certificates Correlation Windows Certificate Services 2024-11-13
Suspicious PlistBuddy Usage via OSquery Launch Agent TTP Silver Sparrow 2025-02-10
WMI Permanent Event Subscription Windows Management Instrumentation TTP Suspicious WMI Use 2024-11-13
WMI Temporary Event Subscription Windows Management Instrumentation TTP Suspicious WMI Use 2024-11-13
Detect ARP Poisoning Hardware Additions Network Denial of Service ARP Cache Poisoning TTP Router and Infrastructure Security 2025-02-10
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-11-15
Detect DNS Data Exfiltration using pretrained model in DSDL Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-11-15
Detect Outbound SMB Traffic File Transfer Protocols TTP DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group 2025-02-10
Detect Port Security Violation Hardware Additions Network Denial of Service ARP Cache Poisoning TTP Router and Infrastructure Security 2025-02-10
Detect Rogue DHCP Server Hardware Additions Network Denial of Service Adversary-in-the-Middle TTP Router and Infrastructure Security 2024-11-15
Detect SNICat SNI Exfiltration Exfiltration Over C2 Channel TTP Data Exfiltration 2024-11-15
Detect suspicious DNS TXT records using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-11-15
Detect Traffic Mirroring Traffic Duplication Hardware Additions Network Denial of Service TTP Router and Infrastructure Security 2025-02-10
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2024-11-15
Detect Zerologon via Zeek Exploit Public-Facing Application TTP Black Basta Ransomware, Detect Zerologon Attack, Rhysida Ransomware 2025-03-03
DNS Query Length Outliers - MLTK DNS Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2025-02-10
Excessive DNS Failures DNS Anomaly Command And Control, Suspicious DNS Traffic 2025-02-10
Internal Vulnerability Scan Vulnerability Scanning Network Service Discovery TTP Network Discovery 2024-11-15
Large Volume of DNS ANY Queries Reflection Amplification Anomaly DNS Amplification Attacks 2025-02-10
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2025-02-10
Protocols passing authentication in cleartext N/A TTP Use of Cleartext Protocols 2024-11-15
SMB Traffic Spike SMB/Windows Admin Shares Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2025-02-10
SMB Traffic Spike - MLTK SMB/Windows Admin Shares Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2025-02-10
SSL Certificates with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2024-11-15
Zeek x509 Certificate with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2024-11-15
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Suricata Exploit Public-Facing Application TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-11-15
Adobe ColdFusion Access Control Bypass Suricata Exploit Public-Facing Application TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-11-15
Adobe ColdFusion Unauthenticated Arbitrary File Read Suricata Exploit Public-Facing Application TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-11-15
Cisco IOS XE Implant Access Suricata Exploit Public-Facing Application TTP Cisco IOS XE Software Web Management User Interface vulnerability 2024-11-15
Citrix ADC and Gateway Unauthorized Data Disclosure Suricata Exploit Public-Facing Application TTP Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 2024-11-15
Citrix ShareFile Exploitation CVE-2023-24489 Suricata Exploit Public-Facing Application Hunting Citrix ShareFile RCE CVE-2023-24489 2024-11-15
Confluence CVE-2023-22515 Trigger Vulnerability Suricata Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-11-15
Confluence Data Center and Server Privilege Escalation Nginx Access Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities 2024-11-15
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Suricata Exploit Public-Facing Application TTP Confluence Data Center and Confluence Server Vulnerabilities 2024-11-15
| ConnectWise ScreenConnect Authentication Bypass | Suricata | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-11-15 |
| Detect attackers scanning for vulnerable JBoss servers | | System Information Discovery, External Remote Services | TTP | JBoss Vulnerability, SamSam Ransomware | 2024-11-15 |
| Detect F5 TMUI RCE CVE-2020-5902 | | Exploit Public-Facing Application | TTP | F5 TMUI RCE CVE-2020-5902 | 2024-11-15 |
| Detect malicious requests to exploit JBoss servers | | N/A | TTP | JBoss Vulnerability, SamSam Ransomware | 2024-11-15 |
| Exploit Public Facing Application via Apache Commons Text | Nginx Access | External Remote Services, Exploit Public-Facing Application, Web Shell | Anomaly | Text4Shell CVE-2022-42889 | 2025-02-10 |
| F5 TMUI Authentication Bypass | Suricata | N/A | TTP | F5 Authentication Bypass with TMUI | 2024-11-15 |
| High Volume of Bytes Out to Url | Nginx Access | Exfiltration Over Web Service | Anomaly | Data Exfiltration | 2024-11-15 |
| Hunting for Log4Shell | Nginx Access | Exploit Public-Facing Application, External Remote Services | Hunting | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-15 |
| Ivanti Connect Secure Command Injection Attempts | Suricata | Exploit Public-Facing Application | TTP | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-11-15 |
| Ivanti Connect Secure SSRF in SAML Component | Suricata | Exploit Public-Facing Application | TTP | Ivanti Connect Secure VPN Vulnerabilities | 2024-11-15 |
| Ivanti Connect Secure System Information Access via Auth Bypass | Suricata | Exploit Public-Facing Application | Anomaly | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-11-15 |
| Ivanti EPM SQL Injection Remote Code Execution | Suricata | Exploit Public-Facing Application | TTP | Ivanti EPM Vulnerabilities | 2024-11-15 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | Suricata | Exploit Public-Facing Application, External Remote Services | TTP | Ivanti EPMM Remote Unauthenticated Access | 2024-11-15 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | Suricata | Exploit Public-Facing Application, External Remote Services | TTP | Ivanti EPMM Remote Unauthenticated Access | 2024-11-15 |
| Ivanti Sentry Authentication Bypass | Suricata | Exploit Public-Facing Application | TTP | Ivanti Sentry Authentication Bypass CVE-2023-38035 | 2024-11-15 |
| Jenkins Arbitrary File Read CVE-2024-23897 | Nginx Access | Exploit Public-Facing Application | TTP | Jenkins Server Vulnerabilities | 2024-11-15 |
| JetBrains TeamCity Authentication Bypass CVE-2024-27198 | Suricata | Exploit Public-Facing Application | TTP | JetBrains TeamCity Vulnerabilities | 2024-11-15 |
| JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | Suricata | Exploit Public-Facing Application | TTP | JetBrains TeamCity Vulnerabilities | 2024-11-15 |
| JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 | Suricata | Exploit Public-Facing Application | TTP | JetBrains TeamCity Vulnerabilities | 2024-11-15 |
| JetBrains TeamCity RCE Attempt | Suricata | Exploit Public-Facing Application | TTP | CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities | 2024-11-15 |
| Log4Shell JNDI Payload Injection Attempt | Nginx Access | Exploit Public-Facing Application, External Remote Services | Anomaly | CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-15 |
| Log4Shell JNDI Payload Injection with Outbound Connection | | Exploit Public-Facing Application, External Remote Services | Anomaly | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-15 |
| Microsoft SharePoint Server Elevation of Privilege | Suricata | Exploitation for Privilege Escalation | TTP | Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | 2024-11-15 |
| Monitor Web Traffic For Brand Abuse | | N/A | TTP | Brand Monitoring | 2024-11-15 |
| Nginx ConnectWise ScreenConnect Authentication Bypass | Nginx Access | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-11-15 |
| PaperCut NG Remote Web Access Attempt | Suricata | Exploit Public-Facing Application, External Remote Services | TTP | PaperCut MF NG Vulnerability | 2024-11-15 |
| ProxyShell ProxyNotShell Behavior Detected | | Exploit Public-Facing Application, External Remote Services | Correlation | BlackByte Ransomware, ProxyNotShell, ProxyShell | 2024-11-15 |
| Spring4Shell Payload URL Request | Nginx Access | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP | Spring4Shell CVE-2022-22965 | 2025-02-10 |
| SQL Injection with Long URLs | | Exploit Public-Facing Application | TTP | SQL Injection | 2024-11-15 |
| Supernova Webshell | | Web Shell, External Remote Services | TTP | NOBELIUM Group | 2024-11-15 |
| Unusually Long Content-Type Length | | N/A | Anomaly | Apache Struts Vulnerability | 2024-11-15 |
| Web JSP Request via URL | Nginx Access | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP | Spring4Shell CVE-2022-22965 | 2025-02-10 |
| Web Remote ShellServlet Access | Nginx Access | Exploit Public-Facing Application | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | 2024-11-15 |
| WordPress Bricks Builder plugin RCE | Nginx Access | Exploit Public-Facing Application | TTP | WordPress Vulnerabilities | 2024-11-15 |
| WS FTP Remote Code Execution | Suricata | Exploit Public-Facing Application | TTP | WS FTP Server Critical Vulnerabilities | 2024-11-15 |
| Zscaler Adware Activities Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Behavior Analysis Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler CryptoMiner Downloaded Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Employment Search Web Activity | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Exploit Threat Blocked | | Phishing | TTP | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Legal Liability Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Malware Activity Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Phishing Activity Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Potentially Abused File Download | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Privacy Risk Destinations Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Scam Destinations Threat Blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |
| Zscaler Virus Download threat blocked | | Phishing | Anomaly | Zscaler Browser Proxy Threats | 2024-11-15 |