Cortex XDR Analytics Alert Reference: Activity in a dormant region of a cloud project
Last Updated: Sun Jun 19 06:55:06 PDT 2022

    Table of Contents

    Cortex XDR Analytics Alert Reference
    Analytics Alerts by Required Data Source
    A LOLBIN was copied to a different location
    A Successful VPN connection from TOR
    A Successful login from TOR
    A WMI subscriber was created
    A browser was opened in private mode
    A cloud identity executed an API call from an unusual country
    A cloud identity had escalated its permissions
    A compiled HTML help file wrote a script file to the disk
    A compressed file was exfiltrated over SSH
    A computer account was promoted to DC
    A contained executable from a mounted share initiated a suspicious outbound network connection
    A contained executable was executed by unusual process
    A contained process attempted to escape using notify on release feature
    A disabled user attempted to log in
    A disabled user attempted to log in to a VPN
    A disabled user successfully authenticated via SSO
    A process connected to a rare external host
    A remote service was created via RPC over SMB
    A service was disabled
    A successful SSO sign-in from TOR
    A suspicious file was written to the startup folder
    A suspicious process enrolled for a certificate
    A suspicious process queried AD CS objects via LDAP
    A suspicious service was started
    A user accessed an uncommon AppID
    A user accessed multiple time-wasting websites
    A user accessed multiple unusual resources via SSO
    A user account was modified to password never expires
    A user added a Windows firewall rule
    A user authenticated with weak NTLM to multiple hosts
    A user changed the Windows system time
    A user cleared their browser's history
    A user connected a USB storage device for the first time
    A user connected a new USB storage device to a host
    A user connected a new USB storage device to multiple hosts
    A user connected from a new country
    A user connected to a VPN from a new country
    A user created a pfx file for the first time
    A user created an abnormal password-protected archive
    A user performed suspiciously massive file activity
    A user printed an unusual number of files
    A user successfully authenticated via SSO for the first time
    AWS Cloud Trail log trail modification
    AWS CloudWatch log group deletion
    AWS CloudWatch log stream deletion
    AWS Config Recorder stopped
    AWS EC2 instance exported into S3
    AWS Flow Logs deletion
    AWS Guard-Duty detector deletion
    AWS IAM resource group deletion
    AWS RDS cluster deletion
    AWS Role Trusted Entity modification
    AWS System Manager API call execution
    AWS config resource deletion
    AWS network ACL rule creation
    AWS network ACL rule deletion
    AWS user creation
    AWS web ACL deletion
    Abnormal process connection to default Meterpreter port
    Account probing
    Activity in a dormant region of a cloud project
    Adding execution privileges
    Administrator groups enumerated via LDAP
    An AWS RDS Global Cluster Deletion
    An Azure Firewall policy deletion
    An IAM group was created
    An Identity accessed a secret from Secret Manager
    An identity assumed a Role
    An internal Cloud resource performed port scan on external networks
    An uncommon kubectl secret enumeration command was executed
    Aurora DB cluster stopped
    Authentication Attempt From a Dormant Account
    Autorun.inf created in root C drive
    Azure Automation Account Creation
    Azure Automation Runbook Creation/Modification
    Azure Automation Runbook Deletion
    Azure Automation Webhook creation
    Azure Blob Container Access Level Modification
    Azure Event Hub Authorization rule creation/modification
    Azure Event Hub Deletion
    Azure Key Vault modification
    Azure Network Watcher Deletion
    Azure Resource Group Deletion
    Azure Storage Account key generated
    Azure diagnostic configuration deletion
    Azure user creation
    Azure virtual machine commands execution
    Bitsadmin.exe persistence using command-line callback
    Bronze-Bit exploit
    Browser bookmark files accessed by a rare non-browser process
    Cached credentials discovery with cmdkey
    Certutil pfx parsing
    Change of sudo caching configuration
    Cloud Trail Logging has been stopped/suspended
    Cloud Trail logging deletion
    Cloud Watch alarm deletion
    Cloud impersonation by unusual identity type
    Cloud user performed multiple actions that were denied
    Command execution via wmiexec
    Command running with COMSPEC in the command line argument
    Commonly abused AutoIT script connects to an external domain
    Commonly abused AutoIT script drops an executable file to disk
    Commonly abused process launched as a system service
    Conhost.exe spawned a suspicious child process
    Contained process execution with a rare GitHub URL
    Copy a process memory file
    DNS Tunneling
    Delayed Deletion of Files
    Disable encryption operations
    Discovery of host users via WMIC
    Discovery of misconfigured certificate templates using LDAP
    Domain federation settings have been modified
    EC2 snapshot attribute has been modification
    Editing ld.so.preload for persistence and injection
    Elevation to SYSTEM via services
    Encoded information using Windows certificate management tool
    Excessive user account lockouts
    Executable created to disk by lsass.exe
    Executable moved to Windows system folder
    Execution of dllhost.exe with an empty command line
    Execution of renamed lolbin
    Execution of the Hydra Linux password brute-force tool
    External cloud storage access with an unusual ASN
    External cloud storage access with unusual user agent
    Extracting credentials from Unix files
    Failed Connections
    Failed DNS
    Failed Login For Locked-Out Account
    Failed Login For a Long Username With Special Characters
    File transfer from unusual IP using known tools
    First SSO access from ASN in organization
    First VPN access attempt from a country in organization
    First VPN access from ASN for user
    First VPN access from ASN in organization
    First access to a bucket by an identity
    First cloud API call from a country in organization
    First connection from a country in organization
    Fodhelper.exe UAC bypass
    GCP Firewall Rule Modification
    GCP Firewall Rule creation
    GCP IAM Custom Role Creation
    GCP IAM Role Deletion
    GCP IAM Service Account Key Deletion
    GCP Logging Bucket Deletion
    GCP Logging Sink Deletion
    GCP Logging Sink Modification
    GCP Pub/Sub Subscription Deletion
    GCP Pub/Sub Topic Deletion
    GCP Service Account Disable
    GCP Service Account creation
    GCP Service Account deletion
    GCP Service Account key creation
    GCP Storage Bucket Configuration Modification
    GCP Storage Bucket Permissions Modification
    GCP Storage Bucket deletion
    GCP VPC Firewall Rule Deletion
    GCP Virtual Private Cloud (VPC) Network Deletion
    GCP Virtual Private Network Route Creation
    GCP Virtual Private Network Route Deletion
    Globally uncommon root domain from a signed process
    Globally uncommon root-domain port combination from a signed process
    Hidden Attribute was added to a file using attrib.exe
    IAM Enumeration sequence
    IAM User added to an IAM group
    IAM enumeration activity executed by an IAM user Identity
    Image File Execution Options Registry key injection by unsigned process
    Impossible traveler - SSO
    Impossible traveler - VPN
    Increase in Job-Related Site Visits
    Indicator blocking
    Indirect command execution using the Program Compatibility Assistant
    Installation of a new System-V service
    Interactive at.exe privilege escalation method
    Interactive local account enumeration
    Interactive login by a machine account
    Interactive login by a service account
    Interactive login from a shared user account
    Iptables configuration command was executed
    Kerberos Pre-Auth Failures by Host
    Kerberos Pre-Auth Failures by User and Host
    Kerberos Traffic from Non-Standard Process
    Kerberos User Enumeration
    Keylogging using system commands
    Kubectl administration command execution
    LDAP Traffic from Non-Standard Process
    LDAP search query from an unpopular and unsigned process
    LOLBAS executable injects into another process
    LOLBIN process executed with a high integrity level
    LSASS dump file written to disk
    Large Upload (FTP)
    Large Upload (Generic)
    Large Upload (HTTPS)
    Large Upload (SMTP)
    Linux system firewall was disabled
    Linux system firewall was modified
    Local account discovery
    Log4J exploitation attempt against cloud hosted resources
    Login Password Spray
    Login by a dormant user
    MFA device was removed/deactivated from an IAM user
    MSI accessed a web page running a server-side script
    Machine account was added to a domain admins group
    Mailbox Client Access Setting (CAS) changed
    Manipulation of netsh helper DLLs Registry keys
    Masquerading as Linux crond process
    Massive file activity abnormal to process
    Massive upload to a rare storage or mail domain
    Memory dumping with comsvcs.dll
    Microsoft Office Process Spawning a Suspicious One-Liner
    Microsoft Office adds a value to autostart Registry key
    Microsoft Office injects code into a process
    Microsoft Office process spawns a commonly abused process
    Modification of NTLM restrictions in the Registry
    Modification of PAM
    MpCmdRun.exe was used to download files into the system
    Mshta.exe launched with suspicious arguments
    Multi region enumeration activity
    Multiple Rare LOLBIN Process Executions by User
    Multiple Rare Process Executions in Organization
    Multiple Weakly-Encrypted Kerberos Tickets Received
    Multiple discovery commands
    Multiple suspicious user accounts were created
    Multiple user accounts were deleted
    Multiple users authenticated with weak NTLM to a host
    NTLM Brute Force
    NTLM Brute Force on a Service Account
    NTLM Brute Force on an Administrator Account
    NTLM Hash Harvesting
    NTLM Relay
    Netcat makes or gets connections
    New Administrative Behavior
    New Shared User Account
    New addition to Windows Defender exclusion list
    New process created via a WMI call
    Non-browser access to a pastebin-like site
    Non-browser failed access to a pastebin-like site
    Office process accessed an unusual .LNK file
    Office process creates a scheduled task via file access
    Office process spawned with suspicious command-line arguments
    Outlook files accessed by an unsigned process
    Penetration testing tool activity
    Penetration testing tool attempt
    Permission Groups discovery commands
    Phantom DLL Loading
    Ping to localhost from an uncommon, unsigned parent process
    Port Scan
    Possible AWS Instance Metadata Service (IMDS) Abuse
    Possible Brute-Force attempt
    Possible DCShadow attempt
    Possible DCSync from a non domain controller
    Possible Email collection using Outlook RPC
    Possible Kerberoasting without SPNs
    Possible LDAP enumeration by unsigned process
    Possible Microsoft module side-loading into Microsoft process
    Possible Microsoft process masquerading
    Possible Persistence via group policy Registry keys
    Possible RDP session hijacking using tscon.exe
    Possible Search For Password Files
    Possible binary padding using dd
    Possible brute force on sudo user
    Possible brute force or configuration change attempt on cytool
    Possible code downloading from a remote host by Regsvr32
    Possible compromised machine account
    Possible data exfiltration over a USB storage device
    Possible data obfuscation
    Possible external RDP Brute-Force
    Possible internal data exfiltration over a USB storage device
    Possible malicious .NET compilation started by a commonly abused process
    Possible network connection to a TOR relay server
    Possible network service discovery via command-line tool
    Possible network sniffing attempt via tcpdump or tshark
    Possible new DHCP server
    Possible use of a networking driver for network sniffing
    PowerShell Initiates a Network Connection to GitHub
    PowerShell pfx certificate extraction
    PowerShell runs suspicious base64-encoded commands
    PowerShell suspicious flags
    PowerShell used to export mailbox contents
    PowerShell used to remove mailbox export request logs
    Procdump executed from an atypical directory
    Process execution with a suspicious command line indicative of the Spring4Shell exploit
    Python HTTP server started
    RDP Connection to localhost
    Random-Looking Domain Names
    Rare AppID usage for this destination port to rare destination
    Rare LOLBIN Process Execution by User
    Rare NTLM Access By User To Host
    Rare NTLM Usage by User
    Rare SMTP/S Session
    Rare SSH Session
    Rare Unix process divide files by size
    Rare Unsigned Process Spawned by Office Process Under Suspicious Directory
    Rare WinRM Session
    Rare communication over email ports to external email server by unsigned process
    Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol
    Rare machine account creation
    Rare process execution by user
    Rare process execution in organization
    Rare process spawned by srvany.exe
    Rare scheduled task created
    Rare security product signed executable executed in the network
    Rare signature signed executable executed in the network
    Reading bash command history file
    Recurring access to rare IP
    Recurring rare domain access from an unsigned process
    Recurring rare domain access to dynamic DNS domain
    Registration of Uncommon .NET Services and/or Assemblies
    Remote DCOM command execution
    Remote PsExec-like command execution
    Remote WMI process execution
    Remote account enumeration
    Remote command execution via wmic.exe
    Remote service command execution from an uncommon source
    Remote service start from an uncommon source
    Remote usage of AWS Lambda's token
    Remote usage of VM Service Account token
    Remote usage of an App engine Service Account token
    Reverse SSH tunnel to external domain/ip
    Root user logged in to AWS console
    Run downloaded script using pipe
    Rundll32.exe running with no command-line arguments
    Rundll32.exe spawns conhost.exe
    S3 configuration deletion
    SMB Traffic from Non-Standard Process
    SPNs cleared from a machine account
    SSH authentication brute force attempts
    SSO authentication by a machine account
    SSO authentication by a service account
    SSO with abnormal operating system
    SSO with abnormal user agent
    SSO with new operating system
    SUID/GUID permission discovery
    Scrcons.exe Rare Child Process
    Screensaver process executed from Users or temporary folder
    Script file added to startup-related Registry keys
    SecureBoot was disabled
    Security tools detection attempt
    Sensitive account password reset attempt
    Sensitive browser credential files accessed by a rare non browser process
    Service execution via sc.exe
    Service ticket request with a spoofed sAMAccountName
    Setuid and Setgid file bit manipulation
    Short-lived user account
    Signed process performed an unpopular DLL injection
    Signed process performed an unpopular injection
    Space after filename
    Spam Bot Traffic
    Sudoedit Brute force attempt
    Suspicious .NET process loads an MSBuild DLL
    Suspicious AMSI decode attempt
    Suspicious API call from a Tor exit node
    Suspicious Certutil AD CS contact
    Suspicious DotNet log file created
    Suspicious Encrypting File System Remote call (EFSRPC) to domain controller
    Suspicious External RDP Login
    Suspicious GCP compute instance metadata modification
    Suspicious LDAP search query executed
    Suspicious PowerShell Command Line
    Suspicious PowerShell Enumeration of Running Processes
    Suspicious PowerSploit's recon module (PowerView) net function was executed
    Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts
    Suspicious Process Spawned by Adobe Reader
    Suspicious Process Spawned by wininit.exe
    Suspicious RunOnce Parent Process
    Suspicious SMB connection from domain controller
    Suspicious SSO access from ASN
    Suspicious SearchProtocolHost.exe parent process
    Suspicious Udev driver rule execution manipulation
    Suspicious User Login to Domain Controller
    Suspicious access to shadow file
    Suspicious active setup registered
    Suspicious allocation of compute resources in multiple regions - possible mining activity
    Suspicious authentication package registered
    Suspicious certutil command line
    Suspicious cloud identity impersonation
    Suspicious cloud infrastructure enumeration activity
    Suspicious container orchestration job
    Suspicious curl user agent
    Suspicious data encryption
    Suspicious disablement of the Windows Firewall
    Suspicious disablement of the Windows Firewall using PowerShell commands
    Suspicious domain user account creation
    Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin
    Suspicious execution of ODBCConf
    Suspicious failed HTTP request - potential Spring4Shell exploit
    Suspicious hidden user created
    Suspicious identity downloaded multiple objects from a bucket
    Suspicious large allocation of compute resources - possible mining activity
    Suspicious objects encryption in an AWS bucket
    Suspicious print processor registered
    Suspicious process accessed a site masquerading as Google
    Suspicious process accessed certificate files
    Suspicious process changed or created the ssh_authorized_keys file
    Suspicious process executed with a high integrity level
    Suspicious process execution by scheduled task
    Suspicious process execution from tmp folder
    Suspicious process loads a known PowerShell module
    Suspicious process modified RC script file
    Suspicious proxy environment variable setting
    Suspicious reconnaissance using LDAP
    Suspicious runonce.exe parent process
    Suspicious sAMAccountName change
    Suspicious sshpass command execution
    Suspicious systemd timer activity
    Suspicious time provider registered
    Suspicious usage of EC2 token
    Suspicious usage of File Server Remote VSS Protocol (FSRVP)
    Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet
    System information discovery via psinfo.exe
    System profiling WMI query execution
    System shutdown or reboot
    TGT request with a spoofed sAMAccountName - Event log
    TGT request with a spoofed sAMAccountName - Network
    TGT reuse from different hosts (pass the ticket)
    Tampering with Internet Explorer Protected Mode configuration
    The CA policy EditFlags was queried
    Uncommon ARP cache listing via arp.exe
    Uncommon DotNet module load relationship
    Uncommon GetClipboardData API function invocation of a possible information stealer
    Uncommon IP Configuration Listing via ipconfig.exe
    Uncommon Managed Object Format (MOF) compiler usage
    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer
    Uncommon PowerShell commands used to create or alter scheduled task parameters
    Uncommon RDP connection
    Uncommon Security Support Provider (SSP) registered via a registry key
    Uncommon Service Create/Config
    Uncommon SetWindowsHookEx API invocation of a possible keylogger
    Uncommon jsp file write by a Java process
    Uncommon kernel module load
    Uncommon local scheduled task creation via schtasks.exe
    Uncommon msiexec execution of an arbitrary file from the web
    Uncommon multiple service stop commands
    Uncommon net group execution
    Uncommon net localgroup execution
    Uncommon remote scheduled task creation
    Uncommon remote service start via sc.exe
    Uncommon routing table listing via route.exe
    Uncommon user management via net.exe
    Unicode RTL Override Character
    Unprivileged process opened a registry hive
    Unsigned and unpopular process performed a DLL injection
    Unsigned and unpopular process performed an injection
    Unsigned process creates a scheduled task via file access
    Unsigned process injecting into a Windows system binary with no command line
    Unusual AWS credentials creation
    Unusual AWS systems manager activity
    Unusual AWS user added to group
    Unusual IAM enumeration activity by a non-user Identity
    Unusual Identity and Access Management (IAM) activity
    Unusual Lolbins Process Spawned by InstallUtil.exe
    Unusual certificate management activity
    Unusual compressed file password protection
    Unusual key management activity
    Unusual process accessed the PowerShell history file
    Unusual resource modification/creation by newly seen user
    Unusual secret management activity
    Unusual weak authentication by user
    Unverified domain added to Azure AD
    User account delegation change
    User attempted to connect from a suspicious country
    User collected remote shared files in an archive
    User successfully connected from a suspicious country
    VM Detection attempt
    VM Detection attempt on Linux
    VPN access with a new operating system for a user
    VPN access with an abnormal operating system
    VPN login Brute-Force attempt
    VPN login by a dormant user
    VPN login by a service account
    VPN login with a machine account
    Vulnerable driver loaded
    Wbadmin deleted files in quiet mode
    Weakly-Encrypted Kerberos Ticket Requested
    WebDAV drive mounted from net.exe over HTTPS
    Windows Event Log was cleared using wevtutil.exe
    Windows Installer exploitation for local privilege escalation
    Windows event logs were cleared with PowerShell
    WmiPrvSe.exe Rare Child Command Line
    Wscript/Cscript loads .NET DLLs
    Wsmprovhost.exe Rare Child Process
      • New process created via a WMI call
      • Non-browser access to a pastebin-like site
      • Non-browser failed access to a pastebin-like site
      • Office process accessed an unusual .LNK file
      • Office process creates a scheduled task via file access
      • Office process spawned with suspicious command-line arguments
      • Outlook files accessed by an unsigned process
      • Penetration testing tool activity
      • Penetration testing tool attempt
      • Permission Groups discovery commands
      • Phantom DLL Loading
      • Ping to localhost from an uncommon, unsigned parent process
      • Port Scan
      • Possible AWS Instance Metadata Service (IMDS) Abuse
      • Possible Brute-Force attempt
      • Possible DCShadow attempt
      • Possible DCSync from a non domain controller
      • Possible Email collection using Outlook RPC
      • Possible Kerberoasting without SPNs
      • Possible LDAP enumeration by unsigned process
      • Possible Microsoft module side-loading into Microsoft process
      • Possible Microsoft process masquerading
      • Possible Persistence via group policy Registry keys
      • Possible RDP session hijacking using tscon.exe
      • Possible Search For Password Files
      • Possible binary padding using dd
      • Possible brute force on sudo user
      • Possible brute force or configuration change attempt on cytool
      • Possible code downloading from a remote host by Regsvr32
      • Possible compromised machine account
      • Possible data exfiltration over a USB storage device
      • Possible data obfuscation
      • Possible external RDP Brute-Force
      • Possible internal data exfiltration over a USB storage device
      • Possible malicious .NET compilation started by a commonly abused process
      • Possible network connection to a TOR relay server
      • Possible network service discovery via command-line tool
      • Possible network sniffing attempt via tcpdump or tshark
      • Possible new DHCP server
      • Possible use of a networking driver for network sniffing
      • PowerShell Initiates a Network Connection to GitHub
      • PowerShell pfx certificate extraction
      • PowerShell runs suspicious base64-encoded commands
      • PowerShell suspicious flags
      • PowerShell used to export mailbox contents
      • PowerShell used to remove mailbox export request logs
      • Procdump executed from an atypical directory
      • Process execution with a suspicious command line indicative of the Spring4Shell exploit
      • Python HTTP server started