Default Correlation Alerts
Navigate to "Settings > Alerts > Realtime". On the Realtime page you will find all alerts defined in CYBERQUEST. This is a list of all default alerts defined in CYBERQUEST:
1. A computer account was removed from domain
Description - A new event is generated containing details of a computer account that was deleted from the domain. In Active Directory, when a computer is deleted, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
2. A computer account was added to domain
Description - A new event is generated containing details of a computer account that was created in the domain. In Active Directory, when a computer object is created, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
3. UBA - User set to Non-Expiring Password
Description - A new event is generated containing details of a user account that has been set to a Non-Expiring Password. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
4. UBA - Restricted Domain Account Failed Logon
Description - A new event is generated when a logon request fails on the computer where access was attempted. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
5. UBA - Failed Domain Logon on Restricted Host
Description - A new event is generated when a logon request fails. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
6. UBA - Domain User Logon After Multiple Failed Attempts
Description - A new event is generated containing details of a Domain User Logon After Multiple Failed Attempts. In CYBERQUEST, this alert with 3 Rules will trigger on the first event that matches the conditions: a failed logon, the Multiple Login Fails Count, and 1 success.
To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
7. UBA - Domain User Failed Logon Due to Invalid Password
Description - A new event is generated containing details of a Domain User Failed Logon Due to Invalid Password. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon with misspelled or bad password".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
8. UBA - User Logon from Multiple IP Addresses
Description - A new event is generated when a logon session from multiple IP addresses is created. It is generated on the computer that was accessed, where the session was created.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
9. UBA - User Logon from Multiple Hosts
Description - A new event is generated containing details of User Logon from Multiple Hosts. It detects when a single user logs in from more than the allowed number of devices.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
10. UBA - Username ending with Dollar Sign
Description - A new event is generated containing details of a Username ending with Dollar Sign. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
11. UBA - Remote Login to Server
Description - A new event is generated containing details of UBA - Remote Login to Server. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
12. UBA - New User Observed
Description - A new event is generated containing details of New User Observed. It detects when an account is successfully used for the first time.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
13. UBA - Login Attempt from User with Expired Password
Description - A new event is generated containing details of a Login Attempt from User with Expired Password. This alert detects when a user attempted to log in to a disabled or an expired account. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon with expired password".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
14. UBA - Login Attempt from Locked or Disabled Account
Description - A new event is generated containing details of a Login Attempt from Locked or Disabled Account. This alert detects when a user is trying to access the organization's resources by using a disabled or locked account. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
15. Domain Policy - User Removed from Local Security Group
Description - A new event is generated every time a member is removed from a security-enabled local group.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
16. Domain Policy - User Removed from Domain Security Group
Description - A new event is generated every time a member is removed from a security-enabled domain group.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
17. Domain Policy - User Added to Local Security Group
Description - A new event is generated every time a member is added to a security-enabled local group.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
18. Domain Policy - User Added to Domain Security Group
Description - A new event is generated every time a member is added to a security-enabled domain group.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
19. Domain Policy - Group Policy Object Modified
Description - A new event is generated containing details of a Group Policy Object Modified. This event is generated every time an Active Directory object is modified.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
20. Domain Policy - Group Policy Object Created
Description - A new event is generated containing details of a Group Policy Object Created. This event is generated every time an Active Directory object is created.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
21. Domain Policy - Group Policy Object Deleted
Description - A new event is generated containing details of a Group Policy Object Deleted. This event is generated every time an Active Directory object is deleted.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
22. Domain Policy - Domain Policy Changed
Description - A new event is generated containing details of Domain Policy Changed. This event is generated every time an Active Directory object is changed.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
23. Windows - Multiple Failed Packaged App Applocker Events - Multiple Hosts
Description - A new event is generated containing details of Multiple Failed Packaged App Applocker Events - Multiple Hosts. The alert is generated if the message contains the information "Packaged app disabled" or "Packaged app installation audited".
AppLocker can help you improve the management of application control and the maintenance of application control policies.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Microsoft-Windows-AppLocker/Packaged app-Deployment.
24. Windows - Multiple Failed Packaged App Applocker Events - Single Host
Description - A new event is generated containing details of Multiple Failed Packaged App Applocker Events - Single Host. The alert is generated if the message contains the information "Packaged app disabled" or "Packaged app installation audited".
AppLocker can help you improve the management of application control and the maintenance of application control policies.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Microsoft-Windows-AppLocker/Packaged app-Deployment / Microsoft-Windows-AppLocker/Packaged app-Execution.
25. Windows - Multiple Failed MSI or Script Applocker Events - Multiple Hosts
Description - A new event is generated if more than one event of the .msi or script type is generated in a time interval on multiple hosts. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Microsoft-Windows-AppLocker/MSI and Script.
26. Windows - Multiple Failed MSI or Script Applocker Events - Single Host
Description - A new event is generated if more than one event of the .msi or script type is generated in a time interval on a single host. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - Microsoft-Windows-AppLocker/MSI and Script.
27. Windows - Multiple Failed EXE or DLL Applocker Events - Multiple Hosts
Description - A new event is generated if more than one event of the .exe or .dll type is generated in a time interval on multiple hosts. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - Microsoft-Windows-AppLocker/EXE and DLL.
28. Windows - Multiple Failed EXE or DLL Applocker Events - Single Host
Description - A new event is generated if more than one event of the .exe or .dll type is generated in a time interval on a single host. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - Microsoft-Windows-AppLocker/EXE and DLL.
29. Windows - BSoD System Crashes on Multiple Hosts
Description - A new event is generated containing details of BSoD System Crashes on Multiple Hosts. This alert detects when a system has rebooted without cleanly shutting down first, within a time frame, on multiple hosts.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - Windows System Log.
30. Windows - BSoD System Crashes on a Single Host
Description - A new event is generated containing details of BSoD System Crashes on a Single Host. This alert detects when a system has rebooted without cleanly shutting down first, within a time frame, on a single host.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows System Log.
31. Windows - Application Crashes or Hangs on Multiple Hosts
Description - A new event is generated containing details of Application Crashes or Hangs on Multiple Hosts. This alert detects a general application error or an application hang, within a time frame, on multiple hosts.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Application Log.
32. Windows - Application Crashes or Hangs on a Single Host
Description - A new event is generated containing details of Application Crashes or Hangs on a Single Host. This alert detects a general application error or an application hang, within a time frame, on a single host.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Application Log.
33. Windows - System or Service Failures on a Single Host
Description - A new event is generated containing details of System or Service Failures on a Single Host. The Service Control Manager (SCM) stops services and driver services. It also reports when services close unexpectedly or fail to restart after it takes corrective action.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows System Log.
34. Administrator Account logon on 2000-2003-XP
Description - A new event is generated containing details of an Administrator Account logon on 2000-2003-XP. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
35. Administrator Account Logon on Vista-2008 or Later
Description - A new event is generated containing details of an Administrator Account Logon on Vista-2008 or Later. This event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
36. Domain User Failed Logon Due to Invalid Password
Description - A new event is generated when a user fails to log on. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon with misspelled or bad password".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
37. Software Uninstalled
Description - A new event is generated when an application has been uninstalled; it tells us the name of the application and the user account that uninstalled it.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Application Log.
38. New Software Installation
Description - A new event is generated containing details of a New Software Installation. This event is logged when Windows Installer has installed a product.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options:
Prerequisites - Windows Application Log.
39. FTP Scan Distinct DestIP
Description - A new event is generated containing details of a File Transfer Protocol Scan with Distinct DestIP. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
40. High data received flow single event
Description - A new event is generated containing details of a High data received flow single event. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
41. High data transferred flow single event
Description - A new event is generated containing details of a High data transferred flow single event. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
42. User Logon Failed on not allowed computer
Description - A new event is generated containing details of a User Logon Failed on a not allowed computer. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
43. User Failed Logon outside his time of day restrictions
Description - A new event is generated containing details of a User Failed Logon outside the user's time of day restrictions. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon outside authorized hours".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
44. Locked Out Domain Account Failed Logon
Description - A new event is generated containing details of a Locked Out Domain Account Failed Logon. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon with locked account".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
45. Disable Domain Account Failed Logon
Description - A new event is generated containing details of a Disabled Domain Account Failed Logon. The alert is generated when the event is registered with a status and sub-status code providing the information: "User logon to account disabled by admin".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
46. Domain Account Created
Description - A new event is generated containing details of a Domain Account Created. When a user account is created in Active Directory, the EventID is logged. This event is generated every time a new user object is created.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
47. Failed Logon Due to Invalid Domain Username
Description - A new event is generated containing details of a Failed Logon Due to Invalid Domain Username. For this alert, the hexadecimal status and sub-status code are generated when the event is registered and provide this information: "User logon with misspelled or bad user account".
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
48. Network admin login
Description - A new event is generated containing details of a Network admin login. The alert is generated if the username is in the administrator list.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
49. File Deleted
Description - A new event is generated containing details of a File Deleted. The alert detects when a file was deleted.
In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
50. SSH Scan Distinct DestIP
Description - A new event is generated if the flow contains a Source IP, a Destination IP and a networking default port (e.g. the SSH Scan default port is 22).
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
51. Print Doc Confidential
Description - A new event is generated containing details of Print Doc Confidential. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - Microsoft-Windows-PrintService/Operational.
52. External IP FTP Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP (from external private networks), a Destination IP and a networking default port (e.g. the FTP Scan default port is 21).
File Transfer Protocol (FTP) is a method of transferring files from one computer to another over the Internet.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
53. VNC Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP, a Destination IP and a networking default port (e.g. the VNC Scan default port is 4900).
Virtual Network Computing is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
54. PostgreSQL Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP, a Destination IP and a networking default port (e.g. the PostgreSQL Scan default port is 5432).
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
55. Telnet Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP, a Destination IP and a networking default port (e.g. the Telnet Scan default port is 23).
Telnet is a network protocol used to virtually access a computer and provide a text-based communication channel between two machines.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
56. Windows RPC Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP, a Destination IP and a networking default port (e.g. the Windows RPC Scan default port is 135).
Remote Procedure Call is a software communication protocol that one program can use to request a service from a program located on another computer on a network without having to understand the network's details.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
57. RDP Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP, a Destination IP and a networking default port (e.g. the RDP Scan default port is 3389).
Remote Desktop Protocol is a secure network communications protocol developed by Microsoft. It enables network administrators to remotely diagnose problems that individual users encounter and gives users remote access to their physical work desktop computers.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
58. MySQL Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP, a Destination IP and a networking default port (e.g. the MySQL Scan default port is 3306).
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
59. MSSQL Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP, a Destination IP and a networking default port (e.g. the MSSQL Scan default port is 1433).
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
60. SSH Scan
Description - A new event is generated if the flow contains a Source IP, a Destination IP and a networking default port (e.g. the SSH Scan default port is 22).
SSH Scan is a prototype SSH configuration and policy scanner for Linux and UNIX servers.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
61. Event Log Cleared
Description - A new event is generated containing details of a Windows Event log cleared.
In CYBERQUEST, this alert will trigger on the first event that matches the conditions from the Windows Event log cleared report. This report shows if and when the Windows Security Event Log was cleared.
To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
62. Internal IP FTP Scan
Description - A new event is generated if the flow contains a networking protocol, a Source IP (from internal private networks), a Destination IP and a networking default port (e.g. the FTP Scan default port is 21).
File Transfer Protocol (FTP) is a method of transferring files from one computer to another over the Internet.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
63. ICMP Scan
Description - A new event is generated containing details of an ICMP Scan. Internet Control Message Protocol requests are used to map network topology. Receipt of an ICMP request is classified as a normal, possibly suspicious, or highly suspicious event.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
64. VPN Geographic Impossible Traveling
Description - A new event is generated containing details of VPN Geographic Impossible Traveling.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - FortiGate
65. Malware Detection
Description - A new event is generated containing details of a Malware Detection. Malware detection refers to the process of detecting the presence of malware on a host system or of distinguishing whether a specific program is malicious.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - FortiGate
66. Network Intrusion Detection
Description - A new event is generated containing details of UTM > IPS > Alert. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - FortiGate
67. FortiGate UTM-WAF High Severity Level
Description - A new event is generated containing details of Traffic High Reputation Level. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - FortiGate
68. Domain OR Enterprise Admins Modification
Description - A new event is generated containing details of a Group Modification. In CYBERQUEST, this alert with 1 Rule will trigger on the first event that matches the condition. To receive the alert information via email, click the following options: and set.
Prerequisites - Windows Security Log.
69. Network DoS
Description - A new event is generated containing details of a Network DoS. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions. To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
70. Network DDoS on Other Protocol
Description - A new event is generated containing details of a Network DDoS on Other Protocol. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
71. Network DDoS on ICMP Protocol
Description - A new event is generated containing details of a Network DDoS on ICMP Protocol. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
72. Network DDoS on TCP Protocol
Description - A new event is generated containing details of a Network DDoS on TCP Protocol. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
73. Network DDoS on UDP Protocol
Description - A new event is generated containing details of a Network DDoS on UDP Protocol. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set.
Prerequisites - NetFlow
74. High dataTransfer flow
Description - A new event is generated containing details of a High dataTransfer flow. In CYBERQUEST, this alert with 2 Rules will trigger on the first event that matches the conditions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
75. 3 failed SU password for root
Description - A new event is generated containing details of 3 failed SU password for root. In CYBERQUEST, this alert with 2 Rules will trigger on first event that will match the Conditions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - syslog
76. Unable to log events to Windows Security
Description - A new event is generated containing details of Unable to log events to Windows Security. The event is logged if Windows was unable to write events to the Security event log.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
77. A security-enabled universal group was changed
Description - A new event is generated containing details of A security-enabled universal group was changed. When a universal security group is changed in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
78. A security-enabled universal group was created
Description - A new event is generated containing details of A security-enabled universal group was created. When a universal security group is created in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
79. A security-enabled global group was changed
Description - A new event is generated containing details of A security-enabled global group was changed. When a global security group is changed in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
80. A security-enabled local group was changed
Description - A new event is generated containing details of A security-enabled local group was changed. The event generates every time a security-enabled local group is changed.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
81. A security-enabled local group was deleted
Description - A new event is generated containing details of A security-enabled local group was deleted. The event generates every time a security-enabled local group is deleted.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
82. A member was removed to a AD Local Group
Description - A new event is generated containing details of a member removed from an AD local group. The event generates every time a member is removed from a security-enabled local group.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
83. A member was added to a AD Local Group
Description - A new event is generated containing details of a member added to an AD local group. The event generates every time a member is added to a security-enabled local group.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
84. A security-enabled global group was created
Description - A new event is generated containing details of A security-enabled global group was created. When a security-enable global group is created in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
85. User Added/Removed from AD Global Group
Description - A new event is generated containing details of User Added/Removed from AD Global Group. When an Active Directory object such as a user, group or computer is added to or removed from a security-enabled global group, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
86. A security-enabled local group was created
Description - A new event is generated containing details of A security-enabled local group was created. The event generates every time a security-enabled local group is created.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
87. A security-enabled global group was deleted
Description - A new event is generated containing details of A security-enabled global group was deleted. In Active Directory, when a Security Global Group is deleted, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
88. User Added/Removed from AD Global Admins Group
Description - A new event is generated containing details of User Added or Removed from Security-Enabled Global Admins Group. When an Active Directory object such as a user, group or computer is added to or removed from a security-enabled global admins group, the EventID gets logged.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
89. Windows Authentication Brute Force same UserName And Computer
Description - A new event is generated containing details of Windows Authentication Brute Force same UserName And Computer. In CYBERQUEST, this alert with 2 Rules will trigger on first event that will match the Conditions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
90. ROOT authentication failure
Description - A new event is generated containing details of Invalid user. In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - syslog
91. VPN Login and RDP with another UserName
Description - A new event is generated containing details of VPN Login and RDP with another UserName. In CYBERQUEST, this alert with 2 Rules will trigger on first event that will match the Conditions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - syslog
92. Authorization policy change
Description - A new event is generated containing details of Authorization policy change. The alert covers the Windows Policy Change audit subcategories (Audit Authorization Policy Change and Audit Authentication Policy Change), which generate audit events when object permissions, trusts, Kerberos policy or domain policy are changed. Events list for this alert:
- Permissions on an object were changed
- A new trust was created to a domain
- A trust to a domain was removed
- Trusted domain information was modified
- Kerberos policy was changed
- System security access was granted to an account
- System security access was removed from an account
- Domain Policy was changed
- A namespace collision was detected
- A trusted forest information entry was added
- A trusted forest information entry was removed
- A trusted forest information entry was modified
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
93. Active Directory Domain Policy modified
Description - A new event is generated containing details of Active Directory Domain Policy modified. The event generates when one of the following changes was made to local computer security policy:
- Computer’s “\Security Settings\Account Policies\Account Lockout Policy” settings were modified.
- Computer's “\Security Settings\Account Policies\Password Policy” settings were modified.
- "Network security: Force logoff when logon hours expire" group policy setting was changed.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
94. Drop table or database alert
Description - A new event is generated containing details of Drop table or database alert. In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Application Log.
95. Blacklist IP Alert
Description - A new event is generated containing details of Blacklist IP Alert. Detects all events that contain a SourceIP and DestIP from the BlackList.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Network Communications
96. Linux authentication failure
Description - A new event is generated containing details of Linux authentication failure. In CYBERQUEST, this alert with 2 Rules will trigger on first event that will match the Conditions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - syslog
97. Audit policy change
Description - A new event is generated containing details of Audit policy change. This event generates when the computer's audit policy changes.
In CYBERQUEST, this alert with 1 Rule will trigger on first event that will match the Condition. To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
98. Succesful Login After Multiple Fails
Description - A new event is generated containing details of Successful Login After Multiple Fails. In CYBERQUEST, this alert with 3 Rules will trigger on first event that will match the Conditions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log.
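Alert 98 is a stateful correlation: a burst of failed logons for an account, followed by a successful logon for the same account, inside one time window. The block below is an added example of that logic run over constructed Windows Security Log records; it is not CYBERQUEST's rule engine. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows IDs; the field names, the threshold of 3 failures and the 5 minute window are assumptions. The same windowed counter also serves alert 89 (brute force by the same user name and computer), since it keys on user plus source address.

```python
"""Successful logon after multiple failures (Windows Security Log correlation).

Added example, not CYBERQUEST code. The event records are constructed and the
threshold/window values are assumptions chosen for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed Windows Security Log events (hypothetical, not real log data).
# 4625 = "An account failed to log on", 4624 = "An account was successfully logged on".
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "EventID": 4625, "TargetUserName": "jdoe",   "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T09:00:07", "EventID": 4625, "TargetUserName": "jdoe",   "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T09:00:15", "EventID": 4625, "TargetUserName": "JDOE",   "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T09:00:30", "EventID": 4624, "TargetUserName": "jdoe",   "IpAddress": "10.0.0.5"},  # 3 fails then success -> alert
    {"time": "2024-05-01T09:02:00", "EventID": 4625, "TargetUserName": "asmith", "IpAddress": "10.0.0.8"},
    {"time": "2024-05-01T09:02:10", "EventID": 4624, "TargetUserName": "asmith", "IpAddress": "10.0.0.8"},  # one mistyped password -> no alert
    {"time": "2024-05-01T09:10:00", "EventID": 4625, "TargetUserName": "jdoe",   "IpAddress": "10.0.0.9"},
    {"time": "2024-05-01T09:14:00", "EventID": 4625, "TargetUserName": "jdoe",   "IpAddress": "10.0.0.9"},
    {"time": "2024-05-01T09:20:00", "EventID": 4625, "TargetUserName": "jdoe",   "IpAddress": "10.0.0.9"},
    {"time": "2024-05-01T09:21:00", "EventID": 4624, "TargetUserName": "jdoe",   "IpAddress": "10.0.0.9"},  # failures spread over 11 min -> no alert
]


def successful_login_after_fails(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert for each 4624 that follows at least `threshold` 4625 events
    for the same (user, source IP) within `window`.

    User names are case-folded because Windows treats sAMAccountName
    case-insensitively, so "JDOE" and "jdoe" must count against one bucket.
    """
    failures = {}   # (user, ip) -> deque of failure timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        recent = failures.setdefault(key, deque())
        # Slide the window: forget failures older than `window` relative to this event
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ev["EventID"] == 4625:
            recent.append(ts)
        elif ev["EventID"] == 4624:
            if len(recent) >= threshold:
                alerts.append({
                    "user": key[0], "ip": key[1], "failures": len(recent),
                    "first_failure": recent[0].isoformat(), "success": ts.isoformat(),
                })
            recent.clear()  # a success resets the streak either way
    return alerts


if __name__ == "__main__":
    for alert in successful_login_after_fails(SAMPLE_EVENTS):
        print(alert)
```

The third group of records shows why the window is evaluated relative to the success event rather than the first failure: three failures that are too far apart are not a brute-force run, and the deque drops them before the count is checked.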
99. DDOS
Description - A new event is generated containing details of DDOS. DDoS Attack means "Distributed Denial-of-Service (DDoS) Attack" and it is a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.
In CYBERQUEST, this alert with 2 Rules will trigger on first event that will match the Conditions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
100. Suspicious RDP Connection Success
Description - this alert indicates a successful Remote Desktop Protocol (RDP) connection with suspicious attributes. RDP is commonly used to remotely access systems or servers, and when connections occur unexpectedly or under unusual circumstances, they may represent a security threat. RDP connections are often targeted by brute-force attacks, exploitation of vulnerabilities, or unauthorized access to sensitive systems.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log
100. Suspicious RDP Connection Failed
Description - identifies Remote Desktop Protocol (RDP) connection attempts originating from potentially unsafe, unrecognized, or high-risk geographic locations. The purpose is to detect unauthorized access attempts, often indicative of brute-force attacks, credential theft, or reconnaissance by threat actors.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log
101. Recon - Horizontal Telnet Scan: Events or Flows
Description - triggered when a single IP tries to connect via Telnet to multiple internal devices. Trigger if over 5 Telnet attempts from a single IP are detected to different IPs. Telnet uses TCP port 23.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
102. Recon - Horizontal SSH Scan: Events or Flows
Description - triggered when multiple SSH connection attempts are made from a single IP to various destinations, indicating an SSH brute-force or discovery attempt. If over 5 SSH attempts to different hosts are observed within 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
103. Recon - Horizontal SNMP Scan: Events or Flows
Description - triggered when an IP makes multiple SNMP requests across various internal devices, possibly searching for misconfigured SNMP services. Trigger if more than 5 SNMP queries are sent to different IPs. SNMP uses UDP ports 161 and 162.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
104. Recon - Horizontal SMTP Scan: Events or Flows
Description - an IP makes multiple SMTP connection attempts across different internal IPs, indicating potential spam relay discovery or vulnerability probing. If more than 5 SMTP connection attempts to different hosts occur within a short timeframe.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
105. Recon - Horizontal SMB Scan: Events or Flows
Description - triggered when multiple SMB connection attempts are detected from a single IP across different destination IPs, potentially indicating a scan for vulnerable SMB services. Trigger if over 10 SMB connection attempts are made from a single source IP to different destination IPs within 3 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
106. Recon - Horizontal RPC Scan: Events or Flows
Description - this alert detects when multiple hosts are targeted via Remote Procedure Call (RPC) services, usually to identify systems with exposed RPC ports. Trigger if multiple connections are made from one IP to ports 135 and 593 (RPC) across multiple hosts.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
107. Recon - Horizontal RDP Scan: Events or Flows
Description - alerts when an attacker scans multiple hosts for open RDP (Remote Desktop Protocol) ports, typically port 3389. Trigger on 5+ RDP connection attempts within 5 minutes from a single source IP to multiple destination IPs.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
108. Recon - Horizontal NetBIOS Scan: Port 139: Events and Flows
Description - detects potential lateral movement or scanning of SMB services on port 139 (NetBIOS Session Service). Trigger if the same IP sends packets to port 139 on different internal hosts within a short period.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
109. Recon - Horizontal NETBIOS Scan: Port 137 and 138
Description - this alert detects multiple NETBIOS queries on ports 137 and 138, commonly used for network discovery and potential SMB-related attacks. Trigger if multiple connections are made to NETBIOS ports (137/138) from a single IP across different hosts.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
110. Recon - Horizontal HTTPS Scan: Events or Flows
Description - this alert is generated when HTTPS traffic is being scanned across multiple internal hosts.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
111. Recon - Horizontal HTTP Scan: Events or Flows
Description - triggered when multiple HTTP requests are detected from a single host across different IP addresses, indicative of a scan for open HTTP ports.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
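Alerts 101 to 111 share one detection shape: a single source address reaching more than N distinct destination addresses on a service port within a time window. The block below is an added example of that horizontal-scan logic over constructed NetFlow-style records; it is not CYBERQUEST's rule implementation. Thresholds and windows the page states (Telnet, SSH, SNMP, SMTP, SMB, RDP) are encoded as given; where the page says only "multiple" or "a short period" (RPC, NetBIOS, HTTP, HTTPS) the values are marked as assumed. The flow record fields are also an assumption.

```python
"""Horizontal scan detector over NetFlow-style records.

Added example, not CYBERQUEST code. The record format and the thresholds
marked ASSUMED are illustrative; the others follow the alert descriptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIVE_MIN = timedelta(minutes=5)

# "min_targets" is the number of distinct destination IPs at which the rule fires.
# "over 5" / "more than 5" means 6, "5+" means 5, "over 10" means 11.
SCAN_RULES = {
    "Telnet":          {"proto": "tcp", "ports": {23},       "min_targets": 6,  "window": FIVE_MIN},  # window ASSUMED
    "SSH":             {"proto": "tcp", "ports": {22},       "min_targets": 6,  "window": FIVE_MIN},
    "SNMP":            {"proto": "udp", "ports": {161, 162}, "min_targets": 6,  "window": FIVE_MIN},  # window ASSUMED
    "SMTP":            {"proto": "tcp", "ports": {25},       "min_targets": 6,  "window": FIVE_MIN},  # "short timeframe" ASSUMED as 5 min
    "SMB":             {"proto": "tcp", "ports": {445},      "min_targets": 11, "window": timedelta(minutes=3)},
    "RPC":             {"proto": "tcp", "ports": {135, 593}, "min_targets": 6,  "window": FIVE_MIN},  # both ASSUMED
    "RDP":             {"proto": "tcp", "ports": {3389},     "min_targets": 5,  "window": FIVE_MIN},
    "NetBIOS-139":     {"proto": "tcp", "ports": {139},      "min_targets": 6,  "window": FIVE_MIN},  # both ASSUMED
    "NetBIOS-137/138": {"proto": "udp", "ports": {137, 138}, "min_targets": 6,  "window": FIVE_MIN},  # both ASSUMED
    "HTTP":            {"proto": "tcp", "ports": {80},       "min_targets": 6,  "window": FIVE_MIN},  # both ASSUMED
    "HTTPS":           {"proto": "tcp", "ports": {443},      "min_targets": 6,  "window": FIVE_MIN},  # both ASSUMED
}


def _rule_for(flow):
    """Map a flow to the first rule whose protocol and destination port match."""
    for name, rule in SCAN_RULES.items():
        if flow["proto"] == rule["proto"] and flow["dport"] in rule["ports"]:
            return name, rule
    return None, None


def detect_horizontal_scans(flows):
    """Return one alert per (rule, source IP) whose count of distinct destination
    IPs inside the rule's sliding window reaches min_targets.

    Repeated flows to the same destination do not raise the count: that is a
    vertical or volume pattern, which the horizontal rules deliberately ignore.
    """
    history = defaultdict(list)   # (rule, src) -> [(ts, dst), ...] within the window
    fired = set()                 # alert once per (rule, src)
    alerts = []
    for flow in sorted(flows, key=lambda f: f["ts"]):
        name, rule = _rule_for(flow)
        if name is None:
            continue
        key = (name, flow["src"])
        cutoff = flow["ts"] - rule["window"]
        recent = [(t, d) for (t, d) in history[key] if t >= cutoff]
        recent.append((flow["ts"], flow["dst"]))
        history[key] = recent
        targets = {d for _, d in recent}
        if len(targets) >= rule["min_targets"] and key not in fired:
            fired.add(key)
            alerts.append({"rule": name, "src": flow["src"], "targets": len(targets),
                           "first": recent[0][0], "last": flow["ts"]})
    return alerts


# Constructed flow records (not real NetFlow data)
T0 = datetime(2024, 5, 1, 10, 0, 0)


def _flow(sec, src, dst, dport, proto="tcp"):
    return {"ts": T0 + timedelta(seconds=sec), "src": src, "dst": dst, "dport": dport, "proto": proto}


SAMPLE_FLOWS = (
    [_flow(i * 15, "10.0.0.23", f"10.0.1.{i + 1}", 22) for i in range(7)]        # 7 SSH hosts in 90 s -> fires
    + [_flow(i * 50, "10.0.0.40", f"10.0.2.{i + 1}", 3389) for i in range(5)]    # 5 RDP hosts in 200 s -> fires ("5+")
    + [_flow(i * 10, "10.0.0.50", f"10.0.3.{i + 1}", 445) for i in range(6)]     # 6 SMB hosts, rule needs 11 -> silent
    + [_flow(i * 5, "10.0.0.60", "10.0.4.1", 22) for i in range(20)]             # 20 hits on one SSH host -> silent
    + [_flow(i * 300, "10.0.0.70", f"10.0.5.{i + 1}", 23) for i in range(8)]     # 8 Telnet hosts over 35 min -> outside window
)

if __name__ == "__main__":
    for alert in detect_horizontal_scans(SAMPLE_FLOWS):
        print(alert)
```

The last two sample groups are the false-positive cases a practitioner checks first: many connections to one host should not trip a horizontal rule, and a slow scan that stays under the per-window count needs a longer window or a separate low-and-slow rule rather than a lower threshold.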
112. CiscoASA - No matching connection for ICMP error message
Description - triggers when an ICMP (Internet Control Message Protocol) error message is detected without a corresponding initial connection. Normally, ICMP error messages, like "Destination Unreachable" or "Time Exceeded," are responses to previously sent network packets. When these error messages appear without an initiating connection, it can indicate several potential issues, such as packet spoofing, malicious scanning, or routing misconfigurations.
To receive the alert information via email, click the following options: and set
.
Prerequisites - CiscoASA
113. Checkpoint DROP From Blocked IP By Country
Description - identifies when a Check Point firewall drops traffic originating from IP addresses in countries that are blocked based on organizational policy or threat intelligence feeds. The alert is designed to monitor and flag incoming traffic from high-risk or geopolitically restricted regions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Checkpoint
114. New USB Detected
Description - this alert indicates that a USB device has been connected to a monitored system. USB devices can be used for various purposes, but they also represent a security risk, as they can be used to transfer unauthorized files, introduce malware, or steal sensitive data.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log
115. Web Filter - Excessive Web Connections
Description - set a rule to count the number of web connections (HTTP/HTTPS) initiated by a user or an IP address within a specific time frame (e.g., 5 minutes). The specific threshold may vary depending on the network, but generally, it defines a maximum number of allowed connections within a given period (e.g., 100 connections in a 5-minute window).
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
116. Web Filter - Multiple Blocked Web Policy Connections
Description - Monitor the traffic on ports 80 (HTTP) and 443 (HTTPS) to track attempts to access blocked websites. Trigger when the same SrcIP makes 5-10 attempts to access blocked sites within a 2-minute interval.
This alert indicates that a user, device, or application has attempted to access a significant number of websites or resources that are blocked according to the organization's web filtering policy. This behavior may signal unintentional activities, unauthorized access, or potentially malicious intent.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
117. Recon - Multiple UDP Recon Events from a Remote Host
Description - Monitors for UDP-based reconnaissance. Indicators: Probing of open UDP ports (e.g., DNS, SNMP, NTP). Excessive traffic from a single source. Threshold: >30 UDP packets in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
118. Recon - Multiple UDP Recon Events from a Local Host
Description - Monitors for UDP-based reconnaissance. Indicators: Probing of open UDP ports (e.g., DNS, SNMP, NTP). Excessive traffic from a single source. Threshold: >40 UDP packets targeting multiple ports in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
119. Recon - Multiple TCP Recon Events from a Remote Host
Description - Identifies TCP-based port scans or probing. Indicators: SYN packets without completed handshakes. Sequential connection attempts to multiple ports. Threshold:>30 connection attempts in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
120. DNS - Communication with Malicious Host - Event or Flow
Description - A device within the internal network, such as a computer, server, or any networked device, initiating communication with a known malicious host via DNS queries.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
121. GTI Communication with Malicious Host_Event_FortiGate
Description - Communication detected between a local device and a host identified as malicious by Global Threat Intelligence (GTI) sources, based on logs from FortiGate firewall.
To receive the alert information via email, click the following options: and set
.
Prerequisites - FortiGate
122. DNS - Local Host Communicating with External DNS Server - Flow
Description - Indicates that a local host within your network is communicating with an external DNS server.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
123. DNS - Multiple Recon Events from a Local Host
Description - A local host from the internal network is performing multiple reconnaissance (recon) events through DNS queries. Reconnaissance is a technique used to gather information about a network, systems, or services to identify potential vulnerabilities. Multiple recon events suggest that the local host is systematically probing the network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
124. DNS - Multiple Recon Events from a Remote Host
Description - A remote host is performing multiple reconnaissance (recon) events through DNS queries.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
125. DNS - Possible DNS Amplification Attack
Description - A Distributed Denial of Service (DDoS) attack type in which an attacker exploits open DNS resolvers to flood a target with an overwhelming amount of traffic. The attacker sends DNS queries with a spoofed source IP address (the target's IP) to a vulnerable DNS server; the server answers those queries, and because the responses are much larger than the queries, the volume of traffic sent to the target is amplified. Open DNS Resolver: a DNS server that responds to queries from any IP address, often exploited in amplification attacks. Spoofed IP Address: the attacker falsifies the source IP address in DNS requests, making it appear as if the target IP is requesting the information.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
126. IPS Events
Description - Pertains to events detected by an Intrusion Prevention System (IPS), a network security device or software that monitors network traffic for suspicious activity and takes immediate action to prevent potential threats from causing harm.
To receive the alert information via email, click the following options: and set
.
Prerequisites - CheckPointFirewall
127. Virus detected
Description - A virus has been detected on a device within the network, using Gdata Antivirus.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Antivirus Gdata
128. AD blocked users
Description - A user account in Active Directory (AD) has been blocked or locked out. This typically happens due to multiple failed login attempts, policy violations, or manual administrative actions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log
129. DNS - Data Exfiltration Detection
Description - Unauthorized transfer of data from a computer or network: unusual volumes of data being transferred, especially during off-hours; data being sent to unknown or unauthorized external IP addresses; usage of uncommon protocols or ports for data transfer; repeated or large data transfers to cloud storage services or external servers.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
131. Exfiltration - FTP Traffic with High-Value Host
Description - Indicates that FTP (File Transfer Protocol) traffic involving a high-value host has been detected, which may be a sign of data exfiltration. This type of alert is important because FTP is often used to transfer files between systems, and when it involves a high-value host, it may indicate that sensitive or critical data is being improperly transferred.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
132. Exfiltration - IM Client File Transfers with High-Value Hosts
Description - Detect file transfers via instant messaging (IM) clients on high value hosts.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
133. Exfiltration - P2P Activity with High-Value Hosts
Description - Detect peer-to-peer (P2P) file-sharing activity involving high-value hosts.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
134. GData - Detected WebPhishing
Description - This alert indicates that the GData security solution has detected a phishing attempt through a website accessed by a user or a connection containing a malicious URL. The phishing site is designed to steal sensitive information, such as authentication credentials, financial details, or other personal data, by deceiving the user.
To receive the alert information via email, click the following options: and set
.
Prerequisites - GData
135. Exfiltration - High Number of File Status Events on High-Value Hosts
Description - Unusually high number of file status events (such as file creations, deletions, modifications, or movements) occurring on high-value hosts. High-value hosts are systems that hold critical or sensitive data, making them prime targets for attackers.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows File Access
136. GData - Detected WebInfection
Description - This alert indicates that the GData security solution has identified a web infection, suggesting the possibility of a compromised website or a malicious download. The device may have accessed infected content or fallen victim to a drive-by download attack, where malicious code is executed without the user’s knowledge.
To receive the alert information via email, click the following options: and set
.
Prerequisites - GData
137. Administrator Account Locked
Description - An administrator account in Active Directory (AD) has been blocked or locked out. This typically happens due to multiple failed login attempts, policy violations, or manual administrative actions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log
138. A user account was locked out
Description - A user account in Active Directory (AD) has been blocked or locked out. This typically happens due to multiple failed login attempts, policy violations, or manual administrative actions.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log
140. FortiGate Torrent Activity Detected
Description - Indicates that the FortiGate firewall has detected torrent activity within the network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
141. Forti High Traffic from single IP
Description - A single IP address is generating an unusually high volume of network traffic.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
142. Possible Malicious File By Filename Match
Description - A file whose name matches a known malicious filename pattern has been observed on a monitored system.
To receive the alert information via email, click the following options: and set
.
143. Fortigate - Malware - Botnet Activity
Description - Triggered when a FortiGate device identifies network traffic indicative of botnet activity. Botnets are collections of compromised devices under the control of an attacker, often used for malicious purposes such as DDoS attacks, spamming, data theft, or lateral movement within a network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
144. FortiGate update failed
Description - Triggered when a FortiGate device fails to complete a firmware update, pattern update, or feature upgrade. Such failures can indicate potential issues with system functionality, network security, or communication between the FortiGate and update servers.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
145. CiscoASA - SSH Admin Login
Description - An administrative login has been detected on the Cisco ASA device using the SSH protocol. This event indicates an attempt to access the device for management purposes. Ensure the activity is authorized and aligns with operational policies.
To receive the alert information via email, click the following options: and set
.
Prerequisites - CiscoASA
146. CiscoASA - TELNET Admin Login
Description - An administrative login attempt has been detected on the Cisco ASA device using the Telnet protocol. Since Telnet transmits data unencrypted, this activity should be reviewed for compliance and security risks.
To receive the alert information via email, click the following options: and set
.
Prerequisites - CiscoASA
147. CiscoASA - HTTPS Admin Login
Description - An administrative login was detected on the Cisco ASA device using the HTTPS protocol. Ensure the access was authorized and verify that the connection is secure.
To receive the alert information via email, click the following options: and set
.
Prerequisites - CiscoASA
148. CiscoASA - A new username was created
Description - A new administrative username has been created on the Cisco ASA device. This action may indicate routine administrative activity or potential unauthorized changes. Verify the legitimacy of this account creation.
To receive the alert information via email, click the following options: and set
.
Prerequisites - CiscoASA
149. CiscoASA - A new username was deleted
Description - An existing administrative username has been deleted on the Cisco ASA device. This action could indicate routine administrative cleanup or an attempt to remove traces of unauthorized access. Investigate as needed.
To receive the alert information via email, click the following options: and set
.
Prerequisites - CiscoASA
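The five Cisco ASA alerts above (145 to 149) all key off the device's syslog messages for management logins and local-account changes. The following is an added example, not CYBERQUEST's own rule logic or Cisco code: it parses constructed sample lines modelled on the ASA message IDs 605005/605004 (login permitted/denied) and 502101/502102 (user added/deleted), maps each to the alert it would raise, and flags the two things the descriptions ask a reviewer to check: whether the protocol is cleartext (Telnet) and whether the login came in on the outside interface. All hosts, users, interfaces and timestamps in the sample are made up.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the Cisco ASA format for message IDs
# 605005 (login permitted), 605004 (login denied), 502101 (user added) and
# 502102 (user deleted). Hosts, users and timestamps are invented for the example.
SAMPLE_LOGS = """\
Jan 12 10:01:03 fw01 %ASA-6-605005: Login permitted from 10.10.5.23/51022 to inside:10.10.5.1/ssh for user "netops"
Jan 12 10:02:17 fw01 %ASA-6-605005: Login permitted from 10.10.5.77/40110 to inside:10.10.5.1/telnet for user "admin"
Jan 12 10:03:40 fw01 %ASA-6-605005: Login permitted from 203.0.113.9/55012 to outside:198.51.100.2/https for user "admin"
Jan 12 10:04:02 fw01 %ASA-6-605004: Login denied from 203.0.113.9/55013 to outside:198.51.100.2/ssh for user "root"
Jan 12 10:05:30 fw01 %ASA-5-502101: New user added to local dbase: Uname: svc_backup Priv: 15 Encpass: *****
Jan 12 10:06:11 fw01 %ASA-5-502102: User deleted from local dbase: Uname: olduser Priv: 2 Encpass: *****
"""

# Only the fields the alerts need are captured.
LOGIN_RE = re.compile(
    r'%ASA-\d-(?P<msgid>60500[45]): Login (?P<result>permitted|denied) '
    r'from (?P<src>[^/\s]+)/\d+ to (?P<iface>[^:\s]+):(?P<dst>[^/\s]+)/(?P<proto>\w+) '
    r'for user "(?P<user>[^"]+)"')
ACCOUNT_RE = re.compile(
    r'%ASA-\d-(?P<msgid>50210[12]): (?:New user added to|User deleted from) local dbase: '
    r'Uname: (?P<user>\S+)')

# Management protocols that carry credentials and session data unencrypted.
CLEARTEXT_PROTOCOLS = {"telnet", "http"}


def classify(line: str) -> Optional[dict]:
    """Map one ASA syslog line to the default alert it would raise; None if the line is irrelevant."""
    m = LOGIN_RE.search(line)
    if m:
        proto = m["proto"].lower()
        # A denied login is not one of the listed alerts (alert=None) but is kept in the
        # output so repeated failures against the management plane are not silently dropped.
        alert = None if m["result"] == "denied" else f"CiscoASA - {proto.upper()} Admin Login"
        return {
            "msgid": m["msgid"], "alert": alert, "user": m["user"], "src": m["src"],
            "iface": m["iface"], "proto": proto,
            "cleartext": proto in CLEARTEXT_PROTOCOLS,
            "from_outside": m["iface"].lower() == "outside",
        }
    m = ACCOUNT_RE.search(line)
    if m:
        alert = ("CiscoASA - A new username was created" if m["msgid"] == "502101"
                 else "CiscoASA - A new username was deleted")
        return {"msgid": m["msgid"], "alert": alert, "user": m["user"], "src": None,
                "iface": None, "proto": None, "cleartext": False, "from_outside": False}
    return None


def scan(text: str) -> list:
    """Classify every line of a log excerpt, dropping lines that match no alert."""
    return [r for r in (classify(line) for line in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        flags = []
        if r["cleartext"]:
            flags.append("CLEARTEXT")
        if r["from_outside"]:
            flags.append("FROM-OUTSIDE")
        print(f'{r["msgid"]} {r["alert"] or "login denied"} user={r["user"]} {" ".join(flags)}')
```

The Telnet and outside-interface flags are the review points the descriptions call out; a real deployment would forward them as alert fields rather than print them.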
150. Recon - DNS Recon Events from a Local Host
Description - Detects anomalous DNS queries originating from a local host, indicating potential subdomain enumeration or DNS reconnaissance activity. Indicators: Large number of DNS queries in a short time. Queries to non-corporate or suspicious domains. Repeated queries with incremental subdomain changes (e.g., a.example.com, b.example.com). Threshold: >50 DNS queries to different domains or subdomains within 10 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
151. Recon - DNS Recon Events from a Remote Host
Description - Identifies DNS recon attempts from an external source targeting internal infrastructure. Indicators: Queries aimed at internal domain names. High-frequency requests from a single IP address. Threshold: >30 queries from a single external IP to internal domains in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
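Alerts 150 and 151 state their thresholds explicitly (>50 queries to different names from a local host in 10 minutes; >30 queries from one external address to internal domains in 5 minutes). The following added example, which is not CYBERQUEST's rule engine, evaluates both over a constructed DNS query log with a per-source sliding window, and also measures the "incremental subdomain" indicator as the number of distinct names sharing one parent domain. The internal address ranges and the `corp.example.` zone are assumptions for the example; all events are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for the example: the organisation's internal address space and DNS zone.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
INTERNAL_ZONES = ("corp.example.",)

# Windows and thresholds exactly as stated in the two alert descriptions.
RULES = {
    "Recon - DNS Recon Events from a Local Host":
        {"scope": "local", "window": 600, "threshold": 50, "distinct_names": True},
    "Recon - DNS Recon Events from a Remote Host":
        {"scope": "remote", "window": 300, "threshold": 30, "distinct_names": False},
}


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def normalize(qname: str) -> str:
    return qname.lower().rstrip(".") + "."


def max_parent_fanout(names) -> int:
    """Largest number of distinct names under one parent (a.example.com, b.example.com, ...)."""
    parents = Counter(n.split(".", 1)[1] for n in set(names) if "." in n.rstrip("."))
    return max(parents.values(), default=0)


def evaluate(events):
    """events: iterable of (datetime, source_ip, queried_name).
    Returns {(rule, source_ip): (count_at_trigger, trigger_time, parent_fanout)} for rules that fired."""
    windows = defaultdict(deque)
    fired = {}
    for ts, src, qname in sorted(events):
        qname = normalize(qname)
        internal = is_internal(src)
        for rule, cfg in RULES.items():
            if (cfg["scope"] == "local") != internal:
                continue
            if cfg["scope"] == "remote" and not qname.endswith(INTERNAL_ZONES):
                continue  # external clients asking about public names are not recon of our zone
            key = (rule, src)
            w = windows[key]
            w.append((ts, qname))
            cutoff = ts - timedelta(seconds=cfg["window"])
            while w and w[0][0] < cutoff:
                w.popleft()
            names = [q for _, q in w]
            count = len(set(names)) if cfg["distinct_names"] else len(names)
            if count > cfg["threshold"] and key not in fired:
                fired[key] = (count, ts, max_parent_fanout(names))
    return fired


def sample_events():
    """Constructed query log: (timestamp, source address, queried name)."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    ev = []
    # Local host enumerating incremental subdomains: 60 distinct names in six minutes.
    ev += [(t0 + timedelta(seconds=6 * i), "10.0.0.5", f"h{i}.corp.example") for i in range(60)]
    # External host hammering three names in the internal zone: 35 queries in under three minutes.
    hot = ["www.corp.example", "mail.corp.example", "vpn.corp.example"]
    ev += [(t0 + timedelta(seconds=5 * i), "203.0.113.7", hot[i % 3]) for i in range(35)]
    # Benign workstation: a handful of queries spread over the hour.
    ev += [(t0 + timedelta(minutes=10 * i), "10.0.0.9", f"site{i}.example.net") for i in range(5)]
    # External host querying public names only: never counted against the internal-zone rule.
    ev += [(t0 + timedelta(seconds=2 * i), "198.51.100.4", f"cdn{i}.example.org") for i in range(40)]
    return ev


if __name__ == "__main__":
    for (rule, src), (count, ts, fanout) in evaluate(sample_events()).items():
        print(f"{ts:%H:%M:%S} {rule} src={src} count={count} names_under_one_parent={fanout}")
```

The local rule fires on the 51st distinct name, and the fan-out of 51 under `corp.example.` is what distinguishes enumeration from a busy but ordinary host resolving 51 unrelated names.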
152. Recon - MySQL/MariaDB Database Recon Events from a Local Host
Description - Monitors local activity for database enumeration or brute force attempts on MySQL/MariaDB. Indicators: Failed login attempts. Use of commands like SHOW DATABASES, SHOW TABLES. Threshold: >5 failed logins or enumeration commands in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
153. Recon - PostgreSQL Database Recon Events from a Local Host
Description - Tracks PostgreSQL-specific recon or enumeration activities locally. Indicators: Commands such as \l (list databases), \dt (list tables). Failed connection attempts. Threshold: >3 enumeration commands or failed logins in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
154. Recon - Microsoft SQL Server Database Recon Events from a Local Host
Description - Identifies local recon attempts targeting MSSQL. Indicators: Multiple failed logins. Threshold: >10 recon queries or failed login attempts within 10 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
155. Recon - MySQL/MariaDB Database Recon Events from a Remote Host
Description - Monitors remote attempts to probe MySQL/MariaDB databases. Indicators: Network connections from external IPs attempting to access database ports (3306). Enumeration commands detected. Threshold: >10 attempts to access MySQL from a remote source in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
156. Recon - PostgreSQL Database Recon Events from a Remote Host
Description - Tracks external recon activity against PostgreSQL. Indicators: Unauthorized connection attempts. Use of PostgreSQL-specific commands from external IPs. Threshold: >10 connection attempts or enumeration commands from a remote host in 10 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
157. Recon - Microsoft SQL Server Database Recon Events from a Remote Host
Description - Detects MSSQL recon activity originating from remote sources. Indicators: Connection attempts to default MSSQL port (1433). Failed logins combined with recon commands. Threshold: >15 unauthorized attempts within 10 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
158. Recon - MySQL/MariaDB Database Multiple Recon Events from a Local Host
Description - Indicates that multiple scanning or reconnaissance (recon) events targeting MySQL/MariaDB databases have been detected originating from a local host.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
159. Recon - PostgreSQL Database Multiple Recon Events from a Local Host
Description - Indicates that multiple reconnaissance events targeting a PostgreSQL database have been detected originating from a host within the local network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
160. Recon - Microsoft SQL Server Database Multiple Recon Events from a Local Host
Description - Indicates that a local device on the network has made multiple scanning or access attempts toward a Microsoft SQL Server database.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
161. Recon - Oracle Database Multiple Recon Events from a Local Host
Description - Indicates the detection of multiple reconnaissance activities targeting an Oracle database, initiated by a host within the local network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
162. Recon - MySQL/MariaDB Database Multiple Recon Events from a Remote Host
Description - Indicates that multiple reconnaissance events targeting MySQL/MariaDB databases have been detected, originating from a remote host.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
163. Recon - PostgreSQL Database Multiple Recon Events from a Remote Host
Description - Indicates multiple reconnaissance events targeting a PostgreSQL database from an external location. Reconnaissance is the process by which an attacker or external user gathers information about the database structure, users, permissions, or software versions to identify potential vulnerabilities that could later be exploited.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
164. Recon - Microsoft SQL Server Database Multiple Recon Events from a Remote Host
Description - Indicates the detection of multiple reconnaissance events conducted by an external host targeting a Microsoft SQL server within the network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
165. Recon - Oracle Database Multiple Recon Events from a Remote Host
Description - Signals the detection of multiple reconnaissance events conducted by an external host targeting an Oracle database within the network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
166. Recon - FTP Recon Events from a Local Host
Description - Tracks local probing activity against FTP servers. Indicators: Repeated login attempts (successful or failed). Directory enumeration commands (e.g., LIST, NLST). Threshold: >5 login attempts or >10 directory commands in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
167. Recon - FTP Recon Events from a Remote Host
Description - Identifies remote FTP recon activity. Indicators: Connections to FTP ports (21). Login brute force attempts. Threshold: >10 login attempts or >20 enumeration commands in 10 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
168. Recon - FTP Multiple Recon Events from a Local Host
Description - Indicates the detection of multiple reconnaissance (recon) events via the FTP (File Transfer Protocol) by a local host within the network. These activities involve repeated access attempts, directory listings, or resource identification on FTP servers, which could suggest an attempt to map available FTP services in the network.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
169. Recon - FTP Multiple Recon Events from a Remote Host
Description - Indicates the detection of multiple reconnaissance activities targeting the FTP (File Transfer Protocol) service from an external host.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
170. Recon - Multiple ICMP Recon Events from a Remote Host
Description - Detects ICMP reconnaissance activity like ping sweeps or path discovery. Indicators: Multiple ICMP echo requests in quick succession. ICMP requests targeting restricted or sensitive segments. Threshold: >30 ICMP packets in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
171. Recon - Multiple ICMP Recon Events from a Local Host
Description - Detects ICMP reconnaissance activity like ping sweeps or path discovery. Indicators: Multiple ICMP echo requests in quick succession. ICMP requests targeting restricted or sensitive segments. Threshold: >50 ICMP packets in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
172. Recon - Multiple TCP Recon Events from a Local Host
Description - Identifies TCP-based port scans or probing. Indicators: SYN packets without completed handshakes. Sequential connection attempts to multiple ports. Threshold: >50 connection attempts in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
173. Forti Admin Session
Description - Correlates the FortiGate events "Admin login successful" and "Admin logout successful" (minimum 1, maximum 30 events within 600 seconds): the rule identifies admin login events and checks whether the other event types of the session have occurred within the same window.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
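Alert 173 correlates a FortiGate admin login with the logout that should follow it, while 177 and 181 fire on single login events. The following added example, which is not CYBERQUEST's or Fortinet's code, parses constructed FortiGate key=value event lines, raises the two single-event alerts, and pairs each successful admin login with the first logout from the same user and source address inside the 600-second window, reporting the session length and the number of admin events seen in that window against the 1..30 bounds. Treating "login followed by logout within the window, with the event count inside the bounds" as the firing condition is one reading of the rule text; device names, users, addresses and timestamps in the sample are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate system-event lines (key=value format). logdesc values follow the
# "Admin login successful" / "Admin login failed" / "Admin logout successful" wording used
# by the alerts; everything else (devname, users, addresses, times) is made up for the example.
SAMPLE_LOGS = """\
date=2024-03-01 time=09:00:05 devname="fgt01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="ssh(10.0.0.8)" method="ssh" srcip=10.0.0.8 dstip=10.0.0.1 action="login" status="success" msg="Administrator admin logged in successfully from ssh(10.0.0.8)"
date=2024-03-01 time=09:04:10 devname="fgt01" type="event" subtype="system" level="information" logdesc="Admin logout successful" user="admin" ui="ssh(10.0.0.8)" method="ssh" srcip=10.0.0.8 dstip=10.0.0.1 action="logout" status="success" msg="Administrator admin logged out from ssh(10.0.0.8)"
date=2024-03-01 time=09:10:00 devname="fgt01" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" method="https" srcip=203.0.113.9 dstip=198.51.100.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.9) because of invalid password"
date=2024-03-01 time=09:10:07 devname="fgt01" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" method="https" srcip=203.0.113.9 dstip=198.51.100.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.9) because of invalid password"
date=2024-03-01 time=09:10:15 devname="fgt01" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" method="https" srcip=203.0.113.9 dstip=198.51.100.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.9) because of invalid password"
date=2024-03-01 time=09:20:00 devname="fgt01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.0.0.12)" method="https" srcip=10.0.0.12 dstip=10.0.0.1 action="login" status="success" msg="Administrator netops logged in successfully from https(10.0.0.12)"
date=2024-03-01 time=09:40:00 devname="fgt01" type="event" subtype="system" level="information" logdesc="Admin logout successful" user="netops" ui="https(10.0.0.12)" method="https" srcip=10.0.0.12 dstip=10.0.0.1 action="logout" status="success" msg="Administrator netops logged out from https(10.0.0.12)"
date=2024-03-01 time=09:41:00 devname="fgt01" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=192.0.2.10 action="accept"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ADMIN_EVENTS = ("Admin login successful", "Admin login failed", "Admin logout successful")
SINGLE_EVENT_ALERTS = {"Admin login successful": "Forti Admin Login successful",
                       "Admin login failed": "Forti Admin login failed"}


def parse_fortigate(line: str) -> dict:
    """Split a FortiGate key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def event_time(ev: dict) -> datetime:
    return datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")


def correlate(lines, window=600, min_events=1, max_events=30) -> dict:
    """Raise single-event alerts and pair admin logins with logouts inside `window` seconds."""
    admin = []
    for line in lines:
        ev = parse_fortigate(line)
        if ev.get("type") == "event" and ev.get("subtype") == "system" and ev.get("logdesc") in ADMIN_EVENTS:
            ev["ts"] = event_time(ev)
            admin.append(ev)
    admin.sort(key=lambda e: e["ts"])

    alerts = [{"alert": SINGLE_EVENT_ALERTS[e["logdesc"]], "user": e["user"], "srcip": e["srcip"], "ts": e["ts"]}
              for e in admin if e["logdesc"] in SINGLE_EVENT_ALERTS]

    sessions = []
    for i, e in enumerate(admin):
        if e["logdesc"] != "Admin login successful":
            continue
        deadline = e["ts"] + timedelta(seconds=window)
        # Admin events for the same user and source address inside the window, login included.
        related = [x for x in admin[i:] if x["ts"] <= deadline
                   and x["user"] == e["user"] and x["srcip"] == e["srcip"]]
        logout = next((x for x in related if x["logdesc"] == "Admin logout successful"), None)
        sessions.append({
            "user": e["user"], "srcip": e["srcip"], "login": e["ts"],
            "closed": logout is not None,
            "duration": int((logout["ts"] - e["ts"]).total_seconds()) if logout else None,
            "events_in_window": len(related),
            "fires": logout is not None and min_events <= len(related) <= max_events,
        })
    return {"alerts": alerts, "sessions": sessions}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOGS.splitlines())
    for a in result["alerts"]:
        print(f'{a["ts"]:%H:%M:%S} {a["alert"]} user={a["user"]} srcip={a["srcip"]}')
    for s in result["sessions"]:
        state = f'closed after {s["duration"]}s' if s["closed"] else "no logout within window"
        print(f'{s["login"]:%H:%M:%S} Forti Admin Session user={s["user"]} {state} fires={s["fires"]}')
```

The second session (user `netops`) shows the case the correlation is for: the logout exists but arrives 20 minutes later, outside the 600-second window, so the rule does not treat it as a normal session and the login is left for review.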
174. Recon - Oracle Database Recon Events from a Remote Host
Description - Monitors remote recon or probing of Oracle databases. Indicators: Attempts to access Oracle listener ports (1521). Enumeration commands executed by external IPs. Threshold: >10 access attempts or queries from a single external source in 10 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
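The remote database alerts 155, 157 and 174, the ICMP alerts 170 and 171 and the TCP alert 172 all reduce to counting matching flows from one source inside a window. NetFlow records carry addresses, ports, protocol, TCP flags and packet counts but not query or command text, so the following added example, which is not CYBERQUEST's rule engine, implements the port-, flag- and packet-count indicators of those six descriptions with their stated thresholds: half-open attempts are flows whose TCP flags include SYN but never ACK, ICMP is measured in packets, and the TCP scan rule counts distinct destination ports. The internal address ranges and the flow records are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address space (decides local vs remote source).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
TCP, ICMP = 6, 1
SYN, ACK, FIN, PSH = 0x02, 0x10, 0x01, 0x08   # TCP flag bits as carried in the NetFlow tcp_flags field


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def syn_only(f: dict) -> bool:
    """A flow that carried SYN but never ACK: a connection attempt without a completed handshake."""
    return f["proto"] == TCP and bool(f["tcp_flags"] & SYN) and not (f["tcp_flags"] & ACK)


# (alert name, source scope, flow predicate, what to count, window seconds, threshold),
# using the thresholds stated in the corresponding alert descriptions.
RULES = [
    ("Recon - MySQL/MariaDB Database Recon Events from a Remote Host", "remote",
     lambda f: f["proto"] == TCP and f["dport"] == 3306, "flows", 300, 10),
    ("Recon - Microsoft SQL Server Database Recon Events from a Remote Host", "remote",
     lambda f: f["proto"] == TCP and f["dport"] == 1433, "flows", 600, 15),
    ("Recon - Oracle Database Recon Events from a Remote Host", "remote",
     lambda f: f["proto"] == TCP and f["dport"] == 1521, "flows", 600, 10),
    ("Recon - Multiple ICMP Recon Events from a Remote Host", "remote",
     lambda f: f["proto"] == ICMP, "packets", 300, 30),
    ("Recon - Multiple ICMP Recon Events from a Local Host", "local",
     lambda f: f["proto"] == ICMP, "packets", 300, 50),
    ("Recon - Multiple TCP Recon Events from a Local Host", "local",
     syn_only, "distinct_dports", 300, 50),
]


def evaluate(flows) -> dict:
    """Sliding-window evaluation of RULES per source address.
    Returns {(alert, src): (count_at_trigger, trigger_time)} for every rule that fired."""
    windows = defaultdict(deque)
    fired = {}
    for f in sorted(flows, key=lambda x: x["ts"]):
        internal = is_internal(f["src"])
        for name, scope, match, measure, window, threshold in RULES:
            if (scope == "local") != internal or not match(f):
                continue
            key = (name, f["src"])
            w = windows[key]
            w.append(f)
            cutoff = f["ts"] - timedelta(seconds=window)
            while w and w[0]["ts"] < cutoff:
                w.popleft()
            if measure == "flows":
                n = len(w)
            elif measure == "packets":
                n = sum(x["packets"] for x in w)
            else:
                n = len({x["dport"] for x in w})
            if n > threshold and key not in fired:
                fired[key] = (n, f["ts"])
    return fired


T0 = datetime(2024, 3, 1, 9, 0, 0)


def flow(offset, src, dst, proto, dport=0, flags=0, packets=1) -> dict:
    return {"ts": T0 + timedelta(seconds=offset), "src": src, "dst": dst,
            "proto": proto, "dport": dport, "tcp_flags": flags, "packets": packets}


def sample_flows():
    """Constructed NetFlow-style records; all addresses are documentation ranges."""
    fl = []
    # External host sends 12 half-open probes to the MySQL port within two minutes.
    fl += [flow(10 * i, "203.0.113.50", "10.0.0.20", TCP, 3306, SYN) for i in range(12)]
    # Internal workstation SYN-scans 60 ports on one server within a minute.
    fl += [flow(i, "10.0.0.33", "10.0.0.40", TCP, 1 + i, SYN) for i in range(60)]
    # External host pings 35 internal addresses in under two minutes.
    fl += [flow(3 * i, "198.51.100.9", f"10.0.0.{1 + i}", ICMP) for i in range(35)]
    # Benign: an internal app server holds three completed MySQL sessions (SYN and ACK both seen).
    fl += [flow(60 * i, "10.0.0.5", "10.0.0.20", TCP, 3306, SYN | ACK | PSH | FIN, 40) for i in range(3)]
    return fl


if __name__ == "__main__":
    for (alert, src), (n, ts) in evaluate(sample_flows()).items():
        print(f"{ts:%H:%M:%S} {alert} src={src} count={n}")
```

The completed sessions from 10.0.0.5 never count toward the TCP scan rule because their flag set includes ACK; only the SYN-without-ACK flows do, which is what keeps a busy application server from looking like a scanner.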
175. User Added/Removed from AD Global Admins Group
Description - Indicates that a user has been added or removed from the Global Admins group in Active Directory (AD). Any changes to this group are highly sensitive and can have significant implications for the security and integrity of the organization.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Windows Security Log
176. VPNSuccess - from outside Romania
Description - Indicates a successful VPN authentication from a geographic location outside of Romania. This could represent legitimate activity if the user is traveling or working remotely, but it may also signal a potential security breach, especially if access from other countries is unusual for the organization.
To receive the alert information via email, click the following options: and set
.
177. Forti Admin Login successful
Description - Indicates that a user has successfully authenticated on a FortiGate device using an administrative account (admin).
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate
178. VPNFailed - from outside Romania
Description - Indicates a failed VPN connection attempt to the organization's network from a location outside of Romania. This type of event may signal unauthorized access attempts, the use of compromised credentials, or incorrect user configurations.
To receive the alert information via email, click the following options: and set
.
179. VPNSuccess - from User Not in WindowsUserList
Description - Indicates that a user who is not present in the Windows User List (WindowsUserList) has successfully authenticated into the network via VPN.
To receive the alert information via email, click the following options: and set
.
180. Recon - Oracle Database Recon Events from a Local Host
Description - Detects enumeration or login attempts targeting Oracle databases locally. Indicators: Repeated login failures. Threshold: >5 recon-related commands or failed logins in 5 minutes.
To receive the alert information via email, click the following options: and set
.
Prerequisites - NetFlow
181. Forti Admin login failed
Description - Indicates a failed authentication attempt on the administrative interface of a Fortinet FortiGate device.
To receive the alert information via email, click the following options: and set
.
Prerequisites - Fortigate