Skip to main content

AlphaSOC Detections

AE can identify both known and unknown emerging threats. AlphaSOC’s threat detections leverage the comprehensive techniques outlined in the Capabilities section to secure multiple layers, including Network, Infrastructure, and Identity, using data from various origins. These detections deliver high-fidelity alerts with a low false positive ratio, enabling security teams to prioritize real threats with minimal distractions.

The table below is an exhaustive list of the individual detections that the engine supports.

Search
x
Data Types
any_type
TitleData TypeSeverity
C2 communication attempt indicating infectionDNS, IP, HTTP, TLS
Critical
Traffic to a malicious spear phishing siteDNS, HTTP
Critical
Traffic to a suspicious young domain impersonating a known brandDNS, HTTP
Critical
AWS API calls by a malicious callerAWS CloudTrail
High
AWS API calls indicating setup of mass mailer scriptAWS CloudTrail
High
AWS EC2 credential used from an unknown external locationAWS CloudTrail
High
AWS EC2 credential used from an unknown external location BetaAWS CloudTrail
High
AWS WorkMail mailbox exported to a bucket that was made publicAWS CloudTrail
High
AWS console login from an EC2 instanceAWS CloudTrail
High
AWS policy modified to allow any principal to assume an IAM roleAWS CloudTrail
High
AWS root access key createdAWS CloudTrail
High
Anonymizing circuit setup indicating infection or evasion attemptIP
High
Cryptomining indicating infection or resource abuseDNS, IP, HTTP
High
Domain resolves to 169.254.169.254 indicating an AWS rebinding attackDNS, HTTP
High
Encrypted DNS traffic to a server that supports non-ICANN TLDsDNS, IP, HTTP
High
Excessive number of HTTP failures to a known bad destinationHTTP
High
GitHub SSH key added by suspicious IP addressGitHub
High
HTTP GET request to a known bad destination indicating infectionHTTP
High
HTTP POST to a known bad destination indicating infectionHTTP
High
Known bad dynamic DNS provider trafficDNS, HTTP
High
Known bad tunneling provider trafficDNS, IP, HTTP
High
Kubernetes API calls by a malicious caller BetaKubernetes
High
Multiple requests to DGA domains indicating infectionDNS, HTTP
High
Multiple requests to long hostnames indicating DNS tunnelingDNS, HTTP
High
Multiple suspicious connections indicating TrickBot infectionDNS, IP, HTTP, TLS
High
Out-of-band application security testing traffic requiring investigationDNS, IP, HTTP
High
Outbound TCP port scan indicating hacking tool use or infectionIP
High
Quarantine applied to possibly compromised AWS credentialsAWS CloudTrail
High
Suspicious AWS API calls with root account credentialsAWS CloudTrail
High
Suspicious IRC traffic indicating infectionDNS, IP
High
Suspicious SSH session masquerading as a different protocolIP
High
Suspicious use of an AWS IAM role that was unused for a long period BetaAWS CloudTrail
High
Telegram Bot API traffic indicating possible infectionDNS, HTTP
High
Traffic from multiple sources to a domain impersonating a known brandDNS, HTTP
High
Traffic to a known malware distribution siteDNS, IP, HTTP
High
Traffic to a known sinkhole indicating infectionDNS, IP, HTTP
High
Traffic to a suspicious domain impersonating a known brandDNS, HTTP
High
Traffic to a web server with a suspicious open directory on an unusual portDNS, IP, HTTP
High
Traffic to a young suspicious domain containing a brand nameDNS, HTTP
High
Traffic to malicious infrastructure capturing credentialsDNS, IP, HTTP
High
1Password actions by a likely malicious caller Beta1Password
Medium
AWS API calls indicating EKS privilege escalation in multiple clusters BetaAWS CloudTrail
Medium
AWS API calls indicating S3 buckets discovery in a suspicious way BetaAWS CloudTrail
Medium
AWS API calls with root account access keyAWS CloudTrail
Medium
AWS Backup vault modified to allow public access BetaAWS CloudTrail
Medium
AWS DataSync task initiated to an unknown external accountAWS CloudTrail
Medium
AWS Detective graph deleted BetaAWS CloudTrail
Medium
AWS EBS snapshot modified to allow public accessAWS CloudTrail
Medium
AWS EC2 Windows Adminstrator encrypted password enumerationAWS CloudTrail
Medium
AWS EC2 export task to an unknown S3 bucked initiatedAWS CloudTrail
Medium
AWS EC2 instance unexpectedly interacted with the IAM APIAWS CloudTrail
Medium
AWS EC2 instances unexpectedly described in multiple regionsAWS CloudTrail
Medium
AWS ECR public repository modified to allow global write accessAWS CloudTrail
Medium
AWS EKS access entry unexpectedly created allowing admin access BetaAWS CloudTrail
Medium
AWS Elastic IP address transfer to an unknown external accountAWS CloudTrail
Medium
AWS GuardDuty disabledAWS CloudTrail
Medium
AWS GuardDuty publishing destination deleted BetaAWS CloudTrail
Medium
AWS IAM policy modified to allow access to any resource via suspicious statementAWS CloudTrail
Medium
AWS IAM trust policy misconfigured for OIDC BetaAWS CloudTrail
Medium
AWS IAM user created with admin policy attached BetaAWS CloudTrail
Medium
AWS KMS key modified to allow public accessAWS CloudTrail
Medium
AWS Lambda layer modified to allow public access BetaAWS CloudTrail
Medium
AWS RDS export task to an unknown S3 bucket initiatedAWS CloudTrail
Medium
AWS RDS snapshot modified to allow public accessAWS CloudTrail
Medium
AWS RDS snapshot unexpectedly created and made publicAWS CloudTrail
Medium
AWS Redshift cluster modified to allow public access BetaAWS CloudTrail
Medium
AWS Route 53 domain transfer to an unknown external accountAWS CloudTrail
Medium
AWS S3 bucket accidentally modified to allow public accessAWS CloudTrail
Medium
AWS S3 bucket configured with short retention period in a suspicious way BetaAWS CloudTrail
Medium
AWS S3 bucket modified to allow public access via suspicious statementAWS CloudTrail
Medium
AWS S3 bucket replication to an unknown external accountAWS CloudTrail
Medium
AWS S3 object accessed without TLSAWS CloudTrail
Medium
AWS S3 object accessed without authenticationAWS CloudTrail
Medium
AWS S3 object encrypted using an external KMS keyAWS CloudTrail
Medium
AWS SES identities discovery via access keyAWS CloudTrail
Medium
AWS SNS Topic modified to allow public accessAWS CloudTrail
Medium
AWS SQS Queue modified to allow public accessAWS CloudTrail
Medium
AWS SSM document modified to allow public access BetaAWS CloudTrail
Medium
AWS STS discovery with Truffle HogAWS CloudTrail
Medium
AWS Security Hub disabled BetaAWS CloudTrail
Medium
AWS VPC peering connection to an unknown external account establishedAWS CloudTrail
Medium
AWS access key created by the root accountAWS CloudTrail
Medium
AWS access key used to delete itself unexpectedlyAWS CloudTrail
Medium
AWS account password policy changed in a suspicious wayAWS CloudTrail
Medium
AWS decoy resource accessedAWS CloudTrail
Medium
AWS policy allows passing any roleAWS CloudTrail
Medium
AWS policy allows to perform any action via suspicious statementAWS CloudTrail
Medium
AWS policy modified to allow unknown principal to assume an IAM role BetaAWS CloudTrail
Medium
AWS policy suggests denial but allows actionsAWS CloudTrail
Medium
AWS policy suggests narrow access but allows broad accessAWS CloudTrail
Medium
AWS policy suggests read-only access but allows write actionsAWS CloudTrail
Medium
AWS role assumed by an unknown external principalAWS CloudTrail
Medium
AWS root account unexpectedly assumed via temporary credentialsAWS CloudTrail
Medium
AWS root password recovery request from an unknown ASNAWS CloudTrail
Medium
AWS service quota unexpectedly described in multiple regionsAWS CloudTrail
Medium
Anonymous access unexpectedly granted to a Kubernetes cluster BetaKubernetes
Medium
Atlassian actions by a likely malicious caller BetaAtlassian
Medium
Beaconing to a rare domainDNS, HTTP
Medium
Beaconing to a suspicious domainDNS, HTTP
Medium
Cluster of suspicious requests requiring investigationDNS, IP, HTTP
Medium
Excessive disruption of Slack user sessions via invalidationSlack
Medium
Excessive number of HTTP failures to a suspicious destinationHTTP
Medium
GitHub API calls by a malicious callerGitHub
Medium
GitHub audit log stream destroyed or pausedGitHub
Medium
GitHub personal access token used to download high number of repositoriesGitHub
Medium
High volume of outbound ICMP traffic indicating tunnelingIP
Medium
High volume of outbound traffic over FTPIP
Medium
High volume of outbound traffic over SMBIP
Medium
High volume of outbound traffic over SSHIP
Medium
High volume of reverse DNS lookups indicating scanning activityDNS
Medium
IRC traffic requiring investigationDNS, IP
Medium
Jira actions by a likely malicious caller BetaJira
Medium
Kubernetes resource created in public namespace BetaKubernetes
Medium
Kubernetes service account created in public namespace BetaKubernetes
Medium
Linux SSHD login by a likely malicious caller BetaLinux
Medium
MFA delete disabled on AWS S3 bucket BetaAWS CloudTrail
Medium
Multiple AWS EC2 instances launched unexpectedlyAWS CloudTrail
Medium
Multiple AWS IAM users deleted within a short period BetaAWS CloudTrail
Medium
Multiple connections to suspicious IP destinationsIP
Medium
Multiple denied AWS assume role API calls requiring investigationAWS CloudTrail
Medium
Multiple encrypted DNS requests requiring investigationDNS, IP, HTTP
Medium
Multiple requests to a rare domainDNS, HTTP
Medium
Multiple requests to suspicious domainsDNS, HTTP
Medium
Multiple unexpected AWS API calls executed in dry run modeAWS CloudTrail
Medium
Okta FastPass blocked a phishing attemptOkta
Medium
Okta MFA bypass attempt detectedOkta
Medium
Outbound SSH session using an uncommon server portIP
Medium
Outbound traffic indicating Denial of Service attackIP
Medium
P2P activityDNS, IP, HTTP
Medium
Possible 1Password login brute force Beta1Password
Medium
Potential ransomware note uploaded to an AWS S3 bucketAWS CloudTrail
Medium
Potentially unwanted program or browser extension installedDNS, IP, HTTP
Medium
Previously unseen AWS Bedrock model invoked BetaAWS CloudTrail
Medium
Secret found in a GitHub repositoryGitHub
Medium
Several unsuccessful AWS console login attempts from the same IP address for different usersAWS CloudTrail
Medium
Several unsuccessful Slack login attempts indicating brute force activitySlack
Medium
Slack API calls by a malicious callerSlack
Medium
Slack EKM UnenrolledSlack
Medium
Slack application access expanded with admin scopesSlack
Medium
Slack application with admin scopes addedSlack
Medium
Slack login with unexpected user emailSlack
Medium
Slack organization deletedSlack
Medium
Slack service owner transferredSlack
Medium
Slack team member logged out due to a compromised deviceSlack
Medium
Successful AWS console login without MFAAWS CloudTrail
Medium
Successful Okta MFA login after multiple MFA pushesOkta
Medium
Suspicious 1Password login Beta1Password
Medium
Suspicious AWS API call with account access keyAWS CloudTrail
Medium
Suspicious AWS API calls indicating API Gateway keys access BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating Backup plan deletion BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating Bedrock model invocationAWS CloudTrail
Medium
Suspicious AWS API calls indicating Cost Explorer discoveryAWS CloudTrail
Medium
Suspicious AWS API calls indicating DynamoDB backup restorationAWS CloudTrail
Medium
Suspicious AWS API calls indicating EC2 subnet deletion BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating ECR repository with automatic scanning disabled BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating ECS cluster creationAWS CloudTrail
Medium
Suspicious AWS API calls indicating Firehose delivery stream destination change BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating IAM role trust policy modification failure BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating IP set modificationAWS CloudTrail
Medium
Suspicious AWS API calls indicating Organizations discoveryAWS CloudTrail
Medium
Suspicious AWS API calls indicating RDS data destructionAWS CloudTrail
Medium
Suspicious AWS API calls indicating RDS instance with disabled encryption BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating Route 53 log tamperingAWS CloudTrail
Medium
Suspicious AWS API calls indicating S3 ACL modificationsAWS CloudTrail
Medium
Suspicious AWS API calls indicating S3 bucket encryption reset to default BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating S3 data staging and exfiltrationAWS CloudTrail
Medium
Suspicious AWS API calls indicating S3 delete operationsAWS CloudTrail
Medium
Suspicious AWS API calls indicating S3 reconnaissanceAWS CloudTrail
Medium
Suspicious AWS API calls indicating S3 write operationsAWS CloudTrail
Medium
Suspicious AWS API calls indicating SAML activityAWS CloudTrail
Medium
Suspicious AWS API calls indicating SES discoveryAWS CloudTrail
Medium
Suspicious AWS API calls indicating STS discoveryAWS CloudTrail
Medium
Suspicious AWS API calls indicating SageMaker presigned URL generation BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating Secrets Manager discovery BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating WAF control list modification BetaAWS CloudTrail
Medium
Suspicious AWS API calls indicating WAF disassociationAWS CloudTrail
Medium
Suspicious AWS API calls indicating change of IAM user passwordAWS CloudTrail
Medium
Suspicious AWS API calls indicating command execution via System ManagerAWS CloudTrail
Medium
Suspicious AWS API calls indicating creation of API Gateway keyAWS CloudTrail
Medium
Suspicious AWS API calls indicating creation of REST APIAWS CloudTrail
Medium
Suspicious AWS API calls indicating data staging and exfiltrationAWS CloudTrail
Medium
Suspicious AWS API calls indicating deletion of Elastic File SystemAWS CloudTrail
Medium
Suspicious AWS API calls indicating deletion of access keyAWS CloudTrail
Medium
Suspicious AWS API calls indicating discovery using Tagging APIAWS CloudTrail
Medium
Suspicious AWS API calls indicating disruptionAWS CloudTrail
Medium
Suspicious AWS API calls indicating evasionAWS CloudTrail
Medium
Suspicious AWS API calls indicating infrastructure modification using CloudFormationAWS CloudTrail
Medium
Suspicious AWS API calls indicating modification of Resource Access ManagerAWS CloudTrail
Medium
Suspicious AWS API calls indicating modification of config monitoringAWS CloudTrail
Medium
Suspicious AWS API calls indicating new image being pushed to ECR with latest tagAWS CloudTrail
Medium
Suspicious AWS API calls indicating persistenceAWS CloudTrail
Medium
Suspicious AWS API calls indicating privilege escalationAWS CloudTrail
Medium
Suspicious AWS API calls indicating reconnaissanceAWS CloudTrail
Medium
Suspicious AWS API calls indicating resource enumerationAWS CloudTrail
Medium
Suspicious AWS API calls indicating retrieval of sign-in tokenAWS CloudTrail
Medium
Suspicious AWS API calls indicating unauthorized accessAWS CloudTrail
Medium
Suspicious AWS Bedrock API usage via programmatic access BetaAWS CloudTrail
Medium
Suspicious AWS IAM user created with generic nameAWS CloudTrail
Medium
Suspicious AWS S3 bucket encryption configuration BetaAWS CloudTrail
Medium
Suspicious AWS access key createdAWS CloudTrail
Medium
Suspicious AWS console loginAWS CloudTrail
Medium
Suspicious HTTP GET request requiring investigationHTTP
Medium
Suspicious Kubernetes API calls indicating access to secret BetaKubernetes
Medium
Suspicious Kubernetes API calls indicating namespace creation BetaKubernetes
Medium
Suspicious Kubernetes API calls indicating permission discovery BetaKubernetes
Medium
Suspicious Okta API calls indicating MFA modificationOkta
Medium
Suspicious Okta API calls indicating application modificationOkta
Medium
Suspicious Okta API calls indicating application sign on policy modificationOkta
Medium
Suspicious Okta API calls indicating identity provider creationOkta
Medium
Suspicious Okta API calls indicating user creationOkta
Medium
Suspicious Okta API calls indicating user profile modificationOkta
Medium
Suspicious Okta user session createdOkta
Medium
Suspicious Tor DNS requestDNS
Medium
Suspicious dynamic DNS provider trafficDNS, HTTP
Medium
Suspicious file accessed or uploaded to SlackSlack
Medium
Suspicious hosting provider trafficDNS, HTTP
Medium
Suspicious traffic to DNS server that supports non-ICANN TLDsIP
Medium
Suspicious traffic to a link-in-bio destinationDNS, HTTP
Medium
Suspicious traffic to user survey site indicating possible phishingDNS, HTTP
Medium
Suspicious tunneling provider trafficDNS, IP, HTTP
Medium
Third-party VPN trafficDNS, IP, HTTP
Medium
Third-party remote access software installedDNS, IP, HTTP
Medium
Traffic from multiple sources to a unique young domainDNS, HTTP
Medium
Traffic over a cleartext protocol exposing content and credentialsIP
Medium
Traffic to a TDS mechanism requiring investigationDNS, HTTP
Medium
Traffic to a destination serving malicious JavaScriptDNS, HTTP
Medium
Traffic to a free webhook service indicating potential exfiltrationDNS, HTTP
Medium
Traffic to a likely malicious domainDNS, HTTP
Medium
Traffic to a suspicious domain containing a brand nameDNS, HTTP
Medium
Traffic to a web server with a suspicious open directoryDNS, IP, HTTP
Medium
Traffic to a young domain impersonating a known brandDNS, HTTP
Medium
Traffic to an unknown blocklisted destinationDNS, IP, HTTP
Medium
Traffic to an unusual and suspicious port requiring investigationIP
Medium
Unexpected AWS API calls with root account credentialsAWS CloudTrail
Medium
Unexpected AWS EC2 Windows Adminstrator encrypted password enumerationAWS CloudTrail
Medium
Unexpected AWS role assumed by an external principalAWS CloudTrail
Medium
Unexpected anonymous API call to a Kubernetes cluster BetaKubernetes
Medium
Unsuccessful and unexpected attempt to assume AWS root accountAWS CloudTrail
Medium
Unusual excessive AWS S3 bucket deletion requests BetaAWS CloudTrail
Medium
Unusual mail traffic indicating possible implantIP
Medium
Use of an AWS IAM access key that was unused for a long period BetaAWS CloudTrail
Medium
Use of an AWS IAM role that was unused for a long period BetaAWS CloudTrail
Medium
Use of an AWS IAM user that was unused for a long period BetaAWS CloudTrail
Medium
User activity from previously unseen ASNAWS CloudTrail
Medium
User activity from previously unseen countryAWS CloudTrail
Medium
1Password login from unexpected device Beta1Password
Low
1Password service account token activity Beta1Password
Low
1Password values exported Beta1Password
Low
A large AWS EC2 instance launch with an unusual instance typeAWS CloudTrail
Low
AWS ACM certificate authority deleted BetaAWS CloudTrail
Low
AWS AMI modified to allow public accessAWS CloudTrail
Low
AWS API calls indicating CloudFormation privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating DataPipeline privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating DynamoDB privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating EC2 privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating Glue privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating IAM privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating KMS privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating Lambda privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating S3 buckets discovery BetaAWS CloudTrail
Low
AWS API calls indicating SSM privilege escalation BetaAWS CloudTrail
Low
AWS API calls indicating evasion attempts on Amazon MacieAWS CloudTrail
Low
AWS API calls indicating tampering with Security Hub findingsAWS CloudTrail
Low
AWS Application Load Balancer configured with insecure SSL protocol policy BetaAWS CloudTrail
Low
AWS CloudFront distribution configured with insecure SSL protocol policy BetaAWS CloudTrail
Low
AWS CloudTrail event selector does not cover all management events BetaAWS CloudTrail
Low
AWS CloudWatch alarm deletedAWS CloudTrail
Low
AWS CodeBuild project modified to allow public accessAWS CloudTrail
Low
AWS DataSync task initiated unexpectedlyAWS CloudTrail
Low
AWS EBS default encryption disabledAWS CloudTrail
Low
AWS EC2 export task initiated unexpectedlyAWS CloudTrail
Low
AWS EC2 instance interacted with the IAM APIAWS CloudTrail
Low
AWS EC2 instance launch in a new regionAWS CloudTrail
Low
AWS EC2 instance launches in multiple regionsAWS CloudTrail
Low
AWS EC2 instance performed multiple unique API actions BetaAWS CloudTrail
Low
AWS EC2 instances described in multiple regionsAWS CloudTrail
Low
AWS ECR automatic registry scanning disabled BetaAWS CloudTrail
Low
AWS ECR image uploadedAWS CloudTrail
Low
AWS ECS cluster unexpectedly deleted BetaAWS CloudTrail
Low
AWS EKS access entry created allowing admin access BetaAWS CloudTrail
Low
AWS EKS cluster endpoint modified to allow public access BetaAWS CloudTrail
Low
AWS ElastiCache Redis cluster created without encryption at restAWS CloudTrail
Low
AWS ElastiCache security group modified unexpectedlyAWS CloudTrail
Low
AWS GuardDuty threat list disabledAWS CloudTrail
Low
AWS IAM Access Analyzer deleted BetaAWS CloudTrail
Low
AWS IAM entity created unexpectedlyAWS CloudTrail
Low
AWS IAM login profile created unexpectedlyAWS CloudTrail
Low
AWS IAM login profile unexpectedly modified by a different identity than the ownerAWS CloudTrail
Low
AWS IAM policy granting full or admin access attachedAWS CloudTrail
Low
AWS IAM policy modified to allow access to any resourceAWS CloudTrail
Low
AWS IAM user created with generic name unexpectedlyAWS CloudTrail
Low
AWS IAM user groups discoveryAWS CloudTrail
Low
AWS IAM user profile created without password resetAWS CloudTrail
Low
AWS KMS customer managed key disabled or scheduled for deletionAWS CloudTrail
Low
AWS Lambda function modified to allow public invocationAWS CloudTrail
Low
AWS Lambda functions modifiedAWS CloudTrail
Low
AWS Lightsail instance launched unexpectedlyAWS CloudTrail
Low
AWS MFA device disabled unexpectedlyAWS CloudTrail
Low
AWS MFA device registered unexpectedlyAWS CloudTrail
Low
AWS OpenSearch domain configured to allow public access BetaAWS CloudTrail
Low
AWS Organization invite sent for another account to join the organization BetaAWS CloudTrail
Low
AWS RDS Deletion Protection disabled unexpectedlyAWS CloudTrail
Low
AWS RDS export task initiated unexpectedlyAWS CloudTrail
Low
AWS RDS instance modified to allow public accessAWS CloudTrail
Low
AWS RDS instance password changed unexpectedlyAWS CloudTrail
Low
AWS RDS security group created unexpectedlyAWS CloudTrail
Low
AWS RDS snapshot created and made publicAWS CloudTrail
Low
AWS RDS snapshot created manuallyAWS CloudTrail
Low
AWS Redshift cluster encryption disabled BetaAWS CloudTrail
Low
AWS Roles Anywhere profile createdAWS CloudTrail
Low
AWS Route 53 hosted zone associated with a VPCAWS CloudTrail
Low
AWS Route 53 public hosted zone created unexpectedlyAWS CloudTrail
Low
AWS S3 Access Point modified to allow public access BetaAWS CloudTrail
Low
AWS S3 bucket lifecycle disabled BetaAWS CloudTrail
Low
AWS S3 bucket modified to allow public accessAWS CloudTrail
Low
AWS S3 bucket policy allows actions by external accounts BetaAWS CloudTrail
Low
AWS S3 bucket versioning suspended unexpectedlyAWS CloudTrail
Low
AWS SES GetAccount action invoked via AccessKeyAWS CloudTrail
Low
AWS SES identity deletedAWS CloudTrail
Low
AWS SES production access grantedAWS CloudTrail
Low
AWS STS GetFederationToken invoked by aws_consoler utility BetaAWS CloudTrail
Low
AWS STS federation token issued with access to all resources BetaAWS CloudTrail
Low
AWS STS federation token issued with permissions allowing all actions BetaAWS CloudTrail
Low
AWS SageMaker domain modified to allow public access BetaAWS CloudTrail
Low
AWS Secrets Manager access from CloudShell session BetaAWS CloudTrail
Low
AWS System Manager encrypted parameter retrieved unexpectedlyAWS CloudTrail
Low
AWS WorkMail mailbox exportedAWS CloudTrail
Low
AWS access key created for a newly registered IAM userAWS CloudTrail
Low
AWS access key created unexpectedlyAWS CloudTrail
Low
AWS access key used to delete itselfAWS CloudTrail
Low
AWS account created unexpectedlyAWS CloudTrail
Low
AWS account password policy changed in an unexpected wayAWS CloudTrail
Low
AWS account password policy deletedAWS CloudTrail
Low
AWS identity added to an admin groupAWS CloudTrail
Low
AWS network infrastructure modification opening a wide range of portsAWS CloudTrail
Low
AWS policy contains unsubstituted template valuesAWS CloudTrail
Low
AWS policy that allows to perform any action was addedAWS CloudTrail
Low
AWS region enabled or disabled BetaAWS CloudTrail
Low
AWS resource drift from IaC configuration BetaAWS CloudTrail
Low
AWS root account assumed via temporary credentialsAWS CloudTrail
Low
AWS service quota described in multiple regionsAWS CloudTrail
Low
AWS service quota increase request created BetaAWS CloudTrail
Low
An AWS account removed itself from the organizationAWS CloudTrail
Low
Anonymous access granted to a Kubernetes cluster BetaKubernetes
Low
Atlassian admin API token created BetaAtlassian
Low
Atlassian administrator impersonated another user BetaAtlassian
Low
Atlassian organization admin added BetaAtlassian
Low
Atlassian user added to administrative group BetaAtlassian
Low
Confluence global setting modified BetaConfluence
Low
Confluence public link for a page turned on BetaConfluence
Low
Confluence site exported BetaConfluence
Low
Confluence space exported BetaConfluence
Low
Connection to an AWS EC2 instance using EC2 Instance Connect by a suspicious userAWS CloudTrail
Low
Connection to multiple AWS EC2 instances using EC2 Instance ConnectAWS CloudTrail
Low
DNS misconfiguration leading to potential compromiseDNS
Low
Encrypted DNS traffic indicating potential infection or evasionDNS, IP, HTTP
Low
Excessive number of DNS failures requiring investigationDNS
Low
Excessive number of HTTP failures to an uncommon destinationHTTP
Low
GitHub Advanced Security setting modifiedGitHub
Low
GitHub bot unexpected activitiesGitHub
Low
GitHub branch protections were disabled for the repositoryGitHub
Low
GitHub mass pushesGitHub
Low
GitHub organization transferred to another Enterprise accountGitHub
Low
GitHub public repository createdGitHub
Low
GitHub repository transferred to another Enterprise accountGitHub
Low
GitHub repository visibility changed to publicGitHub
Low
GitHub secret scanning disabled or bypassedGitHub
Low
High number of non-public GitHub repositories downloadedGitHub
Low
IAM default policy set to an unexpected versionAWS CloudTrail
Low
IAM role attached to an AWS RDS instance unexpectedlyAWS CloudTrail
Low
Jira user added to administrative group BetaJira
Low
Kubernetes admission controller created BetaAWS CloudTrail
Low
Kubernetes pod command executed BetaKubernetes
Low
Kubernetes privileged pod created BetaKubernetes
Low
Kubernetes resource created in service namespace BetaKubernetes
Low
Kubernetes service account created in service namespace BetaKubernetes
Low
MFA disabled for GitHub organization or Enterprise accountGitHub
Low
Malicious pop-up trafficDNS, HTTP
Low
Many AWS Route 53 domains registeredAWS CloudTrail
Low
Modification of multiple AWS EC2 instance startup scriptsAWS CloudTrail
Low
Multiple AWS API calls executed in dry run modeAWS CloudTrail
Low
Multiple AWS EC2 instances launchedAWS CloudTrail
Low
Multiple AWS EC2 instances terminated unexpectedlyAWS CloudTrail
Low
Multiple AWS root password recovery requestsAWS CloudTrail
Low
Multiple Okta users failed to login from a single IP addressOkta
Low
Multiple denied AWS API calls requiring investigationAWS CloudTrail
Low
Multiple denied AWS S3 API calls requiring investigationAWS CloudTrail
Low
Multiple denied Kubernetes API calls requiring investigation BetaKubernetes
Low
Multiple rejected Okta MFA Push notifications for a single userOkta
Low
Multiple requests to unreachable domainsDNS, HTTP
Low
Okta MFA IP mismatch between challenge and verification BetaOkta
Low
Okta admin role assignedOkta
Low
Okta suspicious session cookie usage BetaOkta
Low
Outbound RDP traffic indicating brute force activityIP
Low
Outbound SSH traffic indicating brute force activityIP
Low
Outbound WinRM traffic indicating brute force activityIP
Low
Registered domain impersonating a known brandDNS
Low
Several unsuccessful AWS console login attempts for a userAWS CloudTrail
Low
Several unsuccessful AWS console login attempts from the same IP addressAWS CloudTrail
Low
Several unsuccessful Okta login attempts for a user BetaOkta
Low
Slack API calls from an unexpected IP addressSlack
Low
Slack API calls from an unexpected clientSlack
Low
Slack API calls from an unexpected user agentSlack
Low
Slack EKM logging config modifiedSlack
Low
Slack Microsoft Intune MDM disabledSlack
Low
Slack SSO restriction changedSlack
Low
Slack app removedSlack
Low
Slack application access expandedSlack
Low
Slack application addedSlack
Low
Slack data prevention rule modifiedSlack
Low
Slack identity provider config modifiedSlack
Low
Slack information barrier modifiedSlack
Low
Slack legal hold policy modifiedSlack
Low
Slack manual export downloadedSlack
Low
Slack public link created to file with potentially sensitive dataSlack
Low
Slack user privilege escalationSlack
Low
Successful AWS console login from a new countryAWS CloudTrail
Low
Successful Okta user session created from a new countryOkta
Low
Successful anonymous API call to a Kubernetes cluster BetaKubernetes
Low
Suspicious GitHub activity performed via OAuth access tokenGitHub
Low
Suspicious HTTP POST request requiring investigationHTTP
Low
Traffic to a suspicious IP destinationIP
Low
Traffic to a suspicious domainDNS, HTTP
Low
Traffic to a valid domain impersonating a known brandDNS, HTTP
Low
Traffic to a web server with an open directory on an unusual portDNS, IP, HTTP
Low
Traffic to an IP lookup serviceDNS, IP, HTTP
Low
Traffic to an unusual DNS resolverIP
Low
Traffic to an unusual port requiring investigationIP
Low
Unexpected 1Password item usage action observed Beta1Password
Low
Unexpected AWS API call with account access keyAWS CloudTrail
Low
Unexpected AWS API calls by a likely malicious callerAWS CloudTrail
Low
Unexpected AWS API calls indicating API Gateway keys access BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating Backup plan deletion BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating Bedrock model invocationAWS CloudTrail
Low
Unexpected AWS API calls indicating Cost Explorer discoveryAWS CloudTrail
Low
Unexpected AWS API calls indicating DynamoDB backup restorationAWS CloudTrail
Low
Unexpected AWS API calls indicating EC2 subnet deletion BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating ECR repository with automatic scanning disabled BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating ECS cluster creationAWS CloudTrail
Low
Unexpected AWS API calls indicating Firehose delivery stream destination change BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating IAM role trust policy modification failure BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating IP set modificationAWS CloudTrail
Low
Unexpected AWS API calls indicating Organizations discoveryAWS CloudTrail
Low
Unexpected AWS API calls indicating RDS data destructionAWS CloudTrail
Low
Unexpected AWS API calls indicating RDS instance with disabled encryption BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating Route 53 log tamperingAWS CloudTrail
Low
Unexpected AWS API calls indicating S3 ACL modificationsAWS CloudTrail
Low
Unexpected AWS API calls indicating S3 bucket encryption reset to default BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating S3 data staging and exfiltrationAWS CloudTrail
Low
Unexpected AWS API calls indicating S3 delete operationsAWS CloudTrail
Low
Unexpected AWS API calls indicating S3 reconnaissanceAWS CloudTrail
Low
Unexpected AWS API calls indicating S3 write operationsAWS CloudTrail
Low
Unexpected AWS API calls indicating SAML activityAWS CloudTrail
Low
Unexpected AWS API calls indicating SES discoveryAWS CloudTrail
Low
Unexpected AWS API calls indicating STS discoveryAWS CloudTrail
Low
Unexpected AWS API calls indicating SageMaker presigned URL generation BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating Secrets Manager discovery BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating WAF control list modification BetaAWS CloudTrail
Low
Unexpected AWS API calls indicating WAF disassociationAWS CloudTrail
Low
Unexpected AWS API calls indicating change of IAM user passwordAWS CloudTrail
Low
Unexpected AWS API calls indicating command execution via System ManagerAWS CloudTrail
Low
Unexpected AWS API calls indicating creation of API Gateway keyAWS CloudTrail
Low
Unexpected AWS API calls indicating creation of REST APIAWS CloudTrail
Low
Unexpected AWS API calls indicating data staging and exfiltrationAWS CloudTrail
Low
Unexpected AWS API calls indicating deletion of Elastic File SystemAWS CloudTrail
Low
Unexpected AWS API calls indicating deletion of access keyAWS CloudTrail
Low
Unexpected AWS API calls indicating discovery using Tagging APIAWS CloudTrail
Low
Unexpected AWS API calls indicating disruptionAWS CloudTrail
Low
Unexpected AWS API calls indicating evasionAWS CloudTrail
Low
Unexpected AWS API calls indicating infrastructure modification using CloudFormationAWS CloudTrail
Low
Unexpected AWS API calls indicating modification of Resource Access ManagerAWS CloudTrail
Low
Unexpected AWS API calls indicating modification of config monitoringAWS CloudTrail
Low
Unexpected AWS API calls indicating new image being pushed to ECR with latest tagAWS CloudTrail
Low
Unexpected AWS API calls indicating persistenceAWS CloudTrail
Low
Unexpected AWS API calls indicating privilege escalationAWS CloudTrail
Low
Unexpected AWS API calls indicating reconnaissanceAWS CloudTrail
Low
Unexpected AWS API calls indicating resource enumerationAWS CloudTrail
Low
Unexpected AWS API calls indicating retrieval of sign-in tokenAWS CloudTrail
Low
Unexpected AWS API calls indicating unauthorized accessAWS CloudTrail
Low
Unexpected AWS EC2 Windows Adminstrator encrypted password fetch attemptAWS CloudTrail
Low
Unexpected AWS EC2 instance launchAWS CloudTrail
Low
Unexpected AWS IAM group deletionAWS CloudTrail
Low
Unexpected AWS S3 bucket configured with short retention period BetaAWS CloudTrail
Low
Unexpected AWS console loginAWS CloudTrail
Low
Unexpected AWS role assumed by a principalAWS CloudTrail
Low
Unexpected Kubernetes API calls by a likely malicious caller BetaKubernetes
Low
Unexpected Kubernetes API calls indicating access to secret BetaKubernetes
Low
Unexpected Kubernetes API calls indicating namespace creation BetaKubernetes
Low
Unexpected Kubernetes API calls indicating permission discovery BetaKubernetes
Low
Unexpected Okta API calls indicating MFA modificationOkta
Low
Unexpected Okta API calls indicating application modificationOkta
Low
Unexpected Okta API calls indicating application sign on policy modificationOkta
Low
Unexpected Okta API calls indicating identity provider creationOkta
Low
Unexpected Okta API calls indicating user creationOkta
Low
Unexpected Okta API calls indicating user profile modificationOkta
Low
Unexpected Okta user session createdOkta
Low
Unexpected Slack API actions from admin accountSlack
Low
Unexpected Slack API calls indicating credential testing activitySlack
Low
Unexpected Slack API calls indicating excessive downloadsSlack
Low
Unexpected Slack API calls indicating excessive file sharingSlack
Low
Unexpected Slack API calls indicating malware shareSlack
Low
Unexpected Slack API calls indicating message deletion activitySlack
Low
Unexpected Slack API calls indicating scraping activitySlack
Low
Unexpected Slack session with inconsistent client fingerprintSlack
Low
Unexpected high volume of Slack API callsSlack
Low
Unknown GitHub user cloned private repositoryGitHub
Low
Unknown dynamic DNS provider trafficDNS, HTTP
Low
Unknown tunneling provider trafficDNS, IP, HTTP
Low
Unsuccessful AWS IAM password change attemptAWS CloudTrail
Low
Unsuccessful attempt to assume AWS root accountAWS CloudTrail
Low
Unusual AWS API calls with root account credentialsAWS CloudTrail
Low
Unusual excessive traffic requiring investigationIP
Low
User activity from unexpected ASNAWS CloudTrail
Low
User activity from unexpected countryAWS CloudTrail
Low
User invited to Atlassian organization as an administrator BetaAtlassian
Low
1Password logins from different locations in a short period Beta1Password
Informational
1Password value modification Beta1Password
Informational
AWS AMI Block Public Access disabled for an accountAWS CloudTrail
Informational
AWS API calls indicating API Gateway keys access BetaAWS CloudTrail
Informational
AWS API calls indicating Backup plan deletion BetaAWS CloudTrail
Informational
AWS API calls indicating Bedrock model invocationAWS CloudTrail
Informational
AWS API calls indicating Cost Explorer discoveryAWS CloudTrail
Informational
AWS API calls indicating EC2 subnet deletion BetaAWS CloudTrail
Informational
AWS API calls indicating ECR repository with automatic scanning disabled BetaAWS CloudTrail
Informational
AWS API calls indicating ECS cluster creationAWS CloudTrail
Informational
AWS API calls indicating Firehose delivery stream destination change BetaAWS CloudTrail
Informational
AWS API calls indicating IAM role trust policy modification failure BetaAWS CloudTrail
Informational
AWS API calls indicating IP set modificationAWS CloudTrail
Informational
AWS API calls indicating Organizations discoveryAWS CloudTrail
Informational
AWS API calls indicating RDS data destructionAWS CloudTrail
Informational
AWS API calls indicating RDS instance with disabled encryption BetaAWS CloudTrail
Informational
AWS API calls indicating Route 53 log tamperingAWS CloudTrail
Informational
AWS API calls indicating S3 ACL modificationsAWS CloudTrail
Informational
AWS API calls indicating S3 bucket encryption reset to default BetaAWS CloudTrail
Informational
AWS API calls indicating S3 data staging and exfiltrationAWS CloudTrail
Informational
AWS API calls indicating S3 delete operationsAWS CloudTrail
Informational
AWS API calls indicating S3 reconnaissanceAWS CloudTrail
Informational
AWS API calls indicating S3 write operationsAWS CloudTrail
Informational
AWS API calls indicating SAML activityAWS CloudTrail
Informational
AWS API calls indicating SES discoveryAWS CloudTrail
Informational
AWS API calls indicating STS discoveryAWS CloudTrail
Informational
AWS API calls indicating SageMaker presigned URL generation BetaAWS CloudTrail
Informational
AWS API calls indicating Secrets Manager discovery BetaAWS CloudTrail
Informational
AWS API calls indicating WAF control list modification BetaAWS CloudTrail
Informational
AWS API calls indicating WAF disassociationAWS CloudTrail
Informational
AWS API calls indicating change of IAM user passwordAWS CloudTrail
Informational
AWS API calls indicating command execution via System ManagerAWS CloudTrail
Informational
AWS API calls indicating creation of API Gateway keyAWS CloudTrail
Informational
AWS API calls indicating creation of REST APIAWS CloudTrail
Informational
AWS API calls indicating data staging and exfiltrationAWS CloudTrail
Informational
AWS API calls indicating deletion of Elastic File SystemAWS CloudTrail
Informational
AWS API calls indicating deletion of access keyAWS CloudTrail
Informational
AWS API calls indicating discovery using Tagging APIAWS CloudTrail
Informational
AWS API calls indicating disruptionAWS CloudTrail
Informational
AWS API calls indicating evasionAWS CloudTrail
Informational
AWS API calls indicating infrastructure modification using CloudFormationAWS CloudTrail
Informational
AWS API calls indicating modification of Resource Access ManagerAWS CloudTrail
Informational
AWS API calls indicating modification of config monitoringAWS CloudTrail
Informational
AWS API calls indicating new image being pushed to ECR with latest tagAWS CloudTrail
Informational
AWS API calls indicating persistenceAWS CloudTrail
Informational
AWS API calls indicating privilege escalationAWS CloudTrail
Informational
AWS API calls indicating reconnaissanceAWS CloudTrail
Informational
AWS API calls indicating resource enumerationAWS CloudTrail
Informational
AWS API calls indicating retrieval of sign-in tokenAWS CloudTrail
Informational
AWS API calls indicating unauthorized accessAWS CloudTrail
Informational
AWS API calls with root account credentialsAWS CloudTrail
Informational
AWS DataSync task initiatedAWS CloudTrail
Informational
AWS DynamoDB table restored from backupAWS CloudTrail
Informational
AWS EBS snapshot Block Public Access disabled for an accountAWS CloudTrail
Informational
AWS EC2 NAT gateway deleted BetaAWS CloudTrail
Informational
AWS EC2 Windows Adminstrator encrypted password fetch attemptAWS CloudTrail
Informational
AWS ECS cluster deleted BetaAWS CloudTrail
Informational
AWS ElastiCache security group modifiedAWS CloudTrail
Informational
AWS GuardDuty threat list modifiedAWS CloudTrail
Informational
AWS IAM default policy version setAWS CloudTrail
Informational
AWS IAM group deletedAWS CloudTrail
Informational
AWS IAM login profile createdAWS CloudTrail
Informational
AWS IAM login profile modified by a different identity than the ownerAWS CloudTrail
Informational
AWS IAM permission boundary deletedAWS CloudTrail
Informational
AWS IAM policy modifiedAWS CloudTrail
Informational
AWS IAM role can assume roles in any account BetaAWS CloudTrail
Informational
AWS IAM user created with generic nameAWS CloudTrail
Informational
AWS MFA device disabledAWS CloudTrail
Informational
AWS MFA device registeredAWS CloudTrail
Informational
AWS RDS Deletion Protection disabledAWS CloudTrail
Informational
AWS RDS instance password changedAWS CloudTrail
Informational
AWS RDS security group createdAWS CloudTrail
Informational
AWS Roles Anywhere trust anchor created with an external CAAWS CloudTrail
Informational
AWS Route 53 domain registeredAWS CloudTrail
Informational
AWS Route 53 domain transfer lock disabled for an accountAWS CloudTrail
Informational
AWS Route 53 domain transfer to an external accountAWS CloudTrail
Informational
AWS Route 53 public hosted zone createdAWS CloudTrail
Informational
AWS S3 Block Public Access disabled for a bucketAWS CloudTrail
Informational
AWS S3 Block Public Access disabled for an accountAWS CloudTrail
Informational
AWS S3 bucket configured with short retention period BetaAWS CloudTrail
Informational
AWS S3 bucket versioning suspendedAWS CloudTrail
Informational
AWS S3 server access logging disabledAWS CloudTrail
Informational
AWS S3 static website hosting enabled BetaAWS CloudTrail
Informational
AWS SES service modifiedAWS CloudTrail
Informational
AWS SSO access token createdAWS CloudTrail
Informational
AWS System Manager encrypted parameter retrievedAWS CloudTrail
Informational
AWS access key createdAWS CloudTrail
Informational
AWS account closedAWS CloudTrail
Informational
AWS account createdAWS CloudTrail
Informational
AWS account password policy changedAWS CloudTrail
Informational
AWS role assumed by an external principal with an unexpected user agentAWS CloudTrail
Informational
AWS root password recovery requestAWS CloudTrail
Informational
AWS security group modification allowing access from any IP addressAWS CloudTrail
Informational
Adversary simulation traffic to a benign destinationDNS, IP, HTTP
Informational
Anomalous GitHub repository downloadGitHub
Informational
Confluence page restrictions bypassed with an admin key BetaConfluence
Informational
Connection to an AWS EC2 instance using EC2 Instance ConnectAWS CloudTrail
Informational
Encrypted DNS traffic to a common destinationDNS, IP, HTTP
Informational
Enumeration of AWS EC2 instance startup scriptsAWS CloudTrail
Informational
GitHub Dependabot repository access changedGitHub
Informational
GitHub Dependabot vulnerability alerts disabledGitHub
Informational
GitHub Enterprise account deletedGitHub
Informational
GitHub Enterprise account owner addedGitHub
Informational
GitHub Enterprise recovery codes accessedGitHub
Informational
GitHub IP allow list modifiedGitHub
Informational
GitHub OAuth application access restrictions disabledGitHub
Informational
GitHub OAuth secret removedGitHub
Informational
GitHub Personal Access Token approval policy modifiedGitHub
Informational
GitHub SSH certificate authority createdGitHub
Informational
GitHub SSH certificate authority deletedGitHub
Informational
GitHub SSH certificate requirement disabledGitHub
Informational
GitHub SSO configuration modified for organization or Enterprise accountGitHub
Informational
GitHub account recovery codes accessedGitHub
Informational
GitHub application installedGitHub
Informational
GitHub audit log stream modifiedGitHub
Informational
GitHub branch protection policy changedGitHub
Informational
GitHub organization member updatedGitHub
Informational
GitHub organization moderators changedGitHub
Informational
GitHub organization recovery codes accessedGitHub
Informational
GitHub organization removed from an Enterprise accountGitHub
Informational
GitHub payment method removedGitHub
Informational
GitHub repository archivedGitHub
Informational
GitHub repository deletedGitHub
Informational
GitHub repository deploy key modified or createdGitHub
Informational
GitHub repository ruleset modifiedGitHub
Informational
GitHub self hosted runner registeredGitHub
Informational
GitHub team changedGitHub
Informational
GitHub user added to an organizationGitHub
Informational
GitHub user blocked from accessing an organization’s repositoriesGitHub
Informational
GitHub user invited to a repositoryGitHub
Informational
GitHub user removed from a repositoryGitHub
Informational
GitHub user removed from an organizationGitHub
Informational
GitHub user unblocked from accessing an organization’s repositoriesGitHub
Informational
GitHub webhook modifiedGitHub
Informational
IAM role attached to an AWS RDS instanceAWS CloudTrail
Informational
Kubernetes API calls by a likely malicious caller BetaKubernetes
Informational
Kubernetes API calls indicating access to secret BetaKubernetes
Informational
Kubernetes API calls indicating namespace creation BetaKubernetes
Informational
Kubernetes API calls indicating permission discovery BetaKubernetes
Informational
Kubernetes pod with host network created BetaKubernetes
Informational
Kubernetes user attached to pod BetaKubernetes
Informational
Long AWS console sessionAWS CloudTrail
Informational
Low source port for outbound trafficAWS CloudTrail
Informational
MFA disabled for Slack organizationSlack
Informational
Modification of an AWS EC2 instance startup scriptAWS CloudTrail
Informational
Multiple archived files uploaded to Slack in a short periodSlack
Informational
New Okta API token generatedOkta
Informational
Okta API calls indicating MFA modificationOkta
Informational
Okta API calls indicating application modificationOkta
Informational
Okta API calls indicating application sign on policy modificationOkta
Informational
Okta API calls indicating identity provider creationOkta
Informational
Okta API calls indicating user creationOkta
Informational
Okta API calls indicating user profile modificationOkta
Informational
Okta MFA challenge without MFA app BetaOkta
Informational
Okta MFA number challenge failedOkta
Informational
Okta privilege grantedOkta
Informational
Outbound traffic over SMB requiring investigationIP
Informational
Private Slack channel changed to publicSlack
Informational
Quarantine self applied to AWS credentialsAWS CloudTrail
Informational
Slack organization createdSlack
Informational
Slack user role changedSlack
Informational
Successful 1Password login Beta1Password
Informational
Successful AWS console loginAWS CloudTrail
Informational
Successful AWS console logins from different locations in a short periodAWS CloudTrail
Informational
Successful Okta user session created from different locations in a short periodOkta
Informational
Traffic to a destination TLD commonly associated with malwareDNS, HTTP
Informational
Traffic to a destination with a known HTTP open directoryDNS, IP, HTTP
Informational
Traffic to a link-in-bio destinationDNS, HTTP
Informational
Traffic to a user survey siteDNS, HTTP
Informational
Traffic to an unknown young domainDNS, HTTP
Informational
Unsuccessful AWS console login attemptAWS CloudTrail
Informational
Use of AWS APIs by a likely malicious callerAWS CloudTrail
Informational