-
Notifications
You must be signed in to change notification settings - Fork 477
Expand file tree
/
Copy pathPlaybook.schema.json
More file actions
3007 lines (3007 loc) · 149 KB
/
Copy pathPlaybook.schema.json
File metadata and controls
3007 lines (3007 loc) · 149 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
{
"$defs": {
"DefendTechnique": {
"description": "List of Supported D3FEND Techniques.",
"enum": [
"D3-AA",
"D3-ABPI",
"D3-ACA",
"D3-ACH",
"D3-AH",
"D3-AI",
"D3-AL",
"D3-ALLM",
"D3-AM",
"D3-AMED",
"D3-ANAA",
"D3-ANCI",
"D3-ANET",
"D3-APA",
"D3-APLM",
"D3-AVE",
"D3-AZET",
"D3-BA",
"D3-BAN",
"D3-BDI",
"D3-BSE",
"D3-CA",
"D3-CAA",
"D3-CBAN",
"D3-CCSA",
"D3-CE",
"D3-CERO",
"D3-CF",
"D3-CFC",
"D3-CH",
"D3-CHN",
"D3-CI",
"D3-CIA",
"D3-CM",
"D3-CNE",
"D3-CNR",
"D3-CNS",
"D3-CP",
"D3-CQ",
"D3-CR",
"D3-CRO",
"D3-CS",
"D3-CSPP",
"D3-CTS",
"D3-CV",
"D3-DA",
"D3-DAM",
"D3-DCE",
"D3-DE",
"D3-DEM",
"D3-DENCR",
"D3-DF",
"D3-DI",
"D3-DKE",
"D3-DKF",
"D3-DKP",
"D3-DLIC",
"D3-DNR",
"D3-DNRA",
"D3-DNSAL",
"D3-DNSCE",
"D3-DNSDL",
"D3-DNSTA",
"D3-DO",
"D3-DP",
"D3-DPLM",
"D3-DPR",
"D3-DQSA",
"D3-DRT",
"D3-DST",
"D3-DTP",
"D3-DUC",
"D3-EAL",
"D3-EBWSAM",
"D3-EDL",
"D3-EF",
"D3-EFA",
"D3-EHB",
"D3-EHPV",
"D3-EI",
"D3-ER",
"D3-ET",
"D3-FA",
"D3-FAPA",
"D3-FBA",
"D3-FC",
"D3-FCA",
"D3-FCDC",
"D3-FCOA",
"D3-FCR",
"D3-FE",
"D3-FEMC",
"D3-FEV",
"D3-FFV",
"D3-FH",
"D3-FHRA",
"D3-FIM",
"D3-FISV",
"D3-FMBV",
"D3-FMCV",
"D3-FMVV",
"D3-FRDDL",
"D3-FRIDL",
"D3-FV",
"D3-HBPI",
"D3-HCI",
"D3-HD",
"D3-HDDL",
"D3-HDL",
"D3-HR",
"D3-HS",
"D3-IAA",
"D3-IBCA",
"D3-ID",
"D3-IDA",
"D3-IHN",
"D3-IOPR",
"D3-IPCTA",
"D3-IPRA",
"D3-IRA",
"D3-IRV",
"D3-ISVA",
"D3-ITF",
"D3-JFAPA",
"D3-KBPI",
"D3-LAM",
"D3-LAMED",
"D3-LFAM",
"D3-LFP",
"D3-LLM",
"D3-MA",
"D3-MAN",
"D3-MBSV",
"D3-MBT",
"D3-MENCR",
"D3-MFA",
"D3-MH",
"D3-NAM",
"D3-NI",
"D3-NM",
"D3-NNI",
"D3-NPC",
"D3-NRAM",
"D3-NTA",
"D3-NTCD",
"D3-NTF",
"D3-NTPM",
"D3-NTSA",
"D3-NVA",
"D3-OAM",
"D3-ODM",
"D3-OE",
"D3-OM",
"D3-ORA",
"D3-OSM",
"D3-OTF",
"D3-OTP",
"D3-PA",
"D3-PAM",
"D3-PAN",
"D3-PBWSAM",
"D3-PCA",
"D3-PCSV",
"D3-PE",
"D3-PFV",
"D3-PH",
"D3-PHDURA",
"D3-PLA",
"D3-PLLM",
"D3-PLM",
"D3-PM",
"D3-PMAD",
"D3-PR",
"D3-PS",
"D3-PSA",
"D3-PSEP",
"D3-PSMD",
"D3-PT",
"D3-PV",
"D3-PWA",
"D3-RA",
"D3-RAM",
"D3-RAPA",
"D3-RC",
"D3-RD",
"D3-RDI",
"D3-RE",
"D3-RF",
"D3-RFAM",
"D3-RFS",
"D3-RIC",
"D3-RKD",
"D3-RN",
"D3-RNA",
"D3-RO",
"D3-RPA",
"D3-RRID",
"D3-RS",
"D3-RTA",
"D3-RTSD",
"D3-RUAA",
"D3-SAOR",
"D3-SBV",
"D3-SCA",
"D3-SCF",
"D3-SCH",
"D3-SCP",
"D3-SDA",
"D3-SDM",
"D3-SEA",
"D3-SFA",
"D3-SFCV",
"D3-SFV",
"D3-SHN",
"D3-SICA",
"D3-SJA",
"D3-SMRA",
"D3-SPP",
"D3-SRA",
"D3-SSC",
"D3-ST",
"D3-SU",
"D3-SVCDM",
"D3-SWI",
"D3-SYSDM",
"D3-SYSM",
"D3-SYSVA",
"D3-TAAN",
"D3-TB",
"D3-TBA",
"D3-TBI",
"D3-TL",
"D3-UA",
"D3-UAP",
"D3-UBA",
"D3-UDTA",
"D3-UGLPA",
"D3-ULA",
"D3-URA",
"D3-USICA",
"D3-VI",
"D3-VTV",
"D3-WSAA",
"D3-WSAM"
],
"title": "DefendTechnique",
"type": "string"
},
"EventBasedDetectionEnum": {
"description": "Empty Placeholder Enum for baselines.\n\nNOTE: This enum is dynamically populated at runtime by the EventBasedDetection.UpdateDynamicEnum method.",
"enum": [
"3CX Supply Chain Attack Network Indicators",
"7zip CommandLine To SMB Share Path",
"ASL AWS Concurrent Sessions From Different Ips",
"ASL AWS Create Access Key",
"ASL AWS Create Policy Version to allow all resources",
"ASL AWS Credential Access GetPasswordData",
"ASL AWS Credential Access RDS Password reset",
"ASL AWS Defense Evasion Delete CloudWatch Log Group",
"ASL AWS Defense Evasion Delete Cloudtrail",
"ASL AWS Defense Evasion Impair Security Services",
"ASL AWS Defense Evasion PutBucketLifecycle",
"ASL AWS Defense Evasion Stop Logging Cloudtrail",
"ASL AWS Defense Evasion Update Cloudtrail",
"ASL AWS Detect Users creating keys with encrypt policy without MFA",
"ASL AWS Disable Bucket Versioning",
"ASL AWS EC2 Snapshot Shared Externally",
"ASL AWS ECR Container Upload Outside Business Hours",
"ASL AWS ECR Container Upload Unknown User",
"ASL AWS IAM AccessDenied Discovery Events",
"ASL AWS IAM Assume Role Policy Brute Force",
"ASL AWS IAM Delete Policy",
"ASL AWS IAM Failure Group Deletion",
"ASL AWS IAM Successful Group Deletion",
"ASL AWS Multi-Factor Authentication Disabled",
"ASL AWS Network Access Control List Created with All Open Ports",
"ASL AWS Network Access Control List Deleted",
"ASL AWS New MFA Method Registered For User",
"ASL AWS SAML Update identity provider",
"ASL AWS UpdateLoginProfile",
"AWS AMI Attribute Modification for Exfiltration",
"AWS Bedrock Claude Cross Region Possible Inference Abuse",
"AWS Bedrock Claude High Risk Filesystem and Exec Tool Invocation",
"AWS Bedrock Claude Hostile Prompt Sentiment",
"AWS Bedrock Claude Possible Prompt Injection",
"AWS Bedrock Claude Sensitive Data in Prompts",
"AWS Bedrock Claude Unusually Large Prompts",
"AWS Bedrock Claude excessive use of tokens",
"AWS Bedrock Delete GuardRails",
"AWS Bedrock Delete Knowledge Base",
"AWS Bedrock Delete Model Invocation Logging Configuration",
"AWS Bedrock High Number List Foundation Model Failures",
"AWS Bedrock Invoke Model Access Denied",
"AWS Concurrent Sessions From Different Ips",
"AWS Console Login Failed During MFA Challenge",
"AWS Create Policy Version to allow all resources",
"AWS CreateAccessKey",
"AWS CreateLoginProfile",
"AWS Credential Access Failed Login",
"AWS Credential Access GetPasswordData",
"AWS Credential Access RDS Password reset",
"AWS Defense Evasion Delete CloudWatch Log Group",
"AWS Defense Evasion Delete Cloudtrail",
"AWS Defense Evasion Impair Security Services",
"AWS Defense Evasion PutBucketLifecycle",
"AWS Defense Evasion Stop Logging Cloudtrail",
"AWS Defense Evasion Update Cloudtrail",
"AWS Detect Users creating keys with encrypt policy without MFA",
"AWS Detect Users with KMS keys performing encryption S3",
"AWS Disable Bucket Versioning",
"AWS EC2 Snapshot Shared Externally",
"AWS ECR Container Scanning Findings High",
"AWS ECR Container Scanning Findings Low Informational Unknown",
"AWS ECR Container Scanning Findings Medium",
"AWS ECR Container Upload Outside Business Hours",
"AWS ECR Container Upload Unknown User",
"AWS Excessive Security Scanning",
"AWS Exfiltration via Anomalous GetObject API Activity",
"AWS Exfiltration via Batch Service",
"AWS Exfiltration via Bucket Replication",
"AWS Exfiltration via DataSync Task",
"AWS Exfiltration via EC2 Snapshot",
"AWS High Number Of Failed Authentications For User",
"AWS High Number Of Failed Authentications From Ip",
"AWS IAM AccessDenied Discovery Events",
"AWS IAM Assume Role Policy Brute Force",
"AWS IAM Delete Policy",
"AWS IAM Failure Group Deletion",
"AWS IAM Successful Group Deletion",
"AWS Lambda UpdateFunctionCode",
"AWS Multi-Factor Authentication Disabled",
"AWS Multiple Failed MFA Requests For User",
"AWS Multiple Users Failing To Authenticate From Ip",
"AWS Network Access Control List Created with All Open Ports",
"AWS Network Access Control List Deleted",
"AWS New MFA Method Registered For User",
"AWS Password Policy Changes",
"AWS S3 Exfiltration Behavior Identified",
"AWS SAML Update identity provider",
"AWS SetDefaultPolicyVersion",
"AWS Successful Console Authentication From Multiple IPs",
"AWS Successful Single-Factor Authentication",
"AWS Unusual Number of Failed Authentications From Ip",
"AWS UpdateLoginProfile",
"Access LSASS Memory for Dump Creation",
"Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint",
"Active Directory Lateral Movement Identified",
"Active Directory Privilege Escalation Identified",
"Active Setup Registry Autostart",
"Add DefaultUser And Password In Registry",
"Add or Set Windows Defender Exclusion",
"Adobe ColdFusion Access Control Bypass",
"Adobe ColdFusion Unauthenticated Arbitrary File Read",
"AdsiSearcher Account Discovery",
"Advanced IP or Port Scanner Execution",
"Allow File And Printing Sharing In Firewall",
"Allow Inbound Traffic By Firewall Rule Registry",
"Allow Inbound Traffic In Firewall Rule",
"Allow Network Discovery In Firewall",
"Allow Operation with Consent Admin",
"Amazon EKS Kubernetes Pod scan detection",
"Amazon EKS Kubernetes cluster scan detection",
"Anomalous usage of 7zip",
"Attacker Tools On Endpoint",
"Auto Admin Logon Registry Entry",
"Azure AD Admin Consent Bypassed by Service Principal",
"Azure AD Application Administrator Role Assigned",
"Azure AD Authentication Failed During MFA Challenge",
"Azure AD AzureHound UserAgent Detected",
"Azure AD Block User Consent For Risky Apps Disabled",
"Azure AD Concurrent Sessions From Different Ips",
"Azure AD Device Code Authentication",
"Azure AD External Guest User Invited",
"Azure AD FullAccessAsApp Permission Assigned",
"Azure AD Global Administrator Role Assigned",
"Azure AD High Number Of Failed Authentications For User",
"Azure AD High Number Of Failed Authentications From Ip",
"Azure AD Multi-Factor Authentication Disabled",
"Azure AD Multi-Source Failed Authentications Spike",
"Azure AD Multiple AppIDs and UserAgents Authentication Spike",
"Azure AD Multiple Denied MFA Requests For User",
"Azure AD Multiple Failed MFA Requests For User",
"Azure AD Multiple Service Principals Created by SP",
"Azure AD Multiple Service Principals Created by User",
"Azure AD Multiple Users Failing To Authenticate From Ip",
"Azure AD New Custom Domain Added",
"Azure AD New Federated Domain Added",
"Azure AD New MFA Method Registered",
"Azure AD New MFA Method Registered For User",
"Azure AD OAuth Application Consent Granted By User",
"Azure AD PIM Role Assigned",
"Azure AD PIM Role Assignment Activated",
"Azure AD Privileged Authentication Administrator Role Assigned",
"Azure AD Privileged Graph API Permission Assigned",
"Azure AD Privileged Role Assigned",
"Azure AD Privileged Role Assigned to Service Principal",
"Azure AD Service Principal Authentication",
"Azure AD Service Principal Created",
"Azure AD Service Principal Enumeration",
"Azure AD Service Principal New Client Credentials",
"Azure AD Service Principal Owner Added",
"Azure AD Service Principal Privilege Escalation",
"Azure AD Successful Authentication From Different Ips",
"Azure AD Successful PowerShell Authentication",
"Azure AD Successful Single-Factor Authentication",
"Azure AD Tenant Wide Admin Consent Granted",
"Azure AD Unusual Number of Failed Authentications From Ip",
"Azure AD User Consent Blocked for Risky Application",
"Azure AD User Consent Denied for OAuth Application",
"Azure AD User Enabled And Password Reset",
"Azure AD User ImmutableId Attribute Updated",
"Azure Active Directory High Risk Sign-in",
"Azure Automation Account Created",
"Azure Automation Runbook Created",
"Azure Runbook Webhook Created",
"BCDEdit Failure Recovery Modification",
"BITS Job Persistence",
"BITSAdmin Download File",
"Batch File Write to System32",
"Bcdedit Command Back To Normal Mode Boot",
"CMD Carry Out String Command Parameter",
"CMD Echo Pipe - Escalation",
"CMLUA Or CMSTPLUA UAC Bypass",
"CSC Net On The Fly Compilation",
"CertUtil With Decode Argument",
"Certutil exe certificate extraction",
"Change To Safe Mode With Network Config",
"Check Elevated CMD using whoami",
"Child Processes of Spoolsv exe",
"Circle CI Disable Security Job",
"Circle CI Disable Security Step",
"Cisco AI Defense Security Alerts by Application Name",
"Cisco ASA - AAA Policy Tampering",
"Cisco ASA - Core Syslog Message Volume Drop",
"Cisco ASA - Device File Copy Activity",
"Cisco ASA - Device File Copy to Remote Location",
"Cisco ASA - Logging Disabled via CLI",
"Cisco ASA - Logging Filters Configuration Tampering",
"Cisco ASA - Logging Message Suppression",
"Cisco ASA - New Local User Account Created",
"Cisco ASA - Packet Capture Activity",
"Cisco ASA - Reconnaissance Command Activity",
"Cisco ASA - User Account Deleted From Local Database",
"Cisco ASA - User Account Lockout Threshold Exceeded",
"Cisco ASA - User Privilege Level Change",
"Cisco Configuration Archive Logging Analysis",
"Cisco Duo Admin Login Unusual Browser",
"Cisco Duo Admin Login Unusual Country",
"Cisco Duo Admin Login Unusual Os",
"Cisco Duo Bulk Policy Deletion",
"Cisco Duo Bypass Code Generation",
"Cisco Duo Policy Allow Devices Without Screen Lock",
"Cisco Duo Policy Allow Network Bypass 2FA",
"Cisco Duo Policy Allow Old Flash",
"Cisco Duo Policy Allow Old Java",
"Cisco Duo Policy Allow Tampered Devices",
"Cisco Duo Policy Bypass 2FA",
"Cisco Duo Policy Deny Access",
"Cisco Duo Policy Skip 2FA for Other Countries",
"Cisco Duo Set User Status to Bypass 2FA",
"Cisco IOS Suspicious Privileged Account Creation",
"Cisco IOS XE Guestshell Activation and Destroy",
"Cisco IOS XE Implant Access",
"Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal",
"Cisco IOS XE Reconnaissance Command Activity",
"Cisco IOS XE Remote Access Probe Burst",
"Cisco IOS XE Request Platform Package Describe Shell Pattern",
"Cisco IOS XE Tunnel Interface Configuration",
"Cisco IOS XE VTY Access Class Tampering",
"Cisco IOS XE WebUI Login From IOSd Local Port",
"Cisco IOS XE WebUI Programmatic Configuration",
"Cisco Isovalent - Access To Cloud Metadata Service",
"Cisco Isovalent - Cron Job Creation",
"Cisco Isovalent - Curl Execution With Insecure Flags",
"Cisco Isovalent - Kprobe Spike",
"Cisco Isovalent - Late Process Execution",
"Cisco Isovalent - Non Allowlisted Image Use",
"Cisco Isovalent - Nsenter Usage in Kubernetes Pod",
"Cisco Isovalent - Pods Running Offensive Tools",
"Cisco Isovalent - Potential Escape to Host",
"Cisco Isovalent - Shell Execution",
"Cisco NVM - Curl Execution With Insecure Flags",
"Cisco NVM - Installation of Typosquatted Python Package",
"Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI",
"Cisco NVM - Non-Network Binary Making Network Connection",
"Cisco NVM - Outbound Connection to Suspicious Port",
"Cisco NVM - Rclone Execution With Network Activity",
"Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download",
"Cisco NVM - Susp Script From Archive Triggering Network Activity",
"Cisco NVM - Suspicious Download From File Sharing Website",
"Cisco NVM - Suspicious File Download via Headless Browser",
"Cisco NVM - Suspicious Network Connection From Process With No Args",
"Cisco NVM - Suspicious Network Connection Initiated via MsXsl",
"Cisco NVM - Suspicious Network Connection to IP Lookup Service API",
"Cisco NVM - Webserver Download From File Sharing Website",
"Cisco Network Interface Modifications",
"Cisco Privileged Account Creation with HTTP Command Execution",
"Cisco Privileged Account Creation with Suspicious SSH Activity",
"Cisco SA - Access to Anonymizer Services",
"Cisco SA - Automated Web Reconnaissance via HTTP Access Errors",
"Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity",
"Cisco SD-WAN - Low Frequency Rogue Peer",
"Cisco SD-WAN - Peering Activity",
"Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity",
"Cisco SD-WAN Multiple SSH key Authentication from Same Source",
"Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication",
"Cisco SNMP Community String Configuration Changes",
"Cisco Secure Firewall - Binary File Type Download",
"Cisco Secure Firewall - Bits Network Activity",
"Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint",
"Cisco Secure Firewall - Blocked Connection",
"Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt",
"Cisco Secure Firewall - Communication Over Suspicious Ports",
"Cisco Secure Firewall - Connection to File Sharing Domain",
"Cisco Secure Firewall - File Download Over Uncommon Port",
"Cisco Secure Firewall - High EVE Threat Confidence",
"Cisco Secure Firewall - High Priority Intrusion Classification",
"Cisco Secure Firewall - High Volume of Intrusion Events Per Host",
"Cisco Secure Firewall - Intrusion Events by Threat Activity",
"Cisco Secure Firewall - Lumma Stealer Activity",
"Cisco Secure Firewall - Lumma Stealer Download Attempt",
"Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt",
"Cisco Secure Firewall - Malware File Downloaded",
"Cisco Secure Firewall - Oracle E-Business Suite Correlation",
"Cisco Secure Firewall - Oracle E-Business Suite Exploitation",
"Cisco Secure Firewall - Possibly Compromised Host",
"Cisco Secure Firewall - Potential Data Exfiltration",
"Cisco Secure Firewall - Privileged Command Execution via HTTP",
"Cisco Secure Firewall - Rare Snort Rule Triggered",
"Cisco Secure Firewall - React Server Components RCE Attempt",
"Cisco Secure Firewall - Remote Access Software Usage Traffic",
"Cisco Secure Firewall - Repeated Blocked Connections",
"Cisco Secure Firewall - Repeated Malware Downloads",
"Cisco Secure Firewall - SSH Connection to Non-Standard Port",
"Cisco Secure Firewall - SSH Connection to sshd_operns",
"Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts",
"Cisco Secure Firewall - Static Tundra Smart Install Abuse",
"Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity",
"Cisco Secure Firewall - Wget or Curl Download",
"Cisco Smart Install Oversized Packet Detection",
"Cisco Smart Install Port Discovery and Status",
"Cisco TFTP Server Configuration for Data Exfiltration",
"Citrix ADC Exploitation CVE-2023-3519",
"Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure",
"Citrix ADC and Gateway Unauthorized Data Disclosure",
"Citrix ShareFile Exploitation CVE-2023-24489",
"Clear Unallocated Sector Using Cipher App",
"Clop Common Exec Parameter",
"Clop Ransomware Known Service Name",
"Cloud API Calls From Previously Unseen User Roles",
"Cloud Compute Instance Created By Previously Unseen User",
"Cloud Compute Instance Created In Previously Unused Region",
"Cloud Compute Instance Created With Previously Unseen Image",
"Cloud Compute Instance Created With Previously Unseen Instance Type",
"Cloud Instance Modified By Previously Unseen User",
"Cloud Provisioning Activity From Previously Unseen City",
"Cloud Provisioning Activity From Previously Unseen Country",
"Cloud Provisioning Activity From Previously Unseen IP Address",
"Cloud Provisioning Activity From Previously Unseen Region",
"Cloud Security Groups Modifications by User",
"Common Ransomware Extensions",
"Common Ransomware Notes",
"Confluence CVE-2023-22515 Trigger Vulnerability",
"Confluence Data Center and Server Privilege Escalation",
"Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527",
"Confluence Unauthenticated Remote Code Execution CVE-2022-26134",
"ConnectWise ScreenConnect Authentication Bypass",
"ConnectWise ScreenConnect Path Traversal",
"ConnectWise ScreenConnect Path Traversal Windows SACL",
"Conti Common Exec parameter",
"Control Loading from World Writable Directory",
"Create Remote Thread In Shell Application",
"Create Remote Thread into LSASS",
"Create or delete windows shares using net exe",
"Creation of Shadow Copy",
"Creation of Shadow Copy with wmic and powershell",
"Creation of lsass Dump with Taskmgr",
"Credential Dumping via Copy Command from Shadow Copy",
"Credential Dumping via Symlink to Shadow Copy",
"CrowdStrike Falcon Stream Alerts",
"Crowdstrike Admin Weak Password Policy",
"Crowdstrike Admin With Duplicate Password",
"Crowdstrike High Identity Risk Severity",
"Crowdstrike Medium Identity Risk Severity",
"Crowdstrike Medium Severity Alert",
"Crowdstrike Multiple LOW Severity Alerts",
"Crowdstrike Privilege Escalation For Non-Admin User",
"Crowdstrike User Weak Password Policy",
"Crowdstrike User with Duplicate Password",
"CrushFTP Authentication Bypass Exploitation",
"CrushFTP Max Simultaneous Users From IP",
"CrushFTP Server Side Template Injection",
"Curl Execution with Percent Encoded URL",
"DLLHost with no Command Line Arguments with Network",
"DNS Exfiltration Using Nslookup App",
"DNS Kerberos Coercion",
"DNS Query Length With High Standard Deviation",
"DSQuery Domain Discovery",
"Delete ShadowCopy With PowerShell",
"Deleting Shadow Copies",
"Detect ARP Poisoning",
"Detect AWS Console Login by New User",
"Detect AWS Console Login by User from New City",
"Detect AWS Console Login by User from New Country",
"Detect AWS Console Login by User from New Region",
"Detect AzureHound Command-Line Arguments",
"Detect AzureHound File Modifications",
"Detect Baron Samedit CVE-2021-3156",
"Detect Baron Samedit CVE-2021-3156 Segfault",
"Detect Baron Samedit CVE-2021-3156 via OSQuery",
"Detect Certify Command Line Arguments",
"Detect Certify With PowerShell Script Block Logging",
"Detect Certipy File Modifications",
"Detect Computer Changed with Anonymous Account",
"Detect Copy of ShadowCopy with Script Block Logging",
"Detect Credential Dumping through LSASS access",
"Detect DNS Query to Decommissioned S3 Bucket",
"Detect Distributed Password Spray Attempts",
"Detect Empire with PowerShell Script Block Logging",
"Detect Excessive Account Lockouts From Endpoint",
"Detect Excessive User Account Lockouts",
"Detect Exchange Web Shell",
"Detect F5 TMUI RCE CVE-2020-5902",
"Detect GCP Storage access from a new IP",
"Detect HTML Help Renamed",
"Detect HTML Help Spawn Child Process",
"Detect HTML Help URL in Command Line",
"Detect HTML Help Using InfoTech Storage Handlers",
"Detect IPv6 Network Infrastructure Threats",
"Detect Large ICMP Traffic",
"Detect MSHTA Url in Command Line",
"Detect Mimikatz With PowerShell Script Block Logging",
"Detect New Local Admin account",
"Detect New Login Attempts to Routers",
"Detect New Open GCP Storage Buckets",
"Detect New Open S3 Buckets over AWS CLI",
"Detect New Open S3 buckets",
"Detect Outbound LDAP Traffic",
"Detect Outbound SMB Traffic",
"Detect Outlook exe writing a zip file",
"Detect Password Spray Attack Behavior From Source",
"Detect Password Spray Attack Behavior On User",
"Detect Password Spray Attempts",
"Detect Path Interception By Creation Of program exe",
"Detect Port Security Violation",
"Detect Prohibited Applications Spawning cmd exe",
"Detect PsExec With accepteula Flag",
"Detect RClone Command-Line Usage",
"Detect RTLO In File Name",
"Detect RTLO In Process",
"Detect Rare Executables",
"Detect Regasm Spawning a Process",
"Detect Regasm with Network Connection",
"Detect Regasm with no Command Line Arguments",
"Detect Regsvcs Spawning a Process",
"Detect Regsvcs with Network Connection",
"Detect Regsvcs with No Command Line Arguments",
"Detect Regsvr32 Application Control Bypass",
"Detect Remote Access Software Usage DNS",
"Detect Remote Access Software Usage File",
"Detect Remote Access Software Usage FileInfo",
"Detect Remote Access Software Usage Process",
"Detect Remote Access Software Usage Registry",
"Detect Remote Access Software Usage Traffic",
"Detect Remote Access Software Usage URL",
"Detect Renamed 7-Zip",
"Detect Renamed PSExec",
"Detect Renamed RClone",
"Detect Renamed WinRAR",
"Detect Rogue DHCP Server",
"Detect Rundll32 Inline HTA Execution",
"Detect S3 access from a new IP",
"Detect SNICat SNI Exfiltration",
"Detect SharpHound Command-Line Arguments",
"Detect SharpHound File Modifications",
"Detect SharpHound Usage",
"Detect Software Download To Network Device",
"Detect Spike in AWS Security Hub Alerts for EC2 Instance",
"Detect Spike in AWS Security Hub Alerts for User",
"Detect Spike in S3 Bucket deletion",
"Detect Spike in blocked Outbound Traffic from your AWS",
"Detect Traffic Mirroring",
"Detect Unauthorized Assets by MAC address",
"Detect Use of cmd exe to Launch Script Interpreters",
"Detect WMI Event Subscription Persistence",
"Detect Web Access to Decommissioned S3 Bucket",
"Detect Windows DNS SIGRed via Splunk Stream",
"Detect Windows DNS SIGRed via Zeek",
"Detect Zerologon via Zeek",
"Detect attackers scanning for vulnerable JBoss servers",
"Detect hosts connecting to dynamic domain providers",
"Detect malicious requests to exploit JBoss servers",
"Detect mshta inline hta execution",
"Detect mshta renamed",
"Detection of tools built by NirSoft",
"Disable AMSI Through Registry",
"Disable Defender AntiVirus Registry",
"Disable Defender BlockAtFirstSeen Feature",
"Disable Defender Enhanced Notification",
"Disable Defender MpEngine Registry",
"Disable Defender Spynet Reporting",
"Disable Defender Submit Samples Consent Feature",
"Disable ETW Through Registry",
"Disable Logs Using WevtUtil",
"Disable Registry Tool",
"Disable Schedule Task",
"Disable Security Logs Using MiniNt Registry",
"Disable Show Hidden Files",
"Disable UAC Remote Restriction",
"Disable Windows App Hotkeys",
"Disable Windows Behavior Monitoring",
"Disable Windows SmartScreen Protection",
"Disabled Kerberos Pre-Authentication Discovery With Get-ADUser",
"Disabled Kerberos Pre-Authentication Discovery With PowerView",
"Disabling CMD Application",
"Disabling ControlPanel",
"Disabling Defender Services",
"Disabling Firewall with Netsh",
"Disabling FolderOptions Windows Feature",
"Disabling NoRun Windows App",
"Disabling Remote User Account Control",
"Disabling SystemRestore In Registry",
"Disabling Task Manager",
"Disabling Windows Local Security Authority Defences via Registry",
"Domain Account Discovery with Dsquery",
"Domain Account Discovery with Wmic",
"Domain Controller Discovery with Nltest",
"Domain Controller Discovery with Wmic",
"Domain Group Discovery With Dsquery",
"Domain Group Discovery With Wmic",
"Domain Group Discovery with Adsisearcher",
"Download Files Using Telegram",
"Drop IcedID License dat",
"Dump LSASS via comsvcs DLL",
"Dump LSASS via procdump",
"ESXi Account Modified",
"ESXi Audit Tampering",
"ESXi Bulk VM Termination",
"ESXi Download Errors",
"ESXi Encryption Settings Modified",
"ESXi External Root Login Activity",
"ESXi Firewall Disabled",
"ESXi Lockdown Mode Disabled",
"ESXi Loghost Config Tampering",
"ESXi Malicious VIB Forced Install",
"ESXi Reverse Shell Patterns",
"ESXi SSH Brute Force",
"ESXi SSH Enabled",
"ESXi Sensitive Files Accessed",
"ESXi Shared or Stolen Root Account",
"ESXi Shell Access Enabled",
"ESXi Syslog Config Change",
"ESXi System Clock Manipulation",
"ESXi System Information Discovery",
"ESXi User Granted Admin Role",
"ESXi VIB Acceptance Level Tampering",
"ESXi VM Discovery",
"ESXi VM Exported via Remote Tool",
"ETW Registry Disabled",
"Elevated Group Discovery With Wmic",
"Elevated Group Discovery with PowerView",
"Email Attachments With Lots Of Spaces",
"Email files written outside of the Outlook directory",
"Email servers sending high volume traffic to hosts",
"Enable RDP In Other Port Number",
"Enable WDigest UseLogonCredential Registry",
"Enumerate Users Local Group Using Telegram",
"Esentutl SAM Copy",
"Eventvwr UAC Bypass",
"Excessive Attempt To Disable Services",
"Excessive DNS Failures",
"Excessive File Deletion In WinDefender Folder",
"Excessive Usage Of Cacls App",
"Excessive Usage Of SC Service Utility",
"Excessive Usage Of Taskkill",
"Excessive Usage of NSLOOKUP App",
"Excessive distinct processes from Windows Temp",
"Excessive number of service control start as disabled",
"Excessive number of taskhost processes",
"Exchange PowerShell Abuse via SSRF",
"Exchange PowerShell Module Usage",
"Executable File Written in Administrative SMB Share",
"Executables Or Script Creation In Suspicious Path",
"Executables Or Script Creation In Temp Path",
"Execute Javascript With Jscript COM CLSID",
"Execution of File with Multiple Extensions",
"Exploit Public Facing Application via Apache Commons Text",
"Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952",
"F5 BIG-IP iControl REST Vulnerability CVE-2022-1388",
"F5 TMUI Authentication Bypass",
"File Download or Read to Pipe Execution",
"File with Samsam Extension",
"Firewall Allowed Program Enable",
"First Time Seen Child Process of Zoom",
"First Time Seen Running Windows Service",
"FodHelper UAC Bypass",
"Fortinet Appliance Auth bypass",
"Fsutil Zeroing File",
"GCP Authentication Failed During MFA Challenge",
"GCP Detect gcploit framework",
"GCP Kubernetes cluster pod scan detection",
"GCP Multi-Factor Authentication Disabled",
"GCP Multiple Failed MFA Requests For User",
"GCP Multiple Users Failing To Authenticate From Ip",
"GCP Successful Single-Factor Authentication",
"GCP Unusual Number of Failed Authentications From Ip",
"GPUpdate with no Command Line Arguments with Network",
"GSuite Email Suspicious Attachment",
"Gdrive suspicious file sharing",
"Geographic Improbable Location",
"Get ADDefaultDomainPasswordPolicy with Powershell",
"Get ADDefaultDomainPasswordPolicy with Powershell Script Block",
"Get ADUser with PowerShell",
"Get ADUser with PowerShell Script Block",
"Get ADUserResultantPasswordPolicy with Powershell",
"Get ADUserResultantPasswordPolicy with Powershell Script Block",
"Get DomainPolicy with Powershell",
"Get DomainPolicy with Powershell Script Block",
"Get DomainUser with PowerShell",
"Get DomainUser with PowerShell Script Block",
"Get WMIObject Group Discovery",
"Get WMIObject Group Discovery with Script Block Logging",
"Get-DomainTrust with PowerShell",
"Get-DomainTrust with PowerShell Script Block",
"Get-ForestTrust with PowerShell",
"Get-ForestTrust with PowerShell Script Block",
"GetAdComputer with PowerShell",
"GetAdComputer with PowerShell Script Block",
"GetAdGroup with PowerShell",
"GetAdGroup with PowerShell Script Block",
"GetCurrent User with PowerShell",
"GetCurrent User with PowerShell Script Block",
"GetDomainComputer with PowerShell",
"GetDomainComputer with PowerShell Script Block",
"GetDomainController with PowerShell",
"GetDomainController with PowerShell Script Block",
"GetDomainGroup with PowerShell",
"GetDomainGroup with PowerShell Script Block",
"GetLocalUser with PowerShell",
"GetLocalUser with PowerShell Script Block",
"GetNetTcpconnection with PowerShell",
"GetNetTcpconnection with PowerShell Script Block",
"GetWmiObject DS User with PowerShell",
"GetWmiObject DS User with PowerShell Script Block",
"GetWmiObject Ds Computer with PowerShell",
"GetWmiObject Ds Computer with PowerShell Script Block",
"GetWmiObject Ds Group with PowerShell",
"GetWmiObject Ds Group with PowerShell Script Block",
"GetWmiObject User Account with PowerShell",
"GetWmiObject User Account with PowerShell Script Block",
"GitHub Enterprise Delete Branch Ruleset",
"GitHub Enterprise Disable 2FA Requirement",
"GitHub Enterprise Disable Audit Log Event Stream",
"GitHub Enterprise Disable Classic Branch Protection Rule",
"GitHub Enterprise Disable Dependabot",
"GitHub Enterprise Disable IP Allow List",
"GitHub Enterprise Modify Audit Log Event Stream",
"GitHub Enterprise Pause Audit Log Event Stream",
"GitHub Enterprise Register Self Hosted Runner",
"GitHub Enterprise Remove Organization",
"GitHub Enterprise Repository Archived",
"GitHub Enterprise Repository Deleted",
"GitHub Organizations Delete Branch Ruleset",
"GitHub Organizations Disable 2FA Requirement",
"GitHub Organizations Disable Classic Branch Protection Rule",
"GitHub Organizations Disable Dependabot",
"GitHub Organizations Repository Archived",
"GitHub Organizations Repository Deleted",
"GitHub Workflow File Creation or Modification",
"Gsuite Drive Share In External Email",
"Gsuite Email Suspicious Subject With Attachment",
"Gsuite Email With Known Abuse Web Service Link",
"Gsuite Outbound Email With Attachment To External Domain",
"Gsuite Suspicious Shared File Name",
"Gsuite suspicious calendar invite",
"HTTP C2 Framework User Agent",
"HTTP Duplicated Header",
"HTTP Malware User Agent",
"HTTP PUA User Agent",
"HTTP Possible Request Smuggling",
"HTTP RMM User Agent",
"HTTP Rapid POST with Mixed Status Codes",
"HTTP Request to Reserved Name on IIS Server",
"HTTP Scripting Tool User Agent",
"Headless Browser Mockbin or Mocky Request",
"Headless Browser Usage",
"Hide User Account From Sign-In Screen",
"Hiding Files And Directories With Attrib exe",
"High Frequency Copy Of Files In Network Share",
"High Number of Login Failures from a single source",
"High Process Termination Frequency",
"High Volume of Bytes Out to Url",
"Hosts receiving high volume of network traffic from email server",
"Hunting 3CXDesktopApp Software",
"Hunting for Log4Shell",
"ICACLS Grant Command",
"Icacls Deny Command",
"IcedID Exfiltrated Archived File Creation",
"Impacket Lateral Movement Commandline Parameters",
"Impacket Lateral Movement WMIExec Commandline Parameters",
"Impacket Lateral Movement smbexec CommandLine Parameters",
"Interactive Session on Remote Endpoint with PowerShell",
"Internal Horizontal Port Scan",
"Internal Horizontal Port Scan NMAP Top 20",
"Internal Vertical Port Scan",
"Internal Vulnerability Scan",
"Ivanti Connect Secure Command Injection Attempts",
"Ivanti Connect Secure SSRF in SAML Component",
"Ivanti Connect Secure System Information Access via Auth Bypass",
"Ivanti EPM SQL Injection Remote Code Execution",
"Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078",
"Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082",
"Ivanti VTM New Account Creation",
"Java Class File download by Java User Agent",
"Java Writing JSP File",
"Jenkins Arbitrary File Read CVE-2024-23897",
"JetBrains TeamCity Authentication Bypass CVE-2024-27198",
"JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198",
"JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199",
"JetBrains TeamCity RCE Attempt",
"Jscript Execution Using Cscript App",
"Juniper Networks Remote Code Execution Exploit Detection",
"Kerberoasting spn request with RC4 encryption",
"Kerberos Pre-Authentication Flag Disabled in UserAccountControl",
"Kerberos Pre-Authentication Flag Disabled with PowerShell",
"Kerberos Service Ticket Request Using RC4 Encryption",
"Kerberos TGT Request Using RC4 Encryption",
"Kerberos User Enumeration",
"Kubernetes AWS detect suspicious kubectl calls",
"Kubernetes Abuse of Secret by Unusual Location",
"Kubernetes Abuse of Secret by Unusual User Agent",
"Kubernetes Abuse of Secret by Unusual User Group",
"Kubernetes Abuse of Secret by Unusual User Name",
"Kubernetes Access Scanning",
"Kubernetes Anomalous Inbound Network Activity from Process",
"Kubernetes Anomalous Inbound Outbound Network IO",
"Kubernetes Anomalous Inbound to Outbound Network IO Ratio",
"Kubernetes Anomalous Outbound Network Activity from Process",
"Kubernetes Anomalous Traffic on Network Edge",
"Kubernetes Create or Update Privileged Pod",
"Kubernetes Cron Job Creation",
"Kubernetes DaemonSet Deployed",
"Kubernetes Falco Shell Spawned",
"Kubernetes Nginx Ingress LFI",
"Kubernetes Nginx Ingress RFI",
"Kubernetes Node Port Creation",
"Kubernetes Pod Created in Default Namespace",
"Kubernetes Pod With Host Network Attachment",
"Kubernetes Previously Unseen Container Image Name",
"Kubernetes Previously Unseen Process",
"Kubernetes Process Running From New Path",
"Kubernetes Process with Anomalous Resource Utilisation",
"Kubernetes Process with Resource Ratio Anomalies",
"Kubernetes Scanner Image Pulling",
"Kubernetes Scanning by Unauthenticated IP Address",
"Kubernetes Shell Running on Worker Node",
"Kubernetes Shell Running on Worker Node with CPU Activity",
"Kubernetes Suspicious Image Pulling",
"Kubernetes Unauthorized Access",
"Kubernetes newly seen TCP edge",
"Kubernetes newly seen UDP edge",
"LLM Model File Creation",
"LOLBAS With Network Traffic",
"Large Volume of DNS ANY Queries",
"Linux APT Privilege Escalation",
"Linux AWK Privilege Escalation",
"Linux Account Manipulation Of SSH Config and Keys",
"Linux Add Files In Known Crontab Directories",
"Linux Add User Account",
"Linux Adding Crontab Using List Parameter",
"Linux At Allow Config File Creation",
"Linux At Application Execution",
"Linux Auditd AI CLI Permission Override Activated",
"Linux Auditd Add User Account",
"Linux Auditd Add User Account Type",
"Linux Auditd At Application Execution",
"Linux Auditd Auditd Daemon Abort",
"Linux Auditd Auditd Daemon Shutdown",
"Linux Auditd Auditd Daemon Start",
"Linux Auditd Auditd Service Stop",
"Linux Auditd Base64 Decode Files",
"Linux Auditd Change File Owner To Root",
"Linux Auditd Clipboard Data Copy",
"Linux Auditd Copy Fail Privilege Escalation",
"Linux Auditd Data Destruction Command",
"Linux Auditd Data Transfer Size Limits Via Split",
"Linux Auditd Data Transfer Size Limits Via Split Syscall",
"Linux Auditd Database File And Directory Discovery",
"Linux Auditd Dd File Overwrite",
"Linux Auditd Disable Or Modify System Firewall",
"Linux Auditd Doas Conf File Creation",
"Linux Auditd Doas Tool Execution",
"Linux Auditd Edit Cron Table Parameter",
"Linux Auditd File And Directory Discovery",
"Linux Auditd File Permission Modification Via Chmod",