Alerting
  • 07 Feb 2024
  • 14 Minutes to read
  • Dark
    Light

Alerting

  • Dark
    Light

Article summary

Security Manager provides out-of-the-box alerting for the following systems:

RapidIdentity

Alert NameAlert Trigger
Identity Automation - Update to RapidIdentity SMTP settingsThis alert triggers when there is a update to RapidIdentity SMTP settings.
Identity Automation - Risky IP ActivityThis alert triggers any outbound traffic or allowed inbound traffic is observed on network firewalls.
Identity Automation - Authentication policy saved with 1 method and enabledThis alert triggers when a authentication policy was saved with only one method enabled.
Identity Automation - User added to Tenant Administrator GroupThis alert triggers when a user has been added to the Tenant Administrator Group.
Identity Automation - Update to RapidIDentity SMS SettingsThis alert triggers when RapidIDentity SMS settings were updated.
Identity Automation - Enablement of Grant Support AccessThis alert triggers when grant support access is enabled
Identity Automation - CORS Update to allow any originThis alert triggers when CORS is updated to allow any origin.
Identity Automation - New User AgentThis alert triggers when a user agent has changed and its the first occurance of this user agent.
Identity Automation - Possible Brute Force AttackThis alert will be triggered when there is an excessive number of invalid login attempts within a brief duration of time.
Identity Automation - Creation of a service identity key with Tenant Admin or Connect Admin privilegesThis alert triggers when a service identity key with Tenant Admin privileges or Connect Admin privileges is created.
Identity Automation - User added to Connect Administrator GroupThis alert triggers when a user has been added to the Connect Administrator Group.
Identity Automation - Multiple Logons From Same IPThis alert triggers when there are multiple logons to different users from the same IP.
Login from new country - Identity AutomationRule will trigger when the location metadata has changed and the calculated velocity from this event and the last event is over 200 miles per hour.

Google Workspace

Alert NameAlert Trigger
Recovery Email ChangedThis alert is triggered when a users recovery email has been changed.
User suspended (spam)This alert is triggered when a user account has been disabled. This is a suspension for spamming.
User suspended (suspicious activity)This alert is triggered when a user account has been disabled. This is a suspension for suspicious activity.
User suspended (spam through relay)This alert is triggered when a user account has been disabled. This is a suspension for spamming through a relay.
User suspended (generic)This alert is triggered when a user account has been disabled. This is a generic account suspension.
Leaked passwordThis alert is triggered when a user has a leaked password
Google Cloud: Brute Force Login AttemptThis alert is triggered when there is a potential brute force.
Government Attack ObservedThis alert is triggered when an attack has been observed that has been deemed to be backed by a government.
Risky, senstive action allowedThis alert is triggered when a risky, sensitive action is allowed.
Recovery Secret changedThis alert is triggered when a users account recovery secret question/answer has been changed.
Unenrolled in Advanced ProtectionThis alert is triggered when a user is unenrolled in Advanced Protection.
Domain Email Forwarding EnabledThis alert is triggered when out of domain email forwarding gets enabled.
Incorrect Answer On LoginThis alert is triggered when a user enters an incorrect answer on login.
Google Cloud: 2 Step Verification DisabledThis alert is triggered when a user account has disabled 2 step verification.
Recovery Phone Number ChangedThis alert is triggered when a users recovery phone number has been changed.

Microsoft Azure

Alert NameAlert Trigger
Email messages containing malicious file or malware removed after deliveryActivated when Microsoft Defender for Office 365 detects a malicious file in an email message after it was delivered to a user's mailbox. This requires Microsoft Defender for Office 365 to be enabled, alongside a E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription.
Email messages containing malicious/phishing URL removed after deliveryActivated when Microsoft Defender for Office 365 detects a malicious or phishing URL in an email message after it was delivered to a user's mailbox. This requires Microsoft Defender for Office 365 to be enabled.
Risk detection event - Microsoft IdentityTriggered when Microsoft Identity detects a risky event associated with a user account; when the appropriate integration has been configured.
Risky user detected - Microsoft IdentityTriggered when Microsoft Identity detects a risky user; when the appropriate integration has been configured. A risky user is a user account that has been flagged as suspicious by Microsoft Identity. Risky users can be flagged for a variety of reasons, including suspicious sign-in attempts, leaked credentials, and malware-infected devices.

Microsoft Active Directory

Alert NameAlert Trigger
New Service InstalledThis alert is triggered whenever a new service is installed. Unfortunely, Windows does not log events from the Windows installer, which could provide more concrete information about new software being installed. This is a workaround to this shortcoming.
User Right AssignedThis alert is triggered whenever a user right is assigned.
Possible Internal Brute Force or Expired CredentialsThere is an excessive number of invalid login attempts within a brief duration of time from an internal IP address.
System Audit Policy ModifiedThis alert is triggered whenever there has been a change in the computer's system level audit policy.
Possible Compromised CredentialsThis alert monitors the number of successful logons within a specified time frame. An unusually high number of successful logons can be a major indicator that compromised credentials are being used for system crawling or other malicious activity.
User Account LockedThis alert is triggered whenever a user account is locked out due to multiple failed login attempts using the wrong password. The lockout policy may be changed via the Local Security Policy or Group Policy in Active Directory.
Windows Registry Value ModifiedThis alert is triggered whenever a registry value is modified. Additionally, the Object Access auditing policy must be enabled for success and failure, and this event generates only if “Set Value" auditing is set in registry key’s System Access Control List (SACL).
User Account DeletedThis alert is triggered whenever a user account is deleted.
Group Policy Object deletedRule will trigger if a Group Policy Object was deleted.
Windows Management Instrumentation Activity ObservedThis alert is triggered whenever the wmic process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created.
Windows Firewall Exception ModifiedThis alert is triggered whenever there has been a modification to a rule in the Windows Firewall exception list. A modification would mean that a rule's properties were changed (e.g. type, program, port, action, user exceptions, etc)
Possible Expired CredentialsThis alert will be triggered when there is an unusually large number of unsuccessful logins over an extended period of time. This alert is not to be confused with [Possible Brute Force Attack][1], which triggers when there is an excessive number of unsuccessful logins over a brief duration of time.
Browser Extension DetectedThis alert is triggered when a browser extension is detected.
Possible usage of LOLBins with RCE vulnerability (CVE-2022-30190) "Follina"This alert will be triggered when regsvr32.exe, rundll32.exe, msiexec.exe, mshta.exe, verclsid.exe, msdt.exe are seen executed from a parent process of Word, Outlook, or Excel.
Time Syncronization ErrorThis alert will be trigged when event 12 is logged by the Microsoft-Windows-Time-Service event provider
Disabled Account Multiple Auth FailuresThis alert is triggered whenever someone attempts to logon to a disabled account multiple times in a short duration.
User Self-Service Password Change AttemptThis alert is triggered whenever a user attempts to change his or her own password.
Three Login Lockouts in 24 HoursThis alert is triggered whenever a user account is locked out 3 times within 24 hours.
User Account Name ModifiedThis alert is triggered whenever a user account has its name changed.
Windows Defender has Detected/Blocked MalwareThis alert is triggered whenever Windows Defender AntiVirus detects a malicious file or process that may inflict harm on an endpoint.
RegSvr32 Activity ObservedThis alert is triggered whenever a new scheduled task is created within the Windows Task Scheduler application. Note that auditing must be enabled for "Other Object Access Events" in Windows in order for the event log that this alert looks for to be created.
User's Local Group Membership EnumeratedThis alert is triggered whenever a user account's local group membership was enumerated.
Installation Completed by a Threat Listed IP AddressThis alert is triggered when there is a successful download of an application from a known malcious IP address.
Disabled Account Auth FailureThis alert is triggered whenever someone attempts to logon to a disabled account.
PowerShell Execution Policy BypassThis alert is triggered when a user attempts to change the PowerShell execution policy within the PowerShell console or through the exeuction of a PowerShell script file using the "Set-ExecutionPolicy" cmdlet.
Safe Mode BootThis alert is triggered whenever a host is forced into safe mode, modifications to Boot Configuration Data (BCD) stores are detected, or when relevant Registry values are modified.
Riskware DetectedThis alert is triggered when a program known to be riskware is detected on a machine.
Windows Firewall Exceptions ClearedThis alert is triggered when all rules in the Windows Firewall exception list have been deleted.
Windows Firewall Failed To Load Group PolicyThis alert is triggered when Windows Firewall has failed to load its Group Policy.
Mshta Activity ObservedThis alert is triggered whenever the mshta.exe process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created.
Threat IP Addresses DetectedThis alert is triggered whenever there's an open network connection to an IP address that cannot be classified as benign.
Microsoft Defender DisabledThis alert is triggered whenever the event code for Microsoft Defender is disabled or status changes
User Removed From Admin GroupThis alert is triggered whenever a user account is removed from the local Administrator group.
Possible execution of the RCE vulnerability (CVE-2022-30190) "Follina"This alert will be triggered when msdt.exe is seen executed from a parent process of Word, Outlook, or Excel.
Malware DetectedThis alert is triggered when malware is detected on a machine.
Network Utility Observed - NET USERThis alert is triggered whenever the net process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created.
Azorult Registry Key DetectedThis alert is triggered whenever a specific registry key associated with the Azorult trojan is created.
Windows Firewall Setting ModifiedThis alert is triggered whenever there has been a setting in Windows Firewall has been changed.
Object Audit Setting ModifiedThis alert is triggered whenever there has been a change in an Object's auditing settings.
Nmap Activity ObservedThis alert is triggered whenever the netstat process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created.
Time Syncronization ErrorThis alert will be trigged when event 142 is logged by the Microsoft-Windows-Time-Service event provider
Potential Admin User Account CreatedThis alert is triggered whenever a new user account is created.
Failed Login Attempt to Domain ControllerThis alert will be triggered when Windows Event 531 is generated. This occurs when a user fails to log on to the domain controller itself (such as at the console or through failure to connect to a shared folder).
Detects modifications to Domain DNS ObjectRule will trigger if a modification to a Domain DNS Object occurs.
Access Control (Windows) - T110.003 Disabled Users Failing To Authenticate From Source Using KerberosDetects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
Windows Firewall Settings Reset To DefaultThis alert is triggered when Windows Firewall has been reset to its default configuration.
User Account EnabledThis alert is triggered whenever a user account is enabled.
Time Syncronization ErrorThis alert will be trigged when event 24 is logged by the Microsoft-Windows-Time-Service event provider
Windows Firewall Exception DeletedThis alert is triggered whenever there has been a deletion of a rule in the Windows Firewall exception list.
Credential Dumping Tools UtilizedThis alert will trigger when any Service Names or services with Image Paths are seen that contain any of ["fgexec","cachedump","mimikatz","mimidrv","wceservice","pwdump"]
User Account DisabledThis alert is triggered whenever a user account is disabled.
Windows Event Logs ClearedThis alert will be triggered upon the detection of a single incident of event logs being cleared.
PowerShell Invoked With Suspicious ParametersThis alert is triggered when the PowerShell process is invoked with launch parameters that are indicative of malicious behaviour, such as hiding the window, using an older version, or supplying encoded commands.
Windows Firewall Group Policy Settings ModifiedThis alert is triggered when Group Policy is refreshed and a change in the Windows Firewall settings is detected
User Added To Admin GroupThis alert is triggered whenever a user account is added to the local Administrator group.
New Scheduled Task CreatedThis alert is triggered whenever a new scheduled task is created within the Windows Task Scheduler application. Note that auditing must be enabled for "Other Object Access Events" in Windows in order for the event log that this alert looks for to be created.
Suspicious msdt.exe excecution with CVE-2022-30190 "Follina"This alert will be triggered when msdt.exe is seen executed with suspicious command line arguements.
T1543.003 Suspicious Windows Service Creation by an Unusual Client ProcessThis alert is triggered new windows service is created that may be suspicious.
User Right RemovedThis alert is triggered whenever a user right is removed.
Default Admin Account Auth AttemptThis alert is triggered whenever a logon to the builtin Administrator account is attempted.
Windows Defender Malware Action FailedThis alert is triggered whenever Windows Defender AntiVirus encounters an error when attempting to perform an action on a file it has deemed malicious.
Possible Ryuk IP CommunicationThis alert is triggered when an IP used in communication was found matching a possible Ryuk Ransomware IOC.
Logon Right Removed From AccountThis alert is triggered whenever a logon right has been removed from a user.
Application (Web Service) - T1505.003 Shells Spawned by Web ServersThis rule detects the spawning of web shells on Windows IIS or web server.
Windows Firewall Exception AddedThis alert is triggered whenever there has been a addition of a rule in the Windows Firewall exception list.
Logon Right Assigned To AccountThis alert is triggered whenever a logon right has been granted to a user.
Network Utility Observed - ARPThis alert is triggered whenever the arp process is created. Note that auditing must be enabled for "Process Creation" in Windows in order for the event log that this alert looks for to be created.
Access Control (Windows) - T110.003 Disabled Users Failing To Authenticate From Source Using KerberosDetects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
Domain Policy ModifiedThis alert is triggered whenever a domain policy is modified.
Timezone Auto Update Setting has Been Toggled Too Many TimesThis alert will be triggered when there is an excessive number of toggles of the timezone auto update feature.
User Account UnlockedThis alert is triggered whenever a user account is unlocked via account management, but not when a user unlocks the account with a password reset at the Windows user login screen.
PowerShell Encoded Command ObservedThis alert is triggered when the PowerShell process is invoked with the "-EncodedCommand" launch parameter. This capability is often used by adversaries to run malicious code supplied in the form of a base-64-encoded string in order to avoid detection by security tools.
Kerberos Manipulation - Kerberoasting - Suspicious Kerberos error codes and status codes.This alert is triggered whenever someone attempts to do actions that may lead to Kerberoasting.
Host (Windows)- Creation of Windows ServiceDetects when a process creation event (4688) is triggered on a machine and alerts when either the srvany.exe, instsrv.exe, or nssm.exe processes have started.
Possible Brute Force AttackThis alert will be triggered when there is an excessive number of invalid login attempts within a brief duration of time. This alert is not to be confused with [Possible Expired Credentials][1], which triggers when there is an unusually large number of unsuccessful logins over an extended period of time, nor [Possible Brute Force Attack (lateral)][2], which triggers when there have been attempts to login to the same user account across multiple machines.

Was this article helpful?


ESC

Eddy AI, facilitating knowledge discovery through conversational intelligence