List of threats

Types	Categories
Devices with High Event Rates	Anomaly
Excessive Firewall Denies from Single Source	Anomaly
Single IP with Multiple MAC addresses	Anomaly
First−Time User Access to Critical Asset	Anomaly
Remote Access from Foreign CountryƒRegion	Anomaly
Anomaly: Excessive Firewall Accepts From Multiple Source to a Single Destination	Anomaly
Excessive Database Connections	Anomaly
First−Time User Access to Critical Asset	Authentication
Login Failure to Disabled Account	Authentication
Login Failure to Expired Account	Authentication
Multiple Login Failures from the Same Source (Windows)	Authentication
Possible Shared Accounts	Authentication
Repeat Non−Windows Login Failures	Authentication
Login Failures Followed By Success from the same Source IP	Authentication
Login Failures Followed By Success to the same Source IP	Authentication
Login Failures Followed By Success to the same Username	Authentication
Multiple Login Failures for Single Username	Authentication
Multiple Login Failures from the Same Source	Authentication
Multiple Login Failures to the Same Destination	Authentication
Repeat Windows Login Failures	Authentication
Potential Botnet Events Become Offenses	Botnet
DDoS Attack Detected	D\DoS
DDoS Events with High Magnitude Become Offenses	D\DoS
DoS Events with High Magnitude Become Offenses	D\DoS
Network DoS Attack Detected	D\DoS
Service DoS Attack Detected	D\DoS
Login Failure to Disabled Account	Horizontal Movement
Login Failure to Expired Account	Horizontal Movement
Chained Exploit Followed by Suspicious Events	Intrusion Detection
Chained Exploit Followed by Suspicious Events on the Third Host	Intrusion Detection
Destination Vulnerable to Detected Exploit	Intrusion Detection
Exploit: Destination Vulnerable to Detected Exploited on a Different Port	Intrusion Detection
Exploits Events with High Magnitude Become Offenses	Intrusion Detection
Login Failures Followed By Success from the same Source IP	Intrusion Detection
Login Failures Followed By Success from the same Destination IP	Intrusion Detection
Login Failures Followed By Success to the same Username	Intrusion Detection
Source Vulnerable to any Exploit	Intrusion Detection
Source Vulnerable to this Exploit	Intrusion Detection
100% Accurate Events	Intrusion Detection
All Exploits Become Offenses	Intrusion Detection
Attack followed by Attack Response	Intrusion Detection
Database Failures Followed by User Changes	Intrusion Detection
Database Multiple Database Failures Followed by Success	Intrusion Detection
Destination Vulnerable to Different Exploit than Attempted on Targeted Port	Intrusion Detection
Exploit Followed by Suspicious Host Activity	Intrusion Detection
ExploitƒMalware Events Across Multiple Destinations	Intrusion Detection
Exploits: Exploits Followed by Firewall Accepts	Intrusion Detection
Multiple Exploit Types Againts Single Destination	Intrusion Detection
Multiple Vector Attack Source	Intrusion Detection
BadRabbit Detected in Real Time	Malware
Local Host Sending Malware	Malware
Malware or Virus Clean Failed	Malware
TIME−Forticlient	Malware
Treat Backdoor Trojan and Virus Events as Offenses	Malware
Treat Key Loggers as Offenses	Malware
Treat Non−Spyware Malware as Offenses	Malware
Treat Spyware and Virus as Offenses	Malware
Ransomware Behaviour from Endpoint Security Logs	Ransomware
Ransomware Behaviour from Microsoft Windows Security Event Logs	Ransomware
UBA: Ransomware Behavior from Endpoint Security Logs	Ransomware
UBA: Ransomware Behavior from Microsoft Windows Security Logs	Ransomware
Database Remote Login Failure	Recon
Excessive Database Connections	Recon
Excessive Failed Logins to Compliance IS	Recon
Excessive Firewall Accepts Across Multiple Hosts	Recon
Excessive Firewall Denies from Local Host	Recon
Excessive Firewall Denies from Remote Host	Recon
Multiple Login Failures from the Same Source	Recon
Multiple Login Failures from the Same Source (Windows)	Recon
Multiple Login Failures to the Same Destination	Recon
Repeat Non−Windows Login Failures	Recon
Repeat Windows Login Failures.	Recon
Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination	Post Intrusion Activity
Database Attempted Configuration Modification by a remote host	Post Intrusion Activity
Database Concurrent Logins from Multiple Locations	Post Intrusion Activity
Database Groups Changed from Remote Hsot	Post Intrusion Activity
Database User Rights Changed from Remote Host	Post Intrusion Activity
Local Mass Mailing Host Detected	Post Intrusion Activity
Possible Local Worm Detected	Post Intrusion Activity
Worm Detected (Events)	Post Intrusion Activity
Device Stopped Sending Events	System
Load Basic Building Blocks	System
System Notification	System
Failed Communication to a Malicious Website	Threats
Multiple Threats Detected on Same Host	Threats
Possible Shared Accpunts	Threats
Potential Botnet Events Become Offenses	Threats
Potential Honeypot Access	Threats
Same Threat Detected on Multiple Hosts	Threats
Same Threat Detected on Multiple Servers	Threats
Same Threat Detected on Same Host	Threats
Same Threat Detected on Same Network Different Hosts	Threats
Successful Communication to a Malicious Website	Threats
X−Force Premium: Internal Host Communicating with Botnet Command and Control URL	Threats
X−Force Premium: Internal Host Communicating with Malware URL	Threats
UBA: Account or Group or Privileges Added	User Behavioral Analytics
UBA: Account or Group or Privileges Modified	User Behavioral Analytics
UBA: Anomalous Account Created From New Location	User Behavioral Analytics
UBA: Anomalous Cloud Account Created From New Location	User Behavioral Analytics
UBA: Browsed to BusinessƒService Website	User Behavioral Analytics
UBA: Browsed to Communication Website	User Behavioral Analytics
UBA: Browsed to Entertainment Website	User Behavioral Analytics
UBA: Browsed to Gambling Website	User Behavioral Analytics
UBA: Browsed to Information Technology Website	User Behavioral Analytics
UBA: Browsed to Job Search Website	User Behavioral Analytics
UBA: Browsed to LifeStyle Website	User Behavioral Analytics
UBA: Browsed to Malicious Website	User Behavioral Analytics
UBA: Browsed to Mixed ContentƒPotentially Adult Website	User Behavioral Analytics
UBA: Browsed to Phishing Website	User Behavioral Analytics
UBA: Browsed to Pornography Website	User Behavioral Analytics
UBA: Browsed to ScamƒQuestionableƒIllegal Website	User Behavioral Analytics
UBA: Browsed to Uncategorized Website	User Behavioral Analytics
UBA: Bruteforce Authentication Attempts	User Behavioral Analytics
UBA: Common Exploit Tool Detected	User Behavioral Analytics
UBA: Common Exploit Tool Detected (Asset)	User Behavioral Analytics
UBA: Create Offense	User Behavioral Analytics
UBA: Critical Systems Users Seen Update	User Behavioral Analytics
UBA: DƒDoS Attack Detected	User Behavioral Analytics
UBA: Detect Insecure or Non−Standard Protocol	User Behavioral Analytics
UBA: Detect IOC's For Locky	User Behavioral Analytics
UBA: Detect IOC's for WannaCry	User Behavioral Analytics
UBA: Detect Persistent SSH Session	User Behavioral Analytics
UBA: Dormant Account Found (privileged)	User Behavioral Analytics
UBA: Dormant Account Used	User Behavioral Analytics
UBA: Executive Only Asset Accessed by Non−Executive User	User Behavioral Analytics
UBA: Expired Account Used	User Behavioral Analytics
UBA: First Privileged Excalation	User Behavioral Analytics
UBA: High Risk User Access to Critical Asset	User Behavioral Analytics
UBA: Hioneytoken Activity	User Behavioral Analytics
UBA: Internet Settings Modified	User Behavioral Analytics
UBA: Kerberos Accpount Mapping	User Behavioral Analytics
UBA: Large Outbound Transfer by Hugh Risk User	User Behavioral Analytics
UBA: Malicious Process Detected	User Behavioral Analytics
UBA: Malware Activity − Registry Modified in Bulk	User Behavioral Analytics
UBA: Multiple Kerberos Authentication Failures from Same User	User Behavioral Analytics
UBA: Multiple VPN Accounts Failed Login from Single IP.	User Behavioral Analytics
UBA: Mutliple VPN Accpounts ogged in From Single IP	User Behavioral Analytics
UBA: Netcast Process Detection (Linux)	User Behavioral Analytics
UBA: Netcase Process Detection (Windows)	User Behavioral Analytics
UBA: Network Share Accessed	User Behavioral Analytics
UBA: Network Traffic: Capture, Monitoring and Analysis Program Usage	User Behavioral Analytics
UBA: New Account Use Detected	User Behavioral Analytics
UBA: Non−Admin Access to Domain Controller	User Behavioral Analytics
UBA: Pash the Hash	User Behavioral Analytics
UBA: Populate Authorized Applications	User Behavioral Analytics
UBA: Populate Multiple VPN Accounts Failed Login from Single IP	User Behavioral Analytics
UBA: Populate Multiple VPN Accounts Logged in From Single IP	User Behavioral Analytics
UBA: Populate Process Filenames	User Behavioral Analytics
UBA: Possible TGT Forgery	User Behavioral Analytics
UBA: Potential Access to Blacklist Domain	User Behavioral Analytics
UBA: Potential Access to DGA Domain	User Behavioral Analytics
UBA: Potential Access to Squatting Domain	User Behavioral Analytics
UBA: Potential Access to Tunnelling Domain	User Behavioral Analytics
UBA: Process Creating Suspicious Remote Threads Detected (Asset)	User Behavioral Analytics
UBA: Process Executed Outside Gold Disk Whitelist (Linux)	User Behavioral Analytics
UBA: Process Executed Outside Gold Disk Whitelist (Windows)	User Behavioral Analytics
UBA: Ransomware Behaviour Detected	User Behavioral Analytics
UBA: Recent User Activity Update(privileged)	User Behavioral Analytics
UBA: Repeat Unauthorized Access	User Behavioral Analytics
UBA: Restricted Program Usage	User Behavioral Analytics
UBA: Shellbags Modified by Ransomware	User Behavioral Analytics
UBA: Subject_CN and Username Map Update	User Behavioral Analytics
UBA: Subject_CN and Username Mapping	User Behavioral Analytics
UBA: Suspicious Activities on Compromised Hosts	User Behavioral Analytics
UBA: Suspicious Activities on Compromised Hosts (Asset)	User Behavioral Analytics
UBA: Suspicious Administrative Activities Detected	User Behavioral Analytics
UBA: Suspicious Command Prompt Activity	User Behavioral Analytics
UBA: Suspicious Entries in System Registry (Asset)	User Behavioral Analytics
UBA: Suspicious Image Load Detected (Asset)	User Behavioral Analytics
UBA: Suspicious Pipe Activities (Asset)	User Behavioral Analytics
UBA: Suspicious PowerShell Activity	User Behavioral Analytics
UBA: Suspicipus Privileged Activity (First Observed Privilege Use)	User Behavioral Analytics
UBA: Suspicious Privileged Activity (Rarely Used Privileged)	User Behavioral Analytics
UBA: Suspicipus Scheduled Task Activities	User Behavioral Analytics
UBA: Suspicious Service Activities	User Behavioral Analytics
UBA: Suspicious Service Activities (Asset)	User Behavioral Analytics
UBA: TGT Ticket Used by Multiple Hosts	User Behavioral Analytics
UBA: Unauthorized Access	User Behavioral Analytics
UBA: UNIXƒLINUX System Accessed With Service or Machine Account	User Behavioral Analytics
UBA: Unusual Scanning of Database Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of DHCP Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of DNS Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of FTP Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of Game Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of Generic ICMP Detected	User Behavioral Analytics
UBA: Unusual Scanning of Generic TCP Detected	User Behavioral Analytics
UBA: Unusual Scanning of Generic UDP Detected	User Behavioral Analytics
UBA: Unusual Scanning of IRC Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of LDAP Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of Mail Servers Detected	User Behavioral Analytics
UBA: Unusual Scanning of Messaging Servers Detected	User Behavioral Analytics