AlertLogic logs via ALERTLOGIC_API_v3 or ALERTLOGIC_IRIS_API
Cisco Application Visibility and Control (AVC) logs via Netflow V9
CrowdStrike Falcon via FALCON_STREAMING_API/FALCON_DATA_REPLICATOR
Crowdstrike via FALCON_STREAMING_API or FALCON_DATA_REPLICATOR
Dragos Platform via Syslog and Nozomi SCADA Guardian/CMC via NOZOMI_API
The following Windows osqueries via FortiSIEM Agent: Windows_services.exe_unusual_parent
The following Windows osqueries via FortiSIEM Agent: windows_conhost.exe_incorrect_path
Windows Firewall with Advanced Security logs via FortiSIEM Agent
Windows osquery windows_debugger_registry_keys via FortiSIEM Agent
Windows osquery windows_processes_communicating_outbound_to_public_addresses_on_ports_other_than_80
Windows osquery windows_processes_with_deleted_binaries via FortiSIEM Agent
Name | Tactic | Technique | Severity |
---|---|---|---|
Linux: NMAP Process Activity | Reconnaissance | T1592.002,T1595.001 | 7 |
Linux: Nping Process Activity | Reconnaissance | T1595.001 | 7 |
Phishing attack found but not remediated | Reconnaissance | T1598.002,T1598.003 | 9 |
Windows: PUA - Crassus Execution | Reconnaissance | T1590.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Suspicious Botnet like End host DNS Behavior | Command and Control | none | 6 |
Traffic to bogon networks | Command and Control | none | 8 |
AWS SecHub: Tactics: Command-and-Control Detected | Command and Control | none | 8 |
Crowdstrike: User Compromise | Command and Control | none | 8 |
FortiGate detects Botnet | Command and Control | none | 9 |
FortiSandbox detects Botnet | Command and Control | none | 9 |
Outbreak: HAFNIUM Exchange OWA Server Authentication Bypass | Command and Control | none | 9 |
Outbreak: HAFNIUM FortiGate Permitted IPS Event | Command and Control | none | 9 |
Outbreak: HAFNIUM Infected File Detected by FortiGate | Command and Control | none | 9 |
Outbreak: HAFNIUM Suspicious File hash match | Command and Control | none | 9 |
Outbreak: SUNBURST Suspicious File Created | Command and Control | none | 9 |
Outbreak: SUNBURST Suspicious File Hash Match | Command and Control | none | 9 |
Permitted Traffic from Emerging Threat IP List | Command and Control | none | 7 |
Windows: Powershell opening TCP Connection | Command and Control | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Suspicious Botnet like End host DNS Behavior | Command and Control | none | 6 |
FortiGate detects Botnet | Command and Control | none | 9 |
FortiSandbox detects Botnet | Command and Control | none | 9 |
Outbreak: FortiWeb detected Zerobot Botnet Activity on Network | Lateral Movement | T1210 | 9 |
Outbreak: Sysrv-K Botnet Activity Detected on Host | Resource Development | T1584.005 | 9 |
Outbreak: Sysrv-K Botnet Activity Detected on Network | Resource Development | T1584.005 | 9 |
Outbreak: Zerobot Botnet Activity Detected on Host | Lateral Movement | T1210 | 9 |
Outbreak: Zerobot Botnet Activity Detected on Network | Lateral Movement | T1210 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS EC2 Instance Down | Impact | T1529 | 4 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Code Injection Attack detected by NIPS | Execution | none | 9 |
FortiSandbox detects Network Attack | Execution | none | 7 |
FortiWeb: Permitted Inbound Attack Detected | Lateral Movement | T1210 | 9 |
High Risk Rating Cisco IPS Exploit | Execution | none | 9 |
High Severity Inbound Denied Security Exploit | Execution | none | 5 |
High Severity Inbound Permitted IPS Exploit | Execution | none | 9 |
High Severity Outbound Denied IPS Exploit | Execution | none | 9 |
High Severity Outbound Permitted IPS Exploit | Execution | none | 9 |
High Severity Symantec Host IPS Exploit | Execution | none | 9 |
Multiple Distinct IPS Events From Same Src | Execution | none | 9 |
System Exploit Detected by Network IPS | Execution | none | 7 |
System Exploit Detected by Network IPS: Likely Success | Execution | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Concurrent Failed Authentications To Same Account From Multiple Cities | Credential Access | T1110.001 | 7 |
Concurrent Failed Authentications To Same Account From Multiple Countries | Credential Access | T1110.001 | 9 |
Concurrent Successful Authentications To Same Account From Multiple Cities | Credential Access | T1110.001 | 7 |
Concurrent Successful Authentications To Same Account From Multiple Countries | Credential Access | T1110.001 | 9 |
Concurrent Successful VPN Authentications To Same Account From Different Countries | Credential Access | T1110.001 | 9 |
Sudden User Location Change | Credential Access | none | 9 |
Sudden User Login Pattern Change | Behavioral Anomaly | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS SecHub: Tactics: Impact: Data Destruction Detected | Impact | none | 7 |
Crowdstrike: Data Deletion | Impact | none | 8 |
Website defacement attack | Impact | T1491.001,T1491.002 | 9 |
Windows: Deleted Data Overwritten Via Cipher.EXE | Impact | T1485 | 5 |
Windows: Deletion of Volume Shadow Copies via WMI with PowerShell | Impact | T1490 | 7 |
Windows: Potential File Overwrite Via Sysinternals SDelete | Impact | T1485 | 7 |
Windows: Shadow Copies Deletion Using Operating Systems Utilities | Impact | T1490 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Half Open TCP DDOS Attack | Impact | T1498.001 | 7 |
TCP DDOS Attack | Impact | T1498.001 | 8 |
AWS SecHub: Tactics: Impact: Denial of Service Detected | Impact | T1498.001 | 8 |
Distributed DoS Attack detected by NIPS | Impact | T1498.001 | 9 |
DoS Attack detected by NIPS | Impact | T1498.001 | 9 |
DoS Attack on Network Devices by Network IPS | Impact | T1498.001 | 9 |
DoS Attack on WLAN Infrastructure by Network IPS | Impact | T1498.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Critical APC Trap | Environmental | none | 9 |
Critical APC Trap: can be auto cleared | Environmental | none | 9 |
FPC Current THD high | Environmental | none | 9 |
FPC Voltage THD high | Environmental | none | 9 |
FPC ground current high | Environmental | none | 9 |
HVAC humidity high | HVAC | none | 9 |
HVAC humidity low | HVAC | none | 9 |
HVAC temp high | HVAC | none | 9 |
HVAC temp low | HVAC | none | 9 |
NetBotz camera motion detected | Environmental | none | 7 |
NetBotz module door open | Environmental | none | 7 |
UPS Battery Metrics Critical | UPS | none | 9 |
UPS Battery Status Critical | UPS | none | 9 |
Warning APC Trap | Environmental | none | 7 |
Warning APC Trap: can be auto cleared | Environmental | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AlertLogic Incident | Execution | none | 7 |
Armis Alert Detected | Behavioral Anomaly | none | 9 |
Cortex XDR Alert Detected | Behavioral Anomaly | none | 9 |
Cortex XDR Alert Prevented | Behavioral Anomaly | none | 7 |
Cylance Waived Threat | Execution | none | 3 |
FortiNDR Cloud: High Severity Detection triggered for a Host | Privilege Escalation | T1068 | 9 |
FortiNDR Cloud: Low Severity Detection triggered for a Host | Privilege Escalation | T1068 | 4 |
FortiNDR Cloud: Moderate Severity Detection triggered for a Host | Privilege Escalation | T1068 | 7 |
MS 365 Defender: Delivery Detected | Impact | none | 8 |
MS 365 Defender: Exploit Detected | Execution | none | 9 |
MS 365 Defender: Generic Alert | PH_RULE_SECURITY_Suspicious_Activity | none | 7 |
MS 365 Defender: Incident Triggered | Suspicious Activity | none | 7 |
Microsoft ATA Center: Security Alert Triggered | Behavioral Anomaly | none | 6 |
UserGate UTM IDPS Alert Detected | Behavioral Anomaly | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiDeceptor: IPS Attack to Decoy | Lateral Movement | none | 9 |
FortiDeceptor: Successful FTP/TFTP Operations to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful IOT SCADA Operations to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful RDP Login to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful SAMBA Operations to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful SSH Login to Decoy | Initial Access ICS | T0886 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS SecHub: Tactics: Initial Access Detected | Initial Access | none | 7 |
Azure External Guest User Invitation | Initial Access | T1078.004 | 3 |
Windows: External Disk Drive or USB Storage Device | Initial Access | T1091,T1200 | 3 |
Windows: ISO Image Mount | Initial Access | T1566.001 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS CloudTrail Log Deleted | Defense Evasion | T1562.008 | 9 |
AWS CloudWatch Alarm Deleted | Defense Evasion | T1562.008 | 5 |
AWS CloudWatch Log Stream Deleted | Defense Evasion | T1070.004 | 9 |
AWS EC2 Flow Log Deleted | Defense Evasion | T1562.008 | 7 |
CyberArk Vault User History Clear | Defense Evasion | T1070.003 | 8 |
GCP: Logging Sink Deleted | Defense Evasion | T1562.008 | 8 |
GCP: Storage or Logging Bucket Deleted | Defense Evasion | T1562.008 | 6 |
Linux: Clear System Logs | Defense Evasion | T1070.002 | 9 |
Windows Security Log Cleared | Defense Evasion | T1070.001 | 9 |
Windows: Backup Catalog Deleted | Defense Evasion | T1070.004 | 5 |
Windows: Disable of ETW Trace | Defense Evasion | T1562.006 | 7 |
Windows: Eventlog Cleared | Defense Evasion | T1070.001 | 5 |
Windows: Security Event Log Cleared | Defense Evasion | T1070.001 | 5 |
Windows: Suspicious Eventlog Clear or Configuration Change | Defense Evasion | T1562.002 | 7 |
Windows: System Eventlog Cleared | Defense Evasion | T1070.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS CloudTrail Log Suspended | Defense Evasion | T1562.008 | 9 |
AWS CloudWatch Log Group Deleted | Defense Evasion | T1070.004 | 9 |
AWS Configuration Recorder Stopped | Defense Evasion | T1562.008 | 7 |
AWS GuardDuty Detector Deleted | Defense Evasion | T1562.008 | 7 |
Azure Event Hub Deleted | Defense Evasion | T1562.008 | 9 |
Azure Network Watcher Deleted | Defense Evasion | T1562.007 | 5 |
Linux: Attempt to Disable Syslog Service | Defense Evasion | T1562.004 | 9 |
Windows Logging Service Shutdown | Defense Evasion | T1562.002 | 9 |
Windows Security Log is Full | Defense Evasion | T1070.001 | 9 |
Windows: Disable Security Events Logging Adding Reg Key MiniNt | Defense Evasion | T1562.001 | 7 |
Windows: Disable Windows IIS HTTP Logging | Defense Evasion | T1562.002 | 7 |
Windows: Disabling Windows Event Auditing | Defense Evasion | T1562.002 | 7 |
Windows: Sysmon Channel Reference Deletion | Defense Evasion | T1112 | 7 |
Windows: SystemStateBackup Deleted Using Wbadmin.EXE | Impact | T1490 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS RDS Instance/Cluster Stopped | Impact | T1489 | 5 |
Windows: Application Uninstalled | Impact | T1489 | 3 |
Windows: Delete All Scheduled Tasks | Impact | T1489 | 7 |
Windows: Delete Important Scheduled Task | Impact | T1489 | 7 |
Windows: Disable Important Scheduled Task | Impact | T1489 | 7 |
Windows: Stop Windows Service Via Net.EXE | Impact | T1489 | 3 |
Windows: Stop Windows Service Via PowerShell Stop-Service | Impact | T1489 | 3 |
Windows: Stop Windows Service Via Sc.EXE | Impact | T1489 | 3 |
Windows: Suspicious Execution of Shutdown | Impact | T1529 | 5 |
Windows: Suspicious Execution of Shutdown to Log Out | Impact | T1529 | 5 |
Windows: Suspicious Execution of Taskkill | Impact | T1489 | 3 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Cobalt Strike Service Installations: Security Log | Execution | T1569.002 | 7 |
Windows: CobaltStrike Service Installations: System Log | Execution | T1569.002 | 9 |
Windows: Metasploit Or Impacket Service Installation Via SMB PsExec | Lateral Movement | T1570 | 7 |
Windows: Meterpreter or Cobalt Strike Getsystem Service Installation - System | Defense Evasion | T1134.002 | 9 |
Windows: Meterpreter or Cobalt Strike Service Installation: Security Log | Defense Evasion | T1134.002 | 9 |
Windows: Potential Meterpreter/CobaltStrike Activity | Defense Evasion | T1134.002 | 7 |
Windows: PsExec Service Child Process Execution as LOCAL SYSTEM | Persistence | none | 7 |
Windows: PsExec Service Execution | Persistence | none | 5 |
Windows: PsExec Service File Creation | Execution | T1569.002 | 3 |
Windows: Renamed PsExec Service Execution | Persistence | none | 7 |
Windows: Suspicious PsExec Execution | Lateral Movement | T1021.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Linux: Potential DNS Tunneling via Iodine | Command And Control | T1071.004 | 7 |
Tunneled traffic detected | Command And Control | T1572 | 7 |
Windows: Communication To Ngrok Tunneling Service | Command And Control | T1572 | 7 |
Windows: DNS Exfiltration and Tunneling Tools Execution | Command And Control | T1048.001,T1071.004,T1132.001 | 7 |
Windows: Exfiltration and Tunneling Tools Execution | Command And Control | T1572 | 5 |
Windows: PUA - Chisel Tunneling Tool Execution | Command And Control | T1090.001 | 7 |
Windows: Potential RDP Tunneling Via SSH | Command And Control | T1572 | 7 |
Windows: Potential RDP Tunneling Via SSH Plink | Command And Control | T1572 | 7 |
Windows: RDP Over Reverse SSH Tunnel | Command And Control | T1572 | 7 |
Windows: RDP over Reverse SSH Tunnel WFP | Command And Control | T1090.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Machine Learning Anomaly Detected | Policy Violation | none | 7 |
UEBA AI detects unusual drive unmounted | UEBA | none | 7 |
UEBA AI detects unusual file creation | UEBA | T1074.001 | 7 |
UEBA AI detects unusual file deletion | UEBA | none | 7 |
UEBA AI detects unusual file download | UEBA | none | 7 |
UEBA AI detects unusual file movement | UEBA | none | 7 |
UEBA AI detects unusual file printed | UEBA | none | 7 |
UEBA AI detects unusual file reading | UEBA | none | 7 |
UEBA AI detects unusual file renamed | UEBA | none | 7 |
UEBA AI detects unusual file upload | UEBA | none | 7 |
UEBA AI detects unusual file writing | UEBA | none | 7 |
UEBA AI detects unusual machine off | UEBA | none | 7 |
UEBA AI detects unusual machine on | UEBA | none | 7 |
UEBA AI detects unusual new drive mounted | UEBA | none | 7 |
UEBA AI detects unusual process created | UEBA | none | 7 |
UEBA AI detects unusual process not restarted | UEBA | none | 7 |
UEBA AI detects unusual process started | UEBA | none | 7 |
UEBA AI detects unusual process stopped | UEBA | none | 7 |
Windows DNS Server: Suspicious DNS Traffic Resolved | Behavioral Anomaly | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS SecHub: Host Vulnerability Detected | Impact | T1499.004 | 8 |
Otorio RAM2 Vulnerability Discovered | Policy Violation | none | 9 |
Scanner found medium vulnerability | Impact | T1499.004 | 7 |
Scanner found severe vulnerability | Impact | T1499.004 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
NetBotz camera motion detected | Environmental | none | 7 |
NetBotz module door open | Environmental | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Critical APC Trap | Environmental | none | 9 |
Critical APC Trap: can be auto cleared | Environmental | none | 9 |
Warning APC Trap | Environmental | none | 7 |
Warning APC Trap: can be auto cleared | Environmental | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AWS EC2 Instance Down | Impact | T1529 | 4 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
AlertLogic Incident | Execution | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Agent FIM: Linux File Content Modified | Defense Evasion | T1070.004,T1565.001 | 7 |
Agentless FIM: Audited file or directory created | Collection | T1074.001,T1565.001 | 8 |
Agentless FIM: Audited file or directory deleted | Defense Evasion | T1070.004,T1565.001 | 8 |
Agentless FIM: Audited file or directory ownership or permission changed | Defense Evasion | T1222.002,T1565.001 | 9 |
Agentless FIM: Audited target file content modified | Defense Evasion | T1070.004,T1565.001 | 8 |
Audited file or directory content modified in SVN | Defense Evasion | T1070.004,T1565.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Difference between Running and Startup Config | Policy Violation | none | 7 |
Running Config Change | Defense Evasion | T1562.004 | 6 |
Startup Config Change | Defense Evasion | T1562.004 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Default Password Detected by System | Policy Violation | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Network Device Degraded: Lossy Ping Response | Impact | T1529 | 7 |
Network Device Down: no ping response | Impact | T1529 | 7 |
Server Degraded: Lossy Ping Response | Impact | T1529 | 7 |
Server Down: No Ping Response | Impact | T1529 | 7 |
Sudden Increase in Ping Response Times | Impact | T1499.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Service Degraded: Slow Response to STM | Impact | T1489 | 7 |
Service Degraded: Slow Response to STM: Has IP | Impact | T1499.003 | 7 |
Service Down: No Response to STM | Impact | T1499.003 | 9 |
Service Down: No Response to STM: Has IP | Application | none | 9 |
Service Staying Down: No Response to STM | Impact | T1499.003 | 8 |
Service Staying Down: No Response to STM: Has IP | Application | none | 8 |
Sudden Increase in STM Response Times | Impact | T1499.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Sudden Decrease in Reported Events From A Host | FortiSIEM | none | 7 |
Sudden Increase in Reported Events From A Host | Discovery | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Network Installed Software Change | Defense Evasion | T1218.001 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
UPS Battery Metrics Critical | UPS | none | 9 |
UPS Battery Status Critical | UPS | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Brute Force App Login Success | Credential Access | T1110.001 | 9 |
Excessive HTTP Client Side Errors | Impact | T1498.001 | 7 |
Excessive Web Request Failures | Application | none | 7 |
Repeated Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 9 |
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Armis Alert Detected | Behavioral Anomaly | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
ArubaOS-CX: Config Change Detected | Audit | none | 7 |
ArubaOS-CX: Multiple Users Deleted | Impact | T1531 | 9 |
ArubaOS-CX: User Added | Persistence | T1136.001 | 9 |
ArubaOS-CX: User Deleted | Impact | T1531 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 6 |
Repeated Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Rogue or Unsecure AP Detected | Initial Access | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
MS 365 Defender: Generic Alert | PH_RULE_SECURITY_Suspicious_Activity | none | 7 |
MS 365 Defender: Incident Triggered | Suspicious Activity | none | 7 |
MS 365 Defender: Ingress Tool Transfer Alert | Command And Control | T1105 | 7 |
MS 365 Defender: LSASS Memory - Credential Access Alert | Credential Access | T1003.001 | 9 |
MS 365 Defender: Masquerading - Execution Alert | Defense Evasion | T1036.004 | 9 |
MS 365 Defender: OS Credential Dumping - Suspicious Activity Alert | Credential Access | T1003.007 | 9 |
MS 365 Defender: Process Injection - Defense Evasion Alert | Defense Evasion | T1055.001 | 9 |
MS 365 Defender: Suspicious PowerShell command line Execution Alert | Execution | T1059.001 | 7 |
MS 365 Defender: Suspicious Process Discovery - Discovery Alert | Discovery | T1057 | 7 |
MS 365 Defender: Suspicious Task Scheduler activity - Persistence Alert | Persistence | T1053.002 | 9 |
MS 365 Defender: System Network Configuration Discovery - Discovery Alert | Discovery | T1016.001 | 6 |
MS 365 Defender: System Service Discovery - Discovery Alert | Discovery | T1007 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Uncommon DNS Queries | Exfiltration | T1048.002 | 6 |
DNS Traffic to Anomali ThreatStream Malware Domains | Exfiltration | T1048.001 | 9 |
DNS Traffic to FortiGuard Malware Domains | Exfiltration | T1048.001 | 9 |
Outbreak: SUNBURST Domain Traffic | Command And Control | T1568.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Barracuda WAF: Config Change Detected | Defense Evasion | T1562.004 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Carbon Black Fatal Errors | Application | none | 8 |
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Failed Checkpoint Firewall Policy Install | Audit | none | 8 |
Successful Checkpoint Firewall Policy Install | Audit | none | 7 |
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Cisco ACI Cluster Unavailable | SDN | none | 9 |
Cisco ACI Critical Fault | SDN | none | 9 |
Cisco ACI Node Health Critical | SDN | none | 9 |
Cisco ACI Node Health Warning | SDN | none | 7 |
Cisco ACI System Health Critical | SDN | none | 9 |
Cisco ACI System Health Warning | SDN | none | 7 |
Cisco ACI Tenant Health Critical | SDN | none | 9 |
Cisco ACI Tenant Health Warning | SDN | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Spyware Found And Cleaned | Execution | T1204.001 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Running Config Change: with login info | Defense Evasion | T1562.004 | 6 |
Startup Config Change: with login | Defense Evasion | T1562.004 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
High throughput VPN session | Audit | none | 7 |
Long lasting VPN session | Audit | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Cisco AVC: Application Flows with QoS Queue Packet Drops | Application | none | 5 |
Cisco AVC: Application Response Time Late | Application | none | 7 |
Cisco AVC: P2P Applications that exceed interface utilization | Interface | none | 1 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Degraded VoIP Call Quality | Impact | T1499.002 | 7 |
Poor VoIP Call Quality | Impact | T1499.002 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FireAMP Malicious file execution | Persistence | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Running Config Change: with login info | Defense Evasion | T1562.004 | 6 |
Startup Config Change: with login | Defense Evasion | T1562.004 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Degraded IPSLA DNS Test | Impact | T1499.002 | 7 |
Degraded IPSLA ICMP Test | Impact | T1499.002 | 7 |
Degraded IPSLA UDP Echo Test | Impact | T1499.002 | 7 |
Degraded VoIP IPSLA Call Quality | Impact | T1499.002 | 7 |
IPSLA HTTP Test Failure | Impact | T1499.002 | 7 |
Poor VoIP IPSLA Call Quality | Impact | T1499.002 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Account Locked: Network Device | Credential Access | T1110.001 | 9 |
EIGRP Neighbor Down | Impact | T1529 | 9 |
IOS Packet Memory Test Failure | Network | none | 9 |
Layer 2 Switch Port Security Violation | Suspicious Activity | none | 9 |
Network Device Redundancy Lost | Network | none | 6 |
Network Interface Duplex Mismatch | Network | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Mail Hard Bounce Delivery Failures | Mail Server | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Uncommon DNS Queries | Exfiltration | T1048.002 | 6 |
Cisco Umbrella: Failed DNS Requests to Malware Domains: Same source and Multiple Destinations | Command And Control | T1071.004 | 9 |
Cisco Umbrella: Intelligent Proxy Blocked a Malware Request by Policy | Command And Control | T1071.004 | 9 |
Cisco Umbrella: Multiple Failed DNS Requests to a Malware Domain: Same Source and Destination | Command And Control | T1071.004 | 9 |
DNS Traffic to Anomali ThreatStream Malware Domains | Exfiltration | T1048.001 | 9 |
DNS Traffic to FortiGuard Malware Domains | Exfiltration | T1048.001 | 9 |
Outbreak: SUNBURST Domain Traffic | Command And Control | T1568.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Uncommon DNS Queries | Exfiltration | T1048.002 | 6 |
Cisco Umbrella: Failed DNS Requests to Malware Domains: Same source and Multiple Destinations | Command And Control | T1071.004 | 9 |
Cisco Umbrella: Intelligent Proxy Blocked a Malware Request by Policy | Command And Control | T1071.004 | 9 |
Cisco Umbrella: Multiple Failed DNS Requests to a Malware Domain: Same Source and Destination | Command And Control | T1071.004 | 9 |
DNS Traffic to Anomali ThreatStream Malware Domains | Exfiltration | T1048.001 | 9 |
DNS Traffic to FortiGuard Malware Domains | Exfiltration | T1048.001 | 9 |
Outbreak: SUNBURST Domain Traffic | Command And Control | T1568.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 6 |
Repeated Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Rogue or Unsecure APs Detected | Initial Access | none | 9 |
Wireless Host Blacklisted | Policy Violation | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Rogue or Unsecure AP Detected | Initial Access | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
CyberArk Vault Blocked Operations | Credential Access | none | 8 |
CyberArk Vault CPM Password Disabled | Credential Access | none | 8 |
CyberArk Vault Excessive Failed PSM Connections | Credential Access | none | 8 |
CyberArk Vault Excessive Impersonations | Credential Access | none | 8 |
CyberArk Vault Excessive PSM Keystroke Logging Failure | Credential Access | none | 8 |
CyberArk Vault Excessive PSM Session Monitoring Failure | Credential Access | T1110.001 | 8 |
CyberArk Vault Excessive Password Release Failure | Credential Access | T1110.001 | 8 |
CyberArk Vault File Operation Failure | Credential Access | none | 8 |
CyberArk Vault Object Content Validation Failure | Credential Access | none | 8 |
CyberArk Vault Unauthorized User Stations | Credential Access | none | 8 |
CyberArk Vault User History Clear | Defense Evasion | T1070.003 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
CyberX Detected Malware | Behavioral Anomaly | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Cylance Blocked Exploit | Execution | none | 7 |
Cylance Found Active Script | Execution | none | 7 |
Cylance Found Corrupt File | Impact | none | 7 |
Cylance High Severity Threat | Persistence | none | 9 |
Cylance Low Severity Threat | Persistence | none | 3 |
Cylance Medium Severity Threat | Persistence | none | 7 |
Cylance Quarantined Host | Execution | none | 7 |
Cylance Waived Threat | Execution | none | 3 |
CylanceProtect Threat Changed | Execution | none | 7 |
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
EqualLogic Connection Read/Write Latency Critical | Impact | T1499.001 | 9 |
EqualLogic Connection Read/Write Latency Warning | Impact | T1499.001 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Scanner found medium vulnerability | Impact | T1499.004 | 7 |
Scanner found severe vulnerability | Impact | T1499.004 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Server Hardware Critical | Hardware | none | 9 |
Storage Port Down | Impact | T1489 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Unregistered EMC Clariion Host | Storage | none | 4 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Brute Force App Login Success | Credential Access | T1110.001 | 9 |
Repeated Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 9 |
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FireEye HX IOC found | Persistence | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FireEye Malware Callback | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Sudden Increase In Firewall Connections | Impact | T1498.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiAnalyzer: No logs received from a device in 4 hours | Network | none | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Scanner found medium vulnerability | Impact | T1499.004 | 7 |
Scanner found severe vulnerability | Impact | T1499.004 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Account Locked: Network Device | Credential Access | T1110.001 | 9 |
FortiDeceptor: IPS Attack to Decoy | Lateral Movement | none | 9 |
FortiDeceptor: Successful FTP/TFTP Operations to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful IOT SCADA Operations to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful RDP Login to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful SAMBA Operations to Decoy | Initial Access ICS | T0886 | 9 |
FortiDeceptor: Successful SSH Login to Decoy | Initial Access ICS | T0886 | 9 |
Suspicious logon attempt | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiEDR: Inconclusive or PUP Process Blocked | Execution | T1204.002 | 7 |
FortiEDR: Inconclusive or PUP Process Detected | Execution | T1204.002 | 8 |
FortiEDR: Likely Safe Process Blocked | Execution | T1204.002 | 2 |
FortiEDR: Likely Safe Process Detected | Execution | T1204.002 | 4 |
FortiEDR: Malicious Process Blocked | Execution | T1204.002 | 9 |
FortiEDR: Malicious Process Detected | Execution | T1204.002 | 10 |
FortiEDR: Safe Process Blocked | Execution | T1204.002 | 1 |
FortiEDR: Safe Process Detected | Execution | T1204.002 | 3 |
FortiEDR: Suspicious Process Blocked | Execution | T1204.002 | 7 |
FortiEDR: Suspicious Process Detected | Execution | T1204.002 | 8 |
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Malware found but not remediated | Exfiltration | T1041 | 9 |
Outbreak: Apache RocketMQ RCE Vuln Detected on Network | Lateral Movement | T1210 | 9 |
Outbreak: Multiple Vendor Camera System Attack Detected on Network | Lateral Movement | T1210 | 9 |
Outbreak: SolarView Compact Command Injection Vuln Detected on Network | Lateral Movement | T1210 | 9 |
Outbreak: VMware Aria Operations for Networks Command Injection Vuln Detected on Network | Lateral Movement | T1210 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiMail Failover | Mail Server | none | 7 |
FortiMail: Malicious Spam File Attachment Found | Collection | T1114.001 | 9 |
FortiMail: Malicious URL found | Collection | T1114.001 | 9 |
Outbreak: DARKSIDE Ransomware File Activity Detected on Network | Exfiltration | T1041 | 9 |
Outbreak: DEARCRY Infected File Detected on Network | Exploit | none | 9 |
Spam/Malicious Mail Attachment found but not remediated | Collection | T1114.001 | 7 |
Virus found in mail | Collection | T1114.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiNDR Cloud: High Severity Detection triggered for a Host | Privilege Escalation | T1068 | 9 |
FortiNDR Cloud: Low Severity Detection triggered for a Host | Privilege Escalation | T1068 | 4 |
FortiNDR Cloud: Moderate Severity Detection triggered for a Host | Privilege Escalation | T1068 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiNDR: Attack Chain Blocked | Malware | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiNDR: Attack Chain Permitted | Malware | none | 10 |
Outbreak: DARKSIDE Ransomware File Activity Detected on Network | Exfiltration | T1041 | 9 |
Outbreak: DEARCRY Infected File Detected on Network | Exploit | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Exposed Service Detected on Host | Lateral Movement | T1210 | 9 |
FortiRecon: Certificate Issue Found for an Asset | Lateral Movement | T1210 | 9 |
FortiRecon: High Severity Reputation Issue Found for an Asset | Lateral Movement | T1210 | 9 |
FortiRecon: Leaked Credit or Debit Cards Found Online | Collection | T1119 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Machine Learning Anomaly Detected | Policy Violation | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Sudden Increase In System CPU Usage | Impact | T1499.001 | 7 |
Sudden Increase in Network Interface Errors | Interface | none | 7 |
Sudden Increase in Network Interface Traffic | Impact | T1498.001 | 7 |
Sudden Increase in System Memory Usage | Impact | T1499.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiSandbox detects file malware with high or medium risk | Exfiltration | T1041 | 9 |
FortiSandbox detects Botnet | Command and Control | none | 9 |
FortiSandbox detects Network Attack | Execution | none | 7 |
FortiSandbox detects URL Malware | Exfiltration | T1041 | 9 |
FortiSandbox detects malicious file malware from file upload | Exfiltration | T1041 | 9 |
FortiSandbox detects multiple attacks from same source | Lateral Movement | none | 9 |
FortiSandbox detects multiple hosts with infected files | Exfiltration | T1041 | 9 |
FortiSandbox detects unknown risk file malware | Exfiltration | T1041 | 7 |
Outbreak: DARKSIDE Ransomware File Activity Detected on Host | Exfiltration | T1041 | 9 |
Outbreak: DEARCRY Infected File Detected on Host | Exploit | none | 9 |
Outbreak: SUNBURST Suspicious File Hash Match | Command and Control | none | 9 |
Outbreak: SUNBURST Suspicious File Hash match by Source and Destination | Command And Control | T1095 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Account Locked: Network Device | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FortiWeb: Permitted Inbound Attack Detected | Lateral Movement | T1210 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Running Config Change: with login info | Defense Evasion | T1562.004 | 6 |
Startup Config Change: with login | Defense Evasion | T1562.004 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Google Workspace: 2FA Enforcement Disabled for Organization | Audit | none | 9 |
Google Workspace: 2FA Verification Disabled for Organization | Audit | none | 10 |
Google Workspace: API Access Permitted for OAUTH Client | Persistence | T1098.001 | 7 |
Google Workspace: Application Added to Domain | Audit | none | 9 |
Google Workspace: Domain added to Trusted Domains List | Audit | none | 9 |
Google Workspace: Password Management Policy Changed | Audit | none | 9 |
Google Workspace: Role Assigned to User | Persistence | T1098.001 | 9 |
Google Workspace: Role Created by User | Persistence | T1098.001 | 9 |
Google Workspace: Role Deleted by User | Audit | none | 9 |
Google Workspace: Role Modified by User | Persistence | T1098.001 | 9 |
Uncommon GSuite Login | Defense Evasion | T1484.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Database DDL changes | Audit | none | 7 |
Database user or group changes | Persistence | T1098.001 | 7 |
Multiple Logon Failures: Database | Credential Access | T1110.001 | 9 |
Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 6 |
Repeated Multiple Logon Failures: Database | Credential Access | T1110.001 | 9 |
Repeated Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 9 |
Suspicious Database Logon | Initial Access | T1078.003 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Repeated Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Uncommon DNS Queries | Exfiltration | T1048.002 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Isilon Protocol Latency Critical | Impact | T1499.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Brute Force App Login Success | Credential Access | T1110.001 | 9 |
Repeated Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Failed VPN Logon From Outside My Country | Credential Access | T1110.001 | 7 |
Multiple Logon Failures: VPN | Credential Access | T1110.001 | 6 |
Successful VPN Logon From Outside My Country | Credential Access | T1110.001 | 7 |
Brute Force App Login Success | Credential Access | T1110.001 | 9 |
Concurrent Successful VPN Authentications To Same Account From Different Countries | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
FPC Current THD high | Environmental | none | 9 |
FPC Voltage THD high | Environmental | none | 9 |
FPC ground current high | Environmental | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
HVAC humidity high | HVAC | none | 9 |
HVAC humidity low | HVAC | none | 9 |
HVAC temp high | HVAC | none | 9 |
HVAC temp low | HVAC | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Agent FIM: Linux Directory Ownership or Permission Changed | Defense Evasion | T1222.002,T1565.001 | 7 |
Agent FIM: Linux File Changed From Baseline | Defense Evasion | T1070.004,T1565.001 | 7 |
Agent FIM: Linux File Ownership or Permission Changed | Defense Evasion | T1222.002,T1565.001 | 9 |
Agent FIM: Linux File or Directory Created | Collection | T1074.001,T1565.001 | 7 |
Agent FIM: Linux File or Directory Deleted | Defense Evasion | T1070.004,T1565.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Linux: Creation of Kernel Module | Persistence | T1547.006 | 5 |
Linux: Creation or Modification of Systemd Service | Persistence | T1543.002 | 5 |
Linux: Job Schedule Modification | Persistence | T1053.003 | 5 |
Linux: Modifications of .bash-profile and .bashrc | Persistence | T1546.004 | 7 |
Linux: Sudoers File Modification | Privilege Escalation | T1548.003 | 9 |
Modification of ld.so.preload | Defense Evasion | T1055.009 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Database Server Disk Latency Critical | Storage I/O | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Important process down | Impact | T1489 | 7 |
Important process staying Down | Impact | T1489 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Uncommon Linux process Created | Defense Evasion | T1484.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
High Process CPU: Server | Impact | T1499.003 | 8 |
High Process Memory: Server | Impact | T1499.003 | 8 |
Server CPU Critical | Impact | T1499.001 | 9 |
Server CPU Warning | Impact | T1499.001 | 5 |
Server Disk Latency Critical | Impact | T1499.001 | 9 |
Server Disk Latency Warning | Impact | T1499.001 | 5 |
Server Disk Space Critical | Impact | T1499.001 | 9 |
Server Disk space Warning | Impact | T1499.001 | 5 |
Server Installed Software Change | Defense Evasion | T1218.001 | 6 |
Server Intf Error Critical | Impact | T1499.001 | 9 |
Server Intf Error Warning | Impact | T1499.001 | 5 |
Server Intf Util Critical | Impact | T1499.001 | 9 |
Server Intf Util Warning | Impact | T1499.001 | 5 |
Server Memory Critical | Impact | T1499.001 | 9 |
Server Memory Warning | Impact | T1499.001 | 5 |
Server Network Low Port Staying Down | Network | none | 7 |
Server Swap Memory Critical | Impact | T1499.001 | 9 |
Sudden Increase in Server Process Count | Impact | T1499.001 | 7 |
Unix Server Health: Critical | Impact | T1499.001 | 9 |
Unix Server Health: Warning | Impact | T1499.001 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Sudden Increase in Failed Logons To A Host | Initial Access | T1078.003 | 7 |
Sudden Increase in Successful Logons To A Host | Initial Access | T1078.003 | 7 |
Uncommon Linux SSH Login | Defense Evasion | T1484.001 | 7 |
Uncommon Server Login | Defense Evasion | T1484.001 | 7 |
Uncommon VPN Login | Defense Evasion | T1484.001 | 7 |
Uncommon Windows Service | Defense Evasion | T1484.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
MS 365 Defender: Delivery Detected | Impact | none | 8 |
MS 365 Defender: Exploit Detected | Execution | none | 9 |
MS 365 Defender: Malware Detected | Exfiltration | T1041 | 9 |
MS 365 Defender: Persistence Detected | Persistence | none | 8 |
MS 365 Defender: Suspicious Activity Detected | Persistence | none | 7 |
MS 365 Defender: Unwanted Software Detected | Persistence | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
MS 365 Defender: Generic Alert | PH_RULE_SECURITY_Suspicious_Activity | none | 7 |
MS 365 Defender: Incident Triggered | Suspicious Activity | none | 7 |
MS 365 Defender: Ingress Tool Transfer Alert | Command And Control | T1105 | 7 |
MS 365 Defender: LSASS Memory - Credential Access Alert | Credential Access | T1003.001 | 9 |
MS 365 Defender: Masquerading - Execution Alert | Defense Evasion | T1036.004 | 9 |
MS 365 Defender: OS Credential Dumping - Suspicious Activity Alert | Credential Access | T1003.007 | 9 |
MS 365 Defender: Process Injection - Defense Evasion Alert | Defense Evasion | T1055.001 | 9 |
MS 365 Defender: Suspicious PowerShell command line Execution Alert | Execution | T1059.001 | 7 |
MS 365 Defender: Suspicious Process Discovery - Discovery Alert | Discovery | T1057 | 7 |
MS 365 Defender: Suspicious Task Scheduler activity - Persistence Alert | Persistence | T1053.002 | 9 |
MS 365 Defender: System Network Configuration Discovery - Discovery Alert | Discovery | T1016.001 | 6 |
MS 365 Defender: System Service Discovery - Discovery Alert | Discovery | T1007 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Azure Service Discovery | Discovery | T1526 | 3 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Microsoft ATA Center: Security Alert Triggered | Behavioral Anomaly | none | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Exchange Server Mailbox Queue high | Impact | T1499.002 | 7 |
Exchange Server RPC latency high | Impact | T1499.002 | 7 |
Exchange Server RPC request high | Impact | T1499.002 | 7 |
Exchange Server SMTP Queue high | Impact | T1499.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Brute Force App Login Success | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessively Slow SQL Server DB Query | Database | none | 7 |
SQL Server Excessive Blocking | Database | none | 7 |
SQL Server Excessive Deadlock | Database | none | 7 |
SQL Server Excessive Full Scan | Discovery | T1046 | 7 |
SQL Server Excessive Page Read/Write | Database | none | 7 |
SQL Server Low Buffer Cache Hit Ratio | Database | none | 7 |
SQL Server Low Free Pages in Buffer Pool | Database | none | 7 |
SQL Server Low Log Cache Hit Ratio | Database | none | 7 |
Slow MySQL DB Query | Database | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
MySQL Database Instance Down | Impact | T1489 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Meraki Device Cellular Connection Disconnected | Network | none | 7 |
Meraki Device Down | Impact | T1489 | 9 |
Meraki Device IP Conflict | Network | none | 7 |
Meraki Device Interface Down | Network | none | 7 |
Meraki Device Port Cable Error | Network | none | 8 |
Meraki Device VPN Connectivity Down | Network | none | 9 |
Meraki Foreign AP Detected | Policy Violation | none | 7 |
Meraki New DHCP Server | Network | none | 7 |
Meraki New Splash User | Persistence | T1098.001 | 7 |
Meraki No DHCP lease | Network | none | 7 |
Meraki Rogue DHCP Server | Policy Violation | none | 7 |
Meraki Unreachable Device | Network | none | 9 |
Meraki Unreachable RADIUS Server | Network | none | 9 |
Meraki VPN Failover | Network | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Uncommon DNS Queries | Exfiltration | T1048.002 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
HyperV Logical Processor Total Run Time Percent Critical | Impact | T1499.001 | 5 |
HyperV Disk I/O Warning | Impact | T1499.001 | 5 |
HyperV Disk Latency Critical | Impact | T1499.001 | 9 |
HyperV Guest Critical | Impact | T1499.001 | 9 |
HyperV Guest Hypervisor Run Time Percent Warning | Impact | T1499.001 | 7 |
HyperV Logical Processor Total Run Time Percent Warning | Impact | T1499.001 | 7 |
HyperV Page fault Critical | Impact | T1499.001 | 9 |
HyperV Page fault Warning | Impact | T1499.001 | 7 |
HyperV Remaining Guest Memory Warning | Impact | T1499.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
IIS Virtual Memory Critical | Impact | T1499.003 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive FTP Client Side Errors | Impact | T1498.001 | 7 |
Excessive HTTP Client Side Errors | Impact | T1498.001 | 7 |
Outbreak: HAFNIUM Exchange OWA Server Authentication Bypass | Command and Control | none | 9 |
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Database DDL changes | Audit | none | 7 |
Database user or group changes | Persistence | T1098.001 | 7 |
Multiple Logon Failures: Database | Credential Access | T1110.001 | 9 |
Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 6 |
Repeated Multiple Logon Failures: Database | Credential Access | T1110.001 | 9 |
Repeated Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 9 |
Suspicious Database Logon | Initial Access | T1078.003 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Web Request Failures | Application | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 6 |
Repeated Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 6 |
Repeated Multiple Logon Failures: WLAN | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
NetApp Back to Back Consistency Point | Impact | T1499.001 | 9 |
NetApp CIFS Latency Critical | Impact | T1499.001 | 9 |
NetApp CIFS Read/Write Latency Warning | Impact | T1499.001 | 5 |
NetApp FCP Read/Write Latency Critical | Impact | T1499.001 | 9 |
NetApp FCP Read/Write Latency Warning | Impact | T1499.001 | 5 |
NetApp ISCSI Read/Write Latency Critical | Impact | T1499.001 | 9 |
NetApp ISCSI Read/Write Latency Warning | Impact | T1499.001 | 5 |
NetApp NFS Read/Write Latency Critical | Impact | T1499.001 | 9 |
NetApp NFS Read/Write Latency Warning | Impact | T1499.001 | 5 |
NetApp Volume Read/Write Latency Critical | Impact | T1499.001 | 9 |
NetApp Volume Read/Write Latency Warning | Impact | T1499.001 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Critical NetApp Trap | Storage | none | 9 |
Critical NetApp Trap: can be auto cleared | Storage | none | 9 |
Warning NetApp Trap | Storage | none | 7 |
Warning NetApp Trap: can be auto cleared | Storage | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Repeated DNS Queries To Same Domain | Command And Control | T1568.001 | 6 |
Suspicious Botnet like End host DNS Behavior | Command and Control | none | 6 |
Executable file posting from external source | Execution | none | 9 |
Unapproved File Execution | Execution | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Multiple Login Failures: Net Device: No Source IP | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessively Slow Oracle DB Query | Database | none | 7 |
High Oracle Non-System Table Space Usage | Database | none | 7 |
High Oracle System Table Space Usage | Database | none | 7 |
Oracle DB Alert Log Error | Database | none | 8 |
Oracle DB Low Buffer Cache Hit Ratio | Database | none | 7 |
Oracle DB Low Library Cache Hit Ratio | Database | none | 7 |
Oracle DB Low Row Cache Hit Ratio | Database | none | 7 |
Oracle DB Low Row Memory Sorts Ratio | Memory | none | 7 |
Oracle Database Instance Down | Impact | T1489 | 9 |
Oracle Database Listener Down | Impact | T1489 | 9 |
Oracle Database not backed up for 1 day | Database | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Database DDL changes | Audit | none | 7 |
Database user or group changes | Persistence | T1098.001 | 7 |
Multiple Logon Failures: Database | Credential Access | T1110.001 | 9 |
Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 6 |
Repeated Multiple Logon Failures: Database | Credential Access | T1110.001 | 9 |
Repeated Multiple Logon Failures: Misc App | Credential Access | T1110.001 | 9 |
Suspicious Database Logon | Initial Access | T1078.003 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Oracle OCI: Customer Secret Key Created | Persistence | T1098.001 | 9 |
Oracle OCI: Group Created | Persistence | T1098.001 | 7 |
Oracle OCI: Policy Created | Defense Evasion | T1562.007 | 7 |
Oracle OCI: Policy Deleted | Defense Evasion | T1562.007 | 7 |
Oracle OCI: User API Key Created and Uploaded | Persistence | T1098.001 | 7 |
Oracle OCI: User Activated MFA | Audit | none | 4 |
Oracle OCI: User Added to a Group | Persistence | T1098.001 | 9 |
Oracle OCI: User Auth Token Created | Persistence | T1098.001 | 7 |
Oracle OCI: User Created | Persistence | T1136.003 | 9 |
Oracle OCI: User Deleted | Impact | T1531 | 9 |
Oracle OCI: User Disabled MFA | Persistence | T1098.001 | 9 |
Oracle OCI: User OAuth Client Credential Created | Persistence | T1098.001 | 9 |
Oracle OCI: User SMTP Credentials Created | Resource Development | T1585.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Otorio RAM2 Alert has Triggered | Policy Violation | none | 9 |
Otorio RAM2 Vulnerability Discovered | Policy Violation | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Cortex XDR Alert Detected | Behavioral Anomaly | none | 9 |
Cortex XDR Alert Prevented | Behavioral Anomaly | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Palo Alto Config Change Failed | Audit | none | 6 |
Palo Alto Config Change Succeeded | Audit | none | 4 |
Unauthorized Palo Alto Firewall Config Change | Audit | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Failed VPN Logon From Outside My Country | Credential Access | T1110.001 | 7 |
Multiple Logon Failures: VPN | Credential Access | T1110.001 | 6 |
Successful VPN Logon From Outside My Country | Credential Access | T1110.001 | 7 |
Brute Force App Login Success | Credential Access | T1110.001 | 9 |
Concurrent Successful VPN Authentications To Same Account From Different Countries | Credential Access | T1110.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Adware process found | Persistence | none | 7 |
Malware found by firewall but not remediated | Persistence | none | 9 |
Phishing attack found but not remediated | Reconnaissance | T1598.002,T1598.003 | 9 |
Rootkit found | Persistence | T1014,T1554,T1601.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Postfix gateway connection failures | Impact | T1499.002 | 8 |
Excessive Postfix mail send error | Impact | T1499.002 | 8 |
Excessive Postfix mail send latency | Collection | T1114.001 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Scanner found medium vulnerability | Impact | T1499.004 | 7 |
Scanner found severe vulnerability | Impact | T1499.004 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Radvision Corrupt video packets | Video Conferencing | none | 7 |
Radvision Ethernet Loss | Impact | T1489 | 7 |
Radvision Gateway Down | Impact | T1489 | 9 |
Radvision Hardware Removed/Swapped | Video Conferencing | none | 7 |
Radvision ISDN Loss | Impact | T1489 | 7 |
Radvision call setup issues | Video Conferencing | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Scanner found medium vulnerability | Impact | T1499.004 | 7 |
Scanner found severe vulnerability | Impact | T1499.004 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
BGP Neighbor Down | Impact | T1529 | 9 |
OSPF Neighbor Down | Impact | T1529 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Website access policy violation | Policy Violation | none | 5 |
Website access policy violation: High volume | Policy Violation | none | 9 |
Website access policy violation: Multiple categories | Policy Violation | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive HTTP Client Side Errors | Impact | T1498.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
NFS Disk space Warning | Impact | T1499.001 | 5 |
Storage CPU Warning | Impact | T1499.001 | 5 |
Storage Device CPU Critical | Impact | T1499.001 | 9 |
Storage Device Disk Space Critical | Impact | T1499.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
High Severity Symantec Host IPS Exploit | Execution | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Malware found but not remediated | Exfiltration | T1041 | 9 |
Spyware found but not remediated | Execution | T1204.001 | 9 |
Virus outbreak | Lateral Movement | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Scanner found medium vulnerability | Impact | T1499.004 | 7 |
Scanner found severe vulnerability | Impact | T1499.004 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Website access policy violation | Policy Violation | none | 5 |
Website access policy violation: High volume | Policy Violation | none | 9 |
Website access policy violation: Multiple categories | Policy Violation | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
UserGate UTM IDPS Alert Detected | Behavioral Anomaly | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Datastore Space Warning | Impact | T1499.001 | 7 |
ESX CPU Critical | Impact | T1499.001 | 9 |
ESX CPU Warning | Impact | T1499.001 | 5 |
ESX Disk I/O Critical | Impact | T1499.001 | 9 |
ESX Disk I/O Warning | Impact | T1499.001 | 5 |
ESX Memory Critical | Impact | T1499.001 | 9 |
ESX Memory Warning | Impact | T1499.001 | 5 |
ESX Network I/O Critical | Impact | T1499.001 | 9 |
ESX Network I/O Warning | Impact | T1499.001 | 5 |
Sudden Increase in Disk I/O | Impact | T1499.001 | 7 |
VCenter Datastore Space Critical | Impact | T1499.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
ESX Server Health: Critical | Impact | T1499.001 | 9 |
ESX Server Health: Warning | Impact | T1499.001 | 7 |
Virtual Machine CPU Critical | Impact | T1499.001 | 9 |
Virtual Machine CPU Warning | Impact | T1499.001 | 5 |
Virtual Machine Health: Critical | Impact | T1499.001 | 9 |
Virtual Machine Health: Warning | Impact | T1499.001 | 5 |
Virtual Machine Memory Swapping Critical | Impact | T1499.001 | 9 |
Virtual Machine Memory Swapping Warning | Impact | T1499.001 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Database Server Disk Latency Critical | Storage I/O | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Deployment AppX Package Was Blocked By AppLocker | Persistence | none | 5 |
Windows: Deployment Of The AppX Package Was Blocked By The Policy | Persistence | none | 5 |
Windows: Potential Malicious AppX Package Installation Attempts | Persistence | none | 5 |
Windows: Suspicious AppX Package Installation Attempt | Persistence | none | 5 |
Windows: Suspicious AppX Package Locations | Persistence | none | 7 |
Windows: Suspicious Digital Signature Of AppX Package | Persistence | none | 5 |
Windows: Suspicious Remote AppX Package Locations | Persistence | none | 7 |
Windows: Uncommon AppX Package Locations | Persistence | none | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Backup Catalog Deleted | Defense Evasion | T1070.004 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: BITS Transfer Job Download To Potential Suspicious Folder | Defense Evasion | T1197 | 7 |
Windows: BITS Transfer Job With Uncommon Or Suspicious Remote TLD | Defense Evasion | T1197 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Self-signed Windows Certificate Added | | none | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Block Load Of Revoked Driver | Persistence | none | 7 |
Windows: Code Integrity Attempted DLL Load | Persistence | none | 7 |
Windows: Code Integrity Blocked Driver Load | Persistence | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows DNS Server: Suspicious DNS Traffic Resolved | Behavioral Anomaly | none | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: DNS Query for Anonfiles.com Domain - DNS Client | Exfiltration | T1567.002 | 7 |
Windows: DNS Query for Ufile.io Upload Domain - DNS Client | Exfiltration | T1567.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
DNS Traffic to Anomali ThreatStream Malware Domains | Exfiltration | T1048.001 | 9 |
DNS Traffic to FortiGuard Malware Domains | Exfiltration | T1048.001 | 9 |
Outbreak: SUNBURST Domain Traffic | Command And Control | T1568.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Loading Diagcab Package From Remote Path | Persistence | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Agent FIM: Windows File Changed From Baseline | Defense Evasion | T1070.004,T1565.001 | 7 |
Agent FIM: Windows File Content Modified | Defense Evasion | T1070.004,T1565.001 | 7 |
Agent FIM: Windows File Ownership Changed | Defense Evasion | T1070.004,T1565.001 | 7 |
Agent FIM: Windows File Permission Changed | Defense Evasion | T1222.001,T1565.001 | 7 |
Agent FIM: Windows File or Directory Archive Bit Changed | Defense Evasion | T1070.004,T1565.001 | 7 |
Agent FIM: Windows File or Directory Created | Collection | T1074.001,T1565.001 | 7 |
Agent FIM: Windows File or Directory Deleted | Defense Evasion | T1070.004,T1565.001 | 7 |
Windows Server USB File Write | Exfiltration | T1052.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: New Firewall Exception Rule Added For A Suspicious Folder | Persistence | none | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Failed MSExchange Transport Agent Installation | Persistence | T1505.002 | 7 |
Windows: Possible Exploitation of Exchange RCE CVE-2021-42321 | Lateral Movement | T1210 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: OpenSSH Server Listening On Socket | Lateral Movement | T1021.004 | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Manual Service Started | Server | none | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Database Server Disk Latency Critical | Storage I/O | none | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
High Process CPU: Server | Impact | T1499.003 | 8 |
High Process Memory: Server | Impact | T1499.003 | 8 |
Server CPU Critical | Impact | T1499.001 | 9 |
Server CPU Warning | Impact | T1499.001 | 5 |
Server Disk Latency Critical | Impact | T1499.001 | 9 |
Server Disk Latency Warning | Impact | T1499.001 | 5 |
Server Disk Space Critical | Impact | T1499.001 | 9 |
Server Disk space Warning | Impact | T1499.001 | 5 |
Server Intf Error Critical | Impact | T1499.001 | 9 |
Server Intf Error Warning | Impact | T1499.001 | 5 |
Server Intf Util Critical | Impact | T1499.001 | 9 |
Server Intf Util Warning | Impact | T1499.001 | 5 |
Server Memory Critical | Impact | T1499.001 | 9 |
Server Memory Warning | Impact | T1499.001 | 5 |
Server Network Low Port Staying Down | Network | none | 7 |
Server Swap Memory Critical | Impact | T1499.001 | 9 |
Sudden Increase in Server Process Count | Impact | T1499.001 | 7 |
Windows Server Health: Critical | Impact | T1499.001 | 9 |
Windows Server Health: Warning | Impact | T1499.001 | 5 |
Windows Server Paging File Usage Critical | Impact | T1499.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Auto Service Stopped | Impact | T1489 | 4 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Important process down | Impact | T1489 | 7 |
Important process staying Down | Impact | T1489 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
PowerShell Commandlet of Well Known Exploitation Framework Detected | Execution | T1059.001 | 9 |
PowerShell Downgrade Attack Detected | Lateral Movement | T1210 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Dump Ntds.dit To Suspicious Location | Persistence | none | 5 |
Windows: Ntdsutil Abuse | Persistence | none | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Microsoft Defender Blocked from Loading Unsigned DLL | Defense Evasion | T1574.002 | 7 |
Windows: Unsigned Binary Loaded From Suspicious Location | Defense Evasion | T1574.002 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows: Suspicious Application Installed | Persistence | none | 5 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Virtual Machine SCSI Bus Reset | Impact | T1499.001 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows Disk controller problem | Storage | none | 9 |
Windows Server Shutting Down | Impact | T1489 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows Debugger registry key for common Windows accessibility tools | Privilege Escalation | T1574.002 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows process communicating outbound to unusual ports | Execution | T1129 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows Process with deleted binaries | Defense Evasion | T1070.004 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Successful Windows Dormant Account Logon | Credential Access | T1110.001 | 7 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Server Installed Software Change | Defense Evasion | T1218.001 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Sudden Increase in WMI or OMI Response Times | Impact | T1499.002 | 7 |
WMI or OMI Service Unavailable | Impact | T1489 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched by unusual parent | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Windows process communicating outbound to unusual ports | Execution | T1129 | 6 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Excessive Web Request Failures | Application | none | 7 |
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Web Traffic to Anomali ThreatStream Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiGuard Malicious URLs | Exfiltration | T1041 | 9 |
Web Traffic to FortiSandbox Malicious URLs | Exfiltration | T1041 | 9 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |
Name | Tactic | Technique | Severity |
---|---|---|---|
Common Windows process launched from unusual path | Persistence | T1037.001 | 8 |