@ertugrulakbas
Created November 15, 2021 10:55
Simplest SIEM Rule List
More than 10 failed logins in 1 minute
Successful session detected after 10 failed login attempts within 10 minutes
445 Port Events
A basic application group was changed
A basic application group was created
A basic application group was deleted
A change was made to the Windows Firewall exception list. A rule was added
A change was made to the Windows Firewall exception list. A rule was deleted
A change was made to the Windows Firewall exception list. A rule was modified
A computer account was changed
A computer account was created
A computer account was deleted
A critical event was detected
A directory service object was created
A directory service object was deleted
A directory service object was modified
A directory service object was moved
A directory service object was undeleted
A Dos Attack was detected
A group's type was changed
A handle to an object was requested
A handle to an object was requested with intent to delete
A Kerberos authentication ticket (TGT) was requested
A Kerberos authentication ticket request failed
A Kerberos service ticket request failed
A Kerberos service ticket was renewed
A Kerberos service ticket was requested
A member was added to a basic application group
A member was added to a security-disabled global group
A member was added to a security-disabled local group
A member was added to a security-disabled universal group
A member was added to a security-enabled global group
A member was added to a security-enabled local group
A member was added to a security-enabled universal group
A member was removed from a basic application group
A member was removed from a security-disabled global group
A member was removed from a security-disabled local group
A member was removed from a security-disabled universal group
A member was removed from a security-enabled global group
A member was removed from a security-enabled local group
A member was removed from a security-enabled universal group
A message was created
A message was delivered
A message was not created
A message was not delivered
A message was not sent
A message was sent
A message was suspended
A message was throttled
A more restrictive Windows Filtering Platform filter has blocked a packet
A namespace collision was detected
A network share object was accessed
A network share object was added
A network share object was deleted
A network share object was modified
A Network Trojan was detected
A new process has been created
A non-member was added to a basic application group
A non-member was removed from a basic application group
A process has exited
A registry key was virtualized
A registry value was modified
A Remote Procedure Call (RPC) was attempted
A replay attack was detected
A scheduled task was created
A scheduled task was deleted
A scheduled task was disabled
A scheduled task was enabled
A scheduled task was updated
A security-disabled global group was changed
A security-disabled global group was created
A security-disabled global group was deleted
A security-disabled local group was changed
A security-disabled local group was created
A security-disabled local group was deleted
A security-disabled universal group was changed
A security-disabled universal group was created
A security-enabled global group was changed
A security-enabled global group was created
A security-enabled global group was deleted
A security-enabled local group was changed
A security-enabled local group was created
A security-enabled local group was deleted
A security-enabled universal group was changed
A security-enabled universal group was created
A security-enabled universal group was deleted
A service was installed in the system
A Spam message was detected
A Suspicious filename was detected
A user account was changed
A user account was created
A user account was deleted
A user account was disabled
A user account was enabled
A user account was locked out
A user account was unlocked
A user right was assigned
A user right was removed
A Virus was detected
A Windows Firewall setting was changed
Abnormal UserAgent Pattern Detected
Access to Forbidden Web Site was Attempted
Added new PC to Domain
Address Not Allowed
Admin Terminate
Admin User has Executed File
Administrator login denied due to bad credentials
Administrator login denied from ; logins disabled from this interface
Administrator violation was detected
AFC harmful threat warning was received
All authentication methods are disabled
Aloha1Connection Request Rejected
Aloha1Uncompleted Connection Request
Already Exist Object
A message was discarded
An account failed to log on
An account login failed
An account was logged off
An account was not logged in
An account was successfully logged on
An Attack was detected
An attack was detected
An attempt was made to access an object
An attempt was made to change an account's password
An attempt was made to create a hard link
An attempt was made to reset an account's password
An attempted login using a suspicious username was detected
A critical event was detected
An important event was detected
An LDAP query group was created
An LDAP query group was deleted
An object was deleted
A system event was detected
Anomaly Detector for DPI
Anonymous Authentication
Anti-spyware detection alert:
Anti-spyware prevention alert:
Antivirus Disabled
Application - VPN Denied
Application Attack Detector for DPI
Application filter detection alert:
Application filters block alert:
Application firewall alert:
ARP Spoofing Attack
Association flood from wlan station
Asymmetric Routing Attack
Attack Detected on Security Device
Attack Detector for DPI
Attacker Host Connection Allowed After Port Scanner Activity to DMZ Network
Attacker Host Process Created on DMZ
Attempted - Administrator Privilege Gain
Attempted - Dos
Attempted - Recon
Attempted - User Privilege Gain
Auditing settings on an object were changed
Auditing settings on object were changed
Authentication - Bruteforce
Authentication - Bypass
Authentication fail
Availability - State Critical
Availability - State Unreachable
Back orifice attack dropped
Backup firewall has transitioned to active
Backup firewall has transitioned to idle
Bad crl format
Bad Length Packet Dropped
Bad Signature
Bad TCP Checksum Dropped
Bad Unknown
Bad Version
Bad Key
Blacklist Activity (Lan to Wan)
Blacklist Activity (Wan to Lan)
Botnet Event Activity Detected
Botnet Host Detected by Threat Intelligence Source
Broadcast Packet Dropped
Brute Force Attack Detected
Brute Force Attack Event Detected
Brute Force FTP Attack Detected
Brute Force Hosts Detected by Threat Intelligence Source
Brute Force MsSQL Attack Detected
Brute Force Oracle DB Attack Detected
Brute Force RDP Attack Detected
Brute Force VPN Attack Detected
Buffer is Full
Buffer Overflow Attack Event Detected
Cannot connect to remote server
Cannot connect to the crl server
Cannot open data connection
Cannot validate issuer path
Certificate on revoked list(crl)
Client IP didn't match the client IP on the data channel
Client IP Login Successful on Datacenter Network
Client IP Login Successful on Network Device
Client Side Exploit
Command execution
Configuration failed
Configuration was changed
Configuration was copied
Configuration was moved
Configuration was validated
Connection Allowed from the Guest Network to DMZ Network
Connection Dropped
Connection Killed
Connection Quarantined
Connection timed out
Contractor User Deleted Multiple Files
Contractor User has Executed File
Contractor User Process Created on DMZ
Contractor User Login Failure
Contractor User Login Successful
Contractor User Multiple Login Failure Detected
Crl has expired
Crl missing - issuer requires crl checking
Crl validation failure for root certificate
Cross-Site Request Forgery Event Detected
Custom authentication call failed
Data Transferred between Internal Attacker to External Attacker
Database - Login Failed
Database Server Shutdown
Database Server Startup
Database User Login Successful After Multiple Login Failures
DDoS Attack Event Detected
Default Login Attempt
Deleted PC from Domain
Denial Of Service
DFS Replication Failed
Directory not empty
Dlp event was detected
DNS DDoS Attack Detected
DNS Quota Exceeded
DNS was updated
Domain Policy was changed
Domain was not accessed
Dos attack was detected
Drop WLAN traffic from non-SonicPoint devices
E-mail fragment dropped
Exceeded storage allocation
Excessive Denied Connection to Unique Sources
Excessive Mail Received
Excessive Mail Sent
Excessive Malware Infection on a Host
Excessive Successful Web Connections Detected
Excessive System Errors Detected
Excessive Web Client Errors Detected
Excessive Web Redirects Detected
Excessive Web Request Detected from Suspicious UserAgent
Excessive Web Server Errors Detected
Executed File Activity Detected
Exploit - ActiveX
Exploit - Attack-response
Exploit - Browser
Exploit - Buffer overflow
Exploit - Command Execution
Exploit - Denial Of Service
Exploit - DNS
Exploit - Format String
Exploit - Ftp
Exploit - Linux
Exploit - Mail
Exploit - PDF
Exploit - Samba
Exploit - Shellcode
Exploit - sql injection
Exploit - Windows
Exploit Event Activity Detected
Exploit Hosts Detected by Threat Intelligence Source
External Aggressive Scanner Detected
External Attacker Allowed Connection to Honeypot Network
External Attacker Host Connection to Multiple DMZ Hosts
External Attacker Host Login Failure on Datacenter
External Attacker Host Login Successful on Datacenter
External Database Scanner Detected
External DHCP Scanner Detected
External DNS Scanner Detected
External FTP Scanner Detected
External Host Excessive Denied Connection
External Host Excessive GET Request Detected
External Host Excessive HEAD Request Detected
External Host Excessive POST Request Detected
External Host Login Failure
External Host Login Successful
External Host Login Successful from Foreign Country
External Host Logon Attempt on Security Device from Foreign Country
External Host RDP Login Failure
External Host RDP Login Successful
External HTTP/S Scanner Detected
External ICMP Flood Attack Detected
External ICMP Scanner Detected
External LDAP Scanner Detected
External Port Scanner Detected
External SMB Scanner Detected
External SMTP Scanner Detected
External SNMP Scanner Detected
External SSH Scanner Detected
External Suspicious Host Allowed Connection to Honeypot Network
External Suspicious Host Allowed Connection to Multiple DMZ Hosts
External Suspicious Host High Volume Data Transfer Detected
External Suspicious Host Login Failure on Datacenter
External Suspicious Host Login Failures to Multiple Servers on DMZ
External Suspicious Host Login Successful on Datacenter
External TCP Flood Attack Detected
External TCP Scanner Detected
External Telnet Scanner Detected
External UDP Flood Attack Detected
External UDP Scanner Detected
Fail Transact To IPsec
Fail Transact To Transition To IPsec
Failed to find certificate
Failed to get crl from
Failed to process crl from
Fan failure
File Inclusion Pattern Detected on Apache Web Server
File Inclusion Pattern Detected on IIS Web Server
File Take Ownership Activity Detected
File was Accessed
File was accessed
File was changed
File was deleted
Fin-flooding machine blacklisted
Firewall Admin Login Failure
Firewall Policy Authentication Failure
Firewall Portal Login Failure
Firewall System disabled ruleset
Flood Event Detected
Forbidden e-mail attachment deleted
Forbidden e-mail attachment disabled
Former User Logon Attempt Detected
Found rogue access point
Fragment Packet Dropped
FTP 421 (Service Not Available)
FTP 4xx (Permanent Negative Completion Reply)
FTP 502 (Command Not Implemented)
FTP 530 (User Not Logged In)
FTP 534 (Request Denied For Policy Reasons)
FTP 535 (Failed Security Check)
FTP 551 (Page Type Unknown)
FTP 5xx (Transient Negative Completion Reply)
FTP 6xx (Protected Reply)
FTP BRUTE-FORCE Login Attempt same IP
FTP BRUTE-FORCE Login Attempt same User Name
FTP Login Failure
FTP Login Successful
Ftp: data connection from non default port dropped
Ftp: pasv response bounce attack dropped
Ftp: pasv response spoof attack dropped
Ftp: port bounce attack dropped
Full Deny Dropped
Gateway anti-virus alert
Guest User Multiple Login Failure Detected
High Priority
Honeypot Activity as Destination
Host Login Successful After Multiple Login Failures
HTTP 400 (Bad Request)
HTTP 401 (Unauthorized)
HTTP 403 (Forbidden)
HTTP 404 (Not Found)
HTTP 405 (Method Not Allowed)
HTTP 408 (Request Timeout)
HTTP 409 (Conflict)
HTTP 413 (Request Entity Too Large)
HTTP 414 (Request-URI Too Long)
HTTP 415 (Unsupported Media Type)
HTTP 4xx (Client Error)
HTTP 500 (Internal Server Error)
HTTP 501 (Not Implemented)
HTTP 502 (Bad Gateway)
HTTP 503 (Service Unavailable)
HTTP 504 (Gateway Timeout)
HTTP 505 (HTTP Version Not Supported)
HTTP 5xx (Server Error)
HTTP Deobfuscation Attack
HTTP URL Length Exceeded Attack
ICMP flood attack was detected
Important event was detected
Inappropriate Content was Detected
Infected Host Detected
Infected Host Login Successful on Database Server
Infected Host Multiple Login Failed on DMZ Server
Ini killer attack dropped
Internal Aggressive Scanner Detected
Internal Attacker Allowed Connection to Honeypot Network
Internal Attacker Host Allowed Connection to DMZ Network
Internal Attacker Host Connection to External Attacker Detected
Internal Attacker Login Failures on Multiple Hosts
Internal Attacker Multiple Login Failure on Datacenter
Internal Database Scanner Detected
Internal DHCP Scanner Detected
Internal DNS Scanner Detected
Internal FTP Scanner Detected
Internal Host Connection to Multiple Suspicious External Hosts
Internal Host Excessive Denied Connection
Internal Host Excessive DNS Connection to External Host
Internal Host Excessive ICMP Connection to External Host
Internal Host Login Failure
Internal Host Login Successful
Internal Host Multiple Unknown Unique Ports Connection to External Host
Internal Host RDP Login Failure
Internal Host RDP Login Successful
Internal Host Uploaded Data to External Host
Internal HTTP/S Scanner Detected
Internal ICMP Flood Attack Detected
Internal ICMP Scanner Detected
Internal LDAP Scanner Detected
Internal Port Scanner Detected
Internal Scanner Host Login Successful on DMZ Server
Internal SMB Scanner Detected
Internal SMTP Scanner Detected
Internal SNMP Scanner Detected
Internal SSH Scanner Detected
Internal Suspicious Activity
Internal Suspicious Activity for Fortigate
Internal Suspicious Host Allowed Connection to Honeypot Network
Internal Suspicious Host Communicated with Threat Intelligence Reported Source
Internal Suspicious Host Data Transferred to Foreign Countries
Internal TCP Flood Attack Detected
Internal TCP Scanner Detected
Internal Telnet Scanner Detected
Internal UDP Flood Attack Detected
Internal UDP Scanner Detected
Invalid Argument
Invalid Protocol Packet Dropped
Invalid vlan packet dropped
IP address was conflicted
IP address was assigned
IP address was quarantined
IP could not be assigned
IP Half Scan Packet Dropped
IP Options Dropped
IP Packets that are not TCP or UDP
IP restriction rules denied the access.
Ip spoof detected on packet to centralgateway, packet dropped
Ip spoof dropped
IP spoofing Activity Detected
IP Spoofing Attack
IP spoofing event was detected
IP was conflicted
IP was not assigned
IPS Blocked
IPS Detected
Ips detection alert
Ips prevention alert
IPSec Dropped
IPsec No Route Dropped
Ipsec packet from or to an illegal host
Ipsec replay detected
Issuer match failed
Kerberos policy was changed
Kerberos pre-authentication failed
Land Attack
Land Attack Dropped
Land attack dropped
Large Data Download Transfer Detected
Large Data Transfer Detected by Scanner Host
Large Data Transfer Detected by VPN Host
Large Data Transfer Detected from DMZ Server
Large Data Transfer Detected from Threat Intelligence Host
Large Data Transferred Detected between Infected Host and Threat Intelligence Host
Large Data Transferred Detected between Internal Attacker Host and Client Network
Large Data Transferred Detected between Scanner Client Host and DMZ Hosts
Large Data Transferred Detected between User Network and External Attacker
Large Data Upload Transfer Detected
Locked User Account
Log Deletion Activity Detected
Log Full Activity Detected
Login Failure to Account
Login Failure to Expired Account
Login Success after Brute Force Attack Detected
Login Success after Brute Force VPN Attack Detected
Logon Attempt Detected to Honeypot Server
Logon Attempt Host Detected by Threat Intelligence Source
Low Data Detection from Syslog UDP Source
Low Data Detection from WMI Source
MAC Poisoning Attack
MAC Spoofing Attack
Machine removed from fin flood blacklist
Machine removed from rst flood blacklist
Machine removed from syn flood blacklist
Mail Account Sent Email to Multiple Different Domains
Malformed or unhandled ip packet dropped
Malicious File Format
Malicious pattern in an e-mail address
Malware - Backdoor
Malware - CNC
Malware - Fake Antivirus
Malware - Keylogger
Malware - Spyware
Malware - Trojan
Malware - Virus
Malware - Worm
Malware Event Activity Detected
Malware Host Allowed Connection to DMZ Server
Malware Hosts Detected by Threat Intelligence Source
Malware ransomware was detected
Malware spyware drop
Malware spyware reset
Malware spyware was detected
Malware virus was detected
Malware was detected
Maximum connection limit was reached
Maximum events per second threshold exceeded
Maximum file size was exceeded
Maximum sequential failed dial attempts (10) to a single dial-up number:
Maximum syslog data per second threshold exceeded
Mimikatz Golden Ticket Activity Detected
Misc Attack
Moderation was expired
Modifying this property is not allowed for this session
MSSQL - Also Master Table Changes
MSSQL - Also MsdbTable Changes
MSSQL - Alter Connection
MSSQL - Alter Server Configuration
MSSQL - Alter Server State
MSSQL - Alter Settings
MSSQL - Application Role Change Password Group
MSSQL - Audit Change Group
MSSQL - Audit Session Changed
MSSQL - Audit Shutdown On Failure
MSSQL - Audit Trail Altered
MSSQL - Backup
MSSQL - Backup Log
MSSQL - C2 Auditing Disabled
MSSQL - C2 Auditing Enabled
MSSQL - Change Login Credential
MSSQL - Change Own Password
MSSQL - Change Password
MSSQL - Checkpoint
MSSQL - Configuration Change
MSSQL - Data Truncated
MSSQL - Database Altered
MSSQL - Database Backup
MSSQL - Database Configuration Changes
MSSQL - Database Created
MSSQL - Database Dropped
MSSQL - Database Object Ownership Change Group
MSSQL - Database Object Permission Change Group
MSSQL - Database Ownership Change Group
MSSQL - Database Permission Change Group
MSSQL - DATABASE PRINCIPAL IMPERSONATION GROUP
MSSQL - Database Restore
MSSQL - Database Role Member Change Group
MSSQL - DBCC Command
MSSQL - DBO Changed
MSSQL - DTS Password Scan
MSSQL - E-Mail Control
MSSQL - Extended Procedure Added
MSSQL - External Access ASSEMBLY
MSSQL - Failed Login
MSSQL - Function Altered
MSSQL - Function Created
MSSQL - Function Dropped
MSSQL - Grant ALL
MSSQL - Grant Option
MSSQL - IMPERSONATE
MSSQL - Javascript Tag in SQL
MSSQL - Job Control
MSSQL - Login Added
MSSQL - Login Change Password Group
MSSQL - Login Dropped
MSSQL - Login Info Scan
MSSQL - Master Table Changes
MSSQL - Member Added
MSSQL - Member Dropped
MSSQL - MsdbTable Changes
MSSQL - Must Change Password
MSSQL - OLE Automation
MSSQL - OS Command Executed
MSSQL - Password Expiration
MSSQL - Password Policy
MSSQL - Possible SQL Injection Using CAST
MSSQL - Privileges Changed
MSSQL - Privileges Granted
MSSQL - Privileges Revoked
MSSQL - Procedure Created
MSSQL - Procedure Dropped
MSSQL - Process Killed
MSSQL - Registry Control
MSSQL - Reset Own Password
MSSQL - Reset Password
MSSQL - Schema Changes
MSSQL - Schema Object Ownership Change Group
MSSQL - Schema Object Permission Change Group
MSSQL - Server Configuration Changes
MSSQL - Server Object Ownership Change Group
MSSQL - Server Object Permission Change Group
MSSQL - Server Paused
MSSQL - Server Permission Change Group
MSSQL - SERVER PRINCIPAL IMPERSONATION GROUP
MSSQL - Server Role Member Change Group
MSSQL - Server Shutdown
MSSQL - Server Started
MSSQL - SQLAgent Password Scan
MSSQL - Table Altered
MSSQL - Table Changes -- DELETE
MSSQL - Table Changes -- INSERT
MSSQL - Table Changes -- UPDATE
MSSQL - Table Created
MSSQL - Table Dropped
MSSQL - Take Ownership
MSSQL - Trace Altered
MSSQL - Trace Audit C2 OFF
MSSQL - Trace Audit C2 ON
MSSQL - Trace Audit Start
MSSQL - Trace Audit Stop
MSSQL - Trace Change Group
MSSQL - Trace Configuration
MSSQL - Trace Disabled
MSSQL - Trace Enabled
MSSQL - Transfer
MSSQL - Trigger Created
MSSQL - Trigger Dropped
MSSQL - Unauthorized Change to Audit Trail
MSSQL - Unlock Account
MSSQL - Unsafe ASSEMBLY
MSSQL - User Added
MSSQL - User Dropped
MSSQL - View Created
MSSQL - View Dropped
MSSQL - Web Job Control
Multicast packet dropped, invalid src ip received on interface :
Multicast packet dropped, wrong mac address received on interface :
Multiple Botnet Activity Detected
Multiple Critical Alerts Detected in 1 hour
Multiple Different Critical Alerts Detected in 1 hour
Multiple Different Critical Alerts Detected in 24 hour
Multiple Different Viruses on a Host
Multiple Different Warning Level Alerts Detected in 1 hour
Multiple Files Deleted
Multiple Files Deleted by Admin User
Multiple IP Addresses Anomaly Detected for a Mac address
Multiple Kerberos Login Failures Host Detected
Multiple Kerberos Login Failures User Detected
Multiple Kerberos Login Successful Host Detected
Multiple Login Failures Detected on Honeypot Server
Multiple Login Failures Host Detected
Multiple Login Failures User Detected
Multiple Login Failures User Detected on FTP Server
Multiple Login Failures User Detected on MsSQL
Multiple Login Failures User on Oracle DB
Multiple Mac Addresses Anomaly Detected for an IP Address
Multiple NTLM Login Failures Host Detected
Multiple NTLM Login Failures User Detected
Multiple Passwords Reset Activity Detected
Multiple RDP Login Failures User Detected
Multiple Unauthorized File Change Attempts Detected
Multiple Unique Suspicious Web Activities Detected After Network Scanning
Multiple Users Activity Detected
Multiple Users Created Activity Detected
Multiple Users Deleted Activity Detected
Multiple VPN Login Failures Activity Detected
Multiple VPN Login Successful User Detected
Multiple Vulnerabilities found on a Host
MySQL - Data Truncated
MySQL - Password Change
MySQL - Procedure Created
MySQL - Procedure Dropped
MySQL - Successful Superuser(root) Logins
MySQL - System Table Changes
MySQL - Table Altered
MySQL - Table Created
MySQL - Table Dropped
MySQL - Table Loaded
MySQL - Table Renamed
MySQL - Table Restored
MySQL - Trigger Created
MySQL - Trigger Dropped
MySQL - View Created
MySQL - View Dropped
Need account for storing files
Nessus Scan
Net spy attack dropped
Netbus attack dropped
Network monitor: host is offline
Network monitor: host is online
Network Rules Denied
Network Scanning Activity Detected from Infected Host
Network Scanning Activity Detected from Threat Intelligence Host
Network security appliance activated
Newly Created User has gained Admin Rights
NIS Load Policy Failed
No BackLog Packet Dropped
No certificate for
No UDP Server or TCP not belong to any session
Non Standard Protocol
NTP DDoS Attack Detected
Off-hours Large Data Transfer Detected
Off-hours Login Successful from Contractor User
Off-hours Logon Attempt
Off-hours Logon Attempt on Datacenter Network
OpenVas High CSV Score Vulnerability Detected
OpenVas Medium CSV Score Vulnerability Detected
Oracle - Attempt Revoke Privileges
Oracle - Commit
Oracle - Context Created
Oracle - Context Dropped
Oracle - Data Truncated
Oracle - Database Altered
Oracle - Database Created
Oracle - Default Auditing
Oracle - Default NoAuditing
Oracle - Execute Procedure
Oracle - Failed Login
Oracle - Failed Superuser Login
Oracle - FGA Package Access
Oracle - Function Altered
Oracle - Function Created
Oracle - Function Dropped
Oracle - Library Created
Oracle - Library Dropped
Oracle - Lock
Oracle - Object Auditing
Oracle - Object Granted
Oracle - Object NoAuditing
Oracle - Object Revoked
Oracle - Package Altered
Oracle - Package Created
Oracle - Package Dropped
Oracle - Password Scan
Oracle - PL/SQL Execute
Oracle - Policy Change
Oracle - Procedure Altered
Oracle - Procedure Created
Oracle - Procedure Dropped
Oracle - Profile Altered
Oracle - Profile Created
Oracle - Profile Dropped
Oracle - Role Altered
Oracle - Role Created
Oracle - Role Dropped
Oracle - Role Granted
Oracle - Role Revoked
Oracle - Role Set
Oracle - Rollback
Oracle - Savepoint
Oracle - Schema Created
Oracle - Security Violation
Oracle - Session Altered
Oracle - Set Transaction
Oracle - Successful Superuser Logins
Oracle - Synonym Created
Oracle - Synonym Dropped
Oracle - System Altered
Oracle - System Auditing
Oracle - System Granted
Oracle - System NoAuditing
Oracle - System Revoked
Oracle - Table Altered
Oracle - Table Changes -- DELETE
Oracle - Table Changes -- INSERT
Oracle - Table Changes -- UPDATE
Oracle - Table Created
Oracle - Table Dropped
Oracle - Tablespace Altered
Oracle - Tablespace Created
Oracle - Tablespace Dropped
Oracle - Trigger Altered
Oracle - Trigger Created
Oracle - Trigger Disabled
Oracle - Trigger Dropped
Oracle - Trigger Enabled
Oracle - Triggers All Disabled
Oracle - Triggers All Enabled
Oracle - User Altered
Oracle - User Created
Oracle - User Dropped
Oracle - Username Info Scan
Oracle - View Created
Oracle - View Dropped
Oracle Account Lockout
Oracle Cluster Activity
Oracle DataBases Activity
Oracle DB Denial of Service Event Detected
Oracle DB Function Activity
Oracle DB Login Failed
Oracle DB Login Successful
Oracle DB Password Expired
Oracle Procedure Activity
Oracle Role Activity
Oracle Schema Activity
Oracle System Grant
Oracle System Revoke
Oracle Users Activity
Out Of Band Packet Dropped
Out Of Resources
Outbound Path Through Dropped
P2P Large Data Transfer Detected
Packet dropped. no firewall rule associated with vpn policy
Packet dropped; connection limit for this destination ip address has been reached
Packet dropped; connection limit for this source ip address has been reached
Partner User Deleted Multiple Files
Partner User has Executed File
Partner User Multiple Login Failure Detected
Password Change
Password Reset
Per User Audit Policy was changed
Ping of Death Attack Detected
Ping of death dropped
Ping of Death Packet Dropped
Policy - Violation
Policy Connection Closed
Policy Rules Denied
Port Scan
Port Scan Detector
Port Scan Detector For DPI
Port scan was detected
Port Zero Packet Dropped
Possible ARP Poisoning Attack
Possible Attack Pattern - GTP not supported version
Possible Attack Pattern - GTPv0 packet parsing error
Possible Attack Pattern - Invalid IP fragment
Possible Attack Pattern - invalid spi
Possible Attack Pattern - missing an expected AH or ESP header
Possible Attack Pattern - Too Many Failed Logins
Possible Attack Pattern - tunnel_limit exceeded
Possible DoS Attack
Possible DoS Attack - Embryonic limit exceeded
Possible DoS Attack - Exceeded Embryonic limit
Possible DoS Attack - Fragment database limit exceeded
Possible DoS Attack - proxy connection limit exceeded
Possible fin flood on if
Possible fin flood on if has ceased
Possible FTP Session Hijacking Attack
Possible man in the middle attack
Possible port scan detected
Possible rst flood on if
Possible rst flood on if has ceased
Possible Spoofing Attack
Possible syn flood detected on wan if - switching to connection-proxy mode
Possible syn flood on if
Possible syn flood on if has ceased
PostgreSQL - Data Truncated
PostgreSQL - Database Altered
PostgreSQL - Database Backup
PostgreSQL - Database Created
PostgreSQL - Database Dropped
PostgreSQL - Database Restore
PostgreSQL - Failed Login
PostgreSQL - Failed Superuser Logins
PostgreSQL - Function Altered
PostgreSQL - Function Created
PostgreSQL - Function Dropped
PostgreSQL - Grant ALL
PostgreSQL - Login Info Scan
PostgreSQL - Permission Denied
PostgreSQL - Privileges Granted
PostgreSQL - Privileges Revoked
PostgreSQL - Procedure Created
PostgreSQL - Procedure Dropped
PostgreSQL - Schema Changes
PostgreSQL - Successful Superuser Login
PostgreSQL - System Table Changes
PostgreSQL - Table Altered
PostgreSQL - Table Changes -- DELETE
PostgreSQL - Table Changes -- INSERT
PostgreSQL - Table Changes -- UPDATE
PostgreSQL - Table Created
PostgreSQL - Table Dropped
PostgreSQL - Trace Configuration
PostgreSQL - Trigger Created
PostgreSQL - Trigger Dropped
PostgreSQL - Union Command Failed
PostgreSQL - View Created
PostgreSQL - View Dropped
PowerShell Bad Commands Detected
Powershell Base64 Encoded Attack Detected
Powershell Hidden Command Attack Detected
Powershell Process Created by Chrome
Powershell Process Created by Firefox
Powershell Process Created by Internet Explorer
Powershell Process Created by Notepad
Powershell Process Created by Office Excel
Powershell Process Created by Office PowerPoint
Powershell Process Created by Office Word
Powershell Process Created by Outlook
PowerShell Restricted Setting Change
Primary firewall has transitioned to active
Primary firewall has transitioned to idle
Priority attack dropped
Probable port scan detected
Probable tcp fin scan detected
Probable tcp null scan detected
Probable tcp xmas scan detected
Probing failure on
Probing succeeded on
Ransomware BadRabbit Attack Detected
Ransomware Petya Attack Detected
Ransomware WannaCry Attack Detected
RDP Logon Attempt Detected from Foreign Country
RDP Logon Attempt Host Detected by Threat Intelligence Source
Recon scan was detected
Registry Object Changed
Regulatory requirements prohibit from being re-dialed for 30 minutes
Remote Thread Detected
Remove File system returned an error
Replay Attack was Detected
Response was refused
RIP pkt failed attack
RIP reply message with bad authentication attack
Ripper attack dropped
RPC Portmap Decode
Rst-flooding machine blacklisted
Rule Change Activity
Rule Quota Exceeded Dropped
Scanner Host Logon Attempt Detected
Scanning Event Activity Detected
SDF - Sensitive Data Transmitted
Security Device Vulnerability Detected
Senna spy attack dropped
Sensitive Web URL Path Detected
Service event was detected
Service Started
Service Stopped
Service Stopped on DMZ Server
Session is Not Authenticated
Session was removed
Session was started
Session was updated
Shellcode Detect
Siber Saldiri Simlasyonu
Siber Saldiri Simulasyonu02
Siber Saldiri Simulasyonu02
Smurf amplification attack dropped
Snapshot was reverted
SNMP DDoS Attack Detected
SNORT NMAP SCAN PRESENT
Spam Activity Detected
Spam Hosts Detected by Threat Intelligence Source
Spank attack multicast packet dropped
Special Groups have been assigned to a New Logon
Special Groups Logon table modified
Spoofing Packet Dropped
Spyware Event Activity Detected
SQL Injection Detected After Scanning
SQL Injection Detector
SQL Injection Detector for DPI
SQL Injection Event Detected
SQL Injection Pattern Detected
SQL ping
SQLServer Account Lock/Unlocked
SQLServer Application Role Activity
SQLServer Credential Dropped
SQLServer Database Activity
SQLServer Database Role Activity
SQLServer Groups Changed
SQLServer Index Activity
SQLServer Login Failed
SQLServer Login Success
SQLServer Own Password Changes
SQLServer Password Reset
SQLServer Schema Activity
SQLServer Server Audit Activity
SQLServer Server Audit Specification Activity
SQLServer Stored Procedure Activity
SQLServer Table Activity
SQLServer Trigger Activity
SQLServer User Activity
SQLServer User Enabled/Disabled
SQLServer User Rights Changed
SQLServer View Activity
SSDP DDoS Attack Detected
SSH Brute Force
Striker attack dropped
Sub seven attack dropped
Successful - Administrator Privilege Gain
Successful - Dos
Successful - Recon Largescale
Successful - Recon Limited
Successful User Privilege Gain
Suricata/Snort Abnormal DNS Activity Detected
Suricata/Snort Abnormal FTP Activity Detected
Suricata/Snort Abnormal SQL Activity Detected
Suricata/Snort Abnormal Telnet Activity Detected
Suricata/Snort Abnormal TROJAN Activity Detected
Suricata/Snort Abnormal User-Agent Activity Detected
Suricata/Snort Abnormal WORM Activity Detected
Suricata/Snort Exploit Activity Detected
Suricata/Snort Scada Attack Detected
Suricata/Snort Web Server Attack Detected
Suspicious - Filename Detect
Suspicious - Login
Suspicious - Web Attack or Scan
Suspicious Activity
Suspicious Activity - Config Change
Suspicious Attack Detect
Suspicious attack was detected
Suspicious ICMP Traffic Detected from Many Hosts to a Single Target
Suspicious TCP Traffic Detected from Many Hosts to a Single Target
Suspicious Traffic Detected from Many Hosts to a Single Target
Suspicious UDP Traffic Detected from Many Hosts to a Single Target
Suspicious Web Activity Detected After Network Scanning
SYN Attack End
SYN Attack Start
SYN flood attack was detected
Syn flood ceased or flooding machines blacklisted - connection proxy disabled
Syn-flooding machine blacklisted
System Audit Policy was Changed
System audit policy was changed
System Call Detect
System Reboot
System Shutdown
System Shutdown on DMZ Network
System Started
System was restarted
System was started
TCP No Server Reply
TCP Not SYN Packet Dropped
TCP Rate Quota Exceeded Dropped
Tcp syn/fin packet dropped
Tcp xmas tree dropped
TCP/IP Packet Dropped
The ACL was set on accounts which are members of administrators groups
Administrator right violation was attempted
The attack was detected
The audit log was cleared
The audit policy (SACL) on an object was changed
The Blocking Operation is Already Started
The connection is already emulated by another filter
The DoS attack has subsided and normal processing is being resumed
The e-mail was blackholed
The e-mail was quarantined
The e-mail was rejected
The event logging service has shut down
The Filter is Not Registered
The log file is full
The log file was cleared
The name of an account was changed
The password hash of an account was accessed
The Password Policy Checking API was called
The Per-user audit policy table was created
The previous system shutdown was unexpected
The screen saver was dismissed
The screen saver was invoked
The security log is now %1 percent full
The security log is now full
The STA event was detected
The system time was changed
The web application attack was detected
The Windows Filtering Platform has blocked a bind to a local port
The Windows Filtering Platform has blocked a connection
The Windows Filtering Platform has blocked a packet
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded
The Windows Filtering Platform has permitted a bind to a local port
The Windows Filtering Platform has permitted a connection
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
The Windows Firewall Driver failed to start
The Windows Firewall Driver started successfully
The Windows Firewall Driver was stopped
The Windows Firewall Service blocked an application from accepting incoming connections on the network
The Windows Firewall service failed to start
The Windows Firewall service started successfully
The Windows Firewall service was stopped
The workstation was locked
The workstation was unlocked
There is no blocking operation to be ended
Thermal red
Thermal red timer exceeded
Thermal yellow
Thread Quota Exceeded
Threat Intelligence Host Allowed Connection Activity Detected
Threat Intelligence Host Allowed Connection to Internal Network
Timeout
Too many DNS Queries
Too many failed login attempts
Too many users, server is full
Traffic was blocked by DLP
Trojan - Activity
Trojan Detector for DPI
UDP Bomb Dropped
UDP flood attack was detected
Unanswered HTTP Requests Exceeded Attack
Unauthorized File Change Attempt Detected
Unlocked User Account
Unreachable Address
Unsuccessful User Privilege Gain
Unsuccessful vpn event was detected
Unsupported IPv6 Dropped
Unsupported NAT-PT Dropped
Unusual Client Port Connection
User Added to Group
User Added to Local Group
User Added to VPN Group
User Created
User Deleted
User Deleted from Local Group
User Disabled
User Enabled
User Failed to Authenticate
User Group Change
User Group Created
User Group Deleted
User has gained Admin Rights
User Login Failure
User Login from Multiple Hosts
User Login Successful
User Login Successful After Multiple Login Failures
User Removed from Group
User violation was detected
User violation was attempted
Validate Quarantine Failed
Victim Host Process Created on DMZ
Victim Host Scanning Activity Detected
Virtual Machine snapshot was created
Virtual Machine was reset
VirtualMachine snapshot was created
VirtualMachine was reconfigured
VirtualMachine was suspended
Virus Host Detected by Threat Intelligence Source
Virus Infected on DMZ Server
Virus was Detected on Multiple Hosts
VPN Connections Limit Exceeded
VPN Host Login Successful from Foreign Country
VPN User Deleted Multiple Files
VPN User has Executed File
VPN User Login Failure
VPN User Login Successful
VPN User Mapping Failed
VPN User RDP Logon to DMZ Network
Vpn was expired
Vulnerability exploit alert
Vulnerability exploit drop
Vulnerability exploit reset
Vulnerable Internal Host communicated with External Attacker
Vulnerable Internal Host Communicated with Foreign Countries
Vulnerable Internal Host Data Transferred to Foreign Countries
WannaCry Activity Detected
Web Application - Activity
Web Application - Attack
Web request was blocked
Windows Audit Policy on an Object was Changed
Windows DHCP Server - Too many IP Assignments
Windows Firewall changed the active profile
Windows is starting up
Windows Permissions on Object were Changed
Windows Policy Changed
Windows Service Error
Windows Service Stopped
Windows Task Created
Windows Task Deleted
Wireless - Flood
Wireless - Misc
Wireless - Scanner Detected
Wireless - Spoofing
Wlb failback initiated by
Wlb failover in progress
Wlb resource failed
Wlb resource is now available
Worm Activity
Worm Detector for DPI
Write access for the root of the virtual directory is forbidden
XML-RPC Attack Detected
XSS Attack Patterns Detected on Apache Web Server
XSS Attack Patterns Detected on IIS Web Server