# AlphaSOC Documentation

> AlphaSOC is a cloud-native threat detection and response platform that analyzes network telemetry, cloud audit logs, and identity events to surface security threats. This documentation covers platform setup, configuration, integrations, data collection, and detection capabilities.

## Documentation Files

The following markdown files are available for AI agents and LLMs:

### Overview

- /api_reference.md
- /architecture.md
- /capabilities.md
- /index.md
- /licensing.md

### ae

- /ae/on-premise-installation.md

### collecting_data

- /collecting_data/overview.md
- /collecting_data/transports/amazon_s3.md
- /collecting_data/transports/azure_blob_storage.md
- /collecting_data/transports/azure_event_hub.md
- /collecting_data/transports/coredns.md
- /collecting_data/transports/cribl.md
- /collecting_data/transports/google_cloud_storage.md
- /collecting_data/transports/https.md
- /collecting_data/transports/kafka.md
- /collecting_data/transports/s3_protocol.md
- /collecting_data/transports/sftp.md
- /collecting_data/transports/snowflake.md
- /collecting_data/transports/splunk.md

### data_origins

- /data_origins/1password.md
- /data_origins/atlassian.md
- /data_origins/aws/cloudtrail.md
- /data_origins/aws/eks.md
- /data_origins/aws/route53.md
- /data_origins/aws/vpc_flow.md
- /data_origins/azure/azure_activity.md
- /data_origins/azure/nsg_flow.md
- /data_origins/azure/vnet_flow.md
- /data_origins/carbonblack_netconn.md
- /data_origins/confluence.md
- /data_origins/coredns.md
- /data_origins/corelight.md
- /data_origins/crowdstrike_fdr.md
- /data_origins/entra_id.md
- /data_origins/gcp/audit.md
- /data_origins/gcp/cloud_dns.md
- /data_origins/gcp/gke.md
- /data_origins/gcp/security_operations.md
- /data_origins/gcp/vpc_flow.md
- /data_origins/github.md
- /data_origins/google_workspace.md
- /data_origins/jira.md
- /data_origins/kubernetes.md
- /data_origins/limacharlie.md
- /data_origins/okta.md
- /data_origins/overview.md
- /data_origins/pan.md
- /data_origins/sentinelone.md
- /data_origins/slack.md
- /data_origins/systemd_journal.md
- /data_origins/zeek.md

### detections_and_findings

- /detections_and_findings/alphasoc_detections.md
- /detections_and_findings/alphasoc_detections/1password_brute_force.md
- /detections_and_findings/alphasoc_detections/1password_login.md
- /detections_and_findings/alphasoc_detections/1password_login_anomalous_device.md
- /detections_and_findings/alphasoc_detections/1password_login_impossible_travel.md
- /detections_and_findings/alphasoc_detections/1password_login_suspicious.md
- /detections_and_findings/alphasoc_detections/1password_malicious_caller.md
- /detections_and_findings/alphasoc_detections/1password_modification.md
- /detections_and_findings/alphasoc_detections/1password_service_account_token.md
- /detections_and_findings/alphasoc_detections/1password_unexpected_action.md
- /detections_and_findings/alphasoc_detections/1password_value_exported.md
- /detections_and_findings/alphasoc_detections/adversary_simulation.md
- /detections_and_findings/alphasoc_detections/alternate_dns.md
- /detections_and_findings/alphasoc_detections/anon_circuit.md
- /detections_and_findings/alphasoc_detections/atlassian_added_organization_admin.md
- /detections_and_findings/alphasoc_detections/atlassian_admin_api_token_created.md
- /detections_and_findings/alphasoc_detections/atlassian_malicious_caller.md
- /detections_and_findings/alphasoc_detections/atlassian_user_added_to_admin_group.md
- /detections_and_findings/alphasoc_detections/atlassian_user_impersonated.md
- /detections_and_findings/alphasoc_detections/atlassian_user_invited_as_admin.md
- /detections_and_findings/alphasoc_detections/audit_unseen_asn.md
- /detections_and_findings/alphasoc_detections/audit_unseen_asn_unique.md
- /detections_and_findings/alphasoc_detections/audit_unseen_country.md
- /detections_and_findings/alphasoc_detections/audit_unseen_country_unique.md
- /detections_and_findings/alphasoc_detections/aws_access_denied.md
- /detections_and_findings/alphasoc_detections/aws_access_key_created.md
- /detections_and_findings/alphasoc_detections/aws_access_key_created_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_access_key_created_by_root.md
- /detections_and_findings/alphasoc_detections/aws_access_key_created_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_access_key_deleted.md
- /detections_and_findings/alphasoc_detections/aws_access_key_deleted_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_access_key_deleted_self.md
- /detections_and_findings/alphasoc_detections/aws_access_key_deleted_self_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_access_key_deleted_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_access_key_used_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_access_key_used_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_account_closed.md
- /detections_and_findings/alphasoc_detections/aws_account_created.md
- /detections_and_findings/alphasoc_detections/aws_account_created_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_account_left_organization.md
- /detections_and_findings/alphasoc_detections/aws_acm_ca_deleted.md
- /detections_and_findings/alphasoc_detections/aws_alb_insecure_ssl.md
- /detections_and_findings/alphasoc_detections/aws_ami_public.md
- /detections_and_findings/alphasoc_detections/aws_ami_public_block_disabled.md
- /detections_and_findings/alphasoc_detections/aws_apigateway_key_created.md
- /detections_and_findings/alphasoc_detections/aws_apigateway_key_created_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_apigateway_key_created_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_assume_role_access_denied.md
- /detections_and_findings/alphasoc_detections/aws_assume_role_external_principal.md
- /detections_and_findings/alphasoc_detections/aws_assume_role_new.md
- /detections_and_findings/alphasoc_detections/aws_assume_role_new_external.md
- /detections_and_findings/alphasoc_detections/aws_assume_role_user_agent.md
- /detections_and_findings/alphasoc_detections/aws_assume_root.md
- /detections_and_findings/alphasoc_detections/aws_assume_root_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_assume_root_failure.md
- /detections_and_findings/alphasoc_detections/aws_assume_root_failure_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_autoscaling_group_changed.md
- /detections_and_findings/alphasoc_detections/aws_autoscaling_group_changed_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_autoscaling_group_changed_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_autoscaling_large_group_launched.md
- /detections_and_findings/alphasoc_detections/aws_autoscaling_large_group_launched_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_autoscaling_large_group_launched_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_backup_plan_deleted.md
- /detections_and_findings/alphasoc_detections/aws_backup_plan_deleted_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_backup_plan_deleted_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_backup_vault_public.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_discovery.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_discovery_access_key.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_discovery_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_discovery_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_unseen.md
- /detections_and_findings/alphasoc_detections/aws_bedrock_suspicious_api.md
- /detections_and_findings/alphasoc_detections/aws_cloudformation_modify.md
- /detections_and_findings/alphasoc_detections/aws_cloudformation_modify_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_cloudformation_modify_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_cloudfront_insecure_ssl.md
- /detections_and_findings/alphasoc_detections/aws_cloudshell_file_downloaded.md
- /detections_and_findings/alphasoc_detections/aws_cloudtrail_event_selector_coverage_limited.md
- /detections_and_findings/alphasoc_detections/aws_cloudwatch_alarm_deleted.md
- /detections_and_findings/alphasoc_detections/aws_codebuild_project_public.md
- /detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine.md
- /detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine_self.md
- /detections_and_findings/alphasoc_detections/aws_config_monitoring_modified.md
- /detections_and_findings/alphasoc_detections/aws_config_monitoring_modified_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_config_monitoring_modified_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_console_login.md
- /detections_and_findings/alphasoc_detections/aws_console_login_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_console_login_ec2.md
- /detections_and_findings/alphasoc_detections/aws_console_login_failure.md
- /detections_and_findings/alphasoc_detections/aws_console_login_failure_ip.md
- /detections_and_findings/alphasoc_detections/aws_console_login_failure_user.md
- /detections_and_findings/alphasoc_detections/aws_console_login_failure_users.md
- /detections_and_findings/alphasoc_detections/aws_console_login_impossible_travel.md
- /detections_and_findings/alphasoc_detections/aws_console_login_new_country.md
- /detections_and_findings/alphasoc_detections/aws_console_login_no_mfa.md
- /detections_and_findings/alphasoc_detections/aws_console_login_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_console_long_session.md
- /detections_and_findings/alphasoc_detections/aws_cost_explorer_discovery.md
- /detections_and_findings/alphasoc_detections/aws_cost_explorer_discovery_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_cost_explorer_discovery_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_data_exfiltration.md
- /detections_and_findings/alphasoc_detections/aws_data_exfiltration_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_data_exfiltration_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_datasync_task.md
- /detections_and_findings/alphasoc_detections/aws_datasync_task_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_datasync_task_unknown.md
- /detections_and_findings/alphasoc_detections/aws_decoy_resource_accessed.md
- /detections_and_findings/alphasoc_detections/aws_delete_permission_boundary.md
- /detections_and_findings/alphasoc_detections/aws_describe_quota_multi_region.md
- /detections_and_findings/alphasoc_detections/aws_describe_quota_multi_region_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_detective_graph_deleted.md
- /detections_and_findings/alphasoc_detections/aws_disruption.md
- /detections_and_findings/alphasoc_detections/aws_disruption_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_disruption_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_dry_run.md
- /detections_and_findings/alphasoc_detections/aws_dry_run_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored.md
- /detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_ebs_encryption_disabled.md
- /detections_and_findings/alphasoc_detections/aws_ebs_snapshot_copied.md
- /detections_and_findings/alphasoc_detections/aws_ebs_snapshot_public.md
- /detections_and_findings/alphasoc_detections/aws_ebs_snapshot_public_block_disabled.md
- /detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_enumeration.md
- /detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_enumeration_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_fetch_attempt.md
- /detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_fetch_attempt_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh.md
- /detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh_volume.md
- /detections_and_findings/alphasoc_detections/aws_ec2_credential_external_location.md
- /detections_and_findings/alphasoc_detections/aws_ec2_delete_nat_gateway.md
- /detections_and_findings/alphasoc_detections/aws_ec2_describe_multi_region.md
- /detections_and_findings/alphasoc_detections/aws_ec2_describe_multi_region_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_export_task_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_export_task_unknown.md
- /detections_and_findings/alphasoc_detections/aws_ec2_iam_access.md
- /detections_and_findings/alphasoc_detections/aws_ec2_iam_access_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_launch_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_launch_multi_region.md
- /detections_and_findings/alphasoc_detections/aws_ec2_launch_multiple.md
- /detections_and_findings/alphasoc_detections/aws_ec2_launch_multiple_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_launch_new_region.md
- /detections_and_findings/alphasoc_detections/aws_ec2_launch_new_type.md
- /detections_and_findings/alphasoc_detections/aws_ec2_list_s3_buckets.md
- /detections_and_findings/alphasoc_detections/aws_ec2_multiple_actions.md
- /detections_and_findings/alphasoc_detections/aws_ec2_open_port.md
- /detections_and_findings/alphasoc_detections/aws_ec2_startup_script_enumeration.md
- /detections_and_findings/alphasoc_detections/aws_ec2_startup_script_modify.md
- /detections_and_findings/alphasoc_detections/aws_ec2_startup_script_modify_volume.md
- /detections_and_findings/alphasoc_detections/aws_ec2_subnet_deleted.md
- /detections_and_findings/alphasoc_detections/aws_ec2_subnet_deleted_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_subnet_deleted_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_ec2_termination_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ec2_wide_ports_open.md
- /detections_and_findings/alphasoc_detections/aws_ecr_automatic_registry_scanning_disabled.md
- /detections_and_findings/alphasoc_detections/aws_ecr_automatic_repository_scanning_disabled.md
- /detections_and_findings/alphasoc_detections/aws_ecr_automatic_repository_scanning_disabled_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ecr_automatic_repository_scanning_disabled_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_ecr_image_latest.md
- /detections_and_findings/alphasoc_detections/aws_ecr_image_latest_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ecr_image_latest_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_ecr_image_uploaded.md
- /detections_and_findings/alphasoc_detections/aws_ecr_public_global_write.md
- /detections_and_findings/alphasoc_detections/aws_ecr_public_image_uploaded.md
- /detections_and_findings/alphasoc_detections/aws_ecs_cluster_deleted.md
- /detections_and_findings/alphasoc_detections/aws_ecs_cluster_deleted_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ecs_create_cluster.md
- /detections_and_findings/alphasoc_detections/aws_ecs_create_cluster_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ecs_create_cluster_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_efs_deleted.md
- /detections_and_findings/alphasoc_detections/aws_efs_deleted_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_efs_deleted_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_eks_admin_access_entry.md
- /detections_and_findings/alphasoc_detections/aws_eks_admin_access_entry_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_eks_endpoint_public.md
- /detections_and_findings/alphasoc_detections/aws_eks_multicluster_privilege_escalation.md
- /detections_and_findings/alphasoc_detections/aws_eks_principal_granted_multiple_clusters.md
- /detections_and_findings/alphasoc_detections/aws_elasticache_cluster_created_unencrypted.md
- /detections_and_findings/alphasoc_detections/aws_elasticache_security_group_modified.md
- /detections_and_findings/alphasoc_detections/aws_elasticache_security_group_modified_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_elb_security_groups_modified.md
- /detections_and_findings/alphasoc_detections/aws_elb_security_groups_modified_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_elb_security_groups_modified_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_evasion.md
- /detections_and_findings/alphasoc_detections/aws_evasion_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_evasion_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_firehose_destination_changed.md
- /detections_and_findings/alphasoc_detections/aws_firehose_destination_changed_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_firehose_destination_changed_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_gateway_api_key_access.md
- /detections_and_findings/alphasoc_detections/aws_gateway_api_key_access_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_gateway_api_key_access_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_get_signin_token.md
- /detections_and_findings/alphasoc_detections/aws_get_signin_token_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_get_signin_token_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_glue_catalog_public.md
- /detections_and_findings/alphasoc_detections/aws_guardduty_destination_deleted.md
- /detections_and_findings/alphasoc_detections/aws_guardduty_disabled.md
- /detections_and_findings/alphasoc_detections/aws_guardduty_threat_list_disabled.md
- /detections_and_findings/alphasoc_detections/aws_guardduty_threat_list_modified.md
- /detections_and_findings/alphasoc_detections/aws_iac_drift.md
- /detections_and_findings/alphasoc_detections/aws_iam_access_key_wakeup.md
- /detections_and_findings/alphasoc_detections/aws_iam_analyzer_deleted.md
- /detections_and_findings/alphasoc_detections/aws_iam_entity_created.md
- /detections_and_findings/alphasoc_detections/aws_iam_group_deleted.md
- /detections_and_findings/alphasoc_detections/aws_iam_group_deleted_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_iam_group_discovery.md
- /detections_and_findings/alphasoc_detections/aws_iam_oidc_thumbprints_updated.md
- /detections_and_findings/alphasoc_detections/aws_iam_oidc_thumbprints_updated_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_iam_oidc_thumbprints_updated_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_iam_password_change_failure.md
- /detections_and_findings/alphasoc_detections/aws_iam_policy_any_resource.md
- /detections_and_findings/alphasoc_detections/aws_iam_policy_any_resource_suspicious_statement.md
- /detections_and_findings/alphasoc_detections/aws_iam_policy_broad_pass_role.md
- /detections_and_findings/alphasoc_detections/aws_iam_policy_modified.md
- /detections_and_findings/alphasoc_detections/aws_iam_policy_modified_permissive.md
- /detections_and_findings/alphasoc_detections/aws_iam_policy_role_external_principal.md
- /detections_and_findings/alphasoc_detections/aws_iam_policy_role_public.md
- /detections_and_findings/alphasoc_detections/aws_iam_role_wakeup.md
- /detections_and_findings/alphasoc_detections/aws_iam_role_wakeup_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_iam_trust_policy_oidc_misconfigured.md
- /detections_and_findings/alphasoc_detections/aws_iam_update_trust_policy_failed.md
- /detections_and_findings/alphasoc_detections/aws_iam_update_trust_policy_failed_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_iam_update_trust_policy_failed_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_iam_user_created_with_admin_policy.md
- /detections_and_findings/alphasoc_detections/aws_iam_user_created_with_key.md
- /detections_and_findings/alphasoc_detections/aws_iam_user_generic_name.md
- /detections_and_findings/alphasoc_detections/aws_iam_user_generic_name_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_iam_user_generic_name_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_iam_user_profile_no_reset.md
- /detections_and_findings/alphasoc_detections/aws_iam_user_wakeup.md
- /detections_and_findings/alphasoc_detections/aws_iam_users_deleted.md
- /detections_and_findings/alphasoc_detections/aws_identity_added_to_admin_group.md
- /detections_and_findings/alphasoc_detections/aws_ip_transfer_unknown.md
- /detections_and_findings/alphasoc_detections/aws_ipset_modified.md
- /detections_and_findings/alphasoc_detections/aws_ipset_modified_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ipset_modified_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_kms_key_created_with_bypass.md
- /detections_and_findings/alphasoc_detections/aws_kms_key_disruption.md
- /detections_and_findings/alphasoc_detections/aws_kms_key_public.md
- /detections_and_findings/alphasoc_detections/aws_lambda_layer_version_public.md
- /detections_and_findings/alphasoc_detections/aws_lambda_modified.md
- /detections_and_findings/alphasoc_detections/aws_lambda_public.md
- /detections_and_findings/alphasoc_detections/aws_lightsail_launch.md
- /detections_and_findings/alphasoc_detections/aws_logging_evasion.md
- /detections_and_findings/alphasoc_detections/aws_logging_evasion_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_logging_evasion_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_login_profile_created.md
- /detections_and_findings/alphasoc_detections/aws_login_profile_created_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_login_profile_modified.md
- /detections_and_findings/alphasoc_detections/aws_login_profile_modified_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_macie_evasion.md
- /detections_and_findings/alphasoc_detections/aws_malicious_caller.md
- /detections_and_findings/alphasoc_detections/aws_malicious_caller_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_malicious_caller_likely.md
- /detections_and_findings/alphasoc_detections/aws_mass_mailer_script_setup.md
- /detections_and_findings/alphasoc_detections/aws_mfa_disabled.md
- /detections_and_findings/alphasoc_detections/aws_mfa_disabled_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_mfa_registered.md
- /detections_and_findings/alphasoc_detections/aws_mfa_registered_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_opensearch_domain_public.md
- /detections_and_findings/alphasoc_detections/aws_opensearch_insufficient_encryption.md
- /detections_and_findings/alphasoc_detections/aws_organization_discovery.md
- /detections_and_findings/alphasoc_detections/aws_organization_discovery_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_organization_discovery_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_organization_invite_sent.md
- /detections_and_findings/alphasoc_detections/aws_password_changed.md
- /detections_and_findings/alphasoc_detections/aws_password_changed_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_password_changed_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_password_policy_change.md
- /detections_and_findings/alphasoc_detections/aws_password_policy_change_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_password_policy_change_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_password_policy_delete.md
- /detections_and_findings/alphasoc_detections/aws_persistence.md
- /detections_and_findings/alphasoc_detections/aws_persistence_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_persistence_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_policy_accidental_allow.md
- /detections_and_findings/alphasoc_detections/aws_policy_accidental_broad.md
- /detections_and_findings/alphasoc_detections/aws_policy_accidental_write.md
- /detections_and_findings/alphasoc_detections/aws_policy_any_action.md
- /detections_and_findings/alphasoc_detections/aws_policy_any_action_suspicious_statement.md
- /detections_and_findings/alphasoc_detections/aws_policy_template.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_cloudformation.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_datapipeline.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_dynamodb.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_ec2.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_glue.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_iam.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_kms.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_lambda.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_s3.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_ssm.md
- /detections_and_findings/alphasoc_detections/aws_privilege_escalation_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_quota_increase_request.md
- /detections_and_findings/alphasoc_detections/aws_ram_modified.md
- /detections_and_findings/alphasoc_detections/aws_ram_modified_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ram_modified_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_rds_attach_role.md
- /detections_and_findings/alphasoc_detections/aws_rds_attach_role_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_deletion_protection_disabled.md
- /detections_and_findings/alphasoc_detections/aws_rds_deletion_protection_disabled_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_destruction.md
- /detections_and_findings/alphasoc_detections/aws_rds_destruction_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_destruction_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_rds_export_task_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_export_task_unknown.md
- /detections_and_findings/alphasoc_detections/aws_rds_instance_public.md
- /detections_and_findings/alphasoc_detections/aws_rds_instance_unencrypted.md
- /detections_and_findings/alphasoc_detections/aws_rds_instance_unencrypted_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_instance_unencrypted_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_rds_password_changed.md
- /detections_and_findings/alphasoc_detections/aws_rds_password_changed_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_security_group.md
- /detections_and_findings/alphasoc_detections/aws_rds_security_group_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_snapshot_copied.md
- /detections_and_findings/alphasoc_detections/aws_rds_snapshot_created.md
- /detections_and_findings/alphasoc_detections/aws_rds_snapshot_created_public.md
- /detections_and_findings/alphasoc_detections/aws_rds_snapshot_created_public_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_rds_snapshot_public.md
- /detections_and_findings/alphasoc_detections/aws_rebinding.md
- /detections_and_findings/alphasoc_detections/aws_reconnaissance.md
- /detections_and_findings/alphasoc_detections/aws_reconnaissance_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_reconnaissance_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_redshift_cluster_public.md
- /detections_and_findings/alphasoc_detections/aws_redshift_encryption_disabled.md
- /detections_and_findings/alphasoc_detections/aws_region_toggled.md
- /detections_and_findings/alphasoc_detections/aws_resource_explorer_enumeration.md
- /detections_and_findings/alphasoc_detections/aws_resource_explorer_enumeration_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_resource_explorer_enumeration_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_restapi_created.md
- /detections_and_findings/alphasoc_detections/aws_restapi_created_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_restapi_created_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_rolesanywhere_profile_created.md
- /detections_and_findings/alphasoc_detections/aws_rolesanywhere_trust_external_ca.md
- /detections_and_findings/alphasoc_detections/aws_root_access.md
- /detections_and_findings/alphasoc_detections/aws_root_access_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_root_access_key.md
- /detections_and_findings/alphasoc_detections/aws_root_access_key_created.md
- /detections_and_findings/alphasoc_detections/aws_root_access_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_root_access_unusual.md
- /detections_and_findings/alphasoc_detections/aws_root_password_recovery.md
- /detections_and_findings/alphasoc_detections/aws_root_password_recovery_unknown_asn.md
- /detections_and_findings/alphasoc_detections/aws_root_password_recovery_volume.md
- /detections_and_findings/alphasoc_detections/aws_route53_associated_vpc.md
- /detections_and_findings/alphasoc_detections/aws_route53_domain_registered.md
- /detections_and_findings/alphasoc_detections/aws_route53_domain_registered_volume.md
- /detections_and_findings/alphasoc_detections/aws_route53_domain_transfer.md
- /detections_and_findings/alphasoc_detections/aws_route53_domain_transfer_unknown.md
- /detections_and_findings/alphasoc_detections/aws_route53_evasion.md
- /detections_and_findings/alphasoc_detections/aws_route53_evasion_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_route53_evasion_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_route53_public_zone_created.md
- /detections_and_findings/alphasoc_detections/aws_route53_public_zone_created_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_route53_transfer_lock_disabled.md
- /detections_and_findings/alphasoc_detections/aws_s3_access_denied.md
- /detections_and_findings/alphasoc_detections/aws_s3_access_point_public.md
- /detections_and_findings/alphasoc_detections/aws_s3_account_public_block_disabled.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_delete_spike.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_lifecycle_disabled.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_mfa_delete_disabled.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_policy_external_account.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_public.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_public_accidental.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_public_block_disabled.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_public_suspicious_statement.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_replication_unknown.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_versioning_suspended.md
- /detections_and_findings/alphasoc_detections/aws_s3_bucket_versioning_suspended_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_buckets_discovery.md
- /detections_and_findings/alphasoc_detections/aws_s3_buckets_discovery_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_s3_delete.md
- /detections_and_findings/alphasoc_detections/aws_s3_delete_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_delete_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_s3_encryption_reset.md
- /detections_and_findings/alphasoc_detections/aws_s3_encryption_reset_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_encryption_reset_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_s3_exfiltration.md
- /detections_and_findings/alphasoc_detections/aws_s3_exfiltration_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_exfiltration_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_s3_external_kms_bucket_encryption.md
- /detections_and_findings/alphasoc_detections/aws_s3_external_kms_encryption.md
- /detections_and_findings/alphasoc_detections/aws_s3_logging_disabled.md
- /detections_and_findings/alphasoc_detections/aws_s3_modify_acl.md
- /detections_and_findings/alphasoc_detections/aws_s3_modify_acl_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_modify_acl_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_s3_ransom_note_uploaded.md
- /detections_and_findings/alphasoc_detections/aws_s3_reconnaissance.md
- /detections_and_findings/alphasoc_detections/aws_s3_reconnaissance_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_reconnaissance_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period.md
- /detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_s3_static_website.md
- /detections_and_findings/alphasoc_detections/aws_s3_unauthenticated.md
- /detections_and_findings/alphasoc_detections/aws_s3_unencrypted.md
- /detections_and_findings/alphasoc_detections/aws_s3_write.md
- /detections_and_findings/alphasoc_detections/aws_s3_write_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_s3_write_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_sagemaker_domain_public.md
- /detections_and_findings/alphasoc_detections/aws_sagemaker_presigned_url.md
- /detections_and_findings/alphasoc_detections/aws_sagemaker_presigned_url_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_sagemaker_presigned_url_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_saml_activity.md
- /detections_and_findings/alphasoc_detections/aws_saml_activity_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_saml_activity_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_secretsmanager_cloudshell_read.md
- /detections_and_findings/alphasoc_detections/aws_secretsmanager_discovery.md
- /detections_and_findings/alphasoc_detections/aws_secretsmanager_discovery_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_secretsmanager_discovery_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_security_hub_disabled.md
- /detections_and_findings/alphasoc_detections/aws_security_hub_finding_evasion.md
- /detections_and_findings/alphasoc_detections/aws_ses_discovery.md
- /detections_and_findings/alphasoc_detections/aws_ses_discovery_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ses_discovery_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_ses_get_account.md
- /detections_and_findings/alphasoc_detections/aws_ses_identities_discovery_via_access_key.md
- /detections_and_findings/alphasoc_detections/aws_ses_identity_deleted.md
- /detections_and_findings/alphasoc_detections/aws_ses_modified.md
- /detections_and_findings/alphasoc_detections/aws_ses_production_access_granted.md
- /detections_and_findings/alphasoc_detections/aws_set_default_policy_version.md
- /detections_and_findings/alphasoc_detections/aws_set_default_policy_version_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_sns_topic_public.md
- /detections_and_findings/alphasoc_detections/aws_sqs_queue_public.md
- /detections_and_findings/alphasoc_detections/aws_ssm_association_all_instances.md
- /detections_and_findings/alphasoc_detections/aws_ssm_command_output_external_bucket.md
- /detections_and_findings/alphasoc_detections/aws_ssm_decrypt_parameter.md
- /detections_and_findings/alphasoc_detections/aws_ssm_decrypt_parameter_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ssm_document_public.md
- /detections_and_findings/alphasoc_detections/aws_ssm_send_command.md
- /detections_and_findings/alphasoc_detections/aws_ssm_send_command_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ssm_send_command_multiple_instances.md
- /detections_and_findings/alphasoc_detections/aws_ssm_send_command_multiple_instances_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_ssm_send_command_multiple_instances_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_ssm_send_command_suspicious.md
- /detections_and_findings/alphasoc_detections/aws_sso_access_token_created.md
- /detections_and_findings/alphasoc_detections/aws_sso_access_token_created_anomaly.md
- /detections_and_findings/alphasoc_detections/aws_sso_access_token_created_suspicious.md
-
/detections_and_findings/alphasoc_detections/aws_sts_consoler.md - /detections_and_findings/alphasoc_detections/aws_sts_discovery.md - /detections_and_findings/alphasoc_detections/aws_sts_discovery_anomaly.md - /detections_and_findings/alphasoc_detections/aws_sts_discovery_suspicious.md - /detections_and_findings/alphasoc_detections/aws_sts_discovery_truffle_hog.md - /detections_and_findings/alphasoc_detections/aws_sts_get_federation_token_any_action.md - /detections_and_findings/alphasoc_detections/aws_sts_get_federation_token_any_resource.md - /detections_and_findings/alphasoc_detections/aws_tagging_discovery.md - /detections_and_findings/alphasoc_detections/aws_tagging_discovery_anomaly.md - /detections_and_findings/alphasoc_detections/aws_tagging_discovery_suspicious.md - /detections_and_findings/alphasoc_detections/aws_unauthorized_access.md - /detections_and_findings/alphasoc_detections/aws_unauthorized_access_anomaly.md - /detections_and_findings/alphasoc_detections/aws_unauthorized_access_suspicious.md - /detections_and_findings/alphasoc_detections/aws_vpc_peering_unknown.md - /detections_and_findings/alphasoc_detections/aws_waf_control_list_modified.md - /detections_and_findings/alphasoc_detections/aws_waf_control_list_modified_anomaly.md - /detections_and_findings/alphasoc_detections/aws_waf_control_list_modified_suspicious.md - /detections_and_findings/alphasoc_detections/aws_waf_disassociation.md - /detections_and_findings/alphasoc_detections/aws_waf_disassociation_anomaly.md - /detections_and_findings/alphasoc_detections/aws_waf_disassociation_suspicious.md - /detections_and_findings/alphasoc_detections/aws_workmail_export.md - /detections_and_findings/alphasoc_detections/aws_workmail_export_public.md - /detections_and_findings/alphasoc_detections/azure_aks_cluster_deleted.md - /detections_and_findings/alphasoc_detections/azure_aks_cluster_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_aks_cluster_modification.md - 
/detections_and_findings/alphasoc_detections/azure_aks_cluster_modification_anomaly.md - /detections_and_findings/alphasoc_detections/azure_aks_credential_access.md - /detections_and_findings/alphasoc_detections/azure_aks_credential_access_anomaly.md - /detections_and_findings/alphasoc_detections/azure_aks_credential_enumeration.md - /detections_and_findings/alphasoc_detections/azure_aks_node_pool_modification.md - /detections_and_findings/alphasoc_detections/azure_aks_node_pool_modification_anomaly.md - /detections_and_findings/alphasoc_detections/azure_aks_run_command_execution.md - /detections_and_findings/alphasoc_detections/azure_automation_account_created.md - /detections_and_findings/alphasoc_detections/azure_automation_account_deleted.md - /detections_and_findings/alphasoc_detections/azure_automation_account_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_automation_runbook_created.md - /detections_and_findings/alphasoc_detections/azure_automation_runbook_deleted.md - /detections_and_findings/alphasoc_detections/azure_automation_runbook_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_automation_runbook_modified.md - /detections_and_findings/alphasoc_detections/azure_automation_runbook_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_automation_webhook_created.md - /detections_and_findings/alphasoc_detections/azure_backup_vault_deleted.md - /detections_and_findings/alphasoc_detections/azure_backup_vault_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_backup_vault_modified.md - /detections_and_findings/alphasoc_detections/azure_backup_vault_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_bastion_modified.md - /detections_and_findings/alphasoc_detections/azure_bastion_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_blob_container_modified.md - 
/detections_and_findings/alphasoc_detections/azure_blob_container_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_blob_soft_delete_disabled.md - /detections_and_findings/alphasoc_detections/azure_blob_versioning_disabled.md - /detections_and_findings/alphasoc_detections/azure_compute_restore_point_deleted.md - /detections_and_findings/alphasoc_detections/azure_compute_restore_point_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_compute_snapshot_deleted.md - /detections_and_findings/alphasoc_detections/azure_compute_snapshot_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_container_command_run.md - /detections_and_findings/alphasoc_detections/azure_container_service_provider_registration.md - /detections_and_findings/alphasoc_detections/azure_cosmosdb_connection_strings_viewed.md - /detections_and_findings/alphasoc_detections/azure_cosmosdb_connection_strings_viewed_anomaly.md - /detections_and_findings/alphasoc_detections/azure_cosmosdb_keys_viewed.md - /detections_and_findings/alphasoc_detections/azure_cosmosdb_keys_viewed_anomaly.md - /detections_and_findings/alphasoc_detections/azure_diagnostic_setting_deleted.md - /detections_and_findings/alphasoc_detections/azure_disk_snapshot_export_uri.md - /detections_and_findings/alphasoc_detections/azure_event_hub_authorization_rule_modified.md - /detections_and_findings/alphasoc_detections/azure_event_hub_authorization_rule_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_event_hub_deleted.md - /detections_and_findings/alphasoc_detections/azure_event_hub_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_flow_logs_deleted.md - /detections_and_findings/alphasoc_detections/azure_flow_logs_short_retention.md - /detections_and_findings/alphasoc_detections/azure_front_door_waf_policy_deleted.md - /detections_and_findings/alphasoc_detections/azure_key_vault_access_policy_modification.md - 
/detections_and_findings/alphasoc_detections/azure_key_vault_access_policy_modification_anomaly.md - /detections_and_findings/alphasoc_detections/azure_key_vault_deleted.md - /detections_and_findings/alphasoc_detections/azure_key_vault_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_key_vault_modified.md - /detections_and_findings/alphasoc_detections/azure_key_vault_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_log_alert_impaired.md - /detections_and_findings/alphasoc_detections/azure_log_alert_impaired_anomaly.md - /detections_and_findings/alphasoc_detections/azure_malicious_caller.md - /detections_and_findings/alphasoc_detections/azure_ml_workspace_modification.md - /detections_and_findings/alphasoc_detections/azure_ml_workspace_modification_anomaly.md - /detections_and_findings/alphasoc_detections/azure_mysql_database_modified.md - /detections_and_findings/alphasoc_detections/azure_mysql_database_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_mysql_firewall_modified.md - /detections_and_findings/alphasoc_detections/azure_mysql_firewall_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_mysql_firewall_public.md - /detections_and_findings/alphasoc_detections/azure_network_packet_capture_created.md - /detections_and_findings/alphasoc_detections/azure_network_watcher_deleted.md - /detections_and_findings/alphasoc_detections/azure_network_watcher_updated.md - /detections_and_findings/alphasoc_detections/azure_notebook_proxy_modification.md - /detections_and_findings/alphasoc_detections/azure_notebook_proxy_modification_anomaly.md - /detections_and_findings/alphasoc_detections/azure_nsg_deleted.md - /detections_and_findings/alphasoc_detections/azure_nsg_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_nsg_modified.md - /detections_and_findings/alphasoc_detections/azure_nsg_modified_anomaly.md - 
/detections_and_findings/alphasoc_detections/azure_nsg_public.md - /detections_and_findings/alphasoc_detections/azure_postgresql_database_modified.md - /detections_and_findings/alphasoc_detections/azure_postgresql_database_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_postgresql_firewall_modified.md - /detections_and_findings/alphasoc_detections/azure_postgresql_firewall_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_postgresql_firewall_public.md - /detections_and_findings/alphasoc_detections/azure_postgresql_logging_config_changed.md - /detections_and_findings/alphasoc_detections/azure_postgresql_logging_config_changed_anomaly.md - /detections_and_findings/alphasoc_detections/azure_postgresql_security_config_changed.md - /detections_and_findings/alphasoc_detections/azure_postgresql_security_config_changed_anomaly.md - /detections_and_findings/alphasoc_detections/azure_postgresql_service_access_modified.md - /detections_and_findings/alphasoc_detections/azure_private_dns_zone_linked.md - /detections_and_findings/alphasoc_detections/azure_private_dns_zone_linked_anomaly.md - /detections_and_findings/alphasoc_detections/azure_resource_group_deleted.md - /detections_and_findings/alphasoc_detections/azure_resource_group_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_resource_group_mass_deletion.md - /detections_and_findings/alphasoc_detections/azure_security_contact_modified.md - /detections_and_findings/alphasoc_detections/azure_security_contact_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_sql_server_audit_settings_modified.md - /detections_and_findings/alphasoc_detections/azure_sql_server_audit_settings_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_sql_server_modified.md - /detections_and_findings/alphasoc_detections/azure_sql_server_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_storage_account_deleted.md - 
/detections_and_findings/alphasoc_detections/azure_storage_account_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_storage_account_enumeration.md - /detections_and_findings/alphasoc_detections/azure_storage_account_modified.md - /detections_and_findings/alphasoc_detections/azure_storage_account_modified_anomaly.md - /detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned.md - /detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_anomaly.md - /detections_and_findings/alphasoc_detections/azure_storage_allow_public_blobs.md - /detections_and_findings/alphasoc_detections/azure_storage_cross_tenant_replication.md - /detections_and_findings/alphasoc_detections/azure_storage_keys_accessed.md - /detections_and_findings/alphasoc_detections/azure_storage_keys_accessed_anomaly.md - /detections_and_findings/alphasoc_detections/azure_storage_network_public.md - /detections_and_findings/alphasoc_detections/azure_storage_secure_rest_disabled.md - /detections_and_findings/alphasoc_detections/azure_storage_shared_key_access_enabled.md - /detections_and_findings/alphasoc_detections/azure_storage_weak_tls.md - /detections_and_findings/alphasoc_detections/azure_vm_command_run.md - /detections_and_findings/alphasoc_detections/azure_waf_policy_deleted.md - /detections_and_findings/alphasoc_detections/azure_waf_policy_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/azure_waf_policy_disabled.md - /detections_and_findings/alphasoc_detections/azure_waf_policy_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/azure_webapp_config_modified.md - /detections_and_findings/alphasoc_detections/azure_webapp_config_modified_anomaly.md - /detections_and_findings/alphasoc_detections/bad_dynamic_dns.md - /detections_and_findings/alphasoc_detections/bad_irc_traffic.md - /detections_and_findings/alphasoc_detections/bad_tld.md - /detections_and_findings/alphasoc_detections/bad_tunnel.md - 
/detections_and_findings/alphasoc_detections/blocklist.md - /detections_and_findings/alphasoc_detections/c2_communication.md - /detections_and_findings/alphasoc_detections/capture.md - /detections_and_findings/alphasoc_detections/cleartext_protocol.md - /detections_and_findings/alphasoc_detections/confluence_admin_key_bypass.md - /detections_and_findings/alphasoc_detections/confluence_global_setting_modified.md - /detections_and_findings/alphasoc_detections/confluence_public_link.md - /detections_and_findings/alphasoc_detections/confluence_site_export.md - /detections_and_findings/alphasoc_detections/confluence_space_export.md - /detections_and_findings/alphasoc_detections/cryptomining.md - /detections_and_findings/alphasoc_detections/dga_volume.md - /detections_and_findings/alphasoc_detections/dns_misconfiguration.md - /detections_and_findings/alphasoc_detections/dos_outbound.md - /detections_and_findings/alphasoc_detections/encrypted_dns.md - /detections_and_findings/alphasoc_detections/encrypted_dns_common.md - /detections_and_findings/alphasoc_detections/encrypted_dns_suspicious.md - /detections_and_findings/alphasoc_detections/encrypted_dns_volume.md - /detections_and_findings/alphasoc_detections/entra_role_assignment.md - /detections_and_findings/alphasoc_detections/entra_role_assignment_anomaly.md - /detections_and_findings/alphasoc_detections/entra_role_assignment_suspicious.md - /detections_and_findings/alphasoc_detections/entra_signin_anomaly.md - /detections_and_findings/alphasoc_detections/entra_signin_brute_force.md - /detections_and_findings/alphasoc_detections/entra_signin_impossible_travel.md - /detections_and_findings/alphasoc_detections/entra_signin_new_country.md - /detections_and_findings/alphasoc_detections/entra_signin_success.md - /detections_and_findings/alphasoc_detections/entra_signin_success_no_mfa.md - /detections_and_findings/alphasoc_detections/entra_signin_suspicious.md - 
/detections_and_findings/alphasoc_detections/excessive_dns_failures.md - /detections_and_findings/alphasoc_detections/excessive_http_failures.md - /detections_and_findings/alphasoc_detections/excessive_http_failures_bad.md - /detections_and_findings/alphasoc_detections/excessive_http_failures_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_access_denied.md - /detections_and_findings/alphasoc_detections/gcp_api_key_created.md - /detections_and_findings/alphasoc_detections/gcp_api_key_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_api_key_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_bigquery_dataset_public.md - /detections_and_findings/alphasoc_detections/gcp_bigquery_exfiltration.md - /detections_and_findings/alphasoc_detections/gcp_cloud_run_service_created.md - /detections_and_findings/alphasoc_detections/gcp_cloud_run_service_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_cloud_run_service_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_cloud_run_service_modified.md - /detections_and_findings/alphasoc_detections/gcp_cloud_run_service_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_cloud_run_service_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_automatic_backup_disabled.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_automatic_backup_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_automatic_backup_disabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_exported.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_exported_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_exported_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_modified.md - 
/detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_postgres_suspicious_parameters.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_public.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_server_suspicious_parameters.md - /detections_and_findings/alphasoc_detections/gcp_cloud_sql_ssl_disabled.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_external_ip_assigned.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_external_ip_assigned_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_external_ip_assigned_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_gpu_instance_created.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_gpu_instance_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_gpu_instance_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_iam_policy_modified.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_iam_policy_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_iam_policy_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_multiple_instances_created.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_multiple_instances_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_serial_port_enabled.md - 
/detections_and_findings/alphasoc_detections/gcp_compute_engine_serial_port_enabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_serial_port_enabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_shield_config_disabled.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_shield_config_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_shield_config_disabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_snapshot_created.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_snapshot_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_snapshot_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_startup_script_modified.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_startup_script_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_compute_engine_startup_script_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_dns_logs_disabled.md - /detections_and_findings/alphasoc_detections/gcp_dns_logs_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_dns_logs_disabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_dns_zone_modified.md - /detections_and_findings/alphasoc_detections/gcp_dns_zone_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_dns_zone_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_firewall_modified.md - /detections_and_findings/alphasoc_detections/gcp_firewall_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_firewall_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_flow_logs_disabled.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_deleted.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_deleted_anomaly.md - 
/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_iam_modified.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_iam_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_iam_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_permissions_modified.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_permissions_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_permissions_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_gcs_bucket_public.md - /detections_and_findings/alphasoc_detections/gcp_gcs_fine_grained_control_enabled.md - /detections_and_findings/alphasoc_detections/gcp_gke_auto_upgrade_disabled.md - /detections_and_findings/alphasoc_detections/gcp_gke_control_plane_public.md - /detections_and_findings/alphasoc_detections/gcp_gke_intranode_visibility_disabled.md - /detections_and_findings/alphasoc_detections/gcp_gke_intranode_visibility_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_gke_intranode_visibility_disabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_gke_logging_disabled.md - /detections_and_findings/alphasoc_detections/gcp_gke_logging_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_gke_logging_disabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_gke_metrics_disabled.md - /detections_and_findings/alphasoc_detections/gcp_gke_metrics_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_gke_metrics_disabled_suspicious.md - 
/detections_and_findings/alphasoc_detections/gcp_iam_custom_role_created.md - /detections_and_findings/alphasoc_detections/gcp_iam_custom_role_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_iam_custom_role_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_iam_role_deleted.md - /detections_and_findings/alphasoc_detections/gcp_iam_role_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_iam_role_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_iam_role_modified.md - /detections_and_findings/alphasoc_detections/gcp_iam_role_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_iam_role_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created.md - /detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_iam_workforce_pool_modified.md - /detections_and_findings/alphasoc_detections/gcp_image_created.md - /detections_and_findings/alphasoc_detections/gcp_image_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_image_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified.md - /detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_kms_key_disabled.md - /detections_and_findings/alphasoc_detections/gcp_kms_key_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_kms_key_disabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_kms_key_iam_modified.md - /detections_and_findings/alphasoc_detections/gcp_kms_key_iam_modified_anomaly.md - 
/detections_and_findings/alphasoc_detections/gcp_kms_key_iam_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_kms_key_without_rotation.md - /detections_and_findings/alphasoc_detections/gcp_log_deleted.md - /detections_and_findings/alphasoc_detections/gcp_log_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_log_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_logging_bucket_deleted.md - /detections_and_findings/alphasoc_detections/gcp_logging_bucket_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_logging_bucket_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_logging_sink_deleted.md - /detections_and_findings/alphasoc_detections/gcp_logging_sink_modified.md - /detections_and_findings/alphasoc_detections/gcp_monitoring_policy_impaired.md - /detections_and_findings/alphasoc_detections/gcp_monitoring_policy_modified.md - /detections_and_findings/alphasoc_detections/gcp_monitoring_policy_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_monitoring_policy_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_network_security_firewall_public_egress.md - /detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified.md - /detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_project_wide_ssh_block_removed.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_created.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_deleted.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_deleted_anomaly.md - 
/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_modified.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_modified_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_topic_created.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_topic_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_topic_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_topic_deleted.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_topic_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_pubsub_topic_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_service_account_created.md - /detections_and_findings/alphasoc_detections/gcp_service_account_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_service_account_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_service_account_deleted.md - /detections_and_findings/alphasoc_detections/gcp_service_account_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_service_account_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_service_account_disabled.md - /detections_and_findings/alphasoc_detections/gcp_service_account_disabled_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_service_account_disabled_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_vpc_network_created.md - /detections_and_findings/alphasoc_detections/gcp_vpc_network_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_vpc_network_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_vpc_network_deleted.md - 
/detections_and_findings/alphasoc_detections/gcp_vpc_network_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_vpc_network_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_vpc_route_created.md - /detections_and_findings/alphasoc_detections/gcp_vpc_route_created_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_vpc_route_created_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_vpc_route_deleted.md - /detections_and_findings/alphasoc_detections/gcp_vpc_route_deleted_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_vpc_route_deleted_suspicious.md - /detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified.md - /detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified_anomaly.md - /detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified_suspicious.md - /detections_and_findings/alphasoc_detections/github_advanced_security_modification.md - /detections_and_findings/alphasoc_detections/github_anomalous_bot_activity.md - /detections_and_findings/alphasoc_detections/github_app_restrictions_disabled.md - /detections_and_findings/alphasoc_detections/github_application_installed.md - /detections_and_findings/alphasoc_detections/github_audit_log_stream_disabled.md - /detections_and_findings/alphasoc_detections/github_audit_log_stream_modified.md - /detections_and_findings/alphasoc_detections/github_branch_protection_bypassed.md - /detections_and_findings/alphasoc_detections/github_branch_protection_policy_changed.md - /detections_and_findings/alphasoc_detections/github_dependabot_repository_access_changed.md - /detections_and_findings/alphasoc_detections/github_enterprise_deleted.md - /detections_and_findings/alphasoc_detections/github_enterprise_owner_added.md - /detections_and_findings/alphasoc_detections/github_enterprise_recovery_codes.md - /detections_and_findings/alphasoc_detections/github_ip_allow_list_modified.md - 
/detections_and_findings/alphasoc_detections/github_malicious_caller.md - /detections_and_findings/alphasoc_detections/github_mass_pushes.md - /detections_and_findings/alphasoc_detections/github_mfa_disabled.md - /detections_and_findings/alphasoc_detections/github_oauth_secret_removed.md - /detections_and_findings/alphasoc_detections/github_oauth_token_anomaly.md - /detections_and_findings/alphasoc_detections/github_organization_member_updated.md - /detections_and_findings/alphasoc_detections/github_organization_moderators_changed.md - /detections_and_findings/alphasoc_detections/github_organization_recovery_codes.md - /detections_and_findings/alphasoc_detections/github_organization_removed_from_enterprise.md - /detections_and_findings/alphasoc_detections/github_organization_transferred.md - /detections_and_findings/alphasoc_detections/github_payment_method_removed.md - /detections_and_findings/alphasoc_detections/github_public_repo_created.md - /detections_and_findings/alphasoc_detections/github_recovery_codes_accessed.md - /detections_and_findings/alphasoc_detections/github_register_self_hosted_runner.md - /detections_and_findings/alphasoc_detections/github_repo_download_anomaly.md - /detections_and_findings/alphasoc_detections/github_repos_exfiltration.md - /detections_and_findings/alphasoc_detections/github_repos_exfiltration_with_pat.md - /detections_and_findings/alphasoc_detections/github_repository_archived.md - /detections_and_findings/alphasoc_detections/github_repository_branch_protection_disabled.md - /detections_and_findings/alphasoc_detections/github_repository_deleted.md - /detections_and_findings/alphasoc_detections/github_repository_deploy_key_changed.md - /detections_and_findings/alphasoc_detections/github_repository_made_public.md - /detections_and_findings/alphasoc_detections/github_repository_ruleset_modified.md - /detections_and_findings/alphasoc_detections/github_repository_transferred.md - 
/detections_and_findings/alphasoc_detections/github_secret_scanning_alert.md - /detections_and_findings/alphasoc_detections/github_secret_scanning_disabled.md - /detections_and_findings/alphasoc_detections/github_ssh_certificate_authority_created.md - /detections_and_findings/alphasoc_detections/github_ssh_certificate_authority_deleted.md - /detections_and_findings/alphasoc_detections/github_ssh_certificate_requirement_disabled.md - /detections_and_findings/alphasoc_detections/github_ssh_key_added_by_suspicious_ip.md - /detections_and_findings/alphasoc_detections/github_sso_configuration_modified.md - /detections_and_findings/alphasoc_detections/github_team_changed.md - /detections_and_findings/alphasoc_detections/github_token_auto_approve_policy_modified.md - /detections_and_findings/alphasoc_detections/github_unknown_user_repo_clone.md - /detections_and_findings/alphasoc_detections/github_user_added_to_org.md - /detections_and_findings/alphasoc_detections/github_user_added_to_repository.md - /detections_and_findings/alphasoc_detections/github_user_blocked.md - /detections_and_findings/alphasoc_detections/github_user_removed_from_org.md - /detections_and_findings/alphasoc_detections/github_user_removed_from_repository.md - /detections_and_findings/alphasoc_detections/github_user_unblocked.md - /detections_and_findings/alphasoc_detections/github_vulnerability_alerts_disabled.md - /detections_and_findings/alphasoc_detections/github_webhook_modified.md - /detections_and_findings/alphasoc_detections/google_calendar_shared_externally.md - /detections_and_findings/alphasoc_detections/google_drive_document_public.md - /detections_and_findings/alphasoc_detections/google_drive_document_shared_externally.md - /detections_and_findings/alphasoc_detections/google_workspace_account_disabled.md - /detections_and_findings/alphasoc_detections/google_workspace_account_hijacked.md - /detections_and_findings/alphasoc_detections/google_workspace_external_email_forwarding.md - 
/detections_and_findings/alphasoc_detections/google_workspace_mobile_app_whitelisted.md - /detections_and_findings/alphasoc_detections/google_workspace_password_leaked.md - /detections_and_findings/alphasoc_detections/google_workspace_password_reuse_enabled.md - /detections_and_findings/alphasoc_detections/google_workspace_strong_password_enforcement_disabled.md - /detections_and_findings/alphasoc_detections/google_workspace_suspicious_login.md - /detections_and_findings/alphasoc_detections/high_volume_ftp.md - /detections_and_findings/alphasoc_detections/high_volume_ssh.md - /detections_and_findings/alphasoc_detections/http_get_bad.md - /detections_and_findings/alphasoc_detections/http_get_suspicious.md - /detections_and_findings/alphasoc_detections/http_post_bad.md - /detections_and_findings/alphasoc_detections/http_post_suspicious.md - /detections_and_findings/alphasoc_detections/icmp_tunneling.md - /detections_and_findings/alphasoc_detections/imposter.md - /detections_and_findings/alphasoc_detections/imposter_registered_domain.md - /detections_and_findings/alphasoc_detections/imposter_suspicious.md - /detections_and_findings/alphasoc_detections/imposter_suspicious_young.md - /detections_and_findings/alphasoc_detections/imposter_volume.md - /detections_and_findings/alphasoc_detections/imposter_young.md - /detections_and_findings/alphasoc_detections/ip_lookup.md - /detections_and_findings/alphasoc_detections/irc_traffic.md - /detections_and_findings/alphasoc_detections/jira_malicious_caller.md - /detections_and_findings/alphasoc_detections/jira_user_added_to_admin_group.md - /detections_and_findings/alphasoc_detections/k8_admission_controller_created.md - /detections_and_findings/alphasoc_detections/k8s_access_denied.md - /detections_and_findings/alphasoc_detections/k8s_anonymous_access.md - /detections_and_findings/alphasoc_detections/k8s_anonymous_access_anomaly.md - /detections_and_findings/alphasoc_detections/k8s_anonymous_access_granted.md - 
/detections_and_findings/alphasoc_detections/k8s_anonymous_access_granted_anomaly.md - /detections_and_findings/alphasoc_detections/k8s_hostnetwork_pod_created.md - /detections_and_findings/alphasoc_detections/k8s_malicious_caller.md - /detections_and_findings/alphasoc_detections/k8s_malicious_caller_anomaly.md - /detections_and_findings/alphasoc_detections/k8s_malicious_caller_likely.md - /detections_and_findings/alphasoc_detections/k8s_namespace_created.md - /detections_and_findings/alphasoc_detections/k8s_namespace_created_anomaly.md - /detections_and_findings/alphasoc_detections/k8s_namespace_created_suspicious.md - /detections_and_findings/alphasoc_detections/k8s_permission_discovery.md - /detections_and_findings/alphasoc_detections/k8s_permission_discovery_anomaly.md - /detections_and_findings/alphasoc_detections/k8s_permission_discovery_suspicious.md - /detections_and_findings/alphasoc_detections/k8s_pod_exec.md - /detections_and_findings/alphasoc_detections/k8s_privileged_pod_created.md - /detections_and_findings/alphasoc_detections/k8s_resource_created_in_public_namespace.md - /detections_and_findings/alphasoc_detections/k8s_resource_created_in_service_namespace.md - /detections_and_findings/alphasoc_detections/k8s_secret_access.md - /detections_and_findings/alphasoc_detections/k8s_secret_access_anomaly.md - /detections_and_findings/alphasoc_detections/k8s_secret_access_suspicious.md - /detections_and_findings/alphasoc_detections/k8s_service_account_created_in_public_namespace.md - /detections_and_findings/alphasoc_detections/k8s_service_account_created_in_service_namespace.md - /detections_and_findings/alphasoc_detections/k8s_user_attached_to_pod.md - /detections_and_findings/alphasoc_detections/likely_malicious_domain.md - /detections_and_findings/alphasoc_detections/link_in_bio.md - /detections_and_findings/alphasoc_detections/link_in_bio_suspicious.md - /detections_and_findings/alphasoc_detections/linux_sshd_malicious_caller.md - 
/detections_and_findings/alphasoc_detections/mail_implant.md - /detections_and_findings/alphasoc_detections/malicious_js.md - /detections_and_findings/alphasoc_detections/malware_distribution.md - /detections_and_findings/alphasoc_detections/multiple_long_hostnames.md - /detections_and_findings/alphasoc_detections/oast_traffic.md - /detections_and_findings/alphasoc_detections/okta_admin_role_assigned.md - /detections_and_findings/alphasoc_detections/okta_api_token_created.md - /detections_and_findings/alphasoc_detections/okta_api_token_revoked.md - /detections_and_findings/alphasoc_detections/okta_app_token_reuse.md - /detections_and_findings/alphasoc_detections/okta_application_modified.md - /detections_and_findings/alphasoc_detections/okta_application_modified_anomaly.md - /detections_and_findings/alphasoc_detections/okta_application_modified_suspicious.md - /detections_and_findings/alphasoc_detections/okta_application_sign_on_modified.md - /detections_and_findings/alphasoc_detections/okta_application_sign_on_modified_anomaly.md - /detections_and_findings/alphasoc_detections/okta_application_sign_on_modified_suspicious.md - /detections_and_findings/alphasoc_detections/okta_fastpass_phishing.md - /detections_and_findings/alphasoc_detections/okta_identity_provider_created.md - /detections_and_findings/alphasoc_detections/okta_identity_provider_created_anomaly.md - /detections_and_findings/alphasoc_detections/okta_identity_provider_created_suspicious.md - /detections_and_findings/alphasoc_detections/okta_idp_login.md - /detections_and_findings/alphasoc_detections/okta_impersonation.md - /detections_and_findings/alphasoc_detections/okta_mfa_bypass.md - /detections_and_findings/alphasoc_detections/okta_mfa_failed_number_challenge.md - /detections_and_findings/alphasoc_detections/okta_mfa_mismatch.md - /detections_and_findings/alphasoc_detections/okta_mfa_modified.md - /detections_and_findings/alphasoc_detections/okta_mfa_modified_anomaly.md - 
/detections_and_findings/alphasoc_detections/okta_mfa_modified_suspicious.md - /detections_and_findings/alphasoc_detections/okta_mfa_push_bruteforce.md - /detections_and_findings/alphasoc_detections/okta_multiple_login_failed.md - /detections_and_findings/alphasoc_detections/okta_multiple_mfa_push_rejected.md - /detections_and_findings/alphasoc_detections/okta_multiple_users_login_failed_from_ip.md - /detections_and_findings/alphasoc_detections/okta_org2org_app_modified.md - /detections_and_findings/alphasoc_detections/okta_password_extraction_via_scim.md - /detections_and_findings/alphasoc_detections/okta_privilege_granted.md - /detections_and_findings/alphasoc_detections/okta_suspicious_activity_reported.md - /detections_and_findings/alphasoc_detections/okta_suspicious_session_cookie.md - /detections_and_findings/alphasoc_detections/okta_user_created.md - /detections_and_findings/alphasoc_detections/okta_user_created_anomaly.md - /detections_and_findings/alphasoc_detections/okta_user_created_suspicious.md - /detections_and_findings/alphasoc_detections/okta_user_profile_modified.md - /detections_and_findings/alphasoc_detections/okta_user_profile_modified_anomaly.md - /detections_and_findings/alphasoc_detections/okta_user_profile_modified_suspicious.md - /detections_and_findings/alphasoc_detections/okta_user_session_created_anomaly.md - /detections_and_findings/alphasoc_detections/okta_user_session_created_impossible_travel.md - /detections_and_findings/alphasoc_detections/okta_user_session_created_new_country.md - /detections_and_findings/alphasoc_detections/okta_user_session_created_suspicious.md - /detections_and_findings/alphasoc_detections/okta_weak_mfa_fallback.md - /detections_and_findings/alphasoc_detections/opendir.md - /detections_and_findings/alphasoc_detections/opendir_suspicious.md - /detections_and_findings/alphasoc_detections/opendir_suspicious_unusual_port.md - /detections_and_findings/alphasoc_detections/opendir_unusual_port.md - 
/detections_and_findings/alphasoc_detections/outbound_port_scan.md - /detections_and_findings/alphasoc_detections/p2p_activity.md - /detections_and_findings/alphasoc_detections/popup_traffic.md - /detections_and_findings/alphasoc_detections/rare_domain_beacon.md - /detections_and_findings/alphasoc_detections/rare_domain_volume.md - /detections_and_findings/alphasoc_detections/rdp_brute_force.md - /detections_and_findings/alphasoc_detections/remote_access_software.md - /detections_and_findings/alphasoc_detections/reverse_lookup_volume.md - /detections_and_findings/alphasoc_detections/sinkholed_destination.md - /detections_and_findings/alphasoc_detections/slack_admin_action_anomaly.md - /detections_and_findings/alphasoc_detections/slack_admin_app_access_expanded.md - /detections_and_findings/alphasoc_detections/slack_admin_app_added.md - /detections_and_findings/alphasoc_detections/slack_api_call_volume_anomaly.md - /detections_and_findings/alphasoc_detections/slack_app_access_expanded.md - /detections_and_findings/alphasoc_detections/slack_app_added.md - /detections_and_findings/alphasoc_detections/slack_app_removed.md - /detections_and_findings/alphasoc_detections/slack_credential_testing_anomaly.md - /detections_and_findings/alphasoc_detections/slack_device_compromised.md - /detections_and_findings/alphasoc_detections/slack_dlp_rule_modified.md - /detections_and_findings/alphasoc_detections/slack_ekm_logging_config_modified.md - /detections_and_findings/alphasoc_detections/slack_ekm_unenrolled.md - /detections_and_findings/alphasoc_detections/slack_excessive_downloads_anomaly.md - /detections_and_findings/alphasoc_detections/slack_excessive_file_sharing_anomaly.md - /detections_and_findings/alphasoc_detections/slack_idp_config_modified.md - /detections_and_findings/alphasoc_detections/slack_information_barrier_modified.md - /detections_and_findings/alphasoc_detections/slack_ip_anomaly.md - 
/detections_and_findings/alphasoc_detections/slack_legal_hold_policy_modified.md - /detections_and_findings/alphasoc_detections/slack_link_created_to_sensitive_file.md - /detections_and_findings/alphasoc_detections/slack_login_brute_force.md - /detections_and_findings/alphasoc_detections/slack_login_email_anomaly.md - /detections_and_findings/alphasoc_detections/slack_malicious_caller.md - /detections_and_findings/alphasoc_detections/slack_malware_share_anomaly.md - /detections_and_findings/alphasoc_detections/slack_manual_export_downloaded.md - /detections_and_findings/alphasoc_detections/slack_message_deletion_anomaly.md - /detections_and_findings/alphasoc_detections/slack_mfa_disabled.md - /detections_and_findings/alphasoc_detections/slack_microsoft_intune_mdm_disabled.md - /detections_and_findings/alphasoc_detections/slack_multiple_archives_uploaded.md - /detections_and_findings/alphasoc_detections/slack_organization_created.md - /detections_and_findings/alphasoc_detections/slack_organization_deleted.md - /detections_and_findings/alphasoc_detections/slack_private_channel_made_public.md - /detections_and_findings/alphasoc_detections/slack_privilege_escalation.md - /detections_and_findings/alphasoc_detections/slack_scraping_anomaly.md - /detections_and_findings/alphasoc_detections/slack_service_owner_transferred.md - /detections_and_findings/alphasoc_detections/slack_session_anomaly.md - /detections_and_findings/alphasoc_detections/slack_sessions_disruption.md - /detections_and_findings/alphasoc_detections/slack_sso_settings_modified.md - /detections_and_findings/alphasoc_detections/slack_suspicious_file.md - /detections_and_findings/alphasoc_detections/slack_unexpected_client_anomaly.md - /detections_and_findings/alphasoc_detections/slack_user_agent_anomaly.md - /detections_and_findings/alphasoc_detections/slack_user_role_changed.md - /detections_and_findings/alphasoc_detections/smb_outbound.md - 
/detections_and_findings/alphasoc_detections/smb_outbound_volume.md - /detections_and_findings/alphasoc_detections/spearphishing_traffic.md - /detections_and_findings/alphasoc_detections/ssh_brute_force.md - /detections_and_findings/alphasoc_detections/ssh_mask.md - /detections_and_findings/alphasoc_detections/ssh_uncommon.md - /detections_and_findings/alphasoc_detections/survey.md - /detections_and_findings/alphasoc_detections/survey_suspicious.md - /detections_and_findings/alphasoc_detections/suspicious_cluster_volume.md - /detections_and_findings/alphasoc_detections/suspicious_domain.md - /detections_and_findings/alphasoc_detections/suspicious_domain_beacon.md - /detections_and_findings/alphasoc_detections/suspicious_domain_brand.md - /detections_and_findings/alphasoc_detections/suspicious_domain_brand_young.md - /detections_and_findings/alphasoc_detections/suspicious_domain_volume.md - /detections_and_findings/alphasoc_detections/suspicious_dynamic_dns.md - /detections_and_findings/alphasoc_detections/suspicious_hosting_provider.md - /detections_and_findings/alphasoc_detections/suspicious_ip.md - /detections_and_findings/alphasoc_detections/suspicious_ip_trickbot.md - /detections_and_findings/alphasoc_detections/suspicious_ip_volume.md - /detections_and_findings/alphasoc_detections/suspicious_tunnel.md - /detections_and_findings/alphasoc_detections/tds_traffic.md - /detections_and_findings/alphasoc_detections/telegram_bot.md - /detections_and_findings/alphasoc_detections/tor_dns.md - /detections_and_findings/alphasoc_detections/unique_young_domain_volume.md - /detections_and_findings/alphasoc_detections/unknown_dynamic_dns.md - /detections_and_findings/alphasoc_detections/unknown_tunnel.md - /detections_and_findings/alphasoc_detections/unreachable_domain_volume.md - /detections_and_findings/alphasoc_detections/unusual_dns_resolver.md - /detections_and_findings/alphasoc_detections/unusual_high_traffic_volume.md - 
/detections_and_findings/alphasoc_detections/unusual_network_port.md
- /detections_and_findings/alphasoc_detections/unusual_network_port_suspicious.md
- /detections_and_findings/alphasoc_detections/unwanted_program.md
- /detections_and_findings/alphasoc_detections/vpn_activity.md
- /detections_and_findings/alphasoc_detections/webhook_traffic.md
- /detections_and_findings/alphasoc_detections/winrm_brute_force.md
- /detections_and_findings/alphasoc_detections/young_domain.md
- /detections_and_findings/sigma/alphasoc_extensions/custom_prefixes/ocsf.md
- /detections_and_findings/sigma/alphasoc_extensions/custom_prefixes/wisdom.md
- /detections_and_findings/sigma/alphasoc_extensions/overview.md
- /detections_and_findings/sigma/introduction.md
- /detections_and_findings/sigma/supported_features/arrays.md
- /detections_and_findings/sigma/supported_features/correlations.md
- /detections_and_findings/sigma/supported_features/supported_attributes.md
- /detections_and_findings/wisdom_flags.md

### escalating_findings

- /escalating_findings/ocsf.md
- /escalating_findings/overview.md
- /escalating_findings/transports/aws_eventbridge.md
- /escalating_findings/transports/aws_s3.md
- /escalating_findings/transports/bigquery.md
- /escalating_findings/transports/cribl.md
- /escalating_findings/transports/kafka.md
- /escalating_findings/transports/secops.md
- /escalating_findings/transports/snowflake.md
- /escalating_findings/v1eventalert.md

### getting_started

- /getting_started/account_setup.md
- /getting_started/cloud_vs_onprem.md
- /getting_started/detections_and_findings.md
- /getting_started/pipeline_configuration.md

### integration_guides

- /integration_guides/aws.md
- /integration_guides/azure.md
- /integration_guides/cribl.md
- /integration_guides/crowdstrike.md
- /integration_guides/gcp.md
- /integration_guides/snowflake.md

### processing_data

- /processing_data/data_normalization.md
- /processing_data/ocsf/ocsf_aws_cloudtrail.md
- /processing_data/ocsf/ocsf_network.md
- /processing_data/ocsf/ocsf_okta.md
- /processing_data/ocsf/ocsf_system.md
- /processing_data/ocsf/overview.md
- /processing_data/product_field_mappings.md

### web_console

- /web_console/administration.md
- /web_console/configuring_sso/entra.md
- /web_console/configuring_sso/okta.md
- /web_console/demo_workspace.md
- /web_console/destinations.md
- /web_console/detection_findings.md
- /web_console/introduction.md
- /web_console/monitoring_scope.md
- /web_console/rule_management.md
- /web_console/signup.md
- /web_console/sources.md
- /web_console/user_settings.md

## UI-Only Pages (Not Documentation Content)

The following paths are interactive UI features for human browser use and do not contain documentation content. AI agents should not request .md versions of these paths:

- /search/ - Interactive search interface
- /tags/ - Tag-based navigation index
- /tags/* - Individual tag pages (e.g., /tags/alpha-soc/, /tags/cisa/)

## Usage Notes

- All documentation is available in markdown format at the paths listed above
- Replace trailing `/` with `.md` to get the markdown version (e.g., `/architecture/` -> `/architecture.md`)
- The main sitemap at /sitemap.xml contains HTML page URLs
- For questions or support: support@alphasoc.com