Alerting
- 07 Feb 2024
- 14 Minutes to read
- Print
- DarkLight
Alerting
- Updated on 07 Feb 2024
- 14 Minutes to read
- Print
- DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Security Manager provides out-of-the-box alerting for the following systems:
RapidIdentity
| Alert Name | Alert Trigger |
|---|---|
| Identity Automation - Update to RapidIdentity SMTP settings | This alert triggers when there is a update to RapidIdentity SMTP settings. |
| Identity Automation - Risky IP Activity | This alert triggers any outbound traffic or allowed inbound traffic is observed on network firewalls. |
| Identity Automation - Authentication policy saved with 1 method and enabled | This alert triggers when a authentication policy was saved with only one method enabled. |
| Identity Automation - User added to Tenant Administrator Group | This alert triggers when a user has been added to the Tenant Administrator Group. |
| Identity Automation - Update to RapidIDentity SMS Settings | This alert triggers when RapidIDentity SMS settings were updated. |
| Identity Automation - Enablement of Grant Support Access | This alert triggers when grant support access is enabled |
| Identity Automation - CORS Update to allow any origin | This alert triggers when CORS is updated to allow any origin. |
| Identity Automation - New User Agent | This alert triggers when a user agent has changed and its the first occurance of this user agent. |
| Identity Automation - Possible Brute Force Attack | This alert will be triggered when there is an excessive number of invalid login attempts within a brief duration of time. |
| Identity Automation - Creation of a service identity key with Tenant Admin or Connect Admin privileges | This alert triggers when a service identity key with Tenant Admin privileges or Connect Admin privileges is created. |
| Identity Automation - User added to Connect Administrator Group | This alert triggers when a user has been added to the Connect Administrator Group. |
| Identity Automation - Multiple Logons From Same IP | This alert triggers when there are multiple logons to different users from the same IP. |
| Login from new country - Identity Automation | Rule will trigger when the location metadata has changed and the calculated velocity from this event and the last event is over 200 miles per hour. |
Google Workspace
| Alert Name | Alert Trigger |
|---|---|
| Recovery Email Changed | This alert is triggered when a users recovery email has been changed. |
| User suspended (spam) | This alert is triggered when a user account has been disabled. This is a suspension for spamming. |
| User suspended (suspicious activity) | This alert is triggered when a user account has been disabled. This is a suspension for suspicious activity. |
| User suspended (spam through relay) | This alert is triggered when a user account has been disabled. This is a suspension for spamming through a relay. |
| User suspended (generic) | This alert is triggered when a user account has been disabled. This is a generic account suspension. |
| Leaked password | This alert is triggered when a user has a leaked password |
| Google Cloud: Brute Force Login Attempt | This alert is triggered when there is a potential brute force. |
| Government Attack Observed | This alert is triggered when an attack has been observed that has been deemed to be backed by a government. |
| Risky, senstive action allowed | This alert is triggered when a risky, sensitive action is allowed. |
| Recovery Secret changed | This alert is triggered when a users account recovery secret question/answer has been changed. |
| Unenrolled in Advanced Protection | This alert is triggered when a user is unenrolled in Advanced Protection. |
| Domain Email Forwarding Enabled | This alert is triggered when out of domain email forwarding gets enabled. |
| Incorrect Answer On Login | This alert is triggered when a user enters an incorrect answer on login. |
| Google Cloud: 2 Step Verification Disabled | This alert is triggered when a user account has disabled 2 step verification. |
| Recovery Phone Number Changed | This alert is triggered when a users recovery phone number has been changed. |
Microsoft Azure
| Alert Name | Alert Trigger |
|---|---|
| Email messages containing malicious file or malware removed after delivery | Activated when Microsoft Defender for Office 365 detects a malicious file in an email message after it was delivered to a user's mailbox. This requires Microsoft Defender for Office 365 to be enabled, alongside a E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription. |
| Email messages containing malicious/phishing URL removed after delivery | Activated when Microsoft Defender for Office 365 detects a malicious or phishing URL in an email message after it was delivered to a user's mailbox. This requires Microsoft Defender for Office 365 to be enabled. |
| Risk detection event - Microsoft Identity | Triggered when Microsoft Identity detects a risky event associated with a user account; when the appropriate integration has been configured. |
| Risky user detected - Microsoft Identity | Triggered when Microsoft Identity detects a risky user; when the appropriate integration has been configured. A risky user is a user account that has been flagged as suspicious by Microsoft Identity. Risky users can be flagged for a variety of reasons, including suspicious sign-in attempts, leaked credentials, and malware-infected devices. |
Microsoft Active Directory
| Alert Name | Alert Trigger |
|---|---|
| New Service Installed | This alert is triggered whenever a new service is installed. Unfortunely, Windows does not log events from the Windows installer, which could provide more concrete information about new software being installed. This is a workaround to this shortcoming. |
| User Right Assigned | This alert is triggered whenever a user right is assigned. |
| Possible Internal Brute Force or Expired Credentials | There is an excessive number of invalid login attempts within a brief duration of time from an internal IP address. |
| System Audit Policy Modified | This alert is triggered whenever there has been a change in the computer's system level audit policy. |
| Possible Compromised Credentials | This alert monitors the number of successful logons within a specified time frame. An unusually high number of successful logons can be a major indicator that compromised credentials are being used for system crawling or other malicious activity. |
| User Account Locked | This alert is triggered whenever a user account is locked out due to multiple failed login attempts using the wrong password. The lockout policy may be changed via the Local Security Policy or Group Policy in Active Directory. |
| Windows Registry Value Modified | This alert is triggered whenever a registry value is modified. Additionally, the Object Access auditing policy must be enabled for success and failure, and this event generates only if “Set Value" auditing is set in registry key’s System Access Control List (SACL). |
| User Account Deleted | This alert is triggered whenever a user account is deleted. |
| Group Policy Object deleted | Rule will trigger if a Group Policy Object was deleted. |
| Windows Management Instrumentation Activity Observed | This alert is triggered whenever the wmic process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created. |
| Windows Firewall Exception Modified | This alert is triggered whenever there has been a modification to a rule in the Windows Firewall exception list. A modification would mean that a rule's properties were changed (e.g. type, program, port, action, user exceptions, etc) |
| Possible Expired Credentials | This alert will be triggered when there is an unusually large number of unsuccessful logins over an extended period of time. This alert is not to be confused with [Possible Brute Force Attack][1], which triggers when there is an excessive number of unsuccessful logins over a brief duration of time. |
| Browser Extension Detected | This alert is triggered when a browser extension is detected. |
| Possible usage of LOLBins with RCE vulnerability (CVE-2022-30190) "Follina" | This alert will be triggered when regsvr32.exe, rundll32.exe, msiexec.exe, mshta.exe, verclsid.exe, msdt.exe are seen executed from a parent process of Word, Outlook, or Excel. |
| Time Syncronization Error | This alert will be trigged when event 12 is logged by the Microsoft-Windows-Time-Service event provider |
| Disabled Account Multiple Auth Failures | This alert is triggered whenever someone attempts to logon to a disabled account multiple times in a short duration. |
| User Self-Service Password Change Attempt | This alert is triggered whenever a user attempts to change his or her own password. |
| Three Login Lockouts in 24 Hours | This alert is triggered whenever a user account is locked out 3 times within 24 hours. |
| User Account Name Modified | This alert is triggered whenever a user account has its name changed. |
| Windows Defender has Detected/Blocked Malware | This alert is triggered whenever Windows Defender AntiVirus detects a malicious file or process that may inflict harm on an endpoint. |
| RegSvr32 Activity Observed | This alert is triggered whenever a new scheduled task is created within the Windows Task Scheduler application. Note that auditing must be enabled for "Other Object Access Events" in Windows in order for the event log that this alert looks for to be created. |
| User's Local Group Membership Enumerated | This alert is triggered whenever a user account's local group membership was enumerated. |
| Installation Completed by a Threat Listed IP Address | This alert is triggered when there is a successful download of an application from a known malcious IP address. |
| Disabled Account Auth Failure | This alert is triggered whenever someone attempts to logon to a disabled account. |
| PowerShell Execution Policy Bypass | This alert is triggered when a user attempts to change the PowerShell execution policy within the PowerShell console or through the exeuction of a PowerShell script file using the "Set-ExecutionPolicy" cmdlet. |
| Safe Mode Boot | This alert is triggered whenever a host is forced into safe mode, modifications to Boot Configuration Data (BCD) stores are detected, or when relevant Registry values are modified. |
| Riskware Detected | This alert is triggered when a program known to be riskware is detected on a machine. |
| Windows Firewall Exceptions Cleared | This alert is triggered when all rules in the Windows Firewall exception list have been deleted. |
| Windows Firewall Failed To Load Group Policy | This alert is triggered when Windows Firewall has failed to load its Group Policy. |
| Mshta Activity Observed | This alert is triggered whenever the mshta.exe process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created. |
| Threat IP Addresses Detected | This alert is triggered whenever there's an open network connection to an IP address that cannot be classified as benign. |
| Microsoft Defender Disabled | This alert is triggered whenever the event code for Microsoft Defender is disabled or status changes |
| User Removed From Admin Group | This alert is triggered whenever a user account is removed from the local Administrator group. |
| Possible execution of the RCE vulnerability (CVE-2022-30190) "Follina" | This alert will be triggered when msdt.exe is seen executed from a parent process of Word, Outlook, or Excel. |
| Malware Detected | This alert is triggered when malware is detected on a machine. |
| Network Utility Observed - NET USER | This alert is triggered whenever the net process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created. |
| Azorult Registry Key Detected | This alert is triggered whenever a specific registry key associated with the Azorult trojan is created. |
| Windows Firewall Setting Modified | This alert is triggered whenever there has been a setting in Windows Firewall has been changed. |
| Object Audit Setting Modified | This alert is triggered whenever there has been a change in an Object's auditing settings. |
| Nmap Activity Observed | This alert is triggered whenever the netstat process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created. |
| Time Syncronization Error | This alert will be trigged when event 142 is logged by the Microsoft-Windows-Time-Service event provider |
| Potential Admin User Account Created | This alert is triggered whenever a new user account is created. |
| Failed Login Attempt to Domain Controller | This alert will be triggered when Windows Event 531 is generated. This occurs when a user fails to log on to the domain controller itself (such as at the console or through failure to connect to a shared folder). |
| Detects modifications to Domain DNS Object | Rule will trigger if a modification to a Domain DNS Object occurs. |
| Access Control (Windows) - T110.003 Disabled Users Failing To Authenticate From Source Using Kerberos | Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol. |
| Windows Firewall Settings Reset To Default | This alert is triggered when Windows Firewall has been reset to its default configuration. |
| User Account Enabled | This alert is triggered whenever a user account is enabled. |
| Time Syncronization Error | This alert will be trigged when event 24 is logged by the Microsoft-Windows-Time-Service event provider |
| Windows Firewall Exception Deleted | This alert is triggered whenever there has been a deletion of a rule in the Windows Firewall exception list. |
| Credential Dumping Tools Utilized | This alert will trigger when any Service Names or services with Image Paths are seen that contain any of ["fgexec","cachedump","mimikatz","mimidrv","wceservice","pwdump"] |
| User Account Disabled | This alert is triggered whenever a user account is disabled. |
| Windows Event Logs Cleared | This alert will be triggered upon the detection of a single incident of event logs being cleared. |
| PowerShell Invoked With Suspicious Parameters | This alert is triggered when the PowerShell process is invoked with launch parameters that are indicative of malicious behaviour, such as hiding the window, using an older version, or supplying encoded commands. |
| Windows Firewall Group Policy Settings Modified | This alert is triggered when Group Policy is refreshed and a change in the Windows Firewall settings is detected |
| User Added To Admin Group | This alert is triggered whenever a user account is added to the local Administrator group. |
| New Scheduled Task Created | This alert is triggered whenever a new scheduled task is created within the Windows Task Scheduler application. Note that auditing must be enabled for "Other Object Access Events" in Windows in order for the event log that this alert looks for to be created. |
| Suspicious msdt.exe excecution with CVE-2022-30190 "Follina" | This alert will be triggered when msdt.exe is seen executed with suspicious command line arguements. |
| T1543.003 Suspicious Windows Service Creation by an Unusual Client Process | This alert is triggered new windows service is created that may be suspicious. |
| User Right Removed | This alert is triggered whenever a user right is removed. |
| Default Admin Account Auth Attempt | This alert is triggered whenever a logon to the builtin Administrator account is attempted. |
| Windows Defender Malware Action Failed | This alert is triggered whenever Windows Defender AntiVirus encounters an error when attempting to perform an action on a file it has deemed malicious. |
| Possible Ryuk IP Communication | This alert is triggered when an IP used in communication was found matching a possible Ryuk Ransomware IOC. |
| Logon Right Removed From Account | This alert is triggered whenever a logon right has been removed from a user. |
| Application (Web Service) - T1505.003 Shells Spawned by Web Servers | This rule detects the spawning of web shells on Windows IIS or web server. |
| Windows Firewall Exception Added | This alert is triggered whenever there has been a addition of a rule in the Windows Firewall exception list. |
| Logon Right Assigned To Account | This alert is triggered whenever a logon right has been granted to a user. |
| Network Utility Observed - ARP | This alert is triggered whenever the arp process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created. |
| Access Control (Windows) - T110.003 Disabled Users Failing To Authenticate From Source Using Kerberos | Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol. |
| Domain Policy Modified | This alert is triggered whenever a domain policy is modified. |
| Timezone Auto Update Setting has Been Toggled Too Many Times | This alert will be triggered when there is an excessive number of toggles of the timezone auto update feature. |
| User Account Unlocked | This alert is triggered whenever a user account is unlocked via account management, but not when a user unlocks the account with a password reset at the Windows user login screen. |
| PowerShell Encoded Command Observed | This alert is triggered when the PowerShell process is invoked with the "-EncodedCommand" launch parameter. This capability is often used by adversaries to run malicious code supplied in the form of a base-64-encoded string in order to avoid detection by security tools. |
| Kerberos Manipulation - Kerberoasting - Suspicious Kerberos error codes and status codes. | This alert is triggered whenever someone attempts to do actions that may lead to Kerberoasting. |
| Host (Windows)- Creation of Windows Service | Detects when a process creation event (4688) is triggered on a machine and alerts when either the srvany.exe, instsrv.exe, or nssm.exe processes have started. |
| Possible Brute Force Attack | This alert will be triggered when there is an excessive number of invalid login attempts within a brief duration of time. This alert is not to be confused with [Possible Expired Credentials][1], which triggers when there is an unusually large number of unsuccessful logins over an extended period of time, nor [Possible Brute Force Attack (lateral)][2], which triggers when there have been attempts to login to the same user account across multiple machines. |
Was this article helpful?