Created November 15, 2021 10:55
Simplest SIEM Rule List
More than 10 failed logins in 1 minute | |
---|---|
Successful login detected after 10 failed login attempts within 10 minutes | |
445 Port Events | |
A basic application group was changed | |
A basic application group was changed | |
A basic application group was created | |
A basic application group was deleted | |
A change was made to the Windows Firewall exception list. A rule was added | |
A change was made to the Windows Firewall exception list. A rule was deleted | |
A change was made to the Windows Firewall exception list. A rule was modified | |
A computer account was changed | |
A computer account was created | |
A computer account was deleted | |
A critical event was detected | |
A critical event was detected | |
A directory service object was created | |
A directory service object was deleted | |
A directory service object was modified | |
A directory service object was moved | |
A directory service object was undeleted | |
A Dos Attack was detected | |
A group's type was changed | |
A handle to an object was requested | |
A handle to an object was requested with intent to delete | |
A Kerberos authentication ticket (TGT) was requested | |
A Kerberos authentication ticket request failed | |
A Kerberos service ticket request failed | |
A Kerberos service ticket was renewed | |
A Kerberos service ticket was requested | |
A member was added to a basic application group | |
A member was added to a security-disabled global group | |
A member was added to a security-disabled local group | |
A member was added to a security-disabled universal group | |
A member was added to a security-enabled global group | |
A member was added to a security-enabled global group | |
A member was added to a security-enabled local group | |
A member was added to a security-enabled universal group | |
A member was removed from a basic application group | |
A member was removed from a security-disabled global group | |
A member was removed from a security-disabled local group | |
A member was removed from a security-disabled universal group | |
A member was removed from a security-enabled global group | |
A member was removed from a security-enabled local group | |
A member was removed from a security-enabled universal group | |
A message was created | |
A message was delivered | |
A message was not created | |
A message was not delivered | |
A message was not sent | |
A message was sent | |
A message was suspended | |
A message was throttled | |
A more restrictive Windows Filtering Platform filter has blocked a packet | |
A more restrictive Windows Filtering Platform filter has blocked a packet | |
A namespace collision was detected | |
A network share object was accessed | |
A network share object was added | |
A network share object was deleted | |
A network share object was modified | |
A Network Trojan was detected | |
A new process has been created | |
A non-member was added to a basic application group | |
A non-member was removed from a basic application group | |
A process has exited | |
A registry key was virtualized | |
A registry value was modified | |
A Remote Procedure Call (RPC) was attempted | |
A replay attack was detected | |
A scheduled task was created | |
A scheduled task was deleted | |
A scheduled task was disabled | |
A scheduled task was enabled | |
A scheduled task was updated | |
A security-disabled global group was changed | |
A security-disabled global group was created | |
A security-disabled global group was deleted | |
A security-disabled local group was changed | |
A security-disabled local group was created | |
A security-disabled local group was deleted | |
A security-disabled universal group was changed | |
A security-disabled universal group was created | |
A security-enabled global group was changed | |
A security-enabled global group was created | |
A security-enabled global group was deleted | |
A security-enabled local group was changed | |
A security-enabled local group was created | |
A security-enabled local group was deleted | |
A security-enabled universal group was changed | |
A security-enabled universal group was created | |
A security-enabled universal group was deleted | |
A service was installed in the system | |
A Spam message was detected | |
A Suspicious filename was detected | |
A user account was changed | |
A user account was created | |
A user account was deleted | |
A user account was disabled | |
A user account was enabled | |
A user account was locked out | |
A user account was unlocked | |
A user right was assigned | |
A user right was removed | |
A Virus was detected | |
A Windows Firewall setting was changed | |
Abnormal UserAgent Pattern Detected | |
Access to Forbidden Web Site was Attempted | |
Added new PC to Domain | |
Address Not Allowed | |
Admin Terminate | |
Admin User has Executed File | |
Administrator login denied due to bad credentials | |
Administrator login denied from ; logins disabled from this interface | |
Administrator violation was detected | |
AFC harmful threat warning was received | |
All authentication methods are disabled | |
Aloha1Connection Request Rejected | |
Aloha1Uncompleted Connection Request | |
Already Exist Object | |
A message was discarded | |
An account failed to log on | |
An account login was failed | |
An account was logged off | |
An Account was not logged in | |
An account was successfully logged on | |
An Attack was detected | |
An attack was detected | |
An attempt was made to access an object | |
An attempt was made to change an account's password | |
An attempt was made to create a hard link | |
An attempt was made to reset an account's password | |
An attempted login using a suspicious username was detected | |
A critical event was detected | |
A critical event was detected | |
A critical event was detected | |
An important event was detected | |
An important event was detected | |
An important event was detected | |
An important event was detected | |
An important event was detected | |
An important event was detected | |
An important event was detected | |
An important event was detected | |
An LDAP query group was created | |
An LDAP query group was deleted | |
An object was deleted | |
A System event was detected | |
Anomaly Detector for DPI | |
Anomaly Detector for DPI | |
Anonymous Authentication | |
Anti-spyware detection alert: | |
Anti-spyware prevention alert: | |
Antivirus Disabled | |
Application - VPN Denied | |
Application Attack Detector for DPI | |
Application filter detection alert: | |
Application filters block alert: | |
Application firewall alert: | |
ARP Spoofing Attack | |
ARP Spoofing Attack | |
Association flood from wlan station | |
Asymmetric Routing Attack | |
Attack Detected on Security Device | |
Attack Detector for DPI | |
Attacker Host Connection Allowed After Port Scanner Activity to DMZ Network | |
Attacker Host Process Created on DMZ | |
Attempted - Administrator Privilege Gain | |
Attempted - Dos | |
Attempted - Recon | |
Attempted - User Privilege Gain | |
Auditing settings on an object were changed | |
Auditing settings on object were changed | |
Authentication - Bruteforce | |
Authentication - Bypass | |
Authentication fail | |
Availability - State Critical | |
Availability - State Unreachable | |
Back orifice attack dropped | |
Backup firewall has transitioned to active | |
Backup firewall has transitioned to idle | |
Bad crl format | |
Bad Length Packet Dropped | |
Bad Signature | |
Bad TCP Checksum Dropped | |
Bad Unknown | |
Bad Version | |
Bad Key | |
Blacklist Activity (Lan to Wan) | |
Blacklist Activity (Lan to Wan) | |
Blacklist Activity (Wan to Lan) | |
Botnet Event Activity Detected | |
Botnet Host Detected by Threat Intelligence Source | |
Broadcast Packet Dropped | |
Brute Force Attack Detected | |
Brute Force Attack Event Detected | |
Brute Force FTP Attack Detected | |
Brute Force Hosts Detected by Threat Intelligence Source | |
Brute Force MsSQL Attack Detected | |
Brute Force Oracle DB Attack Detected | |
Brute Force RDP Attack Detected | |
Brute Force VPN Attack Detected | |
Buffer is Full | |
Buffer Overflow Attack Event Detected | |
Cannot connect to remote server | |
Cannot connect to the crl server | |
Cannot open data connection | |
Cannot validate issuer path | |
Certificate on revoked list(crl) | |
Client IP didn't match the client IP on the data channel | |
Client IP Login Successful on Datacenter Network | |
Client IP Login Successful on Network Device | |
Client Side Exploit | |
Command execution | |
Configuration failed | |
Configuration was changed | |
Configuration was copied | |
Configuration was moved | |
Configuration was validated | |
Configuration was changed | |
Connection Allowed from the Guest Network to DMZ Network | |
Connection Dropped | |
Connection Killed | |
Connection Quarantined | |
Connection timed out | |
Contractor User Deleted Multiple Files | |
Contractor User has Executed File | |
Contractor User Process Created on DMZ | |
Contractor User Login Failure | |
Contractor User Login Successful | |
Contractor User Multiple Login Failure Detected | |
Crl has expired | |
Crl missing - issuer requires crl checking | |
Crl validation failure for root certificate | |
Cross-Site Request Forgery Event Detected | |
Custom authentication call failed | |
Data Transferred between Internal Attacker and External Attacker | |
Database - Login Failed | |
Database Server Shutdown | |
Database Server Startup | |
Database User Login Successful After Multiple Login Failures | |
DDoS Attack Event Detected | |
Default Login Attempt | |
Deleted PC from Domain | |
Denial Of Service | |
DFS Replication Failed | |
Directory not empty | |
Dlp event was detected | |
DNS DDoS Attack Detected | |
DNS Quota Exceeded | |
DNS was updated | |
Domain Policy was changed | |
Domain was not accessed | |
Dos attack was detected | |
Drop WLAN traffic from non-SonicPoint devices | |
E-mail fragment dropped | |
Exceeded storage allocation | |
Excessive Denied Connection to Unique Sources | |
Excessive Mail Received | |
Excessive Mail Sent | |
Excessive Malware Infection on a Host | |
Excessive Successful Web Connections Detected | |
Excessive System Errors Detected | |
Excessive Web Client Errors Detected | |
Excessive Web Redirects Detected | |
Excessive Web Request Detected from Suspicious UserAgent | |
Excessive Web Server Errors Detected | |
Executed File Activity Detected | |
Exploit - ActiveX | |
Exploit - Attack-response | |
Exploit - Browser | |
Exploit - Buffer overflow | |
Exploit - Command Execution | |
Exploit - Denial Of Service | |
Exploit - DNS | |
Exploit - Format String | |
Exploit - Ftp | |
Exploit - Linux | |
Exploit - Mail | |
Exploit - PDF | |
Exploit - Samba | |
Exploit - Shellcode | |
Exploit - sql injection | |
Exploit - Windows | |
Exploit Event Activity Detected | |
Exploit Hosts Detected by Threat Intelligence Source | |
External Aggressive Scanner Detected | |
External Attacker Allowed Connection to Honeypot Network | |
External Attacker Host Connection to Multiple DMZ Hosts | |
External Attacker Host Login Failure on Datacenter | |
External Attacker Host Login Successful on Datacenter | |
External Database Scanner Detected | |
External DHCP Scanner Detected | |
External DNS Scanner Detected | |
External FTP Scanner Detected | |
External Host Excessive Denied Connection | |
External Host Excessive GET Request Detected | |
External Host Excessive HEAD Request Detected | |
External Host Excessive POST Request Detected | |
External Host Login Failure | |
External Host Login Successful | |
External Host Login Successful from Foreign Country | |
External Host Logon Attempt on Security Device from Foreign Country | |
External Host RDP Login Failure | |
External Host RDP Login Successful | |
External HTTP/S Scanner Detected | |
External ICMP Flood Attack Detected | |
External ICMP Scanner Detected | |
External LDAP Scanner Detected | |
External Port Scanner Detected | |
External SMB Scanner Detected | |
External SMTP Scanner Detected | |
External SNMP Scanner Detected | |
External SSH Scanner Detected | |
External Suspicious Host Allowed Connection to Honeypot Network | |
External Suspicious Host Allowed Connection to Multiple DMZ Hosts | |
External Suspicious Host High Volume Data Transfer Detected | |
External Suspicious Host Login Failure on Datacenter | |
External Suspicious Host Login Failures to Multiple Servers on DMZ | |
External Suspicious Host Login Successful on Datacenter | |
External TCP Flood Attack Detected | |
External TCP Scanner Detected | |
External Telnet Scanner Detected | |
External UDP Flood Attack Detected | |
External UDP Scanner Detected | |
Fail Transact To IPsec | |
Fail Transact To Transition To IPsec | |
Failed to find certificate | |
Failed to get crl from | |
Failed to process crl from | |
Fan failure | |
File Inclusion Pattern Detected on Apache Web Server | |
File Inclusion Pattern Detected on IIS Web Server | |
File Take Ownership Activity Detected | |
File was Accessed | |
File was accessed | |
File was changed | |
File was changed | |
File was deleted | |
File was deleted | |
Fin-flooding machine blacklisted | |
Firewall Admin Login Failure | |
Firewall Policy Authentication Failure | |
Firewall Portal Login Failure | |
Firewall System disabled ruleset | |
Flood Event Detected | |
Forbidden e-mail attachment deleted | |
Forbidden e-mail attachment disabled | |
Former User Logon Attempt Detected | |
Found rogue access point | |
Found rogue access point | |
Fragment Packet Dropped | |
FTP 421 (Service Not Available) | |
FTP 4xx (Permanent Negative Completion Reply) | |
FTP 502 (Command Not Implemented) | |
FTP 530 (User Not Logged In) | |
FTP 534 (Request Denied For Policy Reasons) | |
FTP 535 (Failed Security Check) | |
FTP 551 (Page Type Unknown) | |
FTP 5xx (Transient Negative Completion Reply) | |
FTP 6xx (Protected Reply) | |
FTP BRUTE-FORCE Login Attempt same IP | |
FTP BRUTE-FORCE Login Attempt same User Name | |
FTP Login Failure | |
FTP Login Successful | |
Ftp: data connection from non default port dropped | |
Ftp: pasv response bounce attack dropped | |
Ftp: pasv response spoof attack dropped | |
Ftp: port bounce attack dropped | |
Full Deny Dropped | |
Gateway anti-virus alert | |
Guest User Multiple Login Failure Detected | |
High Priority | |
Honeypot Activity as Destination | |
Host Login Successful After Multiple Login Failures | |
HTTP 400 (Bad Request) | |
HTTP 401 (Unauthorized) | |
HTTP 403 (Forbidden) | |
HTTP 404 (Not Found) | |
HTTP 405 (Method Not Allowed) | |
HTTP 408 (Request Timeout) | |
HTTP 409 (Conflict) | |
HTTP 413 (Request Entity Too Large) | |
HTTP 414 (Request-URI Too Long) | |
HTTP 415 (Unsupported Media Type) | |
HTTP 4xx (Client Error ) | |
HTTP 500 (Internal Server Error) | |
HTTP 501 (Not Implemented) | |
HTTP 502 (Bad Gateway) | |
HTTP 503 (Service Unavailable) | |
HTTP 504 (Gateway Timeout) | |
HTTP 505 (HTTP Version Not Supported) | |
HTTP 5xx (Server Error) | |
HTTP Deobfuscation Attack | |
HTTP URL Length Exceeded Attack | |
ICMP flood attack was detected | |
Important event was detected | |
Important event was detected | |
Important event was detected | |
Inappropriate Content was Detected | |
Infected Host Detected | |
Infected Host Login Successful on Database Server | |
Infected Host Multiple Login Failed on DMZ Server | |
Ini killer attack dropped | |
Internal Aggressive Scanner Detected | |
Internal Attacker Allowed Connection to Honeypot Network | |
Internal Attacker Host Allowed Connection to DMZ Network | |
Internal Attacker Host Connection to External Attacker Detected | |
Internal Attacker Login Failures on Multiple Hosts | |
Internal Attacker Multiple Login Failure on Datacenter | |
Internal Database Scanner Detected | |
Internal DHCP Scanner Detected | |
Internal DNS Scanner Detected | |
Internal FTP Scanner Detected | |
Internal Host Connection to Multiple Suspicious External Hosts | |
Internal Host Excessive Denied Connection | |
Internal Host Excessive DNS Connection to External Host | |
Internal Host Excessive ICMP Connection to External Host | |
Internal Host Login Failure | |
Internal Host Login Successful | |
Internal Host Multiple Unknown Unique Ports Connection to External Host | |
Internal Host RDP Login Failure | |
Internal Host RDP Login Successful | |
Internal Host Uploaded Data to External Host | |
Internal HTTP/S Scanner Detected | |
Internal ICMP Flood Attack Detected | |
Internal ICMP Scanner Detected | |
Internal LDAP Scanner Detected | |
Internal Port Scanner Detected | |
Internal Scanner Host Login Successful on DMZ Server | |
Internal SMB Scanner Detected | |
Internal SMTP Scanner Detected | |
Internal SNMP Scanner Detected | |
Internal SSH Scanner Detected | |
Internal Suspicious Activity | |
Internal Suspicious Activity for Fortigate | |
Internal Suspicious Host Allowed Connection to Honeypot Network | |
Internal Suspicious Host Communicated with Threat Intelligence Reported Source | |
Internal Suspicious Host Data Transferred to Foreign Countries | |
Internal TCP Flood Attack Detected | |
Internal TCP Scanner Detected | |
Internal Telnet Scanner Detected | |
Internal UDP Flood Attack Detected | |
Internal UDP Scanner Detected | |
Invalid Argument | |
Invalid Protocol Packet Dropped | |
Invalid vlan packet dropped | |
IP address was conflicted | |
IP address was assigned | |
IP address was quarantined | |
IP could not be assigned | |
IP Half Scan Packet Dropped | |
IP Options Dropped | |
IP Packets that are not TCP or UDP | |
IP restriction rules denied the access. | |
Ip spoof detected on packet to centralgateway, packet dropped | |
Ip spoof dropped | |
IP spoofing Activity Detected | |
IP Spoofing Attack | |
IP spoofing event was detected | |
IP spoofing event was detected | |
IP was conflicted | |
IP was not assigned | |
IPS Blocked | |
IPS Detected | |
Ips detection alert | |
Ips detection alert | |
Ips prevention alert | |
Ips prevention alert | |
IPSec Dropped | |
IPsec No Route Dropped | |
Ipsec packet from or to an illegal host | |
Ipsec replay detected | |
Issuer match failed | |
Kerberos policy was changed | |
Kerberos pre-authentication failed | |
Land Attack | |
Land Attack Dropped | |
Land attack dropped | |
Large Data Download Transfer Detected | |
Large Data Transfer Detected by Scanner Host | |
Large Data Transfer Detected by VPN Host | |
Large Data Transfer Detected from DMZ Server | |
Large Data Transfer Detected from Threat Intelligence Host | |
Large Data Transferred Detected between Infected Host and Threat Intelligence Host | |
Large Data Transferred Detected between Internal Attacker Host and Client Network | |
Large Data Transferred Detected between Scanner Client Host and DMZ Hosts | |
Large Data Transferred Detected between User Network and External Attacker | |
Large Data Upload Transfer Detected | |
Locked User Account | |
Log Deletion Activity Detected | |
Log Full Activity Detected | |
Login Failure to Account | |
Login Failure to Expired Account | |
Login Success after Brute Force Attack Detected | |
Login Success after Brute Force VPN Attack Detected | |
Logon Attempt Detected to Honeypot Server | |
Logon Attempt Host Detected by Threat Intelligence Source | |
Low Data Detection from Syslog UDP Source | |
Low Data Detection from WMI Source | |
MAC Poisoning Attack | |
MAC Spoofing Attack | |
Machine removed from fin flood blacklist | |
Machine removed from rst flood blacklist | |
Machine removed from syn flood blacklist | |
Mail Account Sent Email to Multiple Different Domains | |
Malformed or unhandled ip packet dropped | |
Malicious File Format | |
Malicious pattern in an e-mail address | |
Malware - Backdoor | |
Malware - CNC | |
Malware - Fake Antivirus | |
Malware - Keylogger | |
Malware - Spyware | |
Malware - Trojan | |
Malware - Virus | |
Malware - Worm | |
Malware Event Activity Detected | |
Malware Host Allowed Connection to DMZ Server | |
Malware Hosts Detected by Threat Intelligence Source | |
Malware ransomware was detected | |
Malware spyware drop | |
Malware spyware reset | |
Malware spyware was detected | |
Malware virus was detected | |
Malware was detected | |
Maximum connection limit was reached | |
Maximum events per second threshold exceeded | |
Maximum file size was exceeded | |
Maximum sequential failed dial attempts (10) to a single dial-up number: | |
Maximum syslog data per second threshold exceeded | |
Mimikatz Golden Ticket Activity Detected | |
Misc Attack | |
Moderation was expired | |
Modifying this property is not allowed for this session | |
MSSQL - Also Master Table Changes | |
MSSQL - Also MsdbTable Changes | |
MSSQL - Alter Connection | |
MSSQL - Alter Server Configuration | |
MSSQL - Alter Server State | |
MSSQL - Alter Settings | |
MSSQL - Application Role Change Password Group | |
MSSQL - Audit Change Group | |
MSSQL - Audit Session Changed | |
MSSQL - Audit Shutdown On Failure | |
MSSQL - Audit Trail Altered | |
MSSQL - Backup | |
MSSQL - Backup Log | |
MSSQL - C2 Auditing Disabled | |
MSSQL - C2 Auditing Enabled | |
MSSQL - Change Login Credential | |
MSSQL - Change Own Password | |
MSSQL - Change Password | |
MSSQL - Checkpoint | |
MSSQL - Configuration Change | |
MSSQL - Data Truncated | |
MSSQL - Database Altered | |
MSSQL - Database Backup | |
MSSQL - Database Configuration Changes | |
MSSQL - Database Created | |
MSSQL - Database Dropped | |
MSSQL - Database Object Ownership Change Group | |
MSSQL - Database Object Permission Change Group | |
MSSQL - Database Ownership Change Group | |
MSSQL - Database Permission Change Group | |
MSSQL - DATABASE PRINCIPAL IMPERSONATION GROUP | |
MSSQL - Database Restore | |
MSSQL - Database Role Member Change Group | |
MSSQL - DBCC Command | |
MSSQL - DBCC Command | |
MSSQL - DBO Changed | |
MSSQL - DTS Password Scan | |
MSSQL - E-Mail Control | |
MSSQL - Extended Procedure Added | |
MSSQL - External Access ASSEMBLY | |
MSSQL - Failed Login | |
MSSQL - Function Altered | |
MSSQL - Function Created | |
MSSQL - Function Dropped | |
MSSQL - Grant ALL | |
MSSQL - Grant Option | |
MSSQL - IMPERSONATE | |
MSSQL - Javascript Tag in SQL | |
MSSQL - Job Control | |
MSSQL - Login Added | |
MSSQL - Login Change Password Group | |
MSSQL - Login Dropped | |
MSSQL - Login Info Scan | |
MSSQL - Master Table Changes | |
MSSQL - Member Added | |
MSSQL - Member Dropped | |
MSSQL - MsdbTable Changes | |
MSSQL - Must Change Password | |
MSSQL - OLE Automation | |
MSSQL - OS Command Executed | |
MSSQL - Password Expiration | |
MSSQL - Password Policy | |
MSSQL - Possible SQL Injection Using CAST | |
MSSQL - Privileges Changed | |
MSSQL - Privileges Granted | |
MSSQL - Privileges Revoked | |
MSSQL - Privileges Revoked | |
MSSQL - Privileges Revoked | |
MSSQL - Procedure Created | |
MSSQL - Procedure Dropped | |
MSSQL - Process Killed | |
MSSQL - Registry Control | |
MSSQL - Reset Own Password | |
MSSQL - Reset Password | |
MSSQL - Schema Changes | |
MSSQL - Schema Changes | |
MSSQL - Schema Object Ownership Change Group | |
MSSQL - Schema Object Permission Change Group | |
MSSQL - Server Configuration Changes | |
MSSQL - Server Object Ownership Change Group | |
MSSQL - Server Object Permission Change Group | |
MSSQL - Server Paused | |
MSSQL - Server Permission Change Group | |
MSSQL - SERVER PRINCIPAL IMPERSONATION GROUP | |
MSSQL - Server Role Member Change Group | |
MSSQL - Server Shutdown | |
MSSQL - Server Shutdown | |
MSSQL - Server Started | |
MSSQL - SQLAgent Password Scan | |
MSSQL - Table Altered | |
MSSQL - Table Changes -- DELETE | |
MSSQL - Table Changes -- INSERT | |
MSSQL - Table Changes -- UPDATE | |
MSSQL - Table Created | |
MSSQL - Table Dropped | |
MSSQL - Take Ownership | |
MSSQL - Trace Altered | |
MSSQL - Trace Audit C2 OFF | |
MSSQL - Trace Audit C2 ON | |
MSSQL - Trace Audit Start | |
MSSQL - Trace Audit Stop | |
MSSQL - Trace Change Group | |
MSSQL - Trace Configuration | |
MSSQL - Trace Disabled | |
MSSQL - Trace Enabled | |
MSSQL - Transfer | |
MSSQL - Trigger Created | |
MSSQL - Trigger Dropped | |
MSSQL - Unauthorized Change to Audit Trail | |
MSSQL - Unlock Account | |
MSSQL - Unsafe ASSEMBLY | |
MSSQL - User Added | |
MSSQL - User Dropped | |
MSSQL - View Created | |
MSSQL - View Dropped | |
MSSQL - Web Job Control | |
Multicast packet dropped, invalid src ip received on interface : | |
Multicast packet dropped, wrong mac address received on interface : | |
Multiple Botnet Activity Detected | |
Multiple Critical Alerts Detected in 1 hour | |
Multiple Different Critical Alerts Detected in 1 hour | |
Multiple Different Critical Alerts Detected in 24 hour | |
Multiple Different Viruses on a Host | |
Multiple Different Warning Level Alerts Detected in 1 hour | |
Multiple Files Deleted | |
Multiple Files Deleted by Admin User | |
Multiple IP Addresses Anomaly Detected for a Mac address | |
Multiple Kerberos Login Failures Host Detected | |
Multiple Kerberos Login Failures User Detected | |
Multiple Kerberos Login Successful Host Detected | |
Multiple Login Failures Detected on Honeypot Server | |
Multiple Login Failures Host Detected | |
Multiple Login Failures User Detected | |
Multiple Login Failures User Detected on FTP Server | |
Multiple Login Failures User Detected on MsSQL | |
Multiple Login Failures User on Oracle DB | |
Multiple Mac Addresses Anomaly Detected for an IP Address | |
Multiple NTLM Login Failures Host Detected | |
Multiple NTLM Login Failures User Detected | |
Multiple Passwords Reset Activity Detected | |
Multiple RDP Login Failures User Detected | |
Multiple Unauthorized File Change Attempts Detected | |
Multiple Unique Suspicious Web Activities Detected After Network Scanning | |
Multiple Users Activity Detected | |
Multiple Users Created Activity Detected | |
Multiple Users Deleted Activity Detected | |
Multiple VPN Login Failures Activity Detected | |
Multiple VPN Login Successful User Detected | |
Multiple Vulnerabilities found on a Host | |
MySQL - Data Truncated | |
MySQL - Password Change | |
MySQL - Procedure Created | |
MySQL - Procedure Dropped | |
MySQL - Successful Superuser(root) Logins | |
MySQL - System Table Changes | |
MySQL - Table Altered | |
MySQL - Table Created | |
MySQL - Table Dropped | |
MySQL - Table Loaded | |
MySQL - Table Renamed | |
MySQL - Table Restored | |
MySQL - Trigger Created | |
MySQL - Trigger Dropped | |
MySQL - View Created | |
MySQL - View Dropped | |
Need account for storing files | |
Nessus Scan | |
Net spy attack dropped | |
Netbus attack dropped | |
Network monitor: host is offline | |
Network monitor: host is online | |
Network Rules Denied | |
Network Scanning Activity Detected from Infected Host | |
Network Scanning Activity Detected from Threat Intelligence Host | |
Network security appliance activated | |
Newly Created User has gained Admin Rights | |
NIS Load Policy Failed | |
No BackLog Packet Dropped | |
No certificate for | |
No UDP Server or TCP not belong to any session | |
Non Standard Protocol | |
NTP DDoS Attack Detected | |
Off-hours Large Data Transfer Detected | |
Off-hours Login Successful from Contractor User | |
Off-hours Logon Attempt | |
Off-hours Logon Attempt on Datacenter Network | |
OpenVas High CSV Score Vulnerability Detected | |
OpenVas Medium CSV Score Vulnerability Detected | |
Oracle - Attempt Revoke Privileges | |
Oracle - Commit | |
Oracle - Context Created | |
Oracle - Context Dropped | |
Oracle - Data Truncated | |
Oracle - Database Altered | |
Oracle - Database Created | |
Oracle - Default Auditing | |
Oracle - Default NoAuditing | |
Oracle - Execute Procedure | |
Oracle - Failed Login | |
Oracle - Failed Login | |
Oracle - Failed Superuser Login | |
Oracle - FGA Package Access | |
Oracle - Function Altered | |
Oracle - Function Created | |
Oracle - Function Dropped | |
Oracle - Library Created | |
Oracle - Library Dropped | |
Oracle - Lock | |
Oracle - Object Auditing | |
Oracle - Object Granted | |
Oracle - Object NoAuditing | |
Oracle - Object Revoked | |
Oracle - Package Altered | |
Oracle - Package Created | |
Oracle - Package Dropped | |
Oracle - Password Scan | |
Oracle - PL/SQL Execute | |
Oracle - Policy Change | |
Oracle - Procedure Altered | |
Oracle - Procedure Created | |
Oracle - Procedure Dropped | |
Oracle - Profile Altered | |
Oracle - Profile Created | |
Oracle - Profile Dropped | |
Oracle - Role Altered | |
Oracle - Role Created | |
Oracle - Role Dropped | |
Oracle - Role Granted | |
Oracle - Role Revoked | |
Oracle - Role Set | |
Oracle - Rollback | |
Oracle - Savepoint | |
Oracle - Schema Created | |
Oracle - Security Violation | |
Oracle - Session Altered | |
Oracle - Set Transaction | |
Oracle - Successful Superuser Logins | |
Oracle - Synonym Created | |
Oracle - Synonym Dropped | |
Oracle - System Altered | |
Oracle - System Auditing | |
Oracle - System Granted | |
Oracle - System NoAuditing | |
Oracle - System Revoked | |
Oracle - Table Altered | |
Oracle - Table Changes -- DELETE | |
Oracle - Table Changes -- INSERT | |
Oracle - Table Changes -- UPDATE | |
Oracle - Table Created | |
Oracle - Table Dropped | |
Oracle - Tablespace Altered | |
Oracle - Tablespace Created | |
Oracle - Tablespace Dropped | |
Oracle - Trigger Altered | |
Oracle - Trigger Created | |
Oracle - Trigger Disabled | |
Oracle - Trigger Dropped | |
Oracle - Trigger Enabled | |
Oracle - Triggers All Disabled | |
Oracle - Triggers All Enabled | |
Oracle - User Altered | |
Oracle - User Created | |
Oracle - User Dropped | |
Oracle - Username Info Scan | |
Oracle - View Created | |
Oracle - View Dropped | |
Oracle Account Lockout | |
Oracle Cluster Activity | |
Oracle DataBases Activity | |
Oracle DB Denial of Service Event Detected | |
Oracle DB Function Activity | |
Oracle DB Login Failed | |
Oracle DB Login Successful | |
Oracle DB Password Expired | |
Oracle Procedure Activity | |
Oracle Role Activity | |
Oracle Schema Activity | |
Oracle System Grant | |
Oracle System Revoke | |
Oracle Users Activity | |
Out Of Band Packet Dropped | |
Out Of Resources | |
Outbound Path Through Dropped | |
P2P Large Data Transfer Detected | |
Packet dropped. no firewall rule associated with vpn policy | |
Packet dropped; connection limit for this destination ip address has been reached | |
Packet dropped; connection limit for this source ip address has been reached | |
Partner User Deleted Multiple Files | |
Partner User has Executed File | |
Partner User Multiple Login Failure Detected | |
Password Change | |
Password Reset | |
Per User Audit Policy was changed | |
Ping of Death Attack Detected | |
Ping of death dropped | |
Ping of Death Packet Dropped | |
Policy - Violation | |
Policy Connection Closed | |
Policy Rules Denied | |
Port Scan | |
Port Scan Detector | |
Port Scan Detector For DPI | |
Port scan was detected | |
Port Zero Packet Dropped | |
Possible ARP Poisoning Attack | |
Possible Attack Pattern - GTP not supported version | |
Possible Attack Pattern - GTPv0 packet parsing error | |
Possible Attack Pattern - Invalid IP fragment | |
Possible Attack Pattern - invalid spi | |
Possible Attack Pattern - missing an expected AH or ESP header | |
Possible Attack Pattern - Too Many Failed Logins | |
Possible Attack Pattern - tunnel_limit exceeded | |
Possible DoS Attack | |
Possible DoS Attack | |
Possible DoS Attack - Embryonic limit exceeded | |
Possible DoS Attack - Exceeded Embryonic limit | |
Possible DoS Attack - Fragment database limit exceeded | |
Possible DoS Attack - proxy connection limit exceeded | |
Possible fin flood on if | |
Possible fin flood on if has ceased | |
Possible FTP Session Hijacking Attack | |
Possible man in the middle attack | |
Possible port scan detected | |
Possible rst flood on if | |
Possible rst flood on if has ceased | |
Possible Spoofing Attack | |
Possible syn flood detected on wan if - switching to connection-proxy mode | |
Possible syn flood on if | |
Possible syn flood on if has ceased | |
PostgreSQL - Data Truncated | |
PostgreSQL - Database Altered | |
PostgreSQL - Database Backup | |
PostgreSQL - Database Created | |
PostgreSQL - Database Dropped | |
PostgreSQL - Database Restore | |
PostgreSQL - Failed Login | |
PostgreSQL - Failed Superuser Logins | |
PostgreSQL - Function Altered | |
PostgreSQL - Function Created | |
PostgreSQL - Function Dropped | |
PostgreSQL - Grant ALL | |
PostgreSQL - Login Info Scan | |
PostgreSQL - Permission Denied | |
PostgreSQL - Privileges Granted | |
PostgreSQL - Privileges Revoked | |
PostgreSQL - Procedure Created | |
PostgreSQL - Procedure Dropped | |
PostgreSQL - Schema Changes | |
PostgreSQL - Successful Superuser Login | |
PostgreSQL - System Table Changes | |
PostgreSQL - Table Altered | |
PostgreSQL - Table Changes -- DELETE | |
PostgreSQL - Table Changes -- INSERT | |
PostgreSQL - Table Changes -- UPDATE | |
PostgreSQL - Table Created | |
PostgreSQL - Table Dropped | |
PostgreSQL - Trace Configuration | |
PostgreSQL - Trigger Created | |
PostgreSQL - Trigger Dropped | |
PostgreSQL - Union Command Failed | |
PostgreSQL - View Created | |
PostgreSQL - View Dropped | |
PowerShell Bad Commands Detected | |
PowerShell Base64 Encoded Attack Detected | |
PowerShell Hidden Command Attack Detected | |
PowerShell Process Created by Chrome | |
PowerShell Process Created by Firefox | |
PowerShell Process Created by Internet Explorer | |
PowerShell Process Created by Notepad | |
PowerShell Process Created by Office Excel | |
PowerShell Process Created by Office PowerPoint | |
PowerShell Process Created by Office Word | |
PowerShell Process Created by Outlook | |
PowerShell Restricted Setting Change | |
Primary firewall has transitioned to active | |
Primary firewall has transitioned to idle | |
Priority attack dropped | |
Probable port scan detected | |
Probable tcp fin scan detected | |
Probable tcp null scan detected | |
Probable tcp xmas scan detected | |
Probing failure on | |
Probing succeeded on | |
Ransomware BadRabbit Attack Detected | |
Ransomware Petya Attack Detected | |
Ransomware WannaCry Attack Detected | |
RDP Logon Attempt Detected from Foreign Country | |
RDP Logon Attempt Host Detected by Threat Intelligence Source | |
Recon scan was detected | |
Registry Object Changed | |
Regulatory requirements prohibit from being re-dialed for 30 minutes | |
Remote Thread Detected | |
Remove File system returned an error | |
Replay Attack was Detected | |
Response was refused | |
RIP pkt failed attack | |
RIP reply message with bad authentication attack | |
Ripper attack dropped | |
RPC Portmap Decode | |
Rst-flooding machine blacklisted | |
Rule Change Activity | |
Rule Quota Exceed Dropped | |
Rule Quota Exceeded Dropped | |
Scanner Host Logon Attempt Detected | |
Scanning Event Activity Detected | |
SDF - Sensitive Data Transmitted | |
Security Device Vulnerability Detected | |
Senna spy attack dropped | |
Sensitive Web URL Path Detected | |
Service event was detected | |
Service Started | |
Service Stopped | |
Service Stopped on DMZ Server | |
Session is Not Authenticated | |
Session was removed | |
Session was started | |
Session was updated | |
Shellcode Detect | |
Cyber Attack Simulation | |
Cyber Attack Simulation02 | |
Smurf amplification attack dropped | |
Snapshot was reverted | |
SNMP DDoS Attack Detected | |
SNORT NMAP SCAN DETECTED | |
Spam Activity Detected | |
Spam Hosts Detected by Threat Intelligence Source | |
Spank attack multicast packet dropped | |
Special Groups have been assigned to a New Logon | |
Special Groups Logon table modified | |
Spoofing Packet Dropped | |
Spyware Event Activity Detected | |
SQL Injection Detected After Scanning | |
SQL Injection Detector | |
SQL Injection Detector for DPI | |
SQL Injection Event Detected | |
SQL Injection Pattern Detected | |
SQL ping | |
SQLServer Account Lock/Unlocked | |
SQLServer Application Role Activity | |
SQLServer Credential Dropped | |
SQLServer Database Activity | |
SQLServer Database Role Activity | |
SQLServer Groups Changed | |
SQLServer Index Activity | |
SQLServer Login Failed | |
SQLServer Login Success | |
SQLServer Own Password Changes | |
SQLServer Password Reset | |
SQLServer Schema Activity | |
SQLServer Server Audit Activity | |
SQLServer Server Audit Specification Activity | |
SQLServer Stored Procedure Activity | |
SQLServer Table Activity | |
SQLServer Trigger Activity | |
SQLServer User Activity | |
SQLServer User Enabled/Disabled | |
SQLServer User Rights Changed | |
SQLServer View Activity | |
SSDP DDoS Attack Detected | |
SSH Brute Force | |
Striker attack dropped | |
Sub seven attack dropped | |
Successful - Administrator Privilege Gain | |
Successful - Dos | |
Successful - Recon Largescale | |
Successful - Recon Limited | |
Successful User Privilege Gain | |
Suricata/Snort Abnormal DNS Activity Detected | |
Suricata/Snort Abnormal FTP Activity Detected | |
Suricata/Snort Abnormal SQL Activity Detected | |
Suricata/Snort Abnormal Telnet Activity Detected | |
Suricata/Snort Abnormal TROJAN Activity Detected | |
Suricata/Snort Abnormal User-Agent Activity Detected | |
Suricata/Snort Abnormal WORM Activity Detected | |
Suricata/Snort Exploit Activity Detected | |
Suricata/Snort Scada Attack Detected | |
Suricata/Snort Web Server Attack Detected | |
Suspicious - Filename Detect | |
Suspicious - Login | |
Suspicious - Web Attack or Scan | |
Suspicious Activity | |
Suspicious Activity - Config Change | |
Suspicious Attack Detect | |
Suspicious attack was detected | |
Suspicious ICMP Traffic Detected from Many Hosts to a Single Target | |
Suspicious TCP Traffic Detected from Many Hosts to a Single Target | |
Suspicious Traffic Detected from Many Hosts to a Single Target | |
Suspicious UDP Traffic Detected from Many Hosts to a Single Target | |
Suspicious Web Activity Detected After Network Scanning | |
SYN Attack End | |
SYN Attack Start | |
SYN flood attack was detected | |
Syn flood ceased or flooding machines blacklisted - connection proxy disabled | |
Syn-flooding machine blacklisted | |
System Audit Policy was Changed | |
System audit policy was changed | |
System Call Detect | |
System Reboot | |
System Shutdown | |
System Shutdown on DMZ Network | |
System Started | |
System was restarted | |
System was started | |
TCP No Server Reply | |
TCP Not SYN Packet Dropped | |
TCP Rate Quota Exceeded Dropped | |
Tcp syn/fin packet dropped | |
Tcp xmas tree dropped | |
TCP/IP Packet Dropped | |
The ACL was set on accounts which are members of administrators groups | |
The administrator right was attempted violation | |
The attack was detected | |
The audit log was cleared | |
The audit policy (SACL) on an object was changed | |
The Blocking Operation is Already Started | |
The connection is already emulated by another filter | |
The DoS attack has subsided and normal processing is being resumed | |
The e-mail was blackholed | |
The e-mail was quarantined | |
The e-mail was rejected | |
The event logging service has shut down | |
The Filter is Not Registered | |
The log file is full | |
The log file was cleared | |
The name of an account was changed | |
The password hash an account was accessed | |
The Password Policy Checking API was called | |
The Per-user audit policy table was created | |
The previous system shutdown was unexpected | |
The screen saver was dismissed | |
The screen saver was invoked | |
The security log is now %1 percent full | |
The security log is now full | |
The STA event was detected | |
The system time was changed | |
The web application attack was detected | |
The Windows Filtering Platform has blocked a bind to a local port | |
The Windows Filtering Platform has blocked a connection | |
The Windows Filtering Platform has blocked a packet | |
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections | |
The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded | |
The Windows Filtering Platform has permitted a bind to a local port | |
The Windows Filtering Platform has permitted a connection | |
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections | |
The Windows Firewall Driver failed to start | |
The Windows Firewall Driver started successfully | |
The Windows Firewall Driver was stopped | |
The Windows Firewall Service blocked an application from accepting incoming connections on the network | |
The Windows Firewall service failed to start | |
The Windows Firewall service started successfully | |
The Windows Firewall service was stopped | |
The workstation was locked | |
The workstation was unlocked | |
There is no blocking operation to be ended | |
Thermal red | |
Thermal red timer exceeded | |
Thermal yellow | |
Thread Quota Exceeded | |
Threat Intelligence Host Allowed Connection Activity Detected | |
Threat Intelligence Host Allowed Connection to Internal Network | |
Timeout | |
Too many DNS Queries | |
Too many failed login attempts | |
Too many users, server is full | |
Traffic was blocked by DLP | |
Trojan - Activity | |
Trojan Detector for DPI | |
UDP Bomb Dropped | |
UDP flood attack was detected | |
Unanswered HTTP Requests Exceeded Attack | |
Unauthorized File Change Attempt Detected | |
Unlocked User Account | |
Unreachable Address | |
Unsuccessful User Privilege Gain | |
Unsuccessful vpn event was detected | |
Unsupported IPv6 Dropped | |
Unsupported NAT-PT Dropped | |
Unusual Client Port Connection | |
User Added to Group | |
User Added to Local Group | |
User Added to VPN Group | |
User Created | |
User Deleted | |
User Deleted from Local Group | |
User Disabled | |
User Enabled | |
User Failed to Authenticate | |
User Group Change | |
User Group Created | |
User Group Deleted | |
User has gained Admin Rights | |
User Login Failure | |
User Login from Multiple Hosts | |
User Login Successful | |
User Login Successful After Multiple Login Failures | |
User Removed from Group | |
User violation was detected | |
User was attempted violation | |
Validate Quarantine Failed | |
Victim Host Process Created on DMZ | |
Victim Host Scanning Activity Detected | |
Virtual Machine was created snapshot | |
Virtual Machine was reset | |
VirtualMachine was created snapshot | |
VirtualMachine was reconfigured | |
VirtualMachine was suspended | |
Virus Host Detected by Threat Intelligence Source | |
Virus Infected on DMZ Server | |
Virus was Detected on Multiple Hosts | |
VPN Connections Limit Exceeded | |
VPN Host Login Successful from Foreign Country | |
VPN User Deleted Multiple Files | |
VPN User has Executed File | |
VPN User Login Failure | |
VPN User Login Successful | |
VPN User Mapping Failed | |
VPN User RDP Logon to DMZ Network | |
Vpn was expired | |
Vulnerability exploit alert | |
Vulnerability exploit drop | |
Vulnerability exploit reset | |
Vulnerable Internal Host communicated with External Attacker | |
Vulnerable Internal Host Communicated with Foreign Countries | |
Vulnerable Internal Host Data Transferred to Foreign Countries | |
WannaCry Activity Detected | |
Web Application - Activity | |
Web Application - Attack | |
Web request was blocked | |
Windows Audit Policy on an Object was Changed | |
Windows DHCP Server - Too many IP Assign | |
Windows Firewall changed the active profile | |
Windows is starting up | |
Windows Permissions on Object were Changed | |
Windows Policy Changed | |
Windows Service Error | |
Windows Service Stopped | |
Windows Task Created | |
Windows Task Deleted | |
Wireless - Flood | |
Wireless - Misc | |
Wireless - Scanner Detected | |
Wireless - Spoofing | |
Wlb failback initiated by | |
Wlb failover in progress | |
Wlb resource failed | |
Wlb resource is now available | |
Worm Activity | |
Worm Detector for DPI | |
Write access for the root of the virtual directory is forbidden | |
XML-RPC Attack Detected | |
XSS Attack Patterns Detected on Apache Web Server | |
XSS Attack Patterns Detected on IIS Web Server | |