
AlphaSOC Detections

AE identifies both known threats and unknown, emerging ones. AlphaSOC's threat detections apply the techniques described in the Capabilities section across multiple layers, including Network, Infrastructure, and Identity, using data from a range of sources. These detections deliver high-fidelity alerts with a low false-positive ratio, so security teams can prioritize real threats with minimal distraction.

The table below is an exhaustive list of the individual detections that the engine supports. Each row gives the detection title, the data types the detection consumes, and the severity assigned to its alerts; titles marked (Beta) are detections still in beta.

| Title | Data Type | Severity |
|---|---|---|
| C2 communication attempt indicating infection | DNS, IP, HTTP, TLS | Critical |
| Traffic to a malicious spear phishing site | DNS, HTTP | Critical |
| Traffic to a suspicious young domain impersonating a known brand | DNS, HTTP | Critical |
| AWS API calls by a malicious caller | AWS CloudTrail | High |
| AWS API calls indicating setup of mass mailer script | AWS CloudTrail | High |
| AWS EC2 credential used from an unknown external location | AWS CloudTrail | High |
| AWS EC2 credential used from an unknown external location (Beta) | AWS CloudTrail | High |
| AWS WorkMail mailbox exported to a bucket that was made public | AWS CloudTrail | High |
| AWS console login from an EC2 instance | AWS CloudTrail | High |
| AWS policy modified to allow any principal to assume an IAM role | AWS CloudTrail | High |
| AWS root access key created | AWS CloudTrail | High |
| Anonymizing circuit setup indicating infection or evasion attempt | IP | High |
| Cryptomining indicating infection or resource abuse | DNS, IP, HTTP | High |
| Domain resolves to 169.254.169.254 indicating an AWS rebinding attack | DNS, HTTP | High |
| Encrypted DNS traffic to a server that supports non-ICANN TLDs | DNS, IP, HTTP | High |
| Excessive number of HTTP failures to a known bad destination | HTTP | High |
| HTTP GET request to a known bad destination indicating infection | HTTP | High |
| HTTP POST to a known bad destination indicating infection | HTTP | High |
| Known bad dynamic DNS provider traffic | DNS, HTTP | High |
| Known bad tunneling provider traffic | DNS, IP, HTTP | High |
| Kubernetes API calls by a malicious caller (Beta) | Kubernetes | High |
| Multiple requests to DGA domains indicating infection | DNS, HTTP | High |
| Multiple requests to long hostnames indicating DNS tunneling | DNS, HTTP | High |
| Multiple suspicious connections indicating TrickBot infection | DNS, IP, HTTP, TLS | High |
| Out-of-band application security testing traffic requiring investigation | DNS, IP, HTTP | High |
| Outbound TCP port scan indicating hacking tool use or infection | IP | High |
| Quarantine applied to possibly compromised AWS credentials | AWS CloudTrail | High |
| Suspicious AWS API calls with root account credentials | AWS CloudTrail | High |
| Suspicious IRC traffic indicating infection | DNS, IP | High |
| Suspicious SSH session masquerading as a different protocol | IP | High |
| Suspicious use of an AWS IAM role that was unused for a long period (Beta) | AWS CloudTrail | High |
| Telegram Bot API traffic indicating possible infection | DNS, HTTP | High |
| Traffic from multiple sources to a domain impersonating a known brand | DNS, HTTP | High |
| Traffic to a known malware distribution site | DNS, IP, HTTP | High |
| Traffic to a known sinkhole indicating infection | DNS, IP, HTTP | High |
| Traffic to a suspicious domain impersonating a known brand | DNS, HTTP | High |
| Traffic to a web server with a suspicious open directory on an unusual port | DNS, IP, HTTP | High |
| Traffic to a young suspicious domain containing a brand name | DNS, HTTP | High |
| Traffic to malicious infrastructure capturing credentials | DNS, IP, HTTP | High |
| A team member was logged out due to a compromised device | Slack | Medium |
| AWS API calls indicating S3 buckets discovery in a suspicious way (Beta) | AWS CloudTrail | Medium |
| AWS API calls with root account access key | AWS CloudTrail | Medium |
| AWS DataSync task initiated to an unknown external account | AWS CloudTrail | Medium |
| AWS Detective graph deleted (Beta) | AWS CloudTrail | Medium |
| AWS EBS snapshot modified to allow public access | AWS CloudTrail | Medium |
| AWS EC2 Windows Administrator encrypted password enumeration | AWS CloudTrail | Medium |
| AWS EC2 export task to an unknown S3 bucket initiated | AWS CloudTrail | Medium |
| AWS EC2 instance unexpectedly interacted with the IAM API | AWS CloudTrail | Medium |
| AWS EC2 instances unexpectedly described in multiple regions | AWS CloudTrail | Medium |
| AWS ECR public repository modified to allow global write access | AWS CloudTrail | Medium |
| AWS EKS access entry unexpectedly created allowing admin access (Beta) | AWS CloudTrail | Medium |
| AWS Elastic IP address transfer to an unknown external account | AWS CloudTrail | Medium |
| AWS GuardDuty disabled | AWS CloudTrail | Medium |
| AWS GuardDuty publishing destination deleted (Beta) | AWS CloudTrail | Medium |
| AWS IAM policy modified to allow access to any resource via suspicious statement | AWS CloudTrail | Medium |
| AWS IAM user created with admin policy attached (Beta) | AWS CloudTrail | Medium |
| AWS KMS key modified to allow public access | AWS CloudTrail | Medium |
| AWS RDS export task to an unknown S3 bucket initiated | AWS CloudTrail | Medium |
| AWS RDS snapshot modified to allow public access | AWS CloudTrail | Medium |
| AWS RDS snapshot unexpectedly created and made public | AWS CloudTrail | Medium |
| AWS Redshift cluster modified to allow public access (Beta) | AWS CloudTrail | Medium |
| AWS Route 53 domain transfer to an unknown external account | AWS CloudTrail | Medium |
| AWS S3 bucket accidentally modified to allow public access | AWS CloudTrail | Medium |
| AWS S3 bucket modified to allow public access via suspicious statement | AWS CloudTrail | Medium |
| AWS S3 bucket replication to an unknown external account | AWS CloudTrail | Medium |
| AWS S3 object accessed without TLS | AWS CloudTrail | Medium |
| AWS S3 object accessed without authentication | AWS CloudTrail | Medium |
| AWS S3 object encrypted using an external KMS key | AWS CloudTrail | Medium |
| AWS SES identities discovery via access key | AWS CloudTrail | Medium |
| AWS SNS Topic modified to allow public access | AWS CloudTrail | Medium |
| AWS SQS Queue modified to allow public access | AWS CloudTrail | Medium |
| AWS Security Hub disabled (Beta) | AWS CloudTrail | Medium |
| AWS VPC peering connection to an unknown external account established | AWS CloudTrail | Medium |
| AWS access key created by the root account | AWS CloudTrail | Medium |
| AWS access key used to delete itself unexpectedly | AWS CloudTrail | Medium |
| AWS account password policy changed in a suspicious way | AWS CloudTrail | Medium |
| AWS decoy resource accessed | AWS CloudTrail | Medium |
| AWS policy allows passing any role | AWS CloudTrail | Medium |
| AWS policy allows to perform any action via suspicious statement | AWS CloudTrail | Medium |
| AWS policy modified to allow unknown principal to assume an IAM role (Beta) | AWS CloudTrail | Medium |
| AWS policy suggests denial but allows actions | AWS CloudTrail | Medium |
| AWS policy suggests narrow access but allows broad access | AWS CloudTrail | Medium |
| AWS policy suggests read-only access but allows write actions | AWS CloudTrail | Medium |
| AWS role assumed by an unknown external principal | AWS CloudTrail | Medium |
| AWS root account unexpectedly assumed via temporary credentials | AWS CloudTrail | Medium |
| AWS root password recovery request from an unknown ASN | AWS CloudTrail | Medium |
| AWS service quota unexpectedly described in multiple regions | AWS CloudTrail | Medium |
| Anonymous access unexpectedly granted to a Kubernetes cluster (Beta) | Kubernetes | Medium |
| Beaconing to a rare domain | DNS, HTTP | Medium |
| Beaconing to a suspicious domain | DNS, HTTP | Medium |
| Cluster of suspicious requests requiring investigation | DNS, IP, HTTP | Medium |
| Excessive disruption of Slack user sessions via invalidation | Slack | Medium |
| Excessive number of HTTP failures to a suspicious destination | HTTP | Medium |
| GitHub API calls by a malicious caller (Beta) | GitHub | Medium |
| GitHub audit log stream destroyed or paused (Beta) | GitHub | Medium |
| GitHub organization is transferred to another enterprise account (Beta) | GitHub | Medium |
| GitHub personal access token used to download high number of repositories (Beta) | GitHub | Medium |
| GitHub repository transferred to another enterprise account (Beta) | GitHub | Medium |
| GitHub secret scanning disabled or bypassed (Beta) | GitHub | Medium |
| High volume of outbound ICMP traffic indicating tunneling | IP | Medium |
| High volume of outbound traffic over FTP | IP | Medium |
| High volume of outbound traffic over SMB | IP | Medium |
| High volume of outbound traffic over SSH | IP | Medium |
| High volume of reverse DNS lookups indicating scanning activity | DNS | Medium |
| IRC traffic requiring investigation | DNS, IP | Medium |
| MFA delete disabled on AWS S3 bucket (Beta) | AWS CloudTrail | Medium |
| Multiple AWS EC2 instances launched unexpectedly | AWS CloudTrail | Medium |
| Multiple AWS IAM users deleted within a short period (Beta) | AWS CloudTrail | Medium |
| Multiple connections to suspicious IP destinations | IP | Medium |
| Multiple denied AWS assume role API calls requiring investigation | AWS CloudTrail | Medium |
| Multiple encrypted DNS requests requiring investigation | DNS, IP, HTTP | Medium |
| Multiple requests to a rare domain | DNS, HTTP | Medium |
| Multiple requests to suspicious domains | DNS, HTTP | Medium |
| Multiple unexpected AWS API calls executed in dry run mode | AWS CloudTrail | Medium |
| Okta FastPass blocked a phishing attempt (Beta) | Okta | Medium |
| Okta MFA bypass attempt detected (Beta) | Okta | Medium |
| Outbound SSH session using an uncommon server port | IP | Medium |
| Outbound traffic indicating Denial of Service attack | IP | Medium |
| P2P activity | DNS, IP, HTTP | Medium |
| Potential ransomware note uploaded to an AWS S3 bucket | AWS CloudTrail | Medium |
| Potentially unwanted program or browser extension installed | DNS, IP, HTTP | Medium |
| Previously unseen AWS Bedrock model invoked (Beta) | AWS CloudTrail | Medium |
| Secret found in a GitHub repository (Beta) | GitHub | Medium |
| Several unsuccessful AWS console login attempts from the same IP address for different users | AWS CloudTrail | Medium |
| Several unsuccessful Slack login attempts indicating brute force activity | Slack | Medium |
| Slack API calls by a malicious caller | Slack | Medium |
| Slack EKM unenrolled | Slack | Medium |
| Slack application access expanded with admin scopes | Slack | Medium |
| Slack application with admin scopes added | Slack | Medium |
| Slack login with unexpected user email | Slack | Medium |
| Slack organization deleted | Slack | Medium |
| Slack service owner transferred | Slack | Medium |
| Successful AWS console login without MFA | AWS CloudTrail | Medium |
| Suspicious AWS API call with account access key | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS API Gateway keys access (Beta) | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS Backup plan deletion (Beta) | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS Bedrock model invocation | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS DynamoDB backup restoration | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS EC2 subnet deletion (Beta) | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS Firehose delivery stream destination change (Beta) | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS RDS instance with disabled encryption (Beta) | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating AWS SageMaker presigned URL generation (Beta) | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating Cost Explorer discovery | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating ECS cluster creation | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating IP set modification | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating Organizations discovery | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating RDS data destruction | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating Route 53 log tampering | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating S3 ACL modifications | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating S3 data staging and exfiltration | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating S3 delete operations | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating S3 reconnaissance | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating S3 write operations | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating SAML activity | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating SES discovery | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating STS discovery | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating WAF disassociation | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating change of IAM user password | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating command execution via System Manager | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating creation of AWS API Gateway key | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating creation of AWS REST API | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating data staging and exfiltration | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating deletion of AWS Elastic File System | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating deletion of AWS access key | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating discovery using AWS Tagging API | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating disruption | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating evasion | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating infrastructure modification using CloudFormation | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating modification of AWS Resource Access Manager | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating modification of config monitoring | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating new image being pushed to AWS ECR with latest tag | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating persistence | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating privilege escalation | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating reconnaissance | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating resource enumeration | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating retrieval of AWS sign-in token | AWS CloudTrail | Medium |
| Suspicious AWS API calls indicating unauthorized access | AWS CloudTrail | Medium |
| Suspicious AWS IAM user created with generic name | AWS CloudTrail | Medium |
| Suspicious AWS access key created | AWS CloudTrail | Medium |
| Suspicious AWS console login | AWS CloudTrail | Medium |
| Suspicious HTTP GET request requiring investigation | HTTP | Medium |
| Suspicious Kubernetes API calls indicating access to Kubernetes secret (Beta) | Kubernetes | Medium |
| Suspicious Kubernetes API calls indicating permission discovery (Beta) | Kubernetes | Medium |
| Suspicious Okta API calls indicating Okta MFA modification (Beta) | Okta | Medium |
| Suspicious Okta API calls indicating Okta application modification (Beta) | Okta | Medium |
| Suspicious Okta API calls indicating Okta application sign on policy modification (Beta) | Okta | Medium |
| Suspicious Okta API calls indicating Okta identity provider creation (Beta) | Okta | Medium |
| Suspicious Okta API calls indicating Okta user creation (Beta) | Okta | Medium |
| Suspicious Okta API calls indicating Okta user profile modification (Beta) | Okta | Medium |
| Suspicious Okta user session created (Beta) | Okta | Medium |
| Suspicious Tor DNS request | DNS | Medium |
| Suspicious dynamic DNS provider traffic | DNS, HTTP | Medium |
| Suspicious file downloaded from Slack | Slack | Medium |
| Suspicious hosting provider traffic | DNS, HTTP | Medium |
| Suspicious traffic to DNS server that supports non-ICANN TLDs | IP | Medium |
| Suspicious traffic to a link-in-bio destination | DNS, HTTP | Medium |
| Suspicious traffic to user survey site indicating possible phishing | DNS, HTTP | Medium |
| Suspicious tunneling provider traffic | DNS, IP, HTTP | Medium |
| Third-party VPN traffic | DNS, IP, HTTP | Medium |
| Third-party remote access software installed | DNS, IP, HTTP | Medium |
| Traffic from multiple sources to a unique young domain | DNS, HTTP | Medium |
| Traffic over a cleartext protocol exposing content and credentials | IP | Medium |
| Traffic to a TDS mechanism requiring investigation | DNS, HTTP | Medium |
| Traffic to a destination serving malicious JavaScript | DNS, HTTP | Medium |
| Traffic to a free webhook service indicating potential exfiltration | DNS, HTTP | Medium |
| Traffic to a likely malicious domain | DNS, HTTP | Medium |
| Traffic to a suspicious domain containing a brand name | DNS, HTTP | Medium |
| Traffic to a web server with a suspicious open directory | DNS, IP, HTTP | Medium |
| Traffic to a young domain impersonating a known brand | DNS, HTTP | Medium |
| Traffic to an unknown blocklisted destination | DNS, IP, HTTP | Medium |
| Traffic to an unusual and suspicious port requiring investigation | IP | Medium |
| Unexpected AWS API calls with root account credentials | AWS CloudTrail | Medium |
| Unexpected AWS EC2 Windows Administrator encrypted password enumeration | AWS CloudTrail | Medium |
| Unexpected AWS role assumed by an external principal | AWS CloudTrail | Medium |
| Unexpected anonymous API call to a Kubernetes cluster (Beta) | Kubernetes | Medium |
| Unsuccessful and unexpected attempt to assume AWS root account | AWS CloudTrail | Medium |
| Unusual excessive AWS S3 bucket deletion requests (Beta) | AWS CloudTrail | Medium |
| Unusual mail traffic indicating possible implant | IP | Medium |
| Use of an AWS IAM access key that was unused for a long period (Beta) | AWS CloudTrail | Medium |
| Use of an AWS IAM role that was unused for a long period (Beta) | AWS CloudTrail | Medium |
| Use of an AWS IAM user that was unused for a long period (Beta) | AWS CloudTrail | Medium |
| User activity from previously unseen ASN | AWS CloudTrail | Medium |
| User activity from previously unseen country | AWS CloudTrail | Medium |
| A large AWS EC2 instance launch with an unusual instance type | AWS CloudTrail | Low |
| AWS ACM certificate authority deleted (Beta) | AWS CloudTrail | Low |
| AWS AMI modified to allow public access | AWS CloudTrail | Low |
| AWS API calls indicating S3 buckets discovery (Beta) | AWS CloudTrail | Low |
| AWS API calls indicating evasion attempts on Amazon Macie | AWS CloudTrail | Low |
| AWS API calls indicating tampering with Security Hub findings | AWS CloudTrail | Low |
| AWS Application Load Balancer configured with insecure SSL protocol policy (Beta) | AWS CloudTrail | Low |
| AWS CloudFront distribution configured with insecure SSL protocol policy (Beta) | AWS CloudTrail | Low |
| AWS CloudWatch alarm deleted | AWS CloudTrail | Low |
| AWS CodeBuild project modified to allow public access | AWS CloudTrail | Low |
| AWS DataSync task initiated unexpectedly | AWS CloudTrail | Low |
| AWS EBS default encryption disabled | AWS CloudTrail | Low |
| AWS EC2 export task initiated unexpectedly | AWS CloudTrail | Low |
| AWS EC2 instance interacted with the IAM API | AWS CloudTrail | Low |
| AWS EC2 instance launch in a new region | AWS CloudTrail | Low |
| AWS EC2 instance launches in multiple regions | AWS CloudTrail | Low |
| AWS EC2 instances described in multiple regions | AWS CloudTrail | Low |
| AWS ECR image uploaded | AWS CloudTrail | Low |
| AWS ECS cluster unexpectedly deleted (Beta) | AWS CloudTrail | Low |
| AWS EKS access entry created allowing admin access (Beta) | AWS CloudTrail | Low |
| AWS EKS cluster endpoint modified to allow public access (Beta) | AWS CloudTrail | Low |
| AWS ElastiCache Redis cluster created without encryption at rest | AWS CloudTrail | Low |
| AWS ElastiCache security group modified unexpectedly | AWS CloudTrail | Low |
| AWS GuardDuty threat list disabled | AWS CloudTrail | Low |
| AWS IAM Access Analyzer deleted (Beta) | AWS CloudTrail | Low |
| AWS IAM entity created unexpectedly | AWS CloudTrail | Low |
| AWS IAM login profile created unexpectedly | AWS CloudTrail | Low |
| AWS IAM login profile unexpectedly modified by a different identity than the owner | AWS CloudTrail | Low |
| AWS IAM policy granting full or admin access attached | AWS CloudTrail | Low |
| AWS IAM policy modified to allow access to any resource | AWS CloudTrail | Low |
| AWS IAM user created with generic name unexpectedly | AWS CloudTrail | Low |
| AWS IAM user groups discovery | AWS CloudTrail | Low |
| AWS IAM user profile created without password reset | AWS CloudTrail | Low |
| AWS KMS customer managed key disabled or scheduled for deletion | AWS CloudTrail | Low |
| AWS Lambda function modified to allow public invocation | AWS CloudTrail | Low |
| AWS Lambda functions modified | AWS CloudTrail | Low |
| AWS Lightsail instance launched unexpectedly | AWS CloudTrail | Low |
| AWS MFA device disabled unexpectedly | AWS CloudTrail | Low |
| AWS MFA device registered unexpectedly | AWS CloudTrail | Low |
| AWS OpenSearch domain configured to allow public access (Beta) | AWS CloudTrail | Low |
| AWS Organization invite sent for another account to join the organization (Beta) | AWS CloudTrail | Low |
| AWS RDS Deletion Protection disabled unexpectedly | AWS CloudTrail | Low |
| AWS RDS export task initiated unexpectedly | AWS CloudTrail | Low |
| AWS RDS instance modified to allow public access | AWS CloudTrail | Low |
| AWS RDS instance password changed unexpectedly | AWS CloudTrail | Low |
| AWS RDS security group created unexpectedly | AWS CloudTrail | Low |
| AWS RDS snapshot created and made public | AWS CloudTrail | Low |
| AWS RDS snapshot created manually | AWS CloudTrail | Low |
| AWS Redshift cluster encryption disabled (Beta) | AWS CloudTrail | Low |
| AWS Roles Anywhere profile created | AWS CloudTrail | Low |
| AWS Route 53 hosted zone associated with a VPC | AWS CloudTrail | Low |
| AWS Route 53 public hosted zone created unexpectedly | AWS CloudTrail | Low |
| AWS S3 bucket modified to allow public access | AWS CloudTrail | Low |
| AWS S3 bucket versioning suspended unexpectedly | AWS CloudTrail | Low |
| AWS SES GetAccount action invoked via AccessKey | AWS CloudTrail | Low |
| AWS SES identity deleted | AWS CloudTrail | Low |
| AWS SES production access granted | AWS CloudTrail | Low |
| AWS STS GetFederationToken invoked by aws_consoler utility (Beta) | AWS CloudTrail | Low |
| AWS SageMaker domain modified to allow public access (Beta) | AWS CloudTrail | Low |
| AWS System Manager encrypted parameter retrieved unexpectedly | AWS CloudTrail | Low |
| AWS WorkMail mailbox exported | AWS CloudTrail | Low |
| AWS access key created for a newly registered IAM user | AWS CloudTrail | Low |
| AWS access key created unexpectedly | AWS CloudTrail | Low |
| AWS access key used to delete itself | AWS CloudTrail | Low |
| AWS account created unexpectedly | AWS CloudTrail | Low |
| AWS account password policy changed in an unexpected way | AWS CloudTrail | Low |
| AWS account password policy deleted | AWS CloudTrail | Low |
| AWS identity added to an admin group | AWS CloudTrail | Low |
| AWS network infrastructure modification opening a wide range of ports | AWS CloudTrail | Low |
| AWS policy contains unsubstituted template values | AWS CloudTrail | Low |
| AWS policy that allows to perform any action was added | AWS CloudTrail | Low |
| AWS region was enabled or disabled (Beta) | AWS CloudTrail | Low |
| AWS root account assumed via temporary credentials | AWS CloudTrail | Low |
| AWS service quota described in multiple regions | AWS CloudTrail | Low |
| AWS service quota increase request created (Beta) | AWS CloudTrail | Low |
| An AWS account removed itself from the organization | AWS CloudTrail | Low |
| Anonymous access granted to a Kubernetes cluster (Beta) | Kubernetes | Low |
| Connection to an AWS EC2 instance using EC2 Instance Connect by a suspicious user | AWS CloudTrail | Low |
| Connection to multiple AWS EC2 instances using EC2 Instance Connect | AWS CloudTrail | Low |
| DNS misconfiguration leading to potential compromise | DNS | Low |
| Encrypted DNS traffic indicating potential infection or evasion | DNS, IP, HTTP | Low |
| Excessive number of DNS failures requiring investigation | DNS | Low |
| Excessive number of HTTP failures to an uncommon destination | HTTP | Low |
| GitHub OAuth application access restrictions disabled (Beta) | GitHub | Low |
| GitHub Personal Access Token approval policy modified (Beta) | GitHub | Low |
| GitHub SSO configuration modified for organization or enterprise (Beta) | GitHub | Low |
| GitHub account recovery codes accessed (Beta) | GitHub | Low |
| GitHub audit log stream modified (Beta) | GitHub | Low |
| GitHub branch protections were disabled for the repository (Beta) | GitHub | Low |
| GitHub dependabot vulnerability alerts disabled (Beta) | GitHub | Low |
| GitHub enterprise deleted (Beta) | GitHub | Low |
| GitHub organization was removed from an enterprise (Beta) | GitHub | Low |
| GitHub repository deploy key modified or created (Beta) | GitHub | Low |
| GitHub repository visibility changed to public (Beta) | GitHub | Low |
| High number of non-public GitHub repositories downloaded (Beta) | GitHub | Low |
| IAM default policy set to an unexpected version | AWS CloudTrail | Low |
| IAM role attached to an AWS RDS instance unexpectedly | AWS CloudTrail | Low |
| MFA disabled for GitHub organization or enterprise (Beta) | GitHub | Low |
| Malicious pop-up traffic | DNS, HTTP | Low |
| Many AWS Route 53 domains registered | AWS CloudTrail | Low |
| Modification of multiple AWS EC2 instance startup scripts | AWS CloudTrail | Low |
| Multiple AWS API calls executed in dry run mode | AWS CloudTrail | Low |
| Multiple AWS EC2 instances launched | AWS CloudTrail | Low |
| Multiple AWS EC2 instances terminated unexpectedly | AWS CloudTrail | Low |
| Multiple AWS root password recovery requests | AWS CloudTrail | Low |
| Multiple denied AWS API calls requiring investigation | AWS CloudTrail | Low |
| Multiple denied AWS S3 API calls requiring investigation | AWS CloudTrail | Low |
| Multiple requests to unreachable domains | DNS, HTTP | Low |
| Okta admin role assigned (Beta) | Okta | Low |
| Okta privilege granted (Beta) | Okta | Low |
| Outbound RDP traffic indicating brute force activity | IP | Low |
| Outbound SSH traffic indicating brute force activity | IP | Low |
| Outbound WinRM traffic indicating brute force activity | IP | Low |
| Registered domain impersonating a known brand | DNS | Low |
| Several unsuccessful AWS console login attempts for a user | AWS CloudTrail | Low |
| Several unsuccessful AWS console login attempts from the same IP address | AWS CloudTrail | Low |
| Several unsuccessful Okta login attempts for a user (Beta) | Okta | Low |
| Slack API calls from an unexpected IP address | Slack | Low |
| Slack API calls from an unexpected client | Slack | Low |
| Slack API calls from an unexpected user agent | Slack | Low |
| Slack EKM config modified | Slack | Low |
| Slack Microsoft Intune MDM disabled | Slack | Low |
| Slack SSO restriction changed | Slack | Low |
| Slack app removed | Slack | Low |
| Slack application access expanded | Slack | Low |
| Slack application added | Slack | Low |
| Slack data prevention rule was modified | Slack | Low |
| Slack identity provider config modified | Slack | Low |
| Slack information barrier modified | Slack | Low |
| Slack legal hold policy modified | Slack | Low |
| Slack manual export downloaded | Slack | Low |
| Slack public link created to file with potentially sensitive data | Slack | Low |
| Slack user privilege escalation | Slack | Low |
| Successful AWS console login from a new country | AWS CloudTrail | Low |
| Successful Okta user session created from a new country (Beta) | Okta | Low |
| Successful anonymous API call to a Kubernetes cluster (Beta) | Kubernetes | Low |
| Suspicious HTTP POST request requiring investigation | HTTP | Low |
| Traffic to a suspicious IP destination | IP | Low |
| Traffic to a suspicious domain | DNS, HTTP | Low |
| Traffic to a valid domain impersonating a known brand | DNS, HTTP | Low |
| Traffic to a web server with an open directory on an unusual port | DNS, IP, HTTP | Low |
| Traffic to an IP lookup service | DNS, IP, HTTP | Low |
| Traffic to an unusual DNS resolver | IP | Low |
| Traffic to an unusual port requiring investigation | IP | Low |
| Unexpected AWS API call with account access key | AWS CloudTrail | Low |
| Unexpected AWS API calls by a likely malicious caller | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS API Gateway keys access (Beta) | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS Backup plan deletion (Beta) | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS Bedrock model invocation | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS DynamoDB backup restoration | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS EC2 subnet deletion (Beta) | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS Firehose delivery stream destination change (Beta) | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS RDS instance with disabled encryption (Beta) | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating AWS SageMaker presigned URL generation (Beta) | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating Cost Explorer discovery | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating ECS cluster creation | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating IP set modification | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating Organizations discovery | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating RDS data destruction | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating Route 53 log tampering | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating S3 ACL modifications | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating S3 data staging and exfiltration | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating S3 delete operations | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating S3 reconnaissance | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating S3 write operations | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating SAML activity | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating SES discovery | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating STS discovery | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating WAF disassociation | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating change of IAM user password | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating command execution via System Manager | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating creation of AWS API Gateway key | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating creation of AWS REST API | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating data staging and exfiltration | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating deletion of AWS Elastic File System | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating deletion of AWS access key | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating discovery using AWS Tagging API | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating disruption | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating evasion | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating infrastructure modification using CloudFormation | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating modification of AWS Resource Access Manager | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating modification of config monitoring | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating new image being pushed to AWS ECR with latest tag | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating persistence | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating privilege escalation | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating reconnaissance | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating resource enumeration | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating retrieval of AWS sign-in token | AWS CloudTrail | Low |
| Unexpected AWS API calls indicating unauthorized access | AWS CloudTrail | Low |
| Unexpected AWS EC2 Windows Administrator encrypted password fetch attempt | AWS CloudTrail | Low |
| Unexpected AWS EC2 instance launch | AWS CloudTrail | Low |
| Unexpected AWS IAM group deletion | AWS CloudTrail | Low |
| Unexpected AWS console login | AWS CloudTrail | Low |
| Unexpected AWS role assumed by a principal | AWS CloudTrail | Low |
| Unexpected Kubernetes API calls by a likely malicious caller (Beta) | Kubernetes | Low |
| Unexpected Kubernetes API calls indicating access to Kubernetes secret (Beta) | Kubernetes | Low |
| Unexpected Kubernetes API calls indicating permission discovery (Beta) | Kubernetes | Low |
| Unexpected Okta API calls indicating Okta MFA modification (Beta) | Okta | Low |
| Unexpected Okta API calls indicating Okta application modification (Beta) | Okta | Low |
| Unexpected Okta API calls indicating Okta application sign on policy modification (Beta) | Okta | Low |
| Unexpected Okta API calls indicating Okta identity provider creation (Beta) | Okta | Low |
| Unexpected Okta API calls indicating Okta user creation (Beta) | Okta | Low |
| Unexpected Okta API calls indicating Okta user profile modification (Beta) | Okta | Low |
| Unexpected Okta user session created (Beta) | Okta | Low |
| Unexpected Slack API actions from admin account | Slack | Low |
| Unexpected Slack API calls indicating credential testing activity | Slack | Low |
| Unexpected Slack API calls indicating excessive downloads | Slack | Low |
| Unexpected Slack API calls indicating excessive file sharing | Slack | Low |
| Unexpected Slack API calls indicating malware share | Slack | Low |
| Unexpected Slack API calls indicating message deletion activity | Slack | Low |
| Unexpected Slack API calls indicating scraping activity | Slack | Low |
| Unexpected Slack session with inconsistent client fingerprint | Slack | Low |
| Unexpected high volume of Slack API calls | Slack | Low |
| Unknown dynamic DNS provider traffic | DNS, HTTP | Low |
| Unknown tunneling provider traffic | DNS, IP, HTTP | Low |
| Unsuccessful AWS IAM password change attempt | AWS CloudTrail | Low |
| Unsuccessful attempt to assume AWS root account | AWS CloudTrail | Low |
| Unusual AWS API calls with root account credentials | AWS CloudTrail | Low |
| Unusual excessive traffic requiring investigation | IP | Low |
| User activity from unexpected ASN | AWS CloudTrail | Low |
| User activity from unexpected country | AWS CloudTrail | Low |
| AWS AMI Block Public Access disabled for an account | AWS CloudTrail | Informational |
| AWS API calls by a likely malicious caller | AWS CloudTrail | Informational |
| AWS API calls indicating AWS API Gateway keys access (Beta) | AWS CloudTrail | Informational |
| AWS API calls indicating AWS Backup plan deletion (Beta) | AWS CloudTrail | Informational |
| AWS API calls indicating AWS Bedrock model invocation | AWS CloudTrail | Informational |
| AWS API calls indicating AWS EC2 subnet deletion (Beta) | AWS CloudTrail | Informational |
| AWS API calls indicating AWS Firehose delivery stream destination change (Beta) | AWS CloudTrail | Informational |
| AWS API calls indicating AWS RDS instance with disabled encryption (Beta) | AWS CloudTrail | Informational |
| AWS API calls indicating AWS SageMaker presigned URL generation (Beta) | AWS CloudTrail | Informational |
| AWS API calls indicating Cost Explorer discovery | AWS CloudTrail | Informational |
| AWS API calls indicating ECS cluster creation | AWS CloudTrail | Informational |
| AWS API calls indicating IP set modification | AWS CloudTrail | Informational |
| AWS API calls indicating Organizations discovery | AWS CloudTrail | Informational |
| AWS API calls indicating RDS data destruction | AWS CloudTrail | Informational |
| AWS API calls indicating Route 53 log tampering | AWS CloudTrail | Informational |
| AWS API calls indicating S3 ACL modifications | AWS CloudTrail | Informational |
| AWS API calls indicating S3 data staging and exfiltration | AWS CloudTrail | Informational |
| AWS API calls indicating S3 delete operations | AWS CloudTrail | Informational |
| AWS API calls indicating S3 reconnaissance | AWS CloudTrail | Informational |
| AWS API calls indicating S3 write operations | AWS CloudTrail | Informational |
| AWS API calls indicating SAML activity | AWS CloudTrail | Informational |
| AWS API calls indicating SES discovery | AWS CloudTrail | Informational |
| AWS API calls indicating STS discovery | AWS CloudTrail | Informational |
| AWS API calls indicating WAF disassociation | AWS CloudTrail | Informational |
| AWS API calls indicating change of IAM user password | AWS CloudTrail | Informational |
| AWS API calls indicating command execution via System Manager | AWS CloudTrail | Informational |
| AWS API calls indicating creation of AWS API Gateway key | AWS CloudTrail | Informational |
| AWS API calls indicating creation of AWS REST API | AWS CloudTrail | Informational |
| AWS API calls indicating data staging and exfiltration | AWS CloudTrail | Informational |
AWS API calls indicating deletion of AWS Elastic File SystemAWS CloudTrail
Informational
AWS API calls indicating deletion of AWS access keyAWS CloudTrail
Informational
AWS API calls indicating discovery using AWS Tagging APIAWS CloudTrail
Informational
AWS API calls indicating disruptionAWS CloudTrail
Informational
AWS API calls indicating evasionAWS CloudTrail
Informational
AWS API calls indicating infrastructure modification using CloudFormationAWS CloudTrail
Informational
AWS API calls indicating modification of AWS Resource Access ManagerAWS CloudTrail
Informational
AWS API calls indicating modification of config monitoringAWS CloudTrail
Informational
AWS API calls indicating new image being pushed to AWS ECR with latest tagAWS CloudTrail
Informational
AWS API calls indicating persistenceAWS CloudTrail
Informational
AWS API calls indicating privilege escalationAWS CloudTrail
Informational
AWS API calls indicating reconnaissanceAWS CloudTrail
Informational
AWS API calls indicating resource enumerationAWS CloudTrail
Informational
AWS API calls indicating retrieval of AWS sign-in tokenAWS CloudTrail
Informational
AWS API calls indicating unauthorized accessAWS CloudTrail
Informational
AWS API calls with root account credentialsAWS CloudTrail
Informational
AWS DataSync task initiatedAWS CloudTrail
Informational
AWS DynamoDB table restored from backupAWS CloudTrail
Informational
AWS EBS snapshot Block Public Access disabled for an accountAWS CloudTrail
Informational
AWS EC2 NAT gateway deleted BetaAWS CloudTrail
Informational
AWS EC2 Windows Administrator encrypted password fetch attempt | AWS CloudTrail | Informational
AWS ECS cluster deleted (Beta) | AWS CloudTrail | Informational
AWS ElastiCache security group modified | AWS CloudTrail | Informational
AWS GuardDuty threat list modified | AWS CloudTrail | Informational
AWS IAM default policy version set | AWS CloudTrail | Informational
AWS IAM group deleted | AWS CloudTrail | Informational
AWS IAM login profile created | AWS CloudTrail | Informational
AWS IAM login profile modified by a different identity than the owner | AWS CloudTrail | Informational
AWS IAM permission boundary deleted | AWS CloudTrail | Informational
AWS IAM policy modified | AWS CloudTrail | Informational
AWS IAM user created with generic name | AWS CloudTrail | Informational
AWS MFA device disabled | AWS CloudTrail | Informational
AWS MFA device registered | AWS CloudTrail | Informational
AWS RDS Deletion Protection disabled | AWS CloudTrail | Informational
AWS RDS instance password changed | AWS CloudTrail | Informational
AWS RDS security group created | AWS CloudTrail | Informational
AWS Roles Anywhere trust anchor created with an external CA | AWS CloudTrail | Informational
AWS Route 53 domain registered | AWS CloudTrail | Informational
AWS Route 53 domain transfer lock disabled for an account | AWS CloudTrail | Informational
AWS Route 53 domain transfer to an external account | AWS CloudTrail | Informational
AWS Route 53 public hosted zone created | AWS CloudTrail | Informational
AWS S3 Block Public Access disabled for a bucket | AWS CloudTrail | Informational
AWS S3 Block Public Access disabled for an account | AWS CloudTrail | Informational
AWS S3 bucket versioning suspended | AWS CloudTrail | Informational
AWS S3 server access logging disabled | AWS CloudTrail | Informational
AWS SES service modified | AWS CloudTrail | Informational
AWS SSO access token created | AWS CloudTrail | Informational
AWS System Manager encrypted parameter retrieved | AWS CloudTrail | Informational
AWS access key created | AWS CloudTrail | Informational
AWS account closed | AWS CloudTrail | Informational
AWS account created | AWS CloudTrail | Informational
AWS account password policy changed | AWS CloudTrail | Informational
AWS role assumed by an external principal with an unexpected user agent | AWS CloudTrail | Informational
AWS root password recovery request | AWS CloudTrail | Informational
AWS security group modification allowing access from any IP address | AWS CloudTrail | Informational
Adversary simulation traffic to a benign destination | DNS, IP, HTTP | Informational
Connection to an AWS EC2 instance using EC2 Instance Connect | AWS CloudTrail | Informational
Encrypted DNS traffic to a common destination | DNS, IP, HTTP | Informational
Enumeration of AWS EC2 instance startup scripts | AWS CloudTrail | Informational
GitHub User was added to an organization (Beta) | GitHub | Informational
GitHub application installed (Beta) | GitHub | Informational
GitHub repository ruleset was modified (Beta) | GitHub | Informational
GitHub repository was deleted (Beta) | GitHub | Informational
GitHub user was blocked from accessing an organization’s repositories (Beta) | GitHub | Informational
GitHub user was invited to a repository (Beta) | GitHub | Informational
GitHub user was unblocked from accessing an organization’s repositories (Beta) | GitHub | Informational
IAM role attached to an AWS RDS instance | AWS CloudTrail | Informational
Kubernetes API calls by a likely malicious caller (Beta) | Kubernetes | Informational
Kubernetes API calls indicating access to Kubernetes secret (Beta) | Kubernetes | Informational
Kubernetes API calls indicating permission discovery (Beta) | Kubernetes | Informational
Long AWS console session | AWS CloudTrail | Informational
MFA disabled for Slack organization | Slack | Informational
Modification of an AWS EC2 instance startup script | AWS CloudTrail | Informational
Multiple archived files uploaded to Slack in a short period | Slack | Informational
New Okta API token was generated (Beta) | Okta | Informational
Okta API calls indicating Okta MFA modification (Beta) | Okta | Informational
Okta API calls indicating Okta application modification (Beta) | Okta | Informational
Okta API calls indicating Okta application sign on policy modification (Beta) | Okta | Informational
Okta API calls indicating Okta identity provider creation (Beta) | Okta | Informational
Okta API calls indicating Okta user creation (Beta) | Okta | Informational
Okta API calls indicating Okta user profile modification (Beta) | Okta | Informational
Okta MFA challenge without MFA app (Beta) | Okta | Informational
Okta user session created (Beta) | Okta | Informational
Outbound traffic over SMB requiring investigation | IP | Informational
Private Slack channel was changed to public | Slack | Informational
Quarantine self applied to AWS credentials | AWS CloudTrail | Informational
Slack organization created | Slack | Informational
Slack user role changed | Slack | Informational
Successful AWS console login | AWS CloudTrail | Informational
Successful AWS console logins from different locations in a short period | AWS CloudTrail | Informational
Successful Okta user session created from different locations in a short period (Beta) | Okta | Informational
Traffic to a destination TLD commonly associated with malware | DNS, HTTP | Informational
Traffic to a destination with a known HTTP open directory | DNS, IP, HTTP | Informational
Traffic to a link-in-bio destination | DNS, HTTP | Informational
Traffic to a user survey site | DNS, HTTP | Informational
Traffic to an unknown young domain | DNS, HTTP | Informational
Unsuccessful AWS console login attempt | AWS CloudTrail | Informational