Security Content c2105.2 (i57) Release Notes

July 26, 2023 · View on GitHub

These Release Notes document security content updates from content package c2102.5(i56) to c2105.2 (i57).

The security content updates listed below include changes to the following areas:

Parsers
Models
Rules

In the lists below, each item represents a specific parser, model, or rule that has been added, updated, or deprecated. To facilitate finding every data source where the changed content items are referenced, a content library query has been created for each changed parser, model, or rule. To view the results of each query, click on the link for the relevant content item.

New Parsers

Updated Parsers

Deprecated Parsers

sonicwall-network-alert
sonicwall-network-alert-1
sonicwall-network-alert-2
sonicwall-network-alert-3
sonicwall-network-alert-4
sonicwall-network-connection-successful
sonicwall-network-connection-successful-1
windows-xml-member-added-2008

Models

New
Updated
Deprecated

New Models

DS-OAT-new – Directory services activity types per object class
DS-UAT-new – Directory services activity types for user per object class

Updated Models

A-AL-DhU – Users per Host
A-NET-HCountry-Inbound – Inbound country per asset
A-NET-HCountry-Outbound – Outbound country per asset
A-NET-OCountry-Inbound – Origination country per organization
A-NET-OCountry-Outbound – Outbound country per organization
A-NET-ZCountry-Inbound – Origination country per zone
A-NET-ZCountry-Outbound – Outbound country per zone
A-NETF-HCountry-Outbound – Failed outbound country per asset
A-NETF-OCountry-Outbound – Failed outbound country per organization
A-NETF-ZCountry-Outbound – Failed outbound country per zone
A-NETFLOW-OsH-Scanners – Assets that access multiple assets within seconds in the organization
AE-UP-TEMP – Process executable TEMP directories for this user during a session
DB-OPCOUNT-TOTAL – Count of total database operations for user
DB-UP-TEMP – Process executable TEMP directories for this user during database activity
EM-EdC – Countries per Email Domain
EM-Gcountry – Email Countries from/to peer group
EM-Ucountry – Email Countries from/to user
EM-country – Email Countries
EPA-UP-TEMP – Process executable TEMP directories for this user during endpoint activity
FA-UA-GC – Countries for peer groups file activities
FA-UA-OC – Countries for organization file activities
FA-UA-UC – Countries for user file activity
FA-UP-TEMP – Process executable TEMP directories for this user during file activity
UA-GC – Countries for peer groups
UA-OC – Countries for organization
UA-UC – Countries for user activity
WCA-Ucountry – Web conference login countries for user
WEB-OC – Web destination countries for org
WEB-UC – Web destination countries for user

Deprecated Models

There are no deprecated models in this release.

Rules

New
Updated
Deprecated

New Rules

A-AC-DhU-system-A – Abnormal account creation by system account on asset
A-AC-DhU-system-F – First account creation by system account on asset
A-ACCT-CR-DEL – Account created and deleted on asset
A-AD-Diagnostic-Tool – Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) on this asset
A-AE-SwSh-F – New server hostname using NTLM authentication in the organization.
A-AL-DhU-A – Abnormal user per asset
A-AL-DhU-F – First user per asset
A-AL-DhU-count – Abnormal number of users
A-ALERT-Critical – Security Alert on a critical asset
A-ALERT-Other – Alert on asset
A-ALERT – Security alert on asset
A-APT-Hurricane-Panda – Artifacts used by the APT group 'Hurricane Panda' have been observed on this asset
A-ATP-PSexec – PSExec service was run on the asset.
A-ATP-Tool-FGDump – Malicious exe/dll.
A-ATP-Tool-PSTGDump – Malicious pstgdump.exe was run from a temp folder on this asset.
A-AccountDiscovery – Local accounts were enumerated on this asset
A-Applocker-Bypass – Execution of executables that can be used to bypass Applocker on this asset
A-Archer – 'Archer' malware executed on this asset
A-Attrib-Hide-Files – Attrib.exe was used to hide files on this asset.
A-AutoRun-Modification – AutoRun Keys modified using reg.exe on this asset
A-BITS-Suspicious-Service – First abnormal BITS job created on the asset.
A-Baby-Shark-Activity – Activity related to Baby Shark malware has been found on this asset.
A-Base64-CommandLine – Base64 string in command line execution on this asset
A-Base64-Powershell-CmdLine-Keywords – Base64 encoded strings were found in hidden malicious Powershell command lines on this asset.
A-Bginfo-App-Whitelisting – VBscript referenced in a .bgi file was executed on this asset.
A-Bitsadmin-Download – Bitsadmin was used to download a file on this asset.
A-Bypass-UAC-CMSTP – Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line on this asset.
A-CDB-App-Whitelisting – 64-bit shellcode was launched using cdb.exe on this asset.
A-CMD-Spawn-From-Office – A command line executable was spawned from an Office application on this asset
A-CP-Sensitive-Files – Copying sensitive files with credential data on this asset
A-CSC-Suspicious-Folder – Csc.exe spawned from suspicious folder on this asset
A-CSC-Suspicious-Parent-Process – Suspicious parent process for csc.exe, possible payload delivery on this asset
A-CSharp-Interactive-Console – Execution of CSharp interactive console by PowerShell on this asset.
A-CertUtil-Suspicious-Usage – The 'certutil' Windows utility was used with known suspicious command line flags on this asset
A-Certutil-Encode – Certutil commands to encode files were used on this asset.
A-Cmdkey-Cred-Recon – Cmdkey Cached Credentials Recon on this asset
A-CreateMiniDump-Hacktool – CreateMiniDump Hacktool detected on this asset.
A-DB-AN-ALERT-A – Abnormal database alert name on the asset
A-DB-AN-ALERT-F – First database alert name on the asset
A-DB-OA-ALERT-A – Abnormal asset triggering database alert in the organization
A-DB-OA-ALERT-F – First database alert triggered for asset in the organization
A-DB-ON-ALERT-A – Abnormal database alert (by name) in the organization
A-DB-ON-ALERT-F – First database alert (by name) in the organization
A-DB-ZA-ALERT-A – Abnormal asset triggering database alert for zone
A-DB-ZA-ALERT-F – First database alert triggered for asset inb the zone
A-DB-ZN-ALERT-A – Abnormal database alert (by name) in the zone
A-DB-ZN-ALERT-F – First database alert (by name) in the zone
A-DCOMActivation-Known – Remote DCOM activation under DcomLaunch service on this asset.
A-DCOMFailure-Known – Remote DCOM activation failure on this asset.
A-DCSync – Possible DCSync Attack: New domain controller detected
A-DLL-AppData – DLL loaded from 'AppData(slash)Local' path on this asset
A-DLL-ULOAD-EquationGroup – A known 'Equation Group' artifact was observed on this asset
A-DLP-AN-ALERT-A – Abnormal DLP alert name on the asset
A-DLP-AN-ALERT-F – First DLP alert name on the asset
A-DLP-HN-ALERT-A – Abnormal DLP alert (by name) in the asset
A-DLP-HN-ALERT-F – First DLP alert (by name) in the asset
A-DLP-OA-ALERT-A – Abnormal asset triggering DLP alert in the organization
A-DLP-OA-ALERT-F – First DLP alert triggered for asset in the organization
A-DLP-ON-ALERT-A – Abnormal DLP alert (by name) in the organization
A-DLP-ON-ALERT-F – First DLP alert (by name) in the organization
A-DLP-ZN-ALERT-A – Abnormal DLP alert (by name) in the zone
A-DLP-ZN-ALERT-F – First DLP alert (by name) in the zone
A-DNS-ABSum-A – Abnormal amount of data of DNS queries has been sent from this asset
A-DNS-AQCount-A – Abnormal number of DNS queries from this asset
A-DNS-AQNXCount-A – Abnormal number of DNS queries to NX domains from this asset
A-DNS-DGADOM-QUERY – DNS query for DGA domain from this asset
A-DNS-DGADOM-RESPONSE – DNS query for DGA domain was successful from this asset
A-DNS-Exfiltration-Tools-Exec – Well-known DNS Exfiltration tools were executed on this asset.
A-DNS-MALDOM-QUERY – DNS query for blacklisted domain from this asset
A-DNS-MALDOM-RESPONSE – DNS query for blacklisted domain was successful from this asset
A-DNS-OBSum-A – Abnormal amount of data of DNS queries in the organization
A-DNS-OQNXCount-A – Abnormal number of DNS queries to NX domains for organization
A-DNS-SW-MALDOM – DNS query for SUNBURST malware from this asset
A-DNS-ZBSum-A – Abnormal amount of data of DNS queries in the zone
A-DNX-App-Whitelisting – C# code located in consoleapp folder was executed on this asset.
A-DS-DCShadow – Possible DCShadow attack by asset detected.
A-DS-Replication – First time a new server replicated itself on this asset
A-Defrag-Deactivation – Scheduled defragmentation task was deactivated on this asset.
A-Devtoolslauncher-Binary – Devtoolslauncher.exe has executed a binary on this asset
A-DomainTrust-Discovery – Enumeration of Windows Domain Trusts identified on this asset
A-DotNET-URL – DotNET command line contains remote file on this asset.
A-Dtrack – Known banking malware, Dtrack, observed on this asset
A-Dxcap-Possible-Subprocess – Dxcap.exe was executed on this asset.
A-EPA-DLL – Dll loaded from a temp folder via PowerShell on this asset
A-EPA-HP-A – Abnormal execution of process on asset
A-EPA-HP-F – First execution of process on asset
A-EPA-HPP-A – Abnormal parent-process combination on asset
A-EPA-HPP-F – First parent-process combination on asset
A-EPA-OH-CENUM-A – Abnormal for this asset to run credential enumeration tool
A-EPA-OH-CENUM-F – Asset running credential enumeration tool for the first time
A-EPA-OH-HENUM-A – Abnormal for this asset to run host enumeration tool
A-EPA-OH-HENUM-F – Asset running host enumeration tool for the first time
A-EPA-OH-SNIFF-A – Abnormal asset running network sniffing tool
A-EPA-OH-SNIFF-F – First time this asset has had an execution of a network sniffing tool
A-EPA-OP-A – Abnormal execution of process for the asset in this organization
A-EPA-OP-F – First execution of process for the asset in this organization
A-EPA-OPP-A – Abnormal parent-process combination in this organization
A-EPA-OPP-F – First parent-process combination in this organization
A-EPA-OZ-SNIFF-A – Abnormal zone on which network sniffing tool was run
A-EPA-OZ-SNIFF-F – First zone on which network sniffing tool was run
A-EPA-RAT-GI – GoToMyPC remote desktop access agent installed on this asset
A-EPA-RAT-GSI – GoToMyPC remote desktop access service installed on this asset
A-EPA-RAT-GSS – GoToMyPC remote desktop access service started on this asset
A-EPA-RAT-LI – LogMeIn remote desktop access agent installed on this asset
A-EPA-RAT-LSI – LogMeIn remote desktop access service installed on this asset
A-EPA-RAT-LSS – LogMeIn remote desktop access service started on this asset
A-EPA-RAT-SI – Splashtop remote desktop access agent installed on this asset
A-EPA-RAT-SSI – Splashtop remote desktop access service installed on this asset
A-EPA-RAT-SSS – Splashtop remote desktop access service started on this asset
A-EPA-RAT-TI – TeamViewer remote desktop access agent installed on this asset
A-EPA-RAT-TSI – TeamViewer remote desktop access service installed on this asset
A-EPA-RAT-TSS – TeamViewer remote desktop access service started on this asset
A-EPA-REG-Query-A – Abnormal execution of process with req query arguments for windows policies on this asset
A-EPA-REG-Query-F – First execution of process with req query arguments for windows policies on this asset
A-EPA-Rundll-FTP-A – Abnormal rundll activity for FTP firewall port blocking/unblocking
A-EPA-Rundll-FTP-F – First rundll activity for FTP firewall port blocking/unblocking on the asset.
A-EPA-SNIFF – Network sniffing tool has been found running on this asset
A-EPA-Shadow-Mining-name – Process ending with 'miner.exe' has been run on this asset
A-EPA-TEMP-DIRECTORY-A – Abnormal execution of this process from a temporary directory
A-EPA-TEMP-DIRECTORY-F – First execution of this process from a temporary directory on this asset
A-EPA-UP-CENUM – Abnormal number of unique credential enumeration tools run on this asset
A-EPA-UP-HENUM – Abnormal number of unique host enumeration tools run on this asset
A-EPA-USF-F – First process per service name for asset
A-EPA-ZP-A – Abnormal execution of process for the asset in this zone
A-EPA-ZP-F – First execution of process for the asset in this zone
A-ETW-Trace-Disable – Event tracing has been disabled, possible logging evasion on this asset
A-Emotet – A process associated with the Emotet malware has been executed on this asset
A-Empire-Monkey – EmpireMonkey APT activity was found on this asset.
A-EquationEditor-Droppers – Possible 'Eqnetd32.exe' exploit usage on this asset
A-EventLog-Tamper – EventLog has been tampered with on this asset
A-Exec-Outlook-Temp – A suspicious program was executed in the Outlook temp folder on this asset.
A-Executable-Suspicious-Folder – A process has been run from a binary located in a suspicious folder on this asset
A-Exfil-Tunnel-Tools-Exec – Tools known for data exfiltration and tunneling were executed on this asset.
A-FA-LSASS – Possible Mimikatz attack on this asset by a user process
A-FL-MULTI-DEST-M – Failed logins to multiple destinations from host (M)
A-FL-MULTI-DEST-S – Failed logins to multiple destinations from host (S)
A-FL-MULTI-DEST – Failed logins to multiple destinations from host
A-FL-MULTI-USERS-L – Multiple users failed to login (L)
A-FL-MULTI-USERS-M – Multiple users failed to login (M)
A-FL-MULTI-USERS-SRC – The same host failed to login to multiple users
A-FL-MULTI-USERS-S – Multiple users failed to login (S)
A-FL-MULTI-USERS – Multiple users failed to login
A-FLDh-Count-A – Abnormal number of failed logons to asset
A-FLDz-Count-A – Abnormal number of failed logons for zone
A-FLSh-Count-A – Abnormal number of failed logons from asset
A-FW-UMWorkerProcess-FileName-F – First time file creation for Exchange Unified Messaging service UMWorkerProcess.exe
A-File-Folder-Perm-Mod – The permissions of a file or folder were modified on this asset.
A-FileType-Association-Change – File Association changed for this file extension on this asset
A-Firewall-Disabled-Netsh – Windows firewall was turned off using netsh commands on this asset.
A-Formbook – Possible Formbook usage on this asset
A-Fsutil-Sus-Invocation – Suspicious parameters of fsutil were detected on this asset.
A-GM-DhU-system-F – First group management by system account on asset
A-GRAB-REG-HIVES – Grabbing Sensitive Hives via Reg Utility on this asset
A-HBytes-Failed-Outbound-IOT – Abnormal size of failed outbound network data from IOT/OT device
A-HBytes-Failed-Outbound – Abnormal size of failed outbound data from host
A-HBytes-Outbound-IOT – Abnormal size of outbound network data from IOT/OT device
A-HBytes-Outbound – Abnormal size of outbound data from host
A-HH-EXE-CHM – HH.exe usage, possible code execution on this asset
A-Hanword-Subprocess – Suspicious processes spawned by the Hangul word processor on this asset
A-IDS-HdPort-A – Abnormal network alert on port for asset
A-IDS-HdPort-F – First network alert on port for asset
A-IDS-LZAN-A – Abnormal network alert (by name) for zone
A-IDS-LZAN-F – First network alert (by name) for zone
A-IDS-OAN-A – Abnormal network alert (by name) for organization
A-IDS-OAN-F – First network alert (by name) for organization
A-IDS-OLA-A – Abnormal network alert for asset for organization
A-IDS-OLA-F – First network alert on asset with no previous alerts for organization
A-IDS-OLZ-A – Abnormal network alert for zone in the organization
A-IDS-OLZ-F – First network alert for zone in the organization
A-IDS-OdPort-A – Abnormal network alert on port for organization
A-IDS-OdPort-F – First network alert on port for organization
A-IDS-SERVER – First or Abnormal network alert in server zone
A-IDS-ZLA-A – Abnormal network alert for asset for zone
A-IDS-ZLA-F – First network alert on asset with no previous alerts for zone
A-IDS-dZdPort-A – Abnormal network alert on port for zone
A-IDS-dZdPort-F – First network alert on port for zone
A-INTERACTIVE-JOB – Interactive job from the 'at' program seen on this asset
A-Impacket-Lateral-Detection – Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found on this asset.
A-Indirect-Cmd-Exec – An indirect command was executed via Program Compatibility Assistant pcalua.exe or forfiles.exe on this asset.
A-JPanda-Activity – Judgement Panda Exfil Activity detected on this asset
A-JPanda-RUS-G-Activity – Judgement Panda Exfil Activity- Russian group activity detected on this asset
A-Java-Remote-Dubugging – Java executed with remote debugging enabled on this asset
A-KL-ToEt-Roast – Suspicious or weak encryption type used for obtaining the kerberos TGTs using non kerberos service for this asset
A-Koadic-Tool-Usage – 'Koadic' attacker tool usage on this asset
A-LSASS-Mem-Dump – LSASS Memory Dumping detected on this asset
A-MMC-Spawn-Win-Shell – MMC (Microsoft Management Console) started a Windows command line executable on this asset.
A-MSHTA-SVCHOST – Mshta.exe spawned by svchost.exe, possible lateral movement on this asset
A-MSTSC-RDP-Hijack – MSTSC Shadowing, possible RDP session hijack/shadowing of session on this asset
A-Microsoft-Workflow-Compiler – Microsoft Workflow Compiler was invoked on this asset.
A-Mod-Boot-Config – Boot configuration data was deleted or modified using the bcdedit command on this asset.
A-Mshta-CMD-Spawn – Mshta.exe has executed a command line executable on this asset
A-Mshta-Javascript – Mshta.exe has executed a javascript related command on this asset
A-Mshta-Script – Mshta.exe .NET code execution on this asset.
A-MsiExec-Web-Install – A suspicious msiexec process was started with web addresses as a parameter on this asset.
A-Mustang-Panda-Dropper – Possible Mustang Panda droppers execution on this asset.
A-NET-Coin-IP – Connection to IP associated with cryptocurrency mining
A-NET-EXE-Recon – Enumeration and reconnaissance activities were performed on this asset
A-NET-HCountry-Inbound-A – Abnormal connection from this country for asset
A-NET-HCountry-Inbound-F – First inbound connection from this country for asset
A-NET-HCountry-Outbound-A – Abnormal outbound communication country for asset
A-NET-HCountry-Outbound-F – First outbound connection to this country from asset
A-NET-HCountry-Outbound-WEB-A – Abnormal web browsing communication country for asset
A-NET-HCountry-Outbound-WEB-F – First web connection to this country from asset
A-NET-HdPort-Inbound-A – Abnormal inbound network connection to this port for asset
A-NET-HdPort-Inbound-F – First inbound connection on port for asset
A-NET-HsH-Outbound-A – Abnormal outbound connection for asset
A-NET-HsH-Outbound-F – First outbound connection for asset
A-NET-HsZ-Outbound-A – Abnormal outbound connection from zone
A-NET-HsZ-Outbound-F – First outbound connection from zone for asset
A-NET-OCountry-Inbound-A – Abnormal connection from this country for the organization
A-NET-OCountry-Inbound-F – First inbound connection from this country for organization
A-NET-OCountry-Outbound-A – Abnormal outbound connection country for the organization
A-NET-OCountry-Outbound-F – First outbound connection to this country from organization
A-NET-OCountry-Outbound-WEB-A – Abnormal web browsing connection country for the organization
A-NET-OCountry-Outbound-WEB-F – First web browsing connection to this country from organization
A-NET-OdH-Inbound-A – Abnormal inbound connection to host for the organization.
A-NET-OdH-Inbound-F – First inbound connection to host for the organization.
A-NET-OdPort-Inbound-A – Abnormal inbound traffic on previously unused port for the organization.
A-NET-OdPort-Inbound-F – First inbound traffic on previously unused port for the organization.
A-NET-OsH-Outbound-A – Abnormal outbound connection for asset in the organization
A-NET-OsZ-Outbound-A – Abnormal outbound connection from zone for organization
A-NET-OsZ-Outbound-F – First outbound connection from zone for organization
A-NET-TI-H-Inbound – Inbound connection from a known malicious host
A-NET-TI-H-Outbound – Outbound connection to a known malicious host
A-NET-TI-IP-Inbound – Inbound connection from a known malicious IP
A-NET-TOR-Inbound – Inbound connection from a known TOR IP
A-NET-TOR-Outbound – Outbound connection to a known TOR IP
A-NET-ZCountry-Inbound-A – Abnormal connection from this country for the zone
A-NET-ZCountry-Inbound-F – First inbound connection from this country for zone
A-NET-ZCountry-Outbound-A – Abnormal outbound connection country for the zone
A-NET-ZCountry-Outbound-F – First outbound connection to this country from zone
A-NET-ZdH-Inbound-A – Abnormal inbound connection to host for the zone.
A-NET-ZdH-Inbound-F – First inbound connection to host for the zone.
A-NET-ZdPort-Inbound-A – Abnormal inbound connection on port for zone
A-NET-ZdPort-Inbound-F – First inbound connection on port for zone
A-NET-ZsH-Outbound-A – Abnormal outbound connection for asset for zone
A-NET-ZsH-Outbound-F – First outbound connection for asset for zone
A-NET-ZsZ-Outbound-A – Abnormal outbound connection from zone for asset
A-NET-ZsZ-Outbound-F – First outbound connection from zone
A-NETF-HCountry-Outbound-A – Outbound connection to abnormal country for asset has failed
A-NETF-HCountry-Outbound-F – First failed outbound connection to this country from asset
A-NETF-HCountry-Outbound-WEB-A – Web browsing connection to abnormal country for asset has failed
A-NETF-HCountry-Outbound-WEB-F – First failed web browsing connection to this country from asset
A-NETF-HsH-Outbound-A – Abnormal outbound connection from host failed
A-NETF-HsH-Outbound-F – First failed outbound connection for host
A-NETF-OCountry-Outbound-A – Outbound connection to abnormal country for the organization has failed
A-NETF-OCountry-Outbound-F – First failed outbound connection to this country from organization
A-NETF-OCountry-Outbound-WEB-A – Web browsing connection to abnormal country for the organization has failed
A-NETF-OCountry-Outbound-WEB-F – First failed web browsing connection to this country from organization
A-NETF-OsH-Outbound-A – Abnormal outbound connection from host failed in the organization
A-NETF-OsH-Outbound-F – First failed outbound connection for host in the organization
A-NETF-OsZ-Outbound-A – Abnormal outbound connection from zone failed
A-NETF-OsZ-Outbound-F – First failed outbound connection from zone
A-NETF-TI-H-Outbound – Outbound failed connection to a known malicious host
A-NETF-TOR-Outbound – Outbound failed connection to a known TOR IP
A-NETF-ZCountry-Outbound-A – Outbound connection to abnormal country for the zone has failed
A-NETF-ZCountry-Outbound-F – First failed outbound connection to this country from zone
A-NETF-ZsH-Outbound-A – Abnormal outbound connection from host failed in the zone
A-NETF-ZsH-Outbound-F – First failed outbound connection for host in the zone
A-NETFLOW-BitTorrent – Asset accessed BitTorrent application
A-NETFLOW-OsH-PortScan-A – Abnormal vertical port scan for organization
A-NETFLOW-OsH-PortScan-F – First vertical port scan for organization
A-NETFLOW-OsH-PortScan-Slow-A – Abnormal vertical slow port scan for asset
A-NETFLOW-OsH-PortScan-Slow-F – First vertical slow port scan for asset
A-NETFLOW-OsH-PortSweep-Slow – Asset accessed more than 100 assets in 10000 seconds
A-NETFLOW-OsH-SweepScan-A – Abnormal for asset to access 20 assets in 10 seconds
A-NETFLOW-OsH-SweepScan-F – First time for asset to access 20 assets in 10 seconds
A-NETFLOW-RDP-F – Asset receiving RDP connection for the first time
A-NETFLOW-SP-F – Service running on port used by asset
A-NETFLOW-dHdP-LowPort-A – Abnormal access to this port in this asset
A-NETFLOW-dHdP-LowPort-F – First time access to this port in this asset
A-NETFLOW-dZBytes-Inbound – Abnormal amount of data for zone has been received
A-NETFLOW-dZdP-LowPort-A – Abnormal access to this port in this zone
A-NETFLOW-dZdP-LowPort-F – First time access to this port in this zone
A-NETFLOW-dZdP-Service-A – Abnormal access to this service in this zone
A-NETFLOW-dZdP-Service-F – First time access to this service in this zone
A-NETFLOW-sH22Bytes-Outbound – Abnormal amount of data using SSH protocol has been sent outbound
A-NETFLOW-sH23Bytes-Outbound – Abnormal amount of data using telnet protocol has been sent outbound
A-NETFLOW-sH25Bytes-Outbound – Abnormal amount of data using SMTP protocol has been sent outbound
A-NETFLOW-sH443Bytes-Outbound – Abnormal amount of data using HTTPS protocol has been sent outbound
A-NETFLOW-sH53Bytes-Outbound – Abnormal amount of data using DNS protocol has been sent outbound
A-NETFLOW-sH80Bytes-Outbound – Abnormal amount of data using HTTP protocol has been sent outbound
A-NETFLOW-sHFTPBytes-Outbound – Abnormal amount of data using FTP protocol has been sent outbound
A-NETFLOW-sHdP-A – Abnormal access to port by this asset
A-NETFLOW-sHdP-F – First time access of this port by this asset
A-NETFLOW-sHdP-Server-F – First/Abnormal access of this port by this server
A-NSniff-Cred – Potential network sniffing was observed on this asset.
A-NTDS-Access-A – The NTDS database was accessed from a non default location on this asset.
A-NTDS-Access-F – The NTDS database was accessed from a new location on this asset.
A-NTDS-Access – The NTDS database was accessed from a non default location without 'ntds.dit' in the file path on this asset.
A-NTDS-Shadow-Copy1 – The NTDS database changed location to a shadowcopy using 'ntds.dit' and 'harddiskvolumeshadowcopy' in the file path on this asset.
A-NTDS-Shadow-Copy2 – The NTDS database changed location to a shadowcopy using 'harddiskvolumeshadowcopy' in the file path on this asset.
A-NTLM-WsSrv – Hostname contains workstation or server
A-NTLM-mismatch – Mismatch between logged and resolved hostnames
A-Netsh-Connections-Win-Firewall – Netsh commands were used to allow incoming connections by Port or Application on Windows Firewall on this asset.
A-Netsh-Port-Fwd – Netsh commands were used to configure port forwarding on this asset.
A-Netsh-RDP-Port-Fwd – Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
A-New-ScheduledTask – New scheduled task created using shctasks.exe on this asset
A-New-Service – New windows service created using sc.exe on this asset
A-Non-Interactive-Powershell – Non-Interactive Powershell activity was found on this asset.
A-NotPetya-Activity – NotPetya Ransomware Activity detected on this asset
A-Odbcconf-DLL-Load – DLL loaded on this asset via odbcconf.exe execution.
A-Office-Payload-Download – Possible malicious payload download via Microsoft Office binaries on this asset
A-OpenWith-Exec-Cmd – OpenWith.exe executed via command line on this asset.
A-Operation-Wocao-Activity – Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
A-Ordinal-Rundll32-Call – Suspicious calls of DLLs in rundll32.dll exports by ordinal on this asset.
A-Outlook-Unsafe-Execution – A suspicious sub process was spawned by Microsoft Outlook on this asset
A-PC-InstallUtil-dll-A – Abnormal dll file usage by InstallUtil.exe on this asset.
A-PC-InstallUtil-dll-F – First time dll file usage by InstallUtil.exe on this asset.
A-PC-InstallUtil-exe-A – Abnormal for exe file usage by InstallUtil.exe on this asset.
A-PC-InstallUtil-exe-F – First time exe file usage by InstallUtil.exe on this asset.
A-PC-MSBuild-Csproj-F – First time csproj file usage by MSBuild.exe on this asset.
A-PC-MSBuild-xml-F – First time xml file usage by MSBuild.exe on this asset.
A-PC-Mshta-Hta-A – Abnormal hta file usage by Mshta.exe on this asset.
A-PC-Mshta-Hta-F – First time hta file usage by Mshta.exe on this asset.
A-PC-ParentName-ProcessName-DCOM-A – Abnormal child process creation for DCOM associated process on the asset.
A-PC-ParentName-ProcessName-DCOM-F – First time child process creation for DCOM associated process on this asset.
A-PC-ParentName-UMWorkerProcess-F – First time child process creation for Exchange Unified Messaging service UMWorkerProcess.exe
A-PC-ParentName-W3WP-F – First time child process creation for Exchange web front-end process w3wp.exe
A-PC-Procdump-LsassDump – Procdump was executed with lsass dump command line parameters on this asset.
A-PC-Regsvr32-sct-A – Abnormal sct file usage by Regsvr32.exe on the asset.
A-PC-Regsvr32-sct-F – First time sct file usage by Regsvr32.exe on this asset.
A-PC-Rundll-LsassDump – Rundll32 was run with minidump via commandline on this asset.
A-POSS-SPN-ENUMERATION – Possible SPN Enumeration on this asset
A-PSExec-Rename – PS Exec used on this asset
A-PSR-Screenshot – Psr.exe was used to take a screenshot on this asset
A-PTH-ALERT-dH – Possible pass the hash attack by this user account
A-PTH-ALERT-sH-Failed – Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host.
A-PTH-ALERT-sH-Possible – Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid on this source host.
A-PTH-ALERT-sH – Possible pass the hash attack from this source host
A-Ping-Hex-IP – A ping command used a hex decoded IP address on this asset.
A-PlugX-DLL-Sideloading – DLL loaded from suspicous location on this asset, typically seen by the PlugX malware family
A-Possible-PrivEsc-SvcPerms – Possible privilege escalation using weak service permissions on this asset
A-PowerShell-BITS-Job – BITS job via PowerShell was created on this asset.
A-Powershell-ADS – Powershell invoked using 'Alternate Data Stream' on this asset
A-Powershell-AMSI-Bypass-NET – Request to amsiInitFailed that can be used to disable AMSI Scanning was found on this asset.
A-Powershell-AudioCapture – Powershell has recorded external audio on this asset
A-Powershell-CMDLETS – Malicious PowerShell script was used via get cmdlets function of PowerShell on the asset
A-Powershell-Exec-DLL – PowerShell Strings applied to rundllas.exe seen in PowerShdll.dll on this asset.
A-Powershell-Script-AppData – Powershell was invoked in a suspicious command line execution with reference to an AppData folder on this asset.
A-PrivEsc-SchedTask-LegacyDACL – Possible privilege escalation using a legacy task file on this asset
A-Proc-Dump-Comsvcs – Process Dump via Rundll32 and Comsvcs.dll detected on this asset
A-Procdump-Comsvcs-DLL – Process Dump via Comsvcs DLL on this asset
A-Qbot – Artifacts related to Qbot banking malware have been observed on this asset
A-RASdial-Activity – Process was executed on this asset with rasdial as a command line argument.
A-RLA-dHsZ-A – Abnormal remote access from zone to asset
A-RLA-dHsZ-F – First remote access from zone to asset
A-RLA-sHdZ-A – Abnormal remote access to zone from asset
A-RLA-sHdZ-F – First remote access to zone from asset
A-Regsvr32-Suspicious-Cmd – Suspicious command line arguments related to regsvr32.exe have been observed on this asset.
A-Remote-Powershell-Session – Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process on this asset.
A-Rubeus-CMD-Tool – Command line parameters used by Rubeus hack tool detected on this asset
A-RunDll32-ControlPanel – RunDll32.exe run from the control panel on this asset
A-SA-AN-ALERT-A – Abnormal security alert name on the asset
A-SA-AN-ALERT-F – First security alert name on the asset
A-SA-AN-ALERT-IOT-A – Abnormal security alert name on IOT/OT Devices
A-SA-AN-ALERT-IOT-F – First security alert name on the IOT/OT device
A-SA-AsU-A – Abnormal access of admin share on the asset
A-SA-AsU-F – First access of admin share on asset
A-SA-HN-ALERT-A – Abnormal security alert (by name) in the asset
A-SA-HN-ALERT-F – First security alert (by name) in the asset
A-SA-OA-ALERT-A – Abnormal asset triggering security alert for organization
A-SA-OA-ALERT-F – First security alert for this asset for organization
A-SA-OA-ALERT-IOT-A – Abnormal IOT/OT device triggering security alert for organization
A-SA-OH-A – Abnormal admin share on asset in organization
A-SA-OH-F – First admin share on asset for organization
A-SA-ON-ALERT-A – Abnormal security alert (by name) in the organization
A-SA-ON-ALERT-F – First security alert (by name) in the organization
A-SA-OU-A – Abnormal admin share access to asset for the user in the organization
A-SA-OU-F – First admin share access to asset for this user in the organization
A-SA-SCF-Share – A SCF file was created on a network share on this asset.
A-SA-ZH-A – Abnormal admin share on asset for zone
A-SA-ZH-F – First admin share on asset in the zone
A-SA-ZN-ALERT-A – Abnormal security alert (by name) in the zone
A-SA-ZN-ALERT-F – First security alert (by name) in the zone
A-SEQ-UH-16-L – Exceeded number of failed logons for the asset (L)
A-SEQ-UH-16-M – Exceeded number of failed logons for the asset (M)
A-SEQ-UH-16-S – Exceeded number of failed logons for the asset (S)
A-SETUPCOMPLETE-PRIV-ESC – Privilege escalation attempt using the SetupComplete.cmd object on this asset
A-SIGRed – Possible SIGRed (CVE-2020-1350) exploitation on this asset
A-SW-FW – Unusual image loaded by Solar Wind Executable on this asset.
A-SW-UDLL – DLL loaded in unusual location on the system on this asset.
A-SecX-Tool-Exec – SecurityXploded Tool execution detected on this asset
A-ServiceName-ServiceCmdline-A – Abnormal binary command line for this service
A-ServiceName-ServiceCmdline-F – First time binary command line for this service on this asset.
A-ServicePath-Modification – Suspicious service path identified on this asset
A-ShadowCP-OSUtilities – Shadow Copies Creation Using Operating Systems Utilities on this asset
A-ShadowCP-SymLink – Shadow Copies Access via Symlink on this asset
A-Shim-Installation – Possible installation of a 'shim' using sdbinst.exe on this asset
A-SoundRecorder-AudioCapture – SoundRecorder has recorded external audio on this asset
A-Squibly-Two – A WMI SquiblyTwo Attack with possibly renamed WMI by looking for imphash was detected on this asset.
A-Sus-Double-Extension – An .exe extension was used after a different non-executable file extension on this asset.
A-Sus-Encoded-PS-CmdLine – Suspicious Powershell process was started with base64 encoded commands on this asset.
A-Sus-GUP-Usage – Execution of the Notepad++ updater in a suspicious directory on this asset.
A-Sus-MsiExec-Directory – Suspicious msiexec process started in an uncommon directory on this asset.
A-Sus-Powershell-Invocation-Parent-Proc – Suspicious Powershell invocation from interpreters or unusual programs on this asset.
A-Sus-Powershell-Param – Powershell was invoked with a suspicious parameter substring on this asset.
A-Sus-Procdump – Suspicious Use of Procdump on this asset.
A-Sus-Svchost-Process – A suspicious svchost process was started on this asset.
A-Suspicious-Bluekeep1 – The account AAAAAAA failed to logon on this asset.
A-Suspicious-Bluekeep2 – The channel ms_t120 has been closed on this asset.
A-Suspicious-ControlPanel – Control Panel commandlets loaded outside the default directory on this asset
A-Suspicious-DAT – A suspicious .dat file used, possible APT activity on this asset
A-Suspicious-GetSystem-Usage – Possible Meterpeter/Cobalt Strike usage of GetSystem on this asset
A-Suspicious-IIS-Modules – Native-Code modules for IIS installed via command line on this asset
A-Suspicious-LNK – A suspicious .lnk file used, possible ATP activity on this asset
A-Suspicious-Persistence – Suspicious 'schtask' creation, possible attack tool usage on this asset
A-Suspicious-RDP-TSCON – Suspicious usage of RDP using tscon.exe on this asset
A-Suspicious-Shell-Child-Process – Windows shell has spawned a suspicious process on this asset
A-Suspicious-Zerologon – Failed authentication attempt on this asset.
A-Svchost-Suspicious-Launch – Svchost.exe has launched without any command line arguments on this asset
A-Sys-File-Exec-Anomaly – A Windows program executable was started in a suspicious folder on this asset.
A-Sysmon-Driver-Unload – Possible Sysmon driver unloaded on this asset.
A-Sysprep-Appdata – Suspicious sysprep process was started on this asset with AppData folder as target.
A-TSCON-LocalSystem – Tscon.exe was executed as Local System on this asset
A-Tap-Installer – TAP software was installed on this asset.
A-Taskmgr-Local-System – A taskmgr.exe process was executed in the context of LOCAL_SYSTEM
A-Taskmgr-as-Parent – A process was created from Windows task manager on this asset.
A-TasksFolder-Evasion – The 'tasks' directory was observed in a file creation command on this asset
A-Terminal-Svc-Proc-Spawn – Process spawned by the terminal service server on this asset.
A-Trickbot-Recon – Trickbot malware domain recon activity on this asset
A-TrojanLoader – Possible Trojan Loader activity on this asset
A-TropicTrooper-APT – Possible TropicTrooper APT artifacts observed on this asset
A-TurlaGroup-LateralMovement – Artifacts from the ATP 'Turla Group' have been observed on this asset
A-UAC-Bypass-COM-OBJECT – Windows UAC bypass using COM object access on this asset
A-UAC-Bypass-Fodhelper – UAC Bypass using fodhelper.exe on this asset
A-UAC-Bypass-Wsreset – UAC Bypass using wsreset.exe on this asset
A-UAC-IE-INVOKE – Windows UAC consent dialogue was used to invoke an Internet Explorer process running as Local SYSTEM
A-Unauthorized-MBR-Mods – Bcdedit.exe has signs of malicious unauthorized usage on this asset.
A-UserProcess-Spawned-FromOffice – An executable running under the 'Users' path has been spawned from an Office application on this asset
A-Userinit-Child-Process – Userinit had a suspicious child process on this asset.
A-WA-F – Audit log has been cleared on this asset
A-WEB-ALERT – Asset attempted access to a domain with malicious reputation
A-WEB-Count-A – Abnormal number of failed web requests from this asset
A-WEB-DC – Web activity event on a Domain Controller
A-WEB-DGA – Asset has accessed a domain that has been identified as DGA
A-WEB-DLP-A – Possible data exfiltration: Abnormal amount of data had been uploaded to the web from this asset
A-WEB-DynamicDNS – Asset attempted access to a domain generated using Dynamic DNS service
A-WEB-EXFIL-ASSET – Large amount of data exfiltrated from host
A-WEB-GETBytes-In – Abnormal amount of data had been downloaded from the web by this asset
A-WEB-HA-F – First web activity event on asset
A-WEB-IOC – Indicator of Compromise (IOC) found in asset's web activity
A-WEB-IP-Country-A – Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access
A-WEB-IP-Country-F – Asset has directly browsed to an IP address in a country never before accessed
A-WEB-Phishing – Asset has accessed a domain suspected to be a phishing domain.
A-WEB-Reputation-Domain – Asset attempted access to a domain with bad reputation
A-WEB-Reputation-IP – Asset attempted to connect to IP address with bad reputation
A-WEB-Reputation-URL – Asset attempted access to a url with bad reputation
A-WEB-Shadow-Mining – Host has browsed to a known coinmining/shadowmining domain
A-WEB-TorProxy – Asset has accessed a known Tor web proxy
A-WEB-UU-Tor – Asset has accessed a URL containing '/tor/server'
A-WEBF-IP-Country-A – Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed
A-WEBF-IP-Country-F – Asset failed to directly connect to an IP address in a country never before accessed
A-WHOAMI-SYSTEM – Whoami commanded executed by LOCAL SYSTEM
A-WMI-Exec-Suspicious-Cmds – WMI was executed with suspicious commands on this asset.
A-WMI-Script-Event-Consumers – Suspicious usage of WMI script event consumers on this asset.
A-WMI-Spawn-PowerShell – PowerShell was spawned via WMI on this asset.
A-WMI-Suspicious-Process – WMI provider service is used to invoke CMD/PowerShell on this asset.
A-WSC-DhA-A – Abnormal account executing service on this asset
A-WSC-DhA-F – First account to execute service on this asset
A-WSC-DhU-A – Abnormal user installing service on this asset asset
A-WSC-DhU-F – First user installing service on this asset
A-WSC-F – First service installation activity on asset
A-WSC-OS-A – Unusual service name installed on the asset in the organization
A-WSC-RANDOM-SERVICE – Random service name for the asset
A-WSC-SERVICE-PARAMS – Suspicious parameters in service installation process for this asset
A-WSC-SP-A – Unusual process executed by the service on this asset
A-WSC-SP-F – First process executed by the service on this asset
A-WSC-SP-Temp – Service created from temporary or cached internet files for this asset
A-WSC-UZ-F – First service installation in zone on this asset
A-WScript-CScript-Dropper – Wscript or Cscript used for script execution from User directories on this asset
A-WannaCry – Artifacts seen by WannaCry malware have been observed on this asset
A-WebShell-CLI – Possible command line web shell detected on this asset
A-WebShell-WebServer – Possible web server web shell detected on this asset
A-Win-Proc-Sus-Parent – A suspicious parent process of well-known Windows processes was detected on this asset.
A-WinWord-Uncommon-Subprocess – Winword has spawned an uncommon subprocess, csc.exe, on this asset
A-Winnti-Malware – Artifacts of 'Winnti' malware have been observed on this asset
A-Winword-Uncommon-Process – 'MicroScMgmt' executable run by 'WinWord.exe' on this asset
A-Word-FLTLDR-Exploit-Vector – Possible loading of exploit using Microsoft Office and the fltldr.exe application on this asset
A-XSL-Script-Processing – XSL script was used on this asset to execute arbitrary files.
A-ZBytes-Outbound-IOT – Abnormal amount of data exfiltrated by IOT/OT device from network zone
A-ZBytes-Outbound – Abnormal amount of data exfiltrated from network zone
A-Zoho-DCTask – Dctask64.exe executed, possible process injection on this asset
A-ZxShell – Known backdoor software, ZxShell, possibly loaded on this asset
AC-LocUA-A – Abnormal account creation activity by local user
AC-LocUA-F-new – First account creation activity by a new local user
AC-LocUA-F – First account creation activity by local user
AC-OH-A – Abnormal account creation activity from asset in the organization
AC-OH-CLI-F – First host on which account was created using CLI command
AC-OH-F – First account creation activity from asset in the organization
AC-OZ-A – Abnormal account creation activity from network zone
AC-OZ-CLI-F – First zone on which account was created using CLI command
AC-OZ-F – First account creation activity from network zone
AC-UH-A – Abnormal account creation activity from asset for user
AC-UH-F – First account creation activity from asset for user
AC-UT-TOW-A – Abnormal day for user to perform account creation activity
AD-Diagnostic-Tool – Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
AE-GA-F-VPN-new – First VPN connection for group of new user
AE-GA-F-VPN – First VPN connection for Group
AE-NTLM-WsSrv – New generic hostname found using ntlm authentication
AE-UA-F-VPN – First VPN connection for user
AE-UA-FA – First audit activity type for user
AE-UA-F – First activity type for user
AL-F-A-CS – Abnormal logon to a critical system for user
AL-F-A-DC-G – Abnormal logon to a Domain Controller for Peer Group
AL-F-A-DC – Abnormal logon to a Domain Controller for user
AL-F-F-CS – First logon to a critical system for user
AL-F-F-DC-G – First logon to a Domain Controller for peer group
AL-F-F-DC – First logon to a Domain Controller for user
AL-F-MultiWs – Multiple workstations in a single session
AL-GHcount – Abnormal number of logged on assets compared to group
AL-GZ-A-new – Abnormal logon to network zone for group of new user
AL-GZ-A – Abnormal logon to network zone for group
AL-GZ-F-new – First logon to network zone for new user of group
AL-GZ-F – First logon to network zone for group
AL-HLocU-A – Abnormal local user logon to this asset
AL-HLocU-F – First local user logon to this asset
AL-HT-EXEC-new – New user logon to executive asset
AL-HT-EXEC – Non-Executive user logon to executive asset
AL-HT-PRIV – Non-Privileged logon to privileged asset
AL-OHcount – Abnormal number of logged on assets compared to the organization
AL-OU-F-CS – First logon to a critical system that user has not previously accessed
AL-UH-A-DC – Abnormal logon to a Domain Controller that user has not accessed often previously
AL-UH-CS-NC – Logon to a critical system for a user with no information
AL-UH-DC-NC – Logon to a Domain Controller for user with no information
AL-UH-F-DC – First logon to this Domain Controller for user
AL-UHcount-L – Abnormal number of logon assets (L)
AL-UHcount-M – Abnormal number of logon assets (M)
AL-UHcount-S – Abnormal number of logon assets (S)
AL-UT-A – Logon to Abnormal asset type
AL-UT-F – Logon to New Asset Type
AL-UZ-A – Abnormal logon to network zone
AL-UZ-F – First logon to network zone
ALERT-DL – DL Correlation rule alert on asset accessed by this user
ALERT-EXEC – Security violation by Executive
ALERT-VPN – Security Alert on asset accessed by this user during VPN session
AM-GA-AC-A – Abnormal account creation activity for peer group
AM-GA-AC-F – First account creation activity for peer group
AM-GA-MA-F – First account group management activity for peer group
AM-GA-new – First account management activity for group of a new user
AM-GOU-A – Abnormal account OU addition to this group
AM-GOU-F – First account OU addition to this group
AM-OG-A – Abnormal account addition to this group for the organization
AM-OG-F – First member addition to this group for the organization
AM-OG-SS-A – Abnormal addition and removal of member from a group in a single session in the peer group
AM-OG-SS-F – First addition and removal of member from a group by user in a single session for peer group
AM-OU-SS-A – Abnormal addition and removal of member from a group in a single session in the organization
AM-OU-SS-F – First addition and removal of member from a group by user in a single session for organization
AM-UA-AC-A – Abnormal account creation activity for user
AM-UA-AC-F – First account creation activity for user
AM-UA-AD-F – First account deletion activity for user
AM-UA-APLocU-F – First account password change for local user
AM-UA-MA-F-new – Account management activity for new user
AM-UA-MA-F – First account group management activity for user
AM-UD-A – Abnormal account creation on domain for user
AM-UD-F – First account creation on domain for user
APP-AA-A – Abnormal activity in application for the organization
APP-AA-F – First application activity in the organization
APP-AT-PRIV – Non-privileged user performing privileged application activity
APP-Account-deactivated – Activity from a de-activated user account
APP-AppED-F – New Email-domain found in application
APP-AppG-F – First login to an application for group
APP-AppSz-F – First application access from network zone
APP-AppU-F – First login to an application for a user with no history
APP-F-FL – Failed login to application
APP-F-SA-NC – New service account access to application
APP-F-SA – Service account access to application
APP-GApp-A – Abnormal login to an application for group
APP-GMime-A – Abnormal mime type for peer group
APP-GMime-F – First mime type for peer group
APP-GappA-A – Abnormal application activity for peer group
APP-GappA-F – First application activity for peer group
APP-IdU-F – Reuse of client Id
APP-OMime-A – Abnormal mime type for organization
APP-OMime-F – First mime type for organization
APP-UAg-2 – Second new user agent string for user
APP-UAg-3 – More than two new user agents used by the user in the same session
APP-UAg-F – First user agent string for user
APP-UAgC-F – First activity from country and first os/browser/user agent for user in same session
APP-UApp-A – Abnormal login or activity within an application for user
APP-UApp-F – First login or activity within an application for user
APP-UFL-COUNT – Abnormal number of failed application logins for user
APP-UId-F – First use of client Id for user
APP-UMime-A – Abnormal mime type for user
APP-UMime-F – First mime type for user
APP-UOb-A – Abnormal access to application object for user
APP-UOb-F – First access to application object for user
APP-UOs-F – First os/browser combination for user
APP-UTi – Abnormal user activity time
APP-UappA-A – Abnormal application activity for user
APP-UappA-F – First application activity for user
APP-UsH-A – Abnormal source asset for user in application
APP-UsH-F – First source asset for user in application
APT-Hurricane-Panda – Artifacts used by the APT group 'Hurricane Panda' have been observed
AS-PV-GSize-A – Abnormal number of password retrievals in the peer group
AS-PV-OG-F – First password retrieval activity for user in peer group
AS-PV-OSize-A – Abnormal number of password retrievals in the organization
AS-PV-OU-F – First password retrieval activity for user in organization
AS-PV-PCWoL – Password retrieval with no login to the asset in the session
AS-PV-UHWoPC – Access to Password Vault managed asset with no password checkout for user
AS-PV-US-A – Abnormal password retrieval using this safe value for user
AS-PV-US-F – First password retrieval using this safe value for user
AS-PV-USCOUNT-A – Abnormal number of password safes used by user
AS-PV-USize-A – Abnormal number of password retrievals in the user
AS-PV-UT-A – Abnormal user Password retrieval activity time
AS-PV-UsH-F – First password retrieval from asset for user
AS-UA-A – Abnormal switch to target account for user
AS-UA-F-PRIV – Account switch to a privileged or executive account
AS-UA-FS – First account switch for user
AS-UA-F – First switch to target account for user
ATP-AS-REP-2 – Suspicious UAC directory service change indicating AS-REP Roasting
ATP-AS-REP-3 – First Kerberos logon for abnormal pre-authentication type for the user
ATP-AS-REP – Suspicious UAC status change indicating AS-REP Roasting
ATP-FTP-Exfil – Exfiltration Over Alternative Protocol
ATP-GsecDump – First GsecDump service was run by this user.
ATP-PSexec – PSExec service was run on the asset by this user.
ATP-PWDump – Malicious exe was run which is a part of credential dumping tool
ATP-REG-Password – Scanning registry hives via Reg Utility
ATP-WMIC-Antivirus – Antivirus detection using windows utility msbuild.
AUTH-F-COUNT – Abnormal number of failed authentications for user
Applocker-Bypass – Execution of executables that can be used to bypass Applocker
Attrib-Hide-Files – Attrib.exe was used to hide files.
Auth-Blacklist-Shost – User authentication or login from a known blacklisted IP
Auth-Ransomware-Shost-Failed – User authentication or login failure from a known ransomware IP
Auth-Ransomware-Shost – User authentication or login from a known ransomware IP
Auth-Tor-Shost-Failed – User authentication or login failure from a known TOR IP
Auth-Tor-Shost – User authentication or login from a known TOR IP
AutoRun-Modification – AutoRun Keys modified using reg.exe
B-CS-Bucket-Activity-A – Abnormal type of object access against this bucket
B-CS-Bucket-Activity-F – First type of object access against this bucket
B-CS-Bucket-Bytes-A – Abnormal amount of egress data from bucket
B-CS-Bucket-UA-A – Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-UA-F – New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-Users-A – Abnormal user accessing this storage container/bucket
B-CS-Bucket-Users-F – First time for user to access this bucket
B-CS-Buckets-F – First cloud storage/bucket in the organization
B-CS-UType-A – Abnormal for this user type to access this bucket
B-CS-UType-F – First time this specific user type has accessed this bucket
BITS-Suspicious-Service – First abnormal BITS jobs created on the endpoint
Baby-Shark-Activity – Activity related to Baby Shark malware has been found.
Base64-CommandLine – Base64 string in command line
Base64-Powershell-CmdLine-Keywords – Base64 encoded strings were found in hidden malicious Powershell command lines
Bginfo-App-Whitelisting – VBscript referenced in a .bgi file was executed.
Bitsadmin-Download – Bitsadmin was used to download a file.
Bypass-UAC-CMSTP – Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line.
CA-UniversalPolicy-A – Abnormal for this user to create/attach a 'universal' resource/action policy
CA-UniversalPolicy-F – First time this user has created/attached a 'universal' resource/action policy
CDB-App-Whitelisting – 64-bit shellcode was launched using cdb.exe.
CMD-Spawn-From-Office – A command line executable was spawned from an Office application
CP-Sensitive-Files – Copying sensitive files with credential data
CS-Admin-Activity-A – Abnormal invocation of this specific admin activity
CS-Admin-Activty-F – First time seeing this Cloud administrative operation
CS-Bucket-C-D-F – Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created – Cloud storage bucket/storage container creation
CS-Bucket-UA-A – Abnormal user agent access for bucket
CS-Bucket-UA-F – New user agent access for bucket
CS-Critical-Activity-A – Abnormal user to perform a critical Cloud Administrative operation
CS-Critical-Activity-F – First time for this user to perform a critical Cloud Administrative operation
CS-Failed-User-Creation – User attempted and failed to create a Cloud user/account
CS-IAM-Enumeration – Enumeration of Cloud account roles/users
CS-Policies-A – Abnormal cloud policy seen
CS-Policies-F – First time seeing this cloud policy
CS-S3-Enumeration – Cloud Storage container/bucket enumeration
CS-Storage-Activity-A – Abnormal activity against the cloud storage service
CS-Storage-Activity-F – First time using this event activity against the cloud storage service
CS-UA-O-A – Abnormal user agent accessing cloud services in the organization
CS-UA-O-F – First user agent to access cloud services in the organization
CS-UA-P-A – Abnormal user agent for the peer group accessing cloud service
CS-UA-P-F – First user agent for peer group to access cloud services
CS-User-Creation-F – First time for this user to create an account in the cloud
CS-Users-A – Abnormal user is seen accessing the cloud storage service
CS-Users-F – First time this user is seen accessing the cloud storage service
CSC-Suspicious-Folder – Csc.exe spawned from suspicious folder
CSC-Suspicious-Parent-Process – Suspicious parent process for csc.exe, possible payload delivery
CSharp-Interactive-Console – Execution of CSharp interactive console by PowerShell.
CertUtil-Suspicious-Usage – The 'certutil' Windows utility was used with known suspicious command line flags
Certutil-Encode – Certutil commands to encode files were used.
ChaferAPT-Activity-ServiceCreated – Chafer APT related activity observed, a suspicious service was created
ChaferAPT-Activity-TaskCreated – Chafer APT related activity observed, a suspicious task was created
ChaferAPT-Activity – Chafer APT related activity observed
Cmdkey-Cred-Recon – Cmdkey Cached Credentials Recon
CreateMiniDump-Hacktool – CreateMiniDump Hacktool
DAILY-ACTIVITY-CHANGE – Change of daily activity of a user
DB-DbG-A – Abnormal access to database for peer group
DB-DbG-F – First access to database for peer group
DB-DbU-A – Abnormal access to database for user
DB-DbU-F – First access to database for user
DB-DbZO-A – Abnormal database operation from source zone for database
DB-DbZO-F – First database operation from source zone for database
DB-DbZR – Abnormal database query response size for source zone, database
DB-FL-COUNT – Abnormal number of failed database logins for user
DB-GDbO-A – Abnormal database operation for peer group, database
DB-GDbO-F – First database operation for peer group, database
DB-GN-ALERT-A – Abnormal database alert name in the peer group
DB-GN-ALERT-F – First database alert name in the peer group
DB-OG-ALERT-A – Abnormal peer group triggering database alert in the organization
DB-OG-ALERT-F – First database alert triggered for peer group in the organization
DB-ON-ALERT-A – Abnormal database alert name in the organization
DB-ON-ALERT-F – First database alert name in the organization
DB-OPCOUNT-NEW – Abnormal number of distinct database operations
DB-OPCOUNT-TOTAL – Abnormal number of total database operations
DB-OU-ALERT-A – Abnormal user triggering database alert in the organization
DB-OU-ALERT-F – First database alert triggered for this user in the organization
DB-TEMP-DIRECTORY-A – Abnormal process has been executed from a temporary directory by this user during database activity
DB-TEMP-DIRECTORY-F – First time process has been executed from a temporary directory by this user during database activity
DB-UDbH-A – Abnormal database activity from host per user, database
DB-UDbH-F – First database activity from host per user, database
DB-UDbI-A – Abnormal database activity from IP per user, database
DB-UDbI-F – First database activity from IP per user, database
DB-UDbO-A – Abnormal database operation for user, database
DB-UDbO-F – First database operation for user, database
DB-UDbR – Abnormal database query response size for user, database
DB-UDbZ-A – Abnormal database activity from source zone per user, database
DB-UDbZ-F – First database activity from source zone per user, database
DB-UN-ALERT-A – Abnormal database alert name for user
DB-UN-ALERT-F – First database alert name for user
DB-URSum-New – Abnormal sum of database query response sizes in the sequence
DC08d-new – Abnormal number of assets compared to group for a new user
DC14g-new – Abnormal number of accessed assets for group of new user
DC17j-new – Abnormal number of accessed zones for group of a new user
DC18-New – New account switch to privileged account
DC18-new – Account switch by new user
DCOMActivation-Known – Remote DCOM activation under DcomLaunch service
DCOMFailure-Known – Remote DCOM activation failure.
DCSync-ExistHost – Possible DCSync attack - existing host has replicated Active Directory.
DCSync-FirstDS – Possible DCSync attack - first DS access event from host.
DEF-TEMP-DIRECTORY-A – Abnormal process has been executed from a temporary directory by this user
DEF-TEMP-DIRECTORY-F – First time process has been executed from a temporary directory by this user
DLL-AppData – DLL loaded from 'AppData(slash)Local' path
DLL-SideLoading – DLL sideloading malware used, known artifact of APT27
DLL-ULOAD-EquationGroup – A known 'Equation Group' artifact was observed
DLP-BSum – Abnormal amount of data written during DLP policy violation
DLP-GA-F – First DLP policy violation from asset for the peer group
DLP-GBp-F – First blocked process for the peer group
DLP-GP-A – Abnormal DLP policy violation for peer group
DLP-GP-F – First DLP policy violation for peer group
DLP-GPCOUNT – Abnormal number of DLP policy violations for peer group
DLP-OA-F – First DLP policy violation from asset for the organization
DLP-OBp-F – First blocked process for the organization
DLP-OG-ALERT-A – Abnormal peer group triggering DLP alert in the organization
DLP-OG-ALERT-F – First DLP alert triggered for peer group in the organization
DLP-OP-A – Abnormal DLP alert name in the organization
DLP-OP-F – First DLP alert name in the organization
DLP-OU-ALERT-A – Abnormal user triggering DLP alert
DLP-OU-ALERT-F – First DLP alert triggered for this user
DLP-PT-F – First target domain for protocol
DLP-UA-F – First DLP policy violation from asset for user
DLP-UBp-F – First blocked process for the user
DLP-UPCOUNT – Abnormal number of DLP policy violations for user
DLP-UPolicy-A – Abnormal DLP alert name for user
DLP-UPolicy-F – First DLP alert name for user
DLP-UProtocol-A – Abnormal DLP protocol violation for user
DLP-UProtocol-F – First DLP protocol violation for user
DNS-Exfiltration-Tools-Exec – Well-known DNS Exfiltration tools were executed.
DNX-App-Whitelisting – C# code located in consoleapp folder was executed.
DORMANT-USER – Dormant User
DS-APRIV – Non-Privileged user accessing privileged directory service attribute
DS-Count – Abnormal number of directory service events in the organization
DS-DCSh-Add – Directory service server object added
DS-DCSh-Del – Directory service server object created and deleted
DS-DCShadow-E – Possible DCShadow attack from Existing Machine
DS-DCShadow-F – First event for machine in possible DCShadow attack
DS-DCShadow – Possible DCShadow attack detected
DS-GCount – Abnormal number of directory service events in the peer group
DS-GH-A – Abnormal directory service activity on host for peer group
DS-GH-F – First directory service activity on host for peer group
DS-GOC-A – Abnormal directory service object class for peer group
DS-GOC-F – First directory service object class for peer group
DS-GSZ-A – Abnormal directory service activity from source zone for peer group
DS-GSZ-F – First directory service activity from source zone for peer group
DS-OAT-A – Abnormal directory service activity type for object class
DS-OAT-F – First directory service activity type for object class
DS-OG-F – First directory service event for user in the peer group
DS-OH-A – Abnormal directory service activity on host for organization
DS-OH-F – First directory service activity on host for organization
DS-OOC-A – Abnormal directory service object class for organization
DS-OOC-F – First directory service object class for organization
DS-OSZ-A – Abnormal directory service activity from source zone for organization
DS-OSZ-F – First directory service activity from source zone for organization
DS-OU-F – First directory service event for user in the organization
DS-UAT-A – Abnormal directory service activity type for user per object class
DS-UAT-F – First directory service activity type for user per object class
DS-UA – First access to attribute for privileged user
DS-UCount – Abnormal number of directory service events in the user
DS-UH-A – Abnormal directory service activity on host for user
DS-UH-F – First directory service activity on host for user
DS-UOC-A – Abnormal directory service object class for user
DS-UOC-F – First directory service object class for user
DS-USH-A – Abnormal directory service activity on source host for user
DS-USH-F – First directory service activity on source host for user
DS-USZ-A – Abnormal directory service activity from source zone for user
DS-USZ-F – First directory service activity from source zone for user
Defrag-Deactivation – Scheduled defragmentation task was deactivated.
Devtoolslauncher-Binary – Devtoolslauncher.exe has executed a binary
DomainTrust-Discovery – Enumeration of Windows Domain Trusts identified
DotNET-URL – DotNET command line contains remote file
Dxcap-Possible-Subprocess – Dxcap.exe was executed.
EM-Attachments – Abnormal number of attachments in outbound email for user
EM-BSum-5MB-Fail – Failed attempt to email over 5MB of data to a personal email domain.
EM-BSum-5MB – Over 5MB of data emailed to personal email domain.
EM-BSum-first – Large amount of data in email for user with no history
EM-BSum-in – Abnormal size of incoming emails
EM-BSum-personal – Abnormal size of outgoing emails to personal account
EM-BSum – Abnormal size of outgoing emails
EM-Bytes – Abnormally large outbound email for user
EM-Competition – Email to competition
EM-Confidential-File – Confidential file found in outgoing email attachment
EM-DED – Email to a disposable email domain
EM-DNum – Abnormal number of outgoing email domains
EM-EXEC-Personal – Email sent by an Executive user is forwarded to personal email
EM-EXEC-Public – Email sent by an Executive user is forwarded to public email
EM-FNum-in – Abnormal number of incoming emails
EM-FNum – Abnormal number of outgoing emails
EM-File – Source code file found in outgoing email attachment
EM-G-EXEC-A – Abnormal for this peer group has forwarded/sent an email from an executive user
EM-G-EXEC-F – First time this peer group has forwarded/sent an email from an executive user
EM-GD-A – Abnormal email domain for group
EM-GD-F – First email domain for group
EM-GFEXT-A – Abnormal file attachment type in email for peer group
EM-Gcountry-A – Abnormal email to country
EM-Gcountry-F – First email to country for the peer group
EM-InB-Ex – A user has been given mailbox permissions for an executive user
EM-InB-Perm-A – Abnormal number of mailbox permission given by user.
EM-InB-Perm-N-A – Abnormal for user to give mailbox permissions
EM-InB-Perm-N-F – First time a user has given mailbox permissions on another mailbox that is not their own
EM-InRule-EX – User has created an inbox forwarding rule to forward email to an external domain email
EM-InRule-Fin – User has created an inbox forwarding rule to forward emails containing financial keywords
EM-InRule-Public – User has created an inbox forwarding rule to forward email to a public email domain
EM-N-SUM-20 – Over 20MB sent by a new user over email
EM-OD-A – Abnormal email domain for organization
EM-OD-F – First email domain for organization
EM-OFEXT-A – Abnormal file attachment type in email for organization
EM-OutSpam-L – Email sent to more recipients than usual, at least one external. (L)
EM-OutSpam-M – Email sent to more recipients than usual, at least one external. (M)
EM-Personal-Job – Email with job seeking keywords in subject is sent to personal email address from company email address
EM-Personal-PrivacySize – Email with privacy keywords in subject is sent to personal email address from company email address and the email is larger than 10KB
EM-Personal-Privacy – Email with privacy keywords in subject is sent to personal email address from company email address
EM-PersonalEmail – Email sent to their personal email from company email
EM-PublicDomain – Email has been sent to public email domain from company email
EM-UD-A – Abnormal email domain for user
EM-UD-F – First email domain for user
EM-UFEXT-A – Abnormal file attachment type in email for user
EM-Ucountry-A – Abnormal email to country for the user
EM-Ucountry-F – First email to country for the user
EM-country-A – Abnormal email to country for the organization
EM-country-F – First email to country for the organization
EPA-CtrlPnl-A – First control panel function usage for peer group
EPA-DLL – Dll loaded from a temp folder via PowerShell
EPA-EXPERT-DISABLE-RECOVERY – A Suspicious command that disables recovery mode has been executed for process
EPA-EXPERT-SHADOW-COPIES – A Suspicious command that deletes shadow copies has been executed for process
EPA-F-CLI – Suspicious Windows process executed
EPA-GP-A – Abnormal execution of process for this peer group
EPA-GP-F – First execution of process for this peer group
EPA-GSequenceSize-PS – Abnormal number of powershell executions in the peer group
EPA-HDir-Server-F – First execution of a process in this directory on a server
EPA-HI-COUNT – Abnormal number of IPs were accessed from host
EPA-HP-F – First execution of process on host
EPA-OG-SNIFF-A – Abnormal peer group running a network sniffing tool
EPA-OG-SNIFF-F – First time this peer group has run a network sniffing tool
EPA-OH-CENUM-A – Abnormal for this host to run credential enumeration tool
EPA-OH-CENUM-F – Host running credential enumeration tool for the first time
EPA-OH-HENUM-A – Abnormal for this host to run host enumeration tool
EPA-OH-HENUM-F – Host running host enumeration tool for the first time
EPA-OH-SNIFF-A – Abnormal host running a network sniffing tool
EPA-OH-SNIFF-F – First time this host has run a network sniffing tool
EPA-OP-A – Abnormal execution of process in this organization
EPA-OP-F – First execution of process in this organization
EPA-OSequenceSize-PS – Abnormal number of powershell executions in the org
EPA-OU-CENUM-A – Abnormal for this user to run credential enumeration tool
EPA-OU-CENUM-F – First user running credential enumeration tool
EPA-OU-HENUM-A – Abnormal for this user to run host enumeration tool
EPA-OU-HENUM-F – First user running host enumeration tool
EPA-OU-SNIFF-A – Abnormal user has run a network sniffing tool
EPA-OU-SNIFF-F – First time this user has run a network sniffing tool
EPA-OZ-SNIFF-A – Abnormal network zone on which network sniffing tool was run
EPA-OZ-SNIFF-F – First time this network zone on which a networking sniffing tool run.
EPA-PDir-F – First execution of a process in this directory for the organization
EPA-PG-PS-A – Abnormal execution of powershell process for this peer group
EPA-PG-PS-F – First execution of powershell process for this peer group
EPA-PH-F – First execution of process (vssadmin.exe) on host
EPA-PI-F – Process accessed a local network IP address for the first time
EPA-PI-ThreatIp – Process has created a connection to a bad reputation IP address
EPA-PI-TorIp – Process has created a connection to known Tor exit node
EPA-PT-F – Process accessed this internet IP address for the first time
EPA-PU-PS-A – Abnormal execution of powershell process for user
EPA-PU-PS-F – First execution of powershell process for user
EPA-RANDOM-SERVICE – Random service name for the user
EPA-RAT-GI – GoToMyPC remote desktop access agent installed by this user
EPA-RAT-GSI – GoToMyPC remote desktop access service installed by this user
EPA-RAT-GSS – GoToMyPC remote desktop access service started by this user
EPA-RAT-LI – LogMeIn remote desktop access agent installed by this user
EPA-RAT-LSI – LogMeIn remote desktop access service installed by this user
EPA-RAT-LSS – LogMeIn remote desktop access service started by this user
EPA-RAT-SI – Splashtop remote desktop access agent installed by this user
EPA-RAT-SSI – Splashtop remote desktop access service installed by this user
EPA-RAT-SSS – Splashtop remote desktop access service started by this user
EPA-RAT-TI – TeamViewer remote desktop access agent installed by this user
EPA-RAT-TSI – TeamViewer remote desktop access service installed by this user
EPA-RAT-TSS – TeamViewer remote desktop access service started by this user
EPA-SERVICE-PARAMS – Suspicious parameters found in process for service creation
EPA-SNIFF – Network sniffing tool has been run by this user
EPA-Shadow-Mining-name – Process ending with 'miner.exe' has been run
EPA-TEMP-DIRECTORY-A – Abnormal process has been executed from a temporary directory by this user during endpoint activity
EPA-TEMP-DIRECTORY-F – First time process has been executed from a temporary directory by this user during endpoint activity
EPA-UD-DGA-A – Abnormal access to this domain through network which has been identified as DGA
EPA-UD-DGA-F – First access to this domain through network which has been identified as DGA
EPA-UD-DGA-N – Common access to this domain through network which has been identified as DGA
EPA-UH-Pen-F – Known pentest tool used
EPA-UP-ALERT-A – Abnormal security alert for executing this process by the user
EPA-UP-ALERT-F – First security alert for executing this process by the user
EPA-UP-ALERT-N – Common security alert for executing this process by the user
EPA-UP-A – Abnormal execution of process for user
EPA-UP-CENUM – Abnormal number of unique credential enumeration tools run by this user
EPA-UP-HENUM – Abnormal number of unique host enumeration tools run by this user
EPA-USequenceSize-PS – Abnormal number of powershell executions for the user
ETW-Trace-Disable – Event tracing has been disabled, possible logging evasion
EXPERT-PENTEST-DOMAINS – Possible credentials theft attack detected
EXPERT-POWERSHELL-ENCRYPTED – Encrypted argument in a Powershell command detected
Empire-Monkey – EmpireMonkey APT activity was found
EquationEditor-Droppers – Possible 'Eqnetd32.exe' exploit usage
EventLog-Tamper – EventLog has been tampered with
Exec-Outlook-Temp – A suspicious program was executed in the Outlook temp folder.
Executable-Suspicious-Folder – A process has been run from a binary located in a suspicious folder
Exfil-Tunnel-Tools-Exec – Tools known for data exfiltration and tunneling were executed.
FA-Account-deactivated – File Activity from a de-activated user account
FA-EXT – A file has been written and is suspected of Ransomware on host
FA-GC-F – First Failed activity in session from country in which group has never had a successful activity
FA-GD-A – Abnormal file server access for group
FA-GD-F – First file server access for group
FA-GDBytes-A – Abnormal downloaded file size by peer group
FA-LSASS – Possible Mimikatz attack by a user process
FA-OC-F – First Failed activity in session from country in which organization has never had a successful activity
FA-ODBytes-A – Abnormal downloaded file size by organization
FA-OG-A – Abnormal access to source code files for user in the peer group
FA-OG-F – First access to source code files for user in the peer group
FA-OU-A – Abnormal access to source code files for user in the organization
FA-OU-F – First access to source code files for user in the organization
FA-OZ-A – Abnormal file access from network zone for organization
FA-OZ-F – First file access from network zone for organization
FA-Outlook-pst – A file ends with either pst or ost
FA-Outlook – A file has been copied from a path which contains outlook-keyword
FA-TEMP-DIRECTORY-A – Abnormal process has been executed from a temporary directory by this user during file activity
FA-TEMP-DIRECTORY-F – First time process has been executed from a temporary directory by this user during file activity
FA-UA-A – Abnormal file access activity for user
FA-UA-F – First file access activity for user
FA-UA-GC-A – Abnormal file activity from country for group
FA-UA-GC-F – First file activity from country for group
FA-UA-OC-A – Abnormal file activity from country for organization
FA-UA-OC-F – First file activity from country for organization
FA-UA-UC-A – Abnormal file activity from country for user
FA-UA-UC-F – First file activity from country for user
FA-UA-UI-F – First file activity from ISP
FA-UC-F – Failed activity from a new country
FA-UD-A – Abnormal file server access for user
FA-UD-F – First file server access for user
FA-UDBytes-A – Abnormal downloaded file size by user
FA-UFCOUNT-DELETE – Abnormal number of deleted files in a day
FA-UFCOUNT – Abnormal number of files accessed
FA-UH-A – Abnormal file access from asset for user
FA-UH-CRIT – File deletion on a critical system
FA-UH-DELETE – Abnormal number of hosts where files were deleted from
FA-UH-F – First file access from asset for user
FA-UR-A – Abnormal number of file accesses from repository by privileged user
FA-URCOUNT-A – Abnormal number of file reads
FA-UTi – Abnormal user file activity time
FA-UWCOUNT-A – Abnormal number of file writes
FA-UZ-A – Abnormal file access from network zone for user
FA-UZ-F – First file access from network zone for user
FAIL-PTH-ALERT-dH – Possible unsuccessful pass the hash attack by the user
FAIL-PTH-ALERT-sH – Possible unsuccessful pass the hash attack from the source
FDS-Count – Abnormal number of failed directory service events in the organization
FDS-GCount – Abnormal number of failed directory service events in the peer group
FDS-OG-F – First directory service event for user and it failed in the peer group
FDS-OG – Failed directory service event for user in the peer group
FDS-OU-F – First directory service event for user and it failed in the organization
FDS-OU – Failed directory service event for user in the organization
FDS-UCount – Abnormal number of failed directory service events in the user
FE-WC – Modified WMIPRVSE by FIREEYE for pentesting
FEM-FU – Emailing a previously failed attachment
FEM-UD-R – Repeated email failure to domain
FPA-DU – Failed badge access by disabled user
FPA-UB-F – Failed physical access in new building for user
FPA-UC-F – Failed physical access in new location for user
FPA-UD-F – Failed physical access to a door user has never successfully accessed
FPA-UTi-A – Failed badge access at abnormal time
File-Folder-Perm-Mod – The permissions of a file or folder were modified.
FileType-Association-Change – File Association changed for this file extension
Firewall-Disabled-Netsh – Windows firewall was turned off using netsh commands.
Fsutil-Sus-Invocation – Suspicious parameters of fsutil were detected.
GM-LocUA-A – Abnormal group management activity by local user
GM-LocUA-F-new – First group management activity by a new local user
GM-LocUA-F – First group management activity by local user
GM-OH-A – Abnormal group management activity from asset in the organization
GM-OH-F – First group management activity from asset in the organization
GM-OZ-A – Abnormal group management activity from network zone
GM-OZ-F – First group management activity from network zone
GM-UH-A – Abnormal group management activity from asset for user
GM-UH-F – First group management activity from asset for user
GM-UT-TOW-A – Abnormal day for user to perform group management activity
GRAB-REG-HIVES – Grabbing Sensitive Hives via Reg Utility
HH-EXE-CHM – HH.exe usage, possible code execution
Hanword-Subprocess – Suspicious processes spawned by the Hangul word processor
INTERACTIVE-JOB – Interactive job from the 'at' program
Impacket-Lateral-Detection – Activity related to Impacket framework using wmiexec, dcomexe, or smbexec processes via command line have been found.
Indirect-Cmd-Exec – An indirect command was executed via Program Compatibility Assistant pcalua.exe or forfiles.exe.
JPanda-Activity – Judgement Panda Exfil Activity detected
JPanda-RUS-G-Activity – Judgement Panda Exfil Activity- Russian group activity detected
Java-Remote-Dubugging – Java executed with remote debugging enabled
KL-GSnCOUNT-A – Abnormal number of services used to obtain TGTs by peer group
KL-Tf-fail – Failed logon due to a malformed authentication ticket
KL-TfG – Rare Kerberos ticket failure code
KL-ToEt-Roast – Suspicious or weak encryption type used for obtaining kerberos TGTs using non kerberos service
KL-USnCOUNT-A – Abnormal number of services used to obtain TGTs by user
Koadic-Tool-Usage – 'Koadic' attacker tool usage
LL-GH-A-new – Abnormal local logon to asset for group by new user
LL-GH-A – Abnormal local logon to asset for group
LL-GH-F-new – First local logon to asset for group by new user
LL-GH-F – First local logon to asset for group
LL-HU-F-new – Local logon to private asset for new user
LL-UH-A – Abnormal local logon to asset
LL-UH-F – First local logon to asset
LSASS-Mem-Dump – LSASS Memory Dumping
MA-PRIV-A – Abnormal addition to privileged group by user
MA-PRIV-F-local – First addition to privileged group by local user
MA-PRIV-F – First addition to privileged group by user
MA-SELF – User added themself to a group
MMC-Spawn-Win-Shell – MMC (Microsoft Management Console) started a Windows command line executable.
MSHTA-SVCHOST – Mshta.exe spawned by svchost.exe, possible lateral movement
MSTSC-RDP-Hijack – MSTSC Shadowing, possible RDP session hijack/shadowing of session
Microsoft-Workflow-Compiler – Microsoft Workflow Compiler was invoked.
Mimikatz-process – A highly dangerous attacker tool, Mimikatz, has been used
Mod-Boot-Config – Boot configuration data was deleted or modified using the bcdedit command.
Mshta-CMD-Spawn – Mshta.exe has executed a command line executable
Mshta-Javascript – Mshta.exe has executed a javascript related command
Mshta-Script – Mshta.exe .NET code execution
MsiExec-Web-Install – A suspicious msiexec process was started with web addresses as a parameter.
Mustang-Panda-Dropper – Possible Mustang Panda droppers execution.
NAC-GAt-A – Abnormal authentication type for peer group
NAC-GAt-F – First authentication type for peer group
NAC-OAt-A – Abnormal authentication type for organization
NAC-OAt-F – First authentication type for organization
NAC-UAt-A – Abnormal authentication type for user
NAC-UAt-F – First authentication type for user
NAC-UL-A – Abnormal network location for user
NAC-UL-F – First network location for user
NAC-UM-A – Abnormal MAC for user
NAC-UM-F – First MAC for user
NET-EXE-ACTIVE-ORG-A – Abnormal usage of net.exe to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-F – First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ADD-GRP-ORG-A – Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-F – First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-ORG-A – Abnormal usage of net.exe to create a user account by this user.
NET-EXE-ADD-ORG-F – First time net.exe has been used to create a user account by this user.
NET-EXE-DELETE-ORG-A – Abnormal usage of net.exe to delete a user account by this user.
NET-EXE-DELETE-ORG-F – First time net.exe has been used to delete a user account by this user.
NET-EXE-Recon – Enumeration and reconnaissance activities were performed
NEW-USER-F – User with no event history
NKL-GH-A-new – Abnormal kerberos/ntlm logon on asset for peer group by new user
NKL-GH-A – Abnormal NTLM/Kerberos logon to asset for peer group
NKL-GH-F-new – First kerberos/ntlm logon to server for peer group by new user
NKL-GH-F – First NTLM/Kerberos logon to asset for peer group
NKL-HU-F-new – Ntlm/Kerberos logon to private asset for new user
NKL-UH-A – Abnormal NTLM/Kerberos logon to asset
NSniff-Cred – Potential network sniffing was observed
NTLM-mismatch –
Netsh-Connections-Win-Firewall – Netsh commands were used to allow incoming connections by Port or Application on Windows Firewall.
Netsh-Port-Fwd – Netsh commands were used to configure port forwarding.
Netsh-RDP-Port-Fwd – Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected.
New-ScheduledTask – New scheduled task created using shctasks.exe
New-Service – New windows service created
Non-Interactive-Powershell – Non-Interactive Powershell activity was found.
NotPetya-Activity – NotPetya Ransomware Activity detected
OG-SYSVOL-A – Abnormal SYSVOL Domain Group Policy Access for thjis peer group
OG-SYSVOL-F – Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
Odbcconf-DLL-Load – DLL loaded via odbcconf.exe execution.
Office-Payload-Download – Possible malicious payload download via Microsoft Office binaries
OpenWith-Exec-Cmd – OpenWith.exe executed via command line
Operation-Wocao-Activity – Possible Operation-Wocao APT activity, suspicious command line arguments
Ordinal-Rundll32-Call – Suspicious calls of DLLs in rundll32.dll exports by ordinal.
Outlook-Unsafe-Execution – A suspicious sub process was spawned by Microsoft Outlook
PA-DU – Badge access by disabled user
PA-IT-NoPA – IT presence without badge access
PA-MC – Badge access in multiple cities within a session
PA-NoIT – Badge access without IT presence
PA-UB-A – Abnormal physical access in this building for user
PA-UC-A – Abnormal physical access in this location for user
PA-UC-F – First physical access in this location for user
PA-UTi-A – Badge access at abnormal time
PA-VPN-01 – VPN login after badge access
PA-VPN-02 – Badge access after VPN login
PA-WU – Badge access by watchlist user
PC-InstallUtil-dll-A – Abnormal dll file usage by InstallUtil.exe
PC-InstallUtil-dll-F – First time dll file usage by InstallUtil.exe
PC-InstallUtil-exe-A – Abnormal exe file usage by InstallUtil.exe
PC-InstallUtil-exe-F – First time exe file usage by InstallUtil.exe
PC-MSBuild-Csproj-F – First time csproj file usage by MSBuild.exe
PC-MSBuild-xml-F – First time xml file usage by MSBuild.exe
PC-Mshta-Hta-A – Abnormal hta file usage by Mshta.exe
PC-Mshta-Hta-F – First time hta file usage by Mshta.exe
PC-ParentName-ProcessName-DCOM-A – Abnormal child process creation for DCOM associated process.
PC-ParentName-ProcessName-DCOM-F – First time child process creation for DCOM associated process
PC-ParentName-ProcessName-DotNET-A – Abnormal child process creation for .NET associated process
PC-PowerShell-ExchangeSnapIns – Exchange Snap-In was imported and run by Powershell.
PC-PowerShell-PowerCatDownload – PowerCat tool was downloaded via Powershell.
PC-PowerShell-SocketCreate – Powershell TCP Socket Creation through Powershell.
PC-Powershell-HafniumActivity – Powershell HAFNIUM Activity
PC-Procdump-LsassDump – Procdump was executed with lsass dump command line parameters.
PC-Regsvr32-sct-A – Abnormal sct file usage by Regsvr32.exe
PC-Regsvr32-sct-F – First time sct file usage by Regsvr32.exe
PC-Rundll-LsassDump – Rundll32 was run with minidump via commandline
POSS-SPN-ENUMERATION – Possible SPN Enumeration
PR-NPSum – Abnormal number of pages printed
PR-SRC-CODE – Printed document with source code file extension
PR-UP-A – Abnormal printer for user
PR-UP-F – First print activity from printer for user
PR-UT-TOW – Abnormal print activity time for user
PSExec-Rename – PS Exec used
PSR-Screenshot – Psr.exe was used to take a screenshot
PTH-ALERT-dH – Possible pass the hash attack by the user
PTH-ALERT-sH-Failed – Failed pass the hash attack with keylength of 0 in NTLM event and a 'null' sid.
PTH-ALERT-sH-Possible – Possible pass the hash attack with keylength of 0 in NTLM event and a 'null' sid.
PTH-ALERT-sH – Possible pass the hash attack from the source
ParentProcess-P-A – Abnormal parent process for peer group
ParentProcess-P-F – First execution of this parent process for peer group.
Ping-Hex-IP – A ping command used a hex decoded IP address
PlugX-DLL-Sideloading – DLL loaded from suspicous location typically seen by the PlugX malware family
Possible-PrivEsc-SvcPerms – Possible privilege escalation using weak service permissions
PowerShell-BITS-Job – BITS job via PowerShell was created.
Powershell-ADS – Powershell invoked using 'Alternate Data Stream'
Powershell-AMSI-Bypass-NET – Request to amsiInitFailed that can be used to disable AMSI Scanning was found.
Powershell-Advanced-A – Abnormal user using advanced powershell capabilities
Powershell-Advanced-F – First use of advanced powershell capabilities by user
Powershell-AudioCapture – Powershell has recorded external audio
Powershell-CMDLETS – Malicious PowerShell script was used via get cmdlets function of PowerShell
Powershell-Commands-A – Abnormal Powershell Command
Powershell-Commands-F – First new Powershell Command
Powershell-Empire – The attacker tool, Powershell Empire, has been used
Powershell-Exec-DLL – PowerShell Strings applied to rundllas.exe seen in PowerShdll.dll
Powershell-Invoke-Count – Abnormal number of Invoke-Command/Expression used by the org
Powershell-RunType-A – Abnormal invocation of powershell
Powershell-Script-A – Abnormal powershell script
Powershell-Script-AppData – Powershell was invoked in a suspicious command line execution with reference to an AppData folder.
Powershell-Script-F – First time this powershell script has been run
Powershell-WMI-A – Abnormal user using powershell WMI
Powershell-WMI-F – First time for user using powershell WMI
Powershell-Web-A – Abnormal amount of powershell web activity
PrivEsc-SchedTask-LegacyDACL – Possible privilege escalation using a legacy task file
Proc-Dump-Comsvcs – Process Dump via Rundll32 and Comsvcs.dll
Procdump-Comsvcs-DLL – Process Dump via Comsvcs DLL
RA-F-A-CS – Abnormal remote access to critical system for user
RA-F-F-CS – First remote access to critical system for user
RA-GH-A-new – Abnormal access to asset for group by new user
RA-GH-A – Abnormal access to asset for group
RA-GH-F-new – First access to asset for group by a new user
RA-GH-F – First access to asset for group
RA-GHcount – Abnormal number of accessed assets for group
RA-HT-EXEC-new – New user remote access to executive asset
RA-HT-EXEC – Non-Executive user remote access to executive asset
RA-OHcount – Abnormal number of accessed hosts for the organization
RA-UH-A – Abnormal access to asset
RA-UH-CS-NC – Remote access to a critical system for user with no information
RA-UH-F – First access to asset
RA-UH-sZ-A – Abnormal remote access to asset from first or abnormal zone
RA-UH-sZ-F – First remote access to asset from first or abnormal zone
RA-UHcount-L – Abnormal number of accessed hosts for user (L)
RA-UHcount-M – Abnormal number of accessed hosts for user (M)
RA-UHcount-S – Abnormal number of accessed hosts for user (S)
RASdial-Activity – Process was executed with rasdial as a command line argument.
RDP-Brute-Force – Abnormal number of RDP failed logons for this user
RL-GH-A-new – Abnormal remote logon to asset for group by new user
RL-GH-A – Abnormal remote logon to asset for group
RL-GH-F-new – First remote logon to asset for group by new user
RL-GH-F – First remote logon to asset for group
RL-HU-F-new – Remote logon to private asset for new user
RL-OZ-A-DC – Abnormal logon to a Domain Controller from zone for organization
RL-OZ-F-DC – First logon to a Domain Controller from zone for organization
RL-UH-A – Abnormal remote logon to asset
RL-UH-F – First remote logon to asset
RL-UH-sZ-A – Abnormal remote logon to asset from new or abnormal source network zone
RL-UH-sZ-F – First remote logon to asset from new or abnormal source network zone
RL-UZ-F-DC – First logon to a Domain Controller from zone for user
RLA-UAPackage-A – Abnormal usage of Windows authentication package
RLA-UAPackage-F – First time usage of Windows authentication package
RLA-UsH-dZ-A – Abnormal remote access to zone from new asset
RLA-UsH-dZ-F – First remote access to zone from new asset
RLA-UsZ-A – Abnormal source network zone for user
RLA-UsZ-F – First source network zone for user
RLA-dZsZ-F – First inter-zone communication from destination to source
RLA-sZdZ-A – Abnormal inter-zone communication
RLA-sZdZ-F – First inter-zone communication from source to destination
Regsvr32-Suspicious-Cmd – Suspicious commands related to regscr32.exe have been observed.
Remote-Powershell-Session – Remote Powershell session was detected by monitoring for wsmprovhost as a parent or child process.
Rubeus-CMD-Tool – Command line parameters used by Rubeus hack tool detected
RunDll32-ControlPanel – RunDll32.exe run from control panel
SA-AsU-A – Abnormal access of admin share on this host
SA-AsU-F – First access of admin share on this host
SA-Bloodhound-2 – ADMIN IPC Share samr folder accessed
SA-Bloodhound-3 – ADMIN IPC Share srcsvc accessed
SA-Bloodhound-Main-1 – Possible Bloodhound Tool Usage by this user accessing srcsvc folder.
SA-Bloodhound-Main-2 – Possible Bloodhound Tool Usage by this user accessing lsarpc folder.
SA-Bloodhound-Main-3 – Possible Bloodhound Tool Usage by this user accessing samr folder.
SA-Bloodhound – ADMIN IPC Share lsarpc folder accessed
SA-GA-A – Abnormal security alert name in the peer group
SA-GA-F – First security alert name in the peer group
SA-OA-A – Abnormal security alert name in the organization
SA-OA-F – First security alert name in the organization
SA-OG-ALERT-A – Abnormal peer group triggering security alert in the organization
SA-OG-ALERT-F – First security alert triggered for peer group in the organization
SA-OH-A – Abnormal admin share on this host
SA-OH-F – First admin share on this host
SA-OU-ALERT-A – Abnormal user triggering security alert in the organization
SA-OU-ALERT-F – First security alert triggered for this user in the organization
SA-OU-A – Abnormal admin share access for user in the organization
SA-OU-F – First admin share access for user in the organization
SA-SCF-Share – A SCF file was created on a network share.
SA-UA-A – Abnormal security alert name for user
SA-UA-F – First security alert name for user
SA-US-AA – Possible share scanning by privileged user
SA-US-AU – Abnormal number of network shares accessed by user
SEQ-UH-01 – Account lockout on an asset that belongs to this user
SEQ-UH-02 – Account lockout on an asset that does not belong to this user
SEQ-UH-03 – Failed logon to a top failed logon asset by user
SEQ-UH-04 – Failed logon by a service account
SEQ-UH-05 – Failed interactive logon by a service account
SEQ-UH-06 – Abnormal failed logon to asset by user
SEQ-UH-07 – Failed logon to an asset that user has not previously accessed
SEQ-UH-08 – Abnormal number of failed logons for this user
SEQ-UH-09 – Abnormal time of the week for a failed logon for user
SEQ-UH-10 – Failed logons had multiple reasons
SEQ-UH-11 – Account changed recently
SEQ-UH-12 – Logon attempt on a disabled account
SEQ-UH-14 – Failed logon due to bad credentials
SEQ-UH-15 – Failed VPN login
SEQ-UH-16-L – Exceeded number of failed logons for the user (L)
SEQ-UH-16-M – Exceeded number of failed logons for the user (M)
SEQ-UH-16-S – Exceeded number of failed logons for the user (S)
SEQ-UH-17 – User failed logging on to at least 3 different hosts
SEQ-UH-18 – User failed to logon three times within 10 seconds
SETUPCOMPLETE-PRIV-ESC – Privilege escalation attempt using the SetupComplete.cmd object
SL-UA-F-VPN – First VPN connection for service account
SL-UH-A – Abnormal access from asset for a service account
SL-UH-I – Interactive logon using a service account
SW-UC – Unusual child process loaded by SolarWinds tool
SecX-Tool-Exec – SecurityXploded Tool execution detected
ServicePath-Modification – Suspicious service path identified
ShadowCP-OSUtilities – Shadow Copies Creation Using Operating Systems Utilities
ShadowCP-SymLink – Shadow Copies Access via Symlink
Shim-Installation – Possible installation of a 'shim' using sdbinst.exe
SoundRecorder-AudioCapture – SoundRecorder has recorded external audio
Squibly-Two – A WMI SquiblyTwo Attack with possibly renamed WMI by looking for imphash was detected.
Sus-Double-Extension – An .exe extension was used after a different non-executable file extension.
Sus-Encoded-PS-CmdLine – Suspicious Powershell process was started with base64 encoded commands.
Sus-GUP-Usage – Execution of the Notepad++ updater in a suspicious directory.
Sus-MsiExec-Directory – Suspicious msiexec process started in an uncommon directory.
Sus-Powershell-Invocation-Parent-Proc – Suspicious Powershell invocation from interpreters or unusual programs.
Sus-Powershell-Param – Powershell was invoked with a suspicious parameter substring
Sus-Procdump – Suspicious Use of Procdump
Sus-Svchost-Process – A suspicious svchost process was started.
Suspicious-ControlPanel – Control Panel commandlets loaded outside the default directory
Suspicious-DAT – A suspicious .dat file used, possible APT activity
Suspicious-GetSystem-Usage – Possible Meterpeter/Cobalt Strike usage of GetSystem
Suspicious-IIS-Modules – Native-Code modules for IIS installed via command line
Suspicious-LNK – A suspicious .lnk file used, possible ATP activity
Suspicious-Persistence – Suspicious 'schtask' creation, possible attack tool usage
Suspicious-RDP-TSCON – Suspicious usage of RDP using tscon.exe
Suspicious-Shell-Child-Process – Windows shell has spawned a suspicious process
Svchost-Suspicious-Launch – Svchost.exe has launched without any command line arguments
Sys-File-Exec-Anomaly – A Windows program executable was started in a suspicious folder.
Sysmon-Driver-Unload – Possible Sysmon driver unloaded.
Sysprep-Appdata – Suspicious sysprep process was started with AppData folder as target.
Tap-Installer – TAP software was installed.
Taskmgr-as-Parent – A process was created from Windows task manager.
TasksFolder-Evasion – The 'tasks' directory was observed in a file creation command
Terminal-Svc-Proc-Spawn – Process spawned by the terminal service server
Trickbot-Recon – Trickbot malware domain recon activity
TropicTrooper-APT – Possible TropicTrooper APT artifacts observed
TurlaGroup-LateralMovement – Artifacts from the ATP 'Turla Group' have been observed
UA-GC-A – Abnormal activity from country for group
UA-GC-F – First activity from country for group
UA-GC-new – Abnormal country for group by new user
UA-OC-A – Abnormal activity from country for organization
UA-OC-F – First activity from country for organization
UA-OC-new – Abnormal country for organization by new user
UA-UC-A – Abnormal activity from country for user
UA-UC-F – First activity from country for user
UA-UC-Suspicious – Activity from suspicious country
UA-UC-Three – Activity from 3 different countries
UA-UC-Two – Activity from two different countries
UA-UC-new – Abnormal country for user by new user
UA-UI-F – First activity from ISP
UAC-Bypass-COM-OBJECT – Windows UAC bypass using COM object access
UAC-Bypass-Fodhelper – UAC Bypass using fodhelper.exe
UAC-Bypass-Wsreset – UAC Bypass using wsreset.exe
UW-BSum – Abnormal amount of data written to USB
UW-DH-A – Abnormal asset for USB device
UW-DH-F – First asset for device in USB event
UW-FNum – Abnormal number of files written to USB
UW-PST – A file ending with either pst or ost has been written into USB
UW-UD-A – Abnormal USB device for user
UW-UD-F – First device for user in USB event
UW-UH-A – Abnormal asset for user in USB event
UW-UH-F – First asset for user in USB event
UW-UHD-000 – First USB activity event for user, asset and USB device
UW-UHD-001 – First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past.
UW-UHD-010 – First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events
UW-UHD-011 – First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events
UW-UHD-100 – First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events
UW-UHD-101 – First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events
UW-UHD-110 – First USB activity event for USB device. The user and the asset have been seen in other USB events
UW-UHD-F – First asset and device for user in USB event
Unauthorized-MBR-Mods – Bcdedit.exe has signs of malicious unauthorized usage.
UserProcess-Spawned-FromOffice – An executable running under the 'Users' path has been spawned from an Office application
Userinit-Child-Process – Userinit had a suspicious child process.
VPN-BSum – Abnormal amount of data uploaded during VPN Session
VPN-End-DUR – Abnormal VPN session duration
VPN-GsH-A – Abnormal VPN connection from device for peer group
VPN-GsH-F – First VPN connection from device for peer group
WA-CS – Audit activity on a critical system for user
WA-HA-F-1 – First audit log clearance on host
WA-HA-F-2 – First audit policy change on host
WCA-DP – Meeting updated to remove password
WCA-MTOW-A – Abnormal web conference meeting time
WCA-OA-A – Abnormal for any user in the organization to perform this web conference administrative activity
WCA-OA-F – First time for any user in the organization to perform this web conference administrative activity
WCA-OU-A – Abnormal web conference administrative activity by user
WCA-OU-F – First time user performs web conference administrative activity
WCA-Ransomware-IP – User performs web conference login from an IP associated with Ransomware
WCA-TOW-A – Abnormal web conference login time
WCA-Threat-IP – User performs web conference login from a known malicious IP
WCA-Tor-IP – User performs web conference login from a known Tor exit node
WCA-Ucountry-A – Abnormal web conference login country for user
WEB-ALERT-EXEC – Security violation by Executive in web activity
WEB-FS – User has accessed a file sharing domain
WEB-GBytes-A-FS – Abnormal amount of data for peer group has been uploaded to a file sharing site
WEB-GBytes-A-JS – Abnormal amount of data had been uploaded to a job search site in the peer group
WEB-GBytesSum-EWD – Abnormal amount of data for the peer group uploaded to webmail domains
WEB-GSequenceSize-JS – Abnormal number of job search events in the group
WEB-GUa-Browser-F – First activity using this web browser for the peer group
WEB-GUa-OS-F – First web activity using this operating system for the peer group
WEB-GZ-F – First web activity from this zone for the peer group
WEB-IOC – Indicator of Compromise (IOC) found in user's web activity
WEB-IP-COUNTRY-A – Abnormal direct access to an IP address belonging to an abnormal country for user to access
WEB-IP-Country-F – User has directly browsed to an IP address belonging to a country never before accessed
WEB-IPF-Country-F – User has failed trying to directly browse to an IP address belonging to a country never before accessed
WEB-New-File-20-Block – User with no web activity history was blocked from uploading 20MB or more
WEB-New-File-20 – User with no web activity history has uploaded 20MB or more
WEB-New-File – New user accessing file sharing websites
WEB-OBytes-A-FS – Abnormal amount of data for user has been uploaded to a file sharing site
WEB-OBytesSum-EWD – Abnormal amount of data for the organization uploaded to webmail domains
WEB-OG-FS – One of the top file sharing users in the peer group
WEB-OG-JS-A – Abnormal job search activity for user in the peer group
WEB-OG-JS-F – First job search activity for user in the peer group
WEB-OSequenceSize-JS – Abnormal number of job search events in the org
WEB-OU-FS – One of the top file sharing users in the organization
WEB-OU-JS-A – Abnormal job search activity for user in the organization
WEB-OU-JS-F – First job search activity for user in the organization
WEB-OUa-Browser-F – First activity using this web browser for the organization
WEB-OUa-OS-F – First web activity using this operating system for the organization
WEB-OZ-F – First web activity from this zone for the organization
WEB-OsUa-MobileBrowser-F – First activity using this mobile web browser for this mobile operating system
WEB-Phishing – Web activity to a phishing domain.
WEB-RCCount – Abnormal number of proxy events with 3xx/4xx requests for the user
WEB-Shadow-Mining-IP – User has connected to a known coinmining/shadowmining IP
WEB-Shadow-Mining – User has browsed to a known coinmining/shadowmining domain
WEB-UBlock – Abnormal number of denied web access domains
WEB-UBytes-A-JS – Abnormal amount of data had been uploaded to a job search site for the user
WEB-UBytesSum-EWD – Abnormal amount of data for user uploaded to webmail domains
WEB-UBytesSum-In-FS-PU – Abnormal amount of data had been downloaded from file sharing websites by privileged user
WEB-UBytesSum-In-FS – Abnormal amount of data had been downloaded from file sharing websites by non-privileged user
WEB-UBytesSum-Out-FS – Abnormal amount of data for user has been uploaded to file sharing websites
WEB-UD-ALERT-A – Abnormal security alert accessing this malicious domain for user
WEB-UD-ALERT-N – Common security alert on this malicious domain for user
WEB-UD-DGA-A – Abnormal access to this domain which has been identified as DGA
WEB-UD-DGA-N – Common access to this domain which has been identified as DGA
WEB-UD-DynamicDNS – User attempted access to a domain generated using Dynamic DNS service
WEB-UD-Phishing – User attempted to access a domain which is associated to Phishing
WEB-UD-Reputation-A – Abnormal access to this web domain which has been identified as risky by a reputation feed.
WEB-UD-Reputation-F – First access to this web domain which has been identified as risky by a reputation feed.
WEB-UD-Reputation-N – Common access to this web domain which has been identified as risky by a reputation feed.
WEB-UD-TorProxy – User has accessed a known Tor web proxy
WEB-UDLP-A-FS – Abnormal amount of data for organization has been uploaded to a file sharing site
WEB-UDLP-A-JS – Abnormal amount of data had been uploaded to a job search site in the organization
WEB-UDLP-A – Possible data exfiltration: Abnormal amount of data had been uploaded to the web
WEB-UGETDLP-A – Possible data exfiltration: Abnormal amount of data had been written to the web in http GET requests
WEB-UI-Ransomware – User attempted to connect to IP address which is associated to Ransomware
WEB-UI-Reputation-A – Abnormal access to this IP address which has been identified as risky by a reputation feed.
WEB-UI-Reputation-F – First access to this internet IP address which has been identified as risky by a reputation feed.
WEB-UI-Reputation-N – Common access to this IP address which has been identified as risky by a reputation feed.
WEB-UI-Tor – User has accessed a known Tor exit node
WEB-URank-A – Abnormal web activity to this low ranked web domain
WEB-URank-Binary – Executable download from first low ranked web domain
WEB-URank-DLP – Possible data exfiltration: Abnormal amount of data had been uploaded to low ranked websites
WEB-URank-F – First web activity to this low ranked web domain
WEB-URank-Tor – User has accessed a tor-to-web proxy site
WEB-USequenceSize-Denied – Abnormal number of denied web activity events for user
WEB-USequenceSize-JS – Abnormal number of job search events by user
WEB-USequenceSize – Abnormal number of web activity events for user
WEB-UT-TOW-A – Abnormal day for this user to access the web via the organization
WEB-UU-Reputation – User attempted access to a url with bad reputation
WEB-UU-Tor – User has accessed a URL containing '/tor/server'
WEB-UUa-Browser-F – First activity using this web browser for this user to a new domain
WEB-UUa-MobileBrowser-F – First activity using this mobile web browser/app for this user to a new domain
WEB-UUa-OS-F – First web activity using this operating system for this user
WEB-UZ-F – First web activity for this user in this zone
WINCMD-Arp – 'Arp' program used
WINCMD-Netsh – 'Netsh' program used
WINCMD-Route – 'Route' program used
WINCMD-WmiObject – Powershell WMI object to enumerate network adapter was used
WMI-Exec-Suspicious-Cmds – WMI was executed with suspicious commands.
WMI-Script-Event-Consumers – Suspicious usage of WMI script event consumers.
WMI-Spawn-PowerShell – PowerShell was spawned via WMI.
WMIC-EXE-RENAME-GRP-ORG-F – First time WMIC.exe has been used to rename a group by this user.
WMIC-EXE-RENAME-ORG-A – Abnormal usage of WMIC.exe to rename a user account by this user.
WMIC-EXE-RENAME-ORG-F – First time WMIC.exe has been used to rename a user account by this user.
WMIExec-VBS-Script – Suspicious usage of wscript/cscript
WPA-GP-A – Abnormal privileged process for peer group
WPA-GP-F – First privileged process for peer group
WPA-HP-A – Abnormal privileged process for host
WPA-HP-F – First privileged process for host
WPA-HZ-F – First privileged access event on host from zone
WPA-OG-F – First privileged access event for user for peer group
WPA-OP-A – Abnormal privileged process for organization
WPA-OP-F – First privileged process for organization
WPA-OU-F – First privileged access event for user for organization
WPA-PD-A – Abnormal directory for privileged process
WPA-PD-F – First directory for privileged process
WPA-UACount – Abnormal number of privilege access events for user
WPA-UH-F – First privileged access event on host for user
WPA-UP-A – Abnormal privileged process for user
WPA-UP-F – First privileged process for user
WPA-USH-F – First privileged access event on source host for user
WSC-GH-F – First service installation on host in the peer group
WSC-GS-A – Unusual service name in the peer group
WSC-OH-F – First service installation on host in the organization
WSC-OS-A – Unusual service name in the organization
WSC-OZ-F – First service installation in zone for organization
WSC-PSEXEC-A – Abnormal service installation Psexec for the user
WSC-PSEXEC-F – First service installation Psexec for the user
WSC-RANDOM-SERVICE – Random service name found for this user
WSC-SERVICE-PARAMS – Suspicious parameters in service installation process for this user
WSC-SP-A – Unusual process executed by service for this user
WSC-SP-F – First process executed by service for this user
WSC-SP-POWERSHELL – Service created to execute sensitive process
WSC-UH-F – First service installation on host by the user
WSC-US-A – Unusual service name in the user
WSC-UZ-F – First service installation in zone by this user
WScript-CScript-Dropper – Wscript or Cscript used for script execution from User directories
WTC-GH-F – First scheduled task on host in the peer group
WTC-GT-A – Unusual task name in the peer group
WTC-HT-EXEC – Non-Executive user created a scheduled task/service on executive asset
WTC-HT-PRIV – Non-Privileged user created a scheduled task/service on privileged asset
WTC-OH-F – First scheduled task on host in the organization
WTC-OT-A – Unusual task name in the organization
WTC-TP-A – Unusual process for scheduled task
WTC-TP-POWERSHELL – Scheduled task created to execute sensitive process
WTC-UH-F – First scheduled task on host for the user
WTC-UT-A – Unusual task name in the user
WebShell-CLI – Possible command line web shell detected
WebShell-WebServer – Possible web server web shell detected
Win-Proc-Sus-Parent – A suspicious parent process of well-known Windows processes was detected.
WinWord-Uncommon-Subprocess – Winword has spawned an uncommon subprocess, csc.exe
Winnti-Malware – Artifacts of 'Winnti' malware have been observed
Winword-Uncommon-Process – 'MicroScMgmt' executable run by 'WinWord.exe'
Word-FLTLDR-Exploit-Vector – Possible loading of exploit using Microsoft Office and the fltldr.exe application
XSL-Script-Processing – XSL script was used to execute arbitrary files.
Zoho-DCTask – Dctask64.exe executed, possible process injection

Updated Rules

There are no updated rules in this release.

Deprecated Rules

There are no deprecated rules in this release.