Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.

Read More

Detects activity when a member is added to a security-enabled global group

Read More

Detects activity when a member is removed from a security-enabled global group

Read More

Addition of domains is seldom and should be verified for legitimacy.

Read More

Detects activity when a security-enabled global group is deleted

Read More

Detects when an account was created and deleted in a short period of time.

Read More

Detects when an account is disabled or blocked for sign in but tried to log in

Read More

Detect set Notification_Suppress to 1 to disable the Windows security center notification

Read More

Detect set DisallowRun to 1 to prevent user running specific computer program

Read More

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Read More

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Read More

An attacker can use the SID history attribute to gain additional privileges.

Read More

Detect remote login by Administrator user (depending on internal pattern).

Read More

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

Read More

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

Read More

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More

Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the nslookup command.

Read More

Detect when authentications to important application(s) only required single-factor authentication

Read More

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detects S3 Browser utility creating IAM User or AccessKey.

Read More

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

Read More

Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.

Read More

Detects AWS root account usage

Read More

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Read More

Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

Read More

Detect when users are authenticating without MFA being required.

Read More

Identifies when an user or application modified the federation settings on the domain.

Read More

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detects when there is a interruption in the authentication process.

Read More

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

Read More

Monitor and alert for Bitlocker key retrieval.

Read More

Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Read More

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Read More

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Read More

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Read More

Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More

Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More

Detect possible persistence using Fax DLL load when service restart

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Detect change of the user account associated with the FAX service to avoid the escalation problem.

Read More

Detects when changes are made to PIM roles

Read More

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Read More

Detects execution of ChromeLoader malware via a registered scheduled task

Read More

Find local accounts being created or modified as well as remote authentication configurations

Read More

Modifications to a config that will serve an adversary's impacts or persistence

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects the ld.so preload persistence file. See man ld.so for more information.

Read More

Detects blocked load attempts of revoked drivers

Read More

Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

Read More

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Read More

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

Read More

Detects potential COM object hijacking via modification of default system CLSID.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects a qlogin.exe command attempting to authenticate as the internal _+_PublicSharingUser_ using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.

Read More

Detects the malicious use of a control panel item

Read More

Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

Read More

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Read More

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Read More

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

Read More

Monitor and alert for device registration or join events where MFA was not performed.

Read More

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Read More

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Read More

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Read More

Detects DLL sideloading activity seen used by Diamond Sleet APT

Read More

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Read More

Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.

Read More

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Read More

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.

Read More

Detect set UseActionCenterExperience to 0 to disable the Windows security center notification

Read More

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

Read More

Detects using register-cimprovider.exe to execute arbitrary dll file.

Read More

Detects a method to load DLL via LSASS process using an undocumented Registry key

Read More

Hunts known SVR-specific DLL names.

Read More

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Read More

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Read More

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

Read More

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Read More

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Read More

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Read More

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Read More

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

Read More

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Read More

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More

Detect failed authentications from countries you do not operate out of.

Read More

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

Read More

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Read More

Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More

Detects when changes are made to the SSH certificate configuration of the organization.

Read More

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects when an API access service account is granted domain authority.

Read More

Detects when an Google Workspace user is granted admin privileges.

Read More

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Read More

Detects attempts to enable the guest account using the sysadminctl utility

Read More

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Read More

Detects guest users being invited to tenant by non-approved inviters

Read More

Detects various execution patterns of the CrackMapExec pentesting framework

Read More

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

Read More

Detects the use of SharpUp, a tool for local privilege escalation

Read More

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More

Detects the import of the specified file to the registry with regedit.exe.

Read More

Detects the import of a alternate datastream to the registry with regedit.exe.

Read More

Detects when sign-ins increased by 10% or greater.

Read More

Detects an interactive AT job, which may be used as a form of privilege escalation.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More

Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.

Read More

Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

Read More

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Read More

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Read More

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects registry key used by Leviathan APT in Malaysian focused campaign

Read More

Detect failed attempts to sign in to disabled accounts.

Read More

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

Read More

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Read More

Detects loading of known malicious drivers via their hash.

Read More

Detects loading of known malicious drivers via the file name of the drivers.

Read More

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Read More

Detects when successful sign-ins increased by 10% or greater.

Read More

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Read More

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Read More

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

Read More

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Read More

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence

Read More

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Read More

Detects suspicious modification of crontab file.

Read More

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.

Read More

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Read More

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Read More

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Read More

Detects abusing Windows 10 Narrator's Feedback-Hub

Read More

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

Read More

Detects NetNTLM downgrade attack

Read More

Detects NetNTLM downgrade attack

Read More

Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence

Read More

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Read More

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

Read More

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

Read More

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Read More

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

Read More

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects the creation of a macro file for Outlook.

Read More

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

Read More

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

Read More

Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.

Read More

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Read More

Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry

Read More

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Read More

Detects registry keys created in OceanLotus (also known as APT32) attacks

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

Read More

Detects OilRig activity as reported by Nyotron in their March 2018 report

Read More

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects when an the Administrator role is assigned to an user or group.

Read More

Detects when a new identity provider is created for Okta.

Read More

Detects when Okta identifies new activity in the Admin Console.

Read More

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

Read More

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

Read More

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

Read More