Threat Detection ManagementThreat Detection Management Guide

Abnormal number of failed logins to one or more applications for this user

First application login event from this ISP for the organization

First application login event from this ISP for this user

First application login event from this ISP for users in this department

First application login event from this ISP for users with this manager

First timeframe of an application login for this user

User is a service account

First application login event from this endpoint for the organization

First application login event from this endpoint for this user

First application login event without multi factor authentication for this user

First application login event from this country for the organization

First application login event from this country for this user

First application login event from this country for users in this department

First application login event from this country for users with this manager

First audit policy modification from this endpoint

First audit policy modification for this user

Asset is a critical system

Bucket policy/ACL was modified to make it public

Public access block was removed from an AWS bucket

First AWS bucket policy/ACL modification to public for this user

First AWS bucket ACL modification for this user

First AWS bucket policy modification for this user

First GCP IAM permissions granted to a user with this user type

First policy attachment to an identity in AWS for this user

First IAM policy creation or modification for this user on this platform

First AWS policy version rollback for this user

First GCP resource in an IAM policy modification for the organization

First GCP resource in an IAM policy modification for this user

An administrative policy was created or attached to an identity in AWS

A cloud resource policy in GCP was modified with administrative permissions

A cloud resource policy in GCP was modified with public permissions

First GCP IAM permissions granted to a user from this domain

Abnormal number of unique volumes attached for this user

First volume attachment for this user

First volume creation from a snapshot for this user

An image resource has been made public in AWS

First image user permissions modification for this user

First image creation for this user

First image creation with this publisher for the organization

A snapshot resource has been made public in AWS

First snapshot user permissions modification for this user

First snapshot creation for this user

First remote command execution on an instance for this user

First instance SSH key modification for this user in GCP

A startup script was added to an instance in AWS

A startup/shutdown script was added to an instance in GCP

First database event in this database from this endpoint for this user

First database event in this database from this IP address for this user

First database event in this database from this network zone for this user

First database operation from this network zone

First database operation on this database for this user

First database operation on this database for users in this department

First database operation on this database for users with this manager

Abnormal number of database operation events observed for this user

Abnormal number of unique database operations observed for this user

First database event in this database for this user

First database event in this database for users in this department

First database event in this database for users with this manager

Abnormal database query response size for this user

Abnormal database query response size in this database for this source network zon

Abnormal database query response size in this database for this user

Abnormal database query size for this user

First failed directory service activity type for this user

First failed directory service activity type for users in this department

First failed directory service activity type for users with this manager

First directory service object class for the organization

First directory service object class for this user

First directory service object class for users in this department

First directory service object class for users with this manager

First directory service activity for this user

First directory service activity for users in this department

First directory service activity for users with this manager

Abnormal number of directory service events for the organization

Abnormal number of directory service events for this user

Abnormal number of directory service events for users in this department

Abnormal number of directory service events for users with this manager

Abnormal number of failed directory service events for the organization

Abnormal number of failed directory service events for this user

Abnormal number of failed directory service object events for users in this department

Abnormal number of failed directory service object events for users with this manager

First directory service activity from this endpoint for the organization

First directory service activity from this network zone for the organization

First directory service activity from this endpoint for this user

First directory service activity from this network zone for this user

First directory service activity from this endpoint for users in this country

First directory service activity from this network zone for users in this country

First directory service activity from this endpoint for users in this department

First directory service activity from this network zone for users in this department

First directory service activity from this endpoint for users with this manager

First directory service activity from this network zone for users with this manager

First directory service activity for this directory service object class

First directory service activity type from this endpoint

First directory service activity type for this user

First directory service object attribute accessed for this privileged user

First DLL image with this extension loaded for the organization

First DLL image with this extension loaded for this process

First DLL image with this extension loaded on this endpoint

MI provider service used to invoke CMD/PowerShell

First DLL image loaded from this folder for the organization

First DLL image with this name loaded for the organization

Abnormal number of unique DNS queries from this endpoint

Abnormal amount of bytes sent in DNS queries for the organization

Abnormal amount of bytes sent in DNS queries from this endpoint

Abnormal amount of bytes sent in DNS queries from this network zone

Abnormal number of DNS queries to NX domains for the organization

Abnormal number of DNS queries to NX domains from this endpoint

Abnormal number of emails received for this user

First email received from this email domain for the organization

First email received from this email domain for this user

First email received from this email domain for users in this department

First email received from this email domain for users with this manager

First email attachment with this extension received for the organization

First email attachment with this extension received for this user

First email attachment with this extension received for users in this department

First email attachment with this extension received for users with this manager

Abnormal amount of bytes received in incoming emails for this user

Email sent outcome

An email containing a resume was sent

First email attachment with this extension sent for the organization

First email attachment with this extension sent for this use

First email attachment with this extension sent for users in this department

First email attachment with this extension sent for users with this manager

Abnormal number of emails sent for this user

First email sent to this country for the organization

First email sent to this country for this user

First email sent to this country for users in this country

First email sent to this country for users in this department

First email sent to this country for users with this manager

An email was sent to a competitor email domain

Abnormal number of email attachments in a sent email for this user

An email containing a source code file was sent

Abnormal amount of bytes sent in outgoing emails for this user

A service account failed an interactive login to an endpoint

First login to this endpoint for this user

First login to this endpoint for users in this country

First login to this endpoint for users in this department

First login to this endpoint for users with this manager

First failed login to this endpoint for this user

Abnormal number of unique users failed to log into this endpoint

Abnormal number of unique users failed to login from this endpoint

Destination endpoint is critical

Destination endpoint is a domain controller

Destination endpoint is a workstation

The user failed to login due to bad credentials

First endpoint login using this domain account for this user

First endpoint login event from this endpoint for this user

First endpoint login event to a domain controller from this network zone for the organization

First successful NTLM login from this endpoint

Abnormal number of unique destination endpoints observed in endpoint login events for the organization

Abnormal number of unique destination endpoints observed in endpoint login events for this user

Abnormal number of unique destination endpoints observed in endpoint login events for users in this country

Abnormal number of unique destination endpoints observed in endpoint login events for users in this department

Abnormal number of unique destination endpoints observed in endpoint login events users with this manager

A disabled user attempted to log into an endpoint

Abnormal number of failed endpoint logins to this endpoint for this user

Abnormal number of failed endpoint logins to this network zone for this user

Abnormal number of failed RDP endpoint logins to this endpoint for this user

Abnormal number of failed endpoint logins from this endpoint for this user

Abnormal number of unique endpoints failed to log into this endpoint

First timeframe of an endpoint login for this user

First timeframe of a failed endpoint login for this user

First endpoint login to an endpoint of this type for this user

Domain account is privileged

User is executive

User is a service account

User is privileged

First network access control login type for the organization

First network access control login type for this user

First network access control login type for users in this department

First network access control login type for users with this manager

First network access control login from this network location for this user

First network access control login event from this MAC address for this user

First source code file activity for this user

First source code file activity for users in this department

First source code file activity for users with this manager

First timeframe of a file activity for this user

First file activity from this network zone for the organization

First file activity from this endpoint for this user

First file activity from this network zone for this user

First file activity on this endpoint for this user

First file activity on this endpoint for users in this country

First file activity on this endpoint for users in this department

First file activity on this endpoint for users with this manager

First file download to this endpoint for the organization

First file download to this endpoint for this user

First file download to this ISP for the organization

First file download to this ISP for this user

First file download to this ISP for users in this department

First file download to this ISP for users with this manager

An executable file was downloaded

First file download to this country for the organization

First file download to this country for this user

First file download to this country for users in this department

First file download to this country for users with this manager

Abnormal amount of file download events for the organization

Abnormal amount of file download events for this user

Abnormal amount of file download events for users in department

Abnormal amount of file download events for users with this manager

First cloud storage object file modification to public for this bucket

First cloud storage object file modification to public for this user

An Outlook file was copied to another folder

A 'PST'\\'OST' file was copied

Abnormal number of unique endpoints in file read events for this user

Abnormal number of unique files read in this bucket for this user

Abnormal number of unique files read in this storage account for this user

Abnormal number of unique files read for this user

Abnormal number of unique files read in this platform for this user

File was read from a repository

Abnormal amount of file bytes read in this bucket for this user

Abnormal amount of file bytes read in this storage account for this user

Abnormal amount of file bytes read in this platform for this user

A process has directly accessed 'lsass.exe' memory space

First file upload from this ISP for the organization

First file upload from this ISP for this user

First file upload from this ISP for users in this department

First file upload from this ISP for users with this manager

First file upload from this country for the organization

First file upload from this country for this user

First file upload from this country for users in this department

First file upload from this country for users with this manager

First file upload from this endpoint for the organization

First file upload from this endpoint for this user

Abnormal amount of file upload events for the organization

Abnormal amount of file upload events for this user

Abnormal amount of file upload events for users in this department

Abnormal amount of file upload events for users with this manager

Activity from a disabled user

First timeframe of any activity for this user

First MIME type for the organization

User is a service account

First OS and browser combination for this user

First OS and browser combination for this organization

First OS and browser combination for users in this department

First OS and browser combination for users with this manager

First activity on this platform for this user

First activity on this platform for users in this department

First activity on this platform for users with this manager

First activity from this network zone for this platform

First activity from this endpoint on this platform for this user

First operation for this platform

Abnormal number of unique destination IPs accessed from this endpoint

First activity from this ISP for the organization

First activity from this ISP for this user

First activity from this ISP for users in this department

First activity from this ISP for users with this manager

Abnormal number of unique failed operations in this platform for this user

First activity from this country for the organization

First activity from this country for this user

First activity from this country for users in this country

First activity from this country for users in this department

First activity from this country for users with this manager

First activity from this country to this zone

First activity to this country from this zone

First activity to this country for the organization

First cloud service in this platfrom for this user

First cloud service in this platfrom for users in this department

First cloud service in this platfrom for users with this manager

First activity from this endpoint to this endpoint

An attempt was made to connect to an IP address with a bad reputation from this endpoint

An attempt was made to connect from an IP address with a bad reputation from this endpoint

A TOR IP address was accessed

First cloud region for the organization

First cloud region for this user

Failed activity

Abnormal number of unique destination endpoints accessed from this endpoint

An attempt was made to connect to an IP address associated to Ransomware from this endpoint

An attempt was made to connect to this endpoint from an IP address associated to Ransomware

First web browser for this organization

First web browser for this user

First web browser for users in this department

First web browser for users with this manager

First operating system for this organization

First operating system for this user

First operating system for users in this department

First operating system for users with this manager

First group member addition for this user

First group member addition for users in this department

First group member addition for users with this manager

First group member addition for this system account on this endpoint

First group member addition on this endpoint

First timeframe of a group member addition for this user

Security group is privileged

First OU in a group member addition to this group

User added themself to a group

First group member addition from this network zone

First group member addition to this group

User is local user

Login type for user

First login from this source network zone to this destination network zone

First login from this network zone for the organization

First login from this network zone for this user

Abnormal number of failed login events in this platform for this user

Abnormal number of unique destination network zones in login events for this user

Abnormal number of unique destination network zones in login events for users in this country

Abnormal number of unique destination network zones in login events for users in this department

Abnormal number of unique destination network zones in login events for users with this manager

First login using this email domain for this platform

A hacking tool domain was used in a login

First login to this network zone for this user

First login to this network zone for users in this country

First login to this network zone for users in this department

First login to this network zone for users with this manager

First login to this platform for this user

Abnormal amount of bytes sent in inbound communication from this network zone

Abnormal amount of bytes sent in outbound communication from this endpoint

Abnormal amount of bytes sent using SSH, Telnet, SMTP, DNS, HTTP or HTTPS protocols in outbound communication from this endpoint to this port

Abnormal amount of bytes sent in outbound communication from this network zone

Abnormal amount of bytes failed to be sent in outbound communication from this endpoint

Network protocol

First communication to this IP address for this process from this endpoint

First communication to a network of this type for this process from this endpoint

Network activity failed

A BitTorrent port was accessed"

First timeframe of a password retrieval for this user

Abnormal number of password retrievals for the organization

Abnormal number of password retrievals for this user

Abnormal number of password retrievals for users in this department

Abnormal number of password retrievals for users with this manager

First password retrieval from this endpoint for this user

First password retrieval from this safe for this user

First password retrieval for this user

First password retrieval for users in this department

First password retrieval for users with manager peer group

Abnormal number of unique safes in password retrieval events for this user

Abnormal number of unique cities physically accessed for this user

Abnormal number of unique doors physically accessed for this user

First timeframe of a physical access for this user

First physical access to this building for this user

First physical access in this city for this user

First physical access to this door for this user

User succeeded/failed to physically access a location

A disabled user accessed a physical location

First Windows privilege use for this user

First Windows privilege use for this users in this department

First Windows privilege use for this users with this manager

Abnormal number of administrative privilege access events for this user

First Windows privilege use from this endpoint and network zone

First Windows privilege use from this endpoint for this user

'devtoolslauncher.exe' deployed a process

The Windows control panel process spawned 'rundll32.exe'

The 'getsystem' Meterpreter/Cobalt Strike command was executed on this endpoint

Artifacts related to Meterpreter and Cobalt Strike have been observed on this endpoint

Parent process is a credential enumeration tool

Parent process is a Microsoft Office process

Parent process is a known pentesting tool

Parent process is a shell process

Parent process is a system enumeration tool

Parent process is a web server process

'regsvr32.exe' loaded a DLL from the 'AppData\\Local' directory

'wbadmin.exe' was used to delete a backup catalog

'assoc.exe' was used to change the association of an extension to execution

schtask.exe' was executed via PowerSploit or Empire default configuration on this endpoint

ntdsutil.exe' was executed on this endpoint

Artifacts related to the group 'TropicTrooper' have been observed on this endpoint

'cdb.exe' was used to execute a script

Abnormal number of critical Windows command executions for the organization

'dnscat.exe' was executed

'iodine.exe' was executed

'powershell.exe' was used to clear an event log

'wevtutil.exe' was used to disable or clear an event tracing

'wmic.exe' was used to clear an event log

sc.exe' was executed with suspicious parameters in the command line on this endpoint

Process execution from a temporary directory

Process executed from suspicious folder

A Microsoft Office application executed regsvr32.exe on this endpoint

Hangul Word Processor (Hanword) executed 'gbb.exe' on this endpoint

'hh.exe' loaded a complied HTML file

'powershell.exe' was used to decode a Base64 string

'powershell.exe' was used to execute a known malicious encoded command

'powershell.exe' was used to disable AMSI scanning

The Windows control panel process loaded control panel items outside of the default folders

sharphound.exe' was executed on this endpoint

fsutil.exe' was executed with suspicious parameters on this endpoint

The security/sam/system registry hives have been dumped on this endpoint using 'reg.exe'

A Shadow copy was deleted on this endpoint using 'vssadmin.exe'

A Shadow copy was deleted on this endpoint using 'wmic.exe'

cmdkey.exe was executed with the parameter '/list' to search for cached credentials on this endpoint

dir.exe was executed on the users folder on this endpoint

First execution of 'powershell.exe' with an encrypted command for this user

irst execution of 'powershell.exe' with an encrypted command for this parent process

A suspicious base64 powershell command was executed on this endpoint

msiexec.exe was executed with web addresses as a parameter on this endpoint

WMI invoked a remote XSL script on this endpoint

First execution of an Office process with a remote document from this web domain

First execution of an Office process with a remote document from this web domain for this user

.NET supporting process created with an URL in the commandline

'dsquery.exe' was used to discover domain trusts

'nltest.exe' was used to discover domain trusts

Applocker bypass

BITSAdmin was used to download a file

certutil.exe' executed with suspicious command line flags on this endpoint

EquationGroup APT

rundll32.exe' was executed the command line 'dll_u' on this endpoint

Endpoint is critical

Process execution on a server

The data exfiltration tool 'plink' was executed on this endpoint

First execution of 'powershell.exe' with the '-ExecutionPolicy Bypass' parameter for this user

A Shadow copy was created on this endpoint using 'powershell.exe'

A Shadow copy was created on this endpoint using 'wmic.exe'

First shadow copy creation using 'vssadmin.exe' from this endpoint

'bcdedit.exe' was used to disable Windows recovery mode

'bcdedit.exe' was used to disable Windows error recovery

'httptunnel.exe' was executed

'socat.exe' was executed

'stunnel.exe' was executed

Potential PowerShell execution from a DLL on this endpoint

PowerShell executed 'rundll32.exe' to load a dll from a temporary folder on this endpoint

The attacker tool, CreateMiniDump, was executed on this endpoint

A process memory dump was taken on this endpoint via 'comsvcs.dll' using 'rundll32.exe'

'mstsc.exe' was executed with command line arguments that indicates the 'shadowing' of an existing RDP session on this endpoint

'forfiles.exe' spawned a child process

'pcalua.exe' was used to execute an indirect command

PowerShell executed command line arguments, used to load an empire module, on this endpoint

Artifacts related to 'Winnti' malware have been observed on this endpoint

'takeown.exe' was used to take ownership of a file or a folder

Artifacts related to the attacker tool 'Koadic' have been observed on this endpoint

ns.exe' executed a suspicious process on this endpoint

The task scheduler was executed with the parameters '/change', '/tn', '/ru' and '/rp' on this endpoint

Abnormal number of PowerShell executions for the organization

Abnormal number of PowerShell executions for this user

Abnormal number of PowerShell executions for users in this department

Abnormal number of PowerShell executions for users with this manager

The LSASS memory space was accessed and credentials may have been dumped on this endpoint

LSASS was dumped on this enpoint using 'procdump.exe'

A WMI script event consumers was executed on this endpoint

'reg.exe' was used to modify an AutoRun registry key

Process with 'system' level integrity is spawned by local/network service

Artifacts related to the APT 'EmpireMonkey' have been observed on this endpoint

Artifacts releted to 'Wocao' operation have been observed on this endpoint

First execution of a critical Windows command from this endpoint

First execution of a critical Windows command from this endpoint for this user

First execution of a critical Windows command from this endpoint for users in this country

First execution of a critical Windows command from this endpoint for users in this department

First execution of a critical Windows command from this endpoint for users with this manager

First execution of 'msbuild.exe' to build and execute a project on this endpoint

Regsvr32.exe used to download/install/register new DLLs, that are hosted on Web, on this endpoint

An IIS native-code modules was installed on this endpoint using 'appcmd.exe'

Execution of 'wmiprvse' version related to FireEye Pentesting

'rundll32.exe' executed an exported DLL function using an ordinal number

'rundll32.exe' loaded a DLL from the AppData folder

Privilege escalation using SetupComplete.cmd and PartnerSetupComplete.cmd

'esentutl.exe' was used to copy files with credentials data

sc.exe was executed by user with Medium integrity level to change service ImagePath or FailureCommand on this endpoint

A service path to powershell command was modified on this endpoint using 'sc.exe'

wscript/cscript.exe executed a VBScript with a suspicious parameter on this endpoint

Either 'wscript.exe' or 'cscript.exe' was executed from the user directory or the ProgramData directory and ran a script on this endpoint

A process with an '.exe' extension follwing a non-executable extension was executed

'schtasks.exe' was used to deactivate a scheduled defragmentation task

The process 'passworddump.exe' from the 'SecurityXploded' toolkit was executed on this endpoint

A screenshot was captured on this endpoint using 'psr.exe'

Abnormal number of unique credential enumeration tools executed for this user

Abnormal number of unique host enumeration tools executed for this user

Artifacts related to 'ZxShell' have been observed on this endpoint

'reg.exe' was used to enable WDigest authentication

'powershell.exe' was used to execute a BITS transfer

A Windows system program executable was executed from an uncommon folder on this endpoint

A suspicious parent process of well-known Windows processes on this endpoint

Artifacts related to the Judgement Panda activity have been observed on this endpoint

Artifacts related to a Russian group activity have been observed on this endpoint

fltmc.exe used to unload Sysmon driver on this endpoint

Artifacts related to 'Mustang Panda' droppers have been seen on this endpoint

First parent process for this known child process

First child process for this known parent process

Remote PowerShell session with wsmprovhost as child process

Remote PowerShell session was detected by monitoring for wsmprovhost as a parent process which are signs of an active PowerShell remote session. This can be a legitimate usage of remote PowerShell for monitoring purposes but should still be noted. This sigma rule is authored by Roberto Rodriguez @Cyb3rWard0g and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml

Remote DCOM activation under DcomLaunch service

'powershell.exe' was executed with a hidden or non-interactive window

'bitsadmin.exe' was spawned by a shell process

'certutil.exe' was spawned by a shell process

'csc.exe' was spawned by a shell or a Microsoft Office process

'csi.exe' was spawned by PowerShell

'regsvr32.exe' spawned 'cscript.exe' or 'wscript.exe'

Process is a credential enumeration tool

Process is a known pentesting tool

Process is a shell process

Process is a system enumeration tool

A shim database registered on this endpoint using sdbinst.ex

'icacls.exe' was used to grant global permissions on a file

First file or folder permissions modification using 'icacls.exe' or 'cacls.exe' for this user

'consent.exe' spawned 'iexploer.exe' with system permissions

Artifacts related to the APT group 'Hurricane Panda' have been observed on this endpoint

Find SPNs using setspn.exe

'powershell.exe' was used to record external audio

'soundrecorder.exe' was used to record external audio

Microsoft Workflow Compiler was executed on this endpoint

'OpenWith.exe' executed another program on this endpoint

GoToMyPC remote desktop access agent installed

GoToMyPC remote desktop access service installed

GoToMyPC remote desktop access service started

LogMeIn remote desktop access agent installed

LogMeIn remote desktop access service installed

LogMeIn remote desktop access service started

Splashtop remote desktop access agent installed

Splashtop remote desktop access service installed

Splashtop remote desktop access service started

TeamViewer remote desktop access agent installed

TeamViewer remote desktop access service installed

TeamViewer remote desktop access service started

'bcdedit.exe' was used to enable test signing

The attacker tool 'crackmapexec.exe' was executed on this endpoint

The Notepad++ updater was executed from an unknown path

The PowerShell process executed a script from the AppData folder

First process execution from this directory for the organization

First process execution from this directory for this parent process

First process execution from this directory for this user

Mimikatz was executed on this endpoint via a powershell command

Mimikatz was executed on this endpoint

'at.exe' was used to execute an interactive scheduled task

Mshta.exe executed a javascript code on this endpoint

EquationEditor was executed on this endpoint

'powershell.exe' was used to execute known 'Baby Shark' malware encoded commands

Artifacts related to APT29 have been observed on this endpoint

First execution of this known pentest tool for this user

'bcdedit.exe' was used to delete or import boot entry data

'rundll32.exe' executed the Archer malware

taskmgr.exe' was executed by the user 'system' on this endpoint

whoami.exe' was executed by the user 'system' on this endpoint

'del.exe' was used to execute a formbook

type.exe' was used to execute a formbook

Tasks folder evasion using 'copy.exe'

Tasks folder evasion using 'echo.exe'

Tasks folder evasion using 'type.exe'

First execution of 'ipconfig.exe' for this user

First execution of 'route.exe' for this user

tshark.exe' was executed on this endpoint

windump.exe' was executed on this endpoint

A Shadow copy was symbolically linked on this endpoint using 'mklink.exe'

Artifacts related to the APT 'Elise' have been observed on this endpoint

Microsoft Connection Manager Profile Installer (cmstp.exe) was executed with the parameter '/s' or '/au' on this endpoint

Windows UAC bypass using COM object on this endpoint

fodhelper.exe executed a process on this endpoint

wsreset.exe executed a process that is not conhost.exe on this endpoint

Artifacts related to 'Dtrack' malware have been observed on this endpoint

'ping.exe' was used to ping a hex encoded IP address

'netsh.exe' was used to disable the Windows firewall

Process injection using ZOHO's 'dctask64.exe'

A process from the Outlook temp folder was executed on this endpoint

Artifacts related to the ransomware NotPetya have been observed on this endpoint

Svchost.exe executed without any CLI arguments on this endpoint

First firewall policies enumeration using 'netsh.exe' for this user

First local groups enumeration using 'net.exe' for this user

First local users enumeration using 'net.exe' for this user

'powershell.exe' was used to execute a PowerShell script from an ADS

Artifacts related to the APT 'Chafer' have been observed on this endpoint

Command line parameters used by the attacker tool 'Rubeus' were executed on this endpoint

Bypass application whitelisting using 'bginfo'

'mshta.exe' was used to directly execute a script

Local accounts enumeration using quser.exe

Local accounts enumeration using qwinsta.exe

Local accounts enumeration using whoami.exe

Local accounts enumeration using wmic.exe

A JAVA process is running with remote debugging allowing more than just localhost to connect

First access to a SYSVOL domain group policy using a process for users in this department

First access to a SYSVOL domain group policy using a process for users with this manager

Artifacts related to the 'Emotet' malware have been observed on this endpoint

A network sniffing tool was executed on this endpoint

First execution of a network sniffing tool from this endpoint

irst execution of a network sniffing tool for this user

First execution of a network sniffing tool for users in this department

First execution of a network sniffing tool for users with this manager

First execution of a network sniffing tool from this network zone

'appcmd.exe' was used to disable IIS HTTP logging

A remote process was executed and redirected to an admin share

First scheduled task creation configured to execute this process for the organization

First scheduled task creation configured to execute this process for this user

First scheduled task creation configured to execute this process for this task name

First timeframe of a scheduled task creation on this endpoint

First scheduled task creation on this endpoint

First scheduled task creation on this endpoint for this user

First scheduled task creation on this endpoint for users in this country

First scheduled task creation on this endpoint for users in this department

First scheduled task creation on this endpoint for users with this manager

First creation of a scheduled task with this name for the organization

First creation of a scheduled task with this name for users in this department

First creation of a scheduled task with this name for users with this manager

Scheduled task created to execute PowerShell on this endpoint by this user

Abnormal number of unique alerts triggered from this endpoint

Abnormal number of unique alerts triggered for this user

Abnormal number of unique alerts triggered for users in this department

Abnormal number of unique alerts triggered for users with this manager

Security alert reported on a Critical system

First trigger of a security alert with this subject from this endpoint

First security alert trigger from this endpoint

First security alert trigger in this network zone

First security alert trigger from this endpoint in this network zone

First security alert trigger from this endpoint for this user

First security alert trigger from this endpoint for a user in this country

First security alert trigger from this endpoint for a user in this department

First security alert trigger from this endpoint for a user with this manager

A correlation rule was triggered

First network alert trigger on this port for this destination network zone

First network alert trigger on this port on this endpoint

First network alert trigger on this port in the organization

Security alert reported when logged in via VPN for user

First trigger of this security alert from this endpoint

First trigger of this security alert in the organization

First trigger of this correlation rule in the organization

First trigger of this security alert from this endpoint

First trigger of this correlation rule from this endpoint

First trigger of this security alert in this network zone

First trigger of this security alert for this user

First trigger of this correlation rule for this user

First trigger of this security alert for users in this department

First trigger of this correlation rule for users in this department

First trigger of this security alert for users with this manager

First trigger of this correlation rule for users with this manager

Security violation by Executive

First security alert trigger on this process for this user

First security alert trigger on a server for this destination network zone

First security alert trigger for this user

First security alert trigger for users in this country

First security alert trigger for users in this department

First security alert trigger for users with this manager

A third party security alert reported for user

Alert product and severity

Correlation rule severity

Abnormal number of unique protocols in DLP alerts for this user

First DLP alert trigger on this process for the organization

First DLP alert trigger on this process for this user

First DLP alert trigger on this process for users in this department

First DLP alert trigger on this process for users with this manager

First DLP alert trigger on this protocol for this user

First DLP alert trigger on this domain for this protocol

First access to this network share from this endpoint

First access to this network share for this user

Abnormal number of unique network shares accessed for this user

Share access by privileged user

The share is an admin share

The share is an known named pipe

Abnormal number of unique files accessed in this network share for this user

First peripheral device ID for the organization

First peripheral device ID from this endpoint

First peripheral device ID for this user

First peripheral device ID for users in this department

First peripheral device ID for users with this manager

First peripheral device activity for this user

First peripheral device activity from this endpoint

First peripheral device activity from this endpoint for this user

First peripheral device activity from this endpoint for users in this country

First peripheral device activity from this endpoint for users in this department

First peripheral device activity from this endpoint for users with this manager

First user creation on this endpoint

First user creation on this endpoint for this user

First user creation processed by this DC for this user

First user creation on this domain for this user

User is a local user

First user creation from this endpoint

First user creation from this endpoint for this user

First user creation in this network zone for the organization

First timeframe of a user creation for this user

First user creation for this user

First user creation for users in this department

First user creation for users with this manager

First user creation for this system account on this endpoint

First account switch for this user

First account switch to this account for this user

User switched credentials to a privileged or executive account

User switched credentials from a privileged or executive account

First VPN login from this country for this user

First VPN login from this endpoint for the organization

First VPN login from this endpoint for this user

First VPN login from this endpoint for users in this country

First VPN login from this endpoint for users in this department

First VPN login from this endpoint for users with this manager

First timeframe of a VPN login for this user

First VPN login for this user

First VPN login for users in this country

First VPN login for users in this department

First VPN login for users with this manager

First VPN login with this realm for this user

First VPN login with this realm for users in this country

First VPN login with this realm for users in this department

First VPN login with this realm for users with this manager

First VPN login from this OS for this user

Abnormal number of failed vpn logins for this user

user is a contractor

user is executive

user is a service account

user is a partner

First VPN login to this vpn server for this user

First VPN login to this vpn server for users in this country

First VPN login to this vpn server for users in this department

First VPN login to this vpn server for users with this manager

A VPN login was attempted from an anonymous country

VPN31

WEB-DC

An HTTP communication attempt to a domain known to be associated with phishing was made from this endpoint

Abnormal amount of bytes uploaded to file sharing websites for the organization

Abnormal amount of bytes uploaded to the web with GET requests for this user

Abnormal amount of bytes uploaded to the web with POST requests for this user

Abnormal amount of bytes downloaded from file sharing websites for this user

Abnormal amount of bytes uploaded to file sharing websites for this user

Abnormal amount of bytes uploaded to file sharing websites for users in this department

Abnormal amount of bytes uploaded to file sharing websites for users with this manager

First HTTP communication from this endpoint for the organization

First HTTP communication from this network zone for the organization

First HTTP communication from this network zone for this user

First HTTP communication from this network zone for users in this country

First HTTP communication from this network zone for users in this department

Abnormal number of successful HTTP events for this user

Abnormal number of HTTP responses with 3xx/4xx codes for this user

An HTTP communication attempt to a known TOR web proxy was made from this endpoint

An HTTP communication attempt to a URL containing '/tor/server' was made from this endpoint

First timeframe of an HTTP activity for this user

An executable was downloaded using HTTP

First HTTP communication to this country for the organization

First HTTP communication to to this country for this user

WEB-ALERT-EXEC

WEB-Privileged-User

First HTTP communication to this country for the organization

First HTTP communication to this country from this endpoint

First HTTP communication to this top level domain for the organization

First HTTP communication directly to an IP address for this user

First failed HTTP communication to this country for the organization

First failed HTTP communication to this country from this endpoint

Abnormal number of failed HTTP events for this user

An HTTP communication attempt to a known malicious uri was made from this endpoint

An HTTP communication attempt to a malicious site was made from this endpoint

An HTTP communication attempt to a domain with bad reputation was made from this endpoint

First HTTP communication to this malicious web domain for this user

Abnormal number of unique domains in failed HTTP events for this user

An HTTP communication attempt to a domain known to be associated with ransomware was made from this endpoint

HTTP activity directly to this IP address

Service creation with suspicious execution command parameters

Service creation from a temporary internet files directory

First timeframe of a service creation on this endpoint

First service creation from this endpoint for this source zone

First service creation with this destination user on this endpoint

First service creation on this endpoint for the organization

First service creation on this endpoint for this user

First service creation on this endpoint for users in this country

First service creation on this endpoint for users in this department

First service creation on this endpoint for users with this manager

First process path for this service