{
"$defs": {
"AllContentEnum": {
"description": "Enum for Security Content that is used in production.\n\nNOTE: This enum is dynamically populated at runtime.",
"enum": [
"0bj3ctivity Stealer",
"3CX Supply Chain Attack",
"3cx_ioc_domains",
"AMOS Stealer",
"APT29 Diplomatic Deceptions with WINELOADER",
"APT37 Rustonotto and FadeStealer",
"ASL AWS CloudTrail",
"AWS Bedrock Security",
"AWS CloudTrail",
"AWS CloudTrail AssumeRoleWithSAML",
"AWS CloudTrail ConsoleLogin",
"AWS CloudTrail CopyObject",
"AWS CloudTrail CreateAccessKey",
"AWS CloudTrail CreateKey",
"AWS CloudTrail CreateLoginProfile",
"AWS CloudTrail CreateNetworkAclEntry",
"AWS CloudTrail CreatePolicyVersion",
"AWS CloudTrail CreateSnapshot",
"AWS CloudTrail CreateTask",
"AWS CloudTrail CreateVirtualMFADevice",
"AWS CloudTrail DeactivateMFADevice",
"AWS CloudTrail DeleteAccountPasswordPolicy",
"AWS CloudTrail DeleteAlarms",
"AWS CloudTrail DeleteDetector",
"AWS CloudTrail DeleteGroup",
"AWS CloudTrail DeleteGuardrail",
"AWS CloudTrail DeleteIPSet",
"AWS CloudTrail DeleteKnowledgeBase",
"AWS CloudTrail DeleteLogGroup",
"AWS CloudTrail DeleteLogStream",
"AWS CloudTrail DeleteLoggingConfiguration",
"AWS CloudTrail DeleteModelInvocationLoggingConfiguration",
"AWS CloudTrail DeleteNetworkAclEntry",
"AWS CloudTrail DeletePolicy",
"AWS CloudTrail DeleteRule",
"AWS CloudTrail DeleteRuleGroup",
"AWS CloudTrail DeleteSnapshot",
"AWS CloudTrail DeleteTrail",
"AWS CloudTrail DeleteVirtualMFADevice",
"AWS CloudTrail DeleteWebACL",
"AWS CloudTrail DescribeEventAggregates",
"AWS CloudTrail DescribeImageScanFindings",
"AWS CloudTrail DescribeSnapshotAttribute",
"AWS CloudTrail GetAccountPasswordPolicy",
"AWS CloudTrail GetObject",
"AWS CloudTrail GetPasswordData",
"AWS CloudTrail InvokeModel",
"AWS CloudTrail JobCreated",
"AWS CloudTrail ListFoundationModels",
"AWS CloudTrail ModifyDBInstance",
"AWS CloudTrail ModifyImageAttribute",
"AWS CloudTrail ModifySnapshotAttribute",
"AWS CloudTrail PutBucketAcl",
"AWS CloudTrail PutBucketLifecycle",
"AWS CloudTrail PutBucketReplication",
"AWS CloudTrail PutBucketVersioning",
"AWS CloudTrail PutImage",
"AWS CloudTrail PutKeyPolicy",
"AWS CloudTrail ReplaceNetworkAclEntry",
"AWS CloudTrail SetDefaultPolicyVersion",
"AWS CloudTrail StopLogging",
"AWS CloudTrail UpdateAccountPasswordPolicy",
"AWS CloudTrail UpdateLoginProfile",
"AWS CloudTrail UpdateSAMLProvider",
"AWS CloudTrail UpdateTrail",
"AWS CloudWatchLogs VPCflow",
"AWS Cloudfront",
"AWS Defense Evasion",
"AWS IAM Privilege Escalation",
"AWS Identity and Access Management Account Takeover",
"AWS Network ACL Activity",
"AWS S3 Bucket Security Monitoring",
"AWS Security Hub",
"AWS Security Hub Alerts",
"AWS User Monitoring",
"Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring",
"AcidPour",
"AcidRain",
"Active Directory Discovery",
"Active Directory Kerberos Attacks",
"Active Directory Lateral Movement",
"Active Directory Password Spraying",
"Active Directory Privilege Escalation",
"Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360",
"AgentTesla",
"Amadey",
"Apache Struts Vulnerability",
"Apache Tomcat Session Deserialization Attacks",
"AppLocker",
"ArcaneDoor",
"Asset Tracking",
"AsyncRAT",
"Atlassian Confluence Server and Data Center CVE-2022-26134",
"AwfulShred",
"Axios Supply Chain Post Compromise",
"Azorult",
"Azure Active Directory",
"Azure Active Directory Account Takeover",
"Azure Active Directory Add app role assignment to service principal",
"Azure Active Directory Add member to role",
"Azure Active Directory Add owner to application",
"Azure Active Directory Add service principal",
"Azure Active Directory Add unverified domain",
"Azure Active Directory Consent to application",
"Azure Active Directory Disable Strong Authentication",
"Azure Active Directory Enable account",
"Azure Active Directory Invite external user",
"Azure Active Directory MicrosoftGraphActivityLogs",
"Azure Active Directory NonInteractiveUserSignInLogs",
"Azure Active Directory Persistence",
"Azure Active Directory Privilege Escalation",
"Azure Active Directory Reset password (by admin)",
"Azure Active Directory Set domain authentication",
"Azure Active Directory Sign-in activity",
"Azure Active Directory Update application",
"Azure Active Directory Update authorization policy",
"Azure Active Directory Update user",
"Azure Active Directory User registered security info",
"Azure Audit Create or Update an Azure Automation Runbook",
"Azure Audit Create or Update an Azure Automation account",
"Azure Audit Create or Update an Azure Automation webhook",
"Azure Monitor Activity",
"BITS Jobs",
"Backdoor Pingpong",
"Baron Samedit CVE-2021-3156",
"Baseline Of Kubernetes Container Network IO",
"Baseline Of Kubernetes Container Network IO Ratio",
"Baseline Of Kubernetes Process Resource",
"Baseline Of Kubernetes Process Resource Ratio",
"Baseline Of Open S3 Bucket Decommissioning",
"Baseline of Network ACL Activity by ARN",
"Baseline of S3 Bucket deletion activity by ARN",
"Baseline of Security Group Activity by ARN",
"Baseline of blocked outbound traffic from AWS",
"BishopFox Sliver Adversary Emulation Framework",
"Black Basta Ransomware",
"BlackByte Ransomware",
"BlackLotus Campaign",
"BlackMatter Ransomware",
"BlackSuit Ransomware",
"BlankGrabber Stealer",
"Brand Monitoring",
"Braodo Stealer",
"Bro conn",
"Bro dns",
"Bro files",
"Bro http",
"Bro loaded_scripts",
"Bro ntp",
"Bro ocsp",
"Bro ssl",
"Bro weird",
"Bro x509",
"Browser Hijacking",
"Brute Ratel C4",
"CISA AA22-257A",
"CISA AA22-264A",
"CISA AA22-277A",
"CISA AA22-320A",
"CISA AA23-347A",
"CISA AA24-241A",
"CVE-2022-40684 Fortinet Appliance Auth bypass",
"CVE-2023-21716 Word RTF Heap Corruption",
"CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server",
"CVE-2023-23397 Outlook Elevation of Privilege",
"CVE-2023-36884 Office and Windows HTML RCE Vulnerability",
"Cactus Ransomware",
"Caddy Wiper",
"Castle RAT",
"Chaos Ransomware",
"China-Nexus Threat Activity",
"CircleCI",
"Cisco AI Defense Alerts",
"Cisco ASA Logs",
"Cisco Catalyst SD-WAN Analytics",
"Cisco Duo Activity",
"Cisco Duo Administrator",
"Cisco Duo Suspicious Activity",
"Cisco IOS Logs",
"Cisco IOS XE Software Web Management User Interface vulnerability",
"Cisco Isovalent Process Connect",
"Cisco Isovalent Process Exec",
"Cisco Isovalent Process Kprobe",
"Cisco Isovalent Suspicious Activity",
"Cisco Network Visibility Module Analytics",
"Cisco Network Visibility Module Flow Data",
"Cisco Network Visibility Module OSquery",
"Cisco SD-WAN NTCE 1000001",
"Cisco SD-WAN Service Proxy Access Logs",
"Cisco Secure Access Analytics",
"Cisco Secure Access Firewall",
"Cisco Secure Firewall Threat Defense Analytics",
"Cisco Secure Firewall Threat Defense Connection Event",
"Cisco Secure Firewall Threat Defense File Event",
"Cisco Secure Firewall Threat Defense Intrusion Event",
"Cisco Smart Install Remote Code Execution CVE-2018-0171",
"Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966",
"Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777",
"Citrix Netscaler ADC CVE-2023-3519",
"Citrix ShareFile RCE CVE-2023-24489",
"Cleo File Transfer Software",
"Clop Ransomware",
"Cloud Cryptomining",
"Cloud Federated Credential Abuse",
"Cobalt Strike",
"ColdRoot MacOS RAT",
"Collection and Staging",
"Command And Control",
"Compromised Linux Host",
"Compromised User Account",
"Compromised Windows Host",
"Confluence Data Center and Confluence Server Vulnerabilities",
"ConnectWise ScreenConnect Vulnerabilities",
"Count of Unique IPs Connecting to Ports",
"Count of assets by category",
"Create a list of approved AWS service accounts",
"Credential Dumping",
"Critical Alerts",
"CrowdStrike Falcon Stream Alert",
"CrowdStrike ProcessRollup2",
"CrushFTP",
"CrushFTP Vulnerabilities",
"Crypto Stealer",
"Cyclops Blink",
"DHS Report TA18-074A",
"DNS Amplification Attacks",
"DNS Hijacking",
"DNSTwist Domain Names",
"DarkCrystal RAT",
"DarkGate Malware",
"DarkSide Ransomware",
"Data Destruction",
"Data Exfiltration",
"Data Protection",
"Default Baseline",
"Default EventBasedDetection",
"Defense Evasion or Unauthorized Access Via SDDL Tampering",
"Deobfuscate-Decode Files or Information",
"Derusbi",
"Detect Zerologon Attack",
"Dev Sec Ops",
"Disabling Security Tools",
"Discover DNS records",
"Disk Wiper",
"Domain Trust Discovery",
"Double Zero Destructor",
"Dynamic DNS",
"DynoWiper",
"ESXi Post Compromise",
"Earth Alux",
"Emotet Malware DHS Report TA18-201A",
"F5 Authentication Bypass with TMUI",
"F5 BIG-IP Vulnerability CVE-2022-1388",
"F5 TMUI RCE CVE-2020-5902",
"FIN7",
"Fake CAPTCHA Campaigns",
"Flax Typhoon",
"Forest Blizzard",
"Fortinet FortiNAC CVE-2022-39952",
"G Suite Drive",
"G Suite Gmail",
"GCP Account Takeover",
"GCP Cross Account Activity",
"Gh0st RAT",
"GhostRedirector IIS Module and Rungan Backdoor",
"GitHub Enterprise Audit Logs",
"GitHub Malicious Activity",
"GitHub Organizations Audit Logs",
"GitHub Webhooks",
"Gomir",
"Google Workspace",
"Google Workspace login_failure",
"Google Workspace login_success",
"Gozi Malware",
"Graceful Wipe Out Attack",
"HAFNIUM Group",
"HTTP Request Smuggling",
"Handala Wiper",
"Hellcat Ransomware",
"Hermetic Wiper",
"Hidden Cobra Malware",
"IIS Components",
"IcedID",
"Identify Systems Creating Remote Desktop Traffic",
"Identify Systems Receiving Remote Desktop Traffic",
"Identify Systems Using Remote Desktop",
"Industroyer2",
"Information Sabotage",
"Ingress Tool Transfer",
"Insider Threat",
"Interlock Ransomware",
"Interlock Rat",
"Ivanti Connect Secure VPN Vulnerabilities",
"Ivanti EPM Vulnerabilities",
"Ivanti EPMM Remote Unauthenticated Access",
"Ivanti Sentry Authentication Bypass CVE-2023-38035",
"Ivanti VTM Audit",
"Ivanti Virtual Traffic Manager CVE-2024-7593",
"JBoss Vulnerability",
"Jenkins Server Vulnerabilities",
"JetBrains TeamCity Unauthenticated RCE",
"JetBrains TeamCity Vulnerabilities",
"Juniper JunOS Remote Code Execution",
"Kerberos Coercion with DNS",
"Kubernetes Audit",
"Kubernetes Falco",
"Kubernetes Scanning Activity",
"Kubernetes Security",
"Kubernetes Sensitive Object Access Activity",
"LAMEHUG",
"Linux Auditd Add User",
"Linux Auditd Cwd",
"Linux Auditd Daemon Abort",
"Linux Auditd Daemon End",
"Linux Auditd Daemon Start",
"Linux Auditd Execve",
"Linux Auditd Path",
"Linux Auditd Proctitle",
"Linux Auditd Service Stop",
"Linux Auditd Syscall",
"Linux Living Off The Land",
"Linux Persistence Techniques",
"Linux Post-Exploitation",
"Linux Privilege Escalation",
"Linux Rootkit",
"Linux Secure",
"Living Off The Land",
"Local Privilege Escalation With KrbRelayUp",
"LockBit Ransomware",
"Log4Shell CVE-2021-44228",
"Lokibot",
"Lotus Blossom Chrysalis Backdoor",
"Lumma Stealer",
"M365 Copilot Graph API",
"M365 Exported eDiscovery Prompts",
"MCP Server",
"MOVEit Transfer Authentication Bypass",
"MOVEit Transfer Critical Vulnerability",
"MS Defender ATP Alerts",
"MS365 Defender Incident Alerts",
"MSIX Package Abuse",
"MacOS Persistence Techniques",
"MacOS Post-Exploitation",
"MacOS Privilege Escalation",
"Malicious Inno Setup Loader",
"Malicious PowerShell",
"Masquerading - Rename System Utilities",
"Medusa Ransomware",
"Medusa Rootkit",
"Meduza Stealer",
"MetaSploit",
"Meterpreter",
"Microsoft MSHTML Remote Code Execution CVE-2021-40444",
"Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357",
"Microsoft SharePoint Vulnerabilities",
"Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190",
"Microsoft WSUS CVE-2025-59287",
"Monitor for Updates",
"MoonPeak",
"MuddyWater",
"NOBELIUM Group",
"NPM Supply Chain Compromise",
"NTLM Operational 8004",
"NTLM Operational 8005",
"NTLM Operational 8006",
"NailaoLocker Ransomware",
"NetSupport RMM Tool Abuse",
"Netsh Abuse",
"Network Discovery",
"Nginx Access",
"NjRAT",
"NotDoor Malware",
"O365",
"O365 Add app role assignment grant to user.",
"O365 Add app role assignment to service principal.",
"O365 Add member to role.",
"O365 Add owner to application.",
"O365 Add service principal.",
"O365 Add-MailboxPermission",
"O365 Change user license.",
"O365 Consent to application.",
"O365 Disable Strong Authentication.",
"O365 MailItemsAccessed",
"O365 ModifyFolderPermissions",
"O365 Set Company Information.",
"O365 Set-Mailbox",
"O365 Update application.",
"O365 Update authorization policy.",
"O365 Update user.",
"O365 UserLoggedIn",
"O365 UserLoginFailed",
"Office 365 Account Takeover",
"Office 365 Collection Techniques",
"Office 365 Persistence Mechanisms",
"Office 365 Reporting Message Trace",
"Office 365 Universal Audit Log",
"Okta",
"Okta Account Takeover",
"Okta MFA Exhaustion",
"Ollama Server",
"OpenSSL CVE-2022-3602",
"Oracle E-Business Suite Exploitation",
"Orangeworm Attack Group",
"Osquery Results",
"Outlook RCE CVE-2024-21378",
"PHP-CGI RCE Attack on Japanese Organizations",
"PXA Stealer",
"Palo Alto Network Threat",
"Palo Alto Network Traffic",
"PaperCut MF NG Vulnerability",
"PathWiper",
"PetitPotam NTLM Relay on Active Directory Certificate Services",
"Phemedrone Stealer",
"PingID",
"PlugX",
"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns",
"Powershell Installed IIS Modules",
"Powershell SIP Inventory",
"Powershell Script Block Logging 4104",
"Prestige Ransomware",
"Previously Seen Cloud API Calls Per User Role - Initial",
"Previously Seen Cloud API Calls Per User Role - Update",
"Previously Seen Cloud Compute Creations By User - Initial",
"Previously Seen Cloud Compute Creations By User - Update",
"Previously Seen Cloud Compute Images - Initial",
"Previously Seen Cloud Compute Images - Update",
"Previously Seen Cloud Compute Instance Types - Initial",
"Previously Seen Cloud Compute Instance Types - Update",
"Previously Seen Cloud Instance Modifications By User - Initial",
"Previously Seen Cloud Instance Modifications By User - Update",
"Previously Seen Cloud Provisioning Activity Sources - Initial",
"Previously Seen Cloud Provisioning Activity Sources - Update",
"Previously Seen Cloud Regions - Initial",
"Previously Seen Cloud Regions - Update",
"Previously Seen Running Windows Services - Initial",
"Previously Seen Running Windows Services - Update",
"Previously Seen Users In CloudTrail - Update",
"Previously Seen Users in CloudTrail - Initial",
"Previously Seen Zoom Child Processes - Initial",
"Previously Seen Zoom Child Processes - Update",
"Previously seen S3 bucket access by remote IP",
"Previously seen command line arguments",
"PrintNightmare CVE-2021-34527",
"Prohibited Traffic Allowed or Protocol Mismatch",
"PromptFlux",
"PromptLock",
"ProxyNotShell",
"ProxyShell",
"Qakbot",
"Quasar RAT",
"QuietVault",
"RMM Software Tracking",
"Ransomware",
"Ransomware Cloud",
"React2Shell",
"RedLine Stealer",
"Remcos",
"Remote Employment Fraud",
"Remote Monitoring and Management Software",
"Reverse Network Proxy",
"Revil Ransomware",
"Rhysida Ransomware",
"Router and Infrastructure Security",
"Ryuk Ransomware",
"SAP NetWeaver Exploitation",
"SQL Injection",
"SQL Server Abuse",
"Salt Typhoon",
"SamSam Ransomware",
"Sandworm Tools",
"Scattered Lapsus$ Hunters",
"Scattered Spider",
"Scheduled Tasks",
"Seashell Blizzard",
"Secret Blizzard",
"Security Solution Tampering",
"SesameOp",
"ShrinkLocker",
"Signed Binary Proxy Execution InstallUtil",
"Silver Sparrow",
"Snake Keylogger",
"Snake Malware",
"SnappyBee",
"Sneaky Active Directory Persistence Tricks",
"SolarWinds WHD RCE Post Exploitation",
"Spearphishing Attachments",
"Splunk",
"Splunk AppDynamics Secure Application Alert",
"Splunk Common Information Model (CIM)",
"Splunk Stream HTTP",
"Splunk Stream IP",
"Splunk Stream TCP",
"Spring4Shell CVE-2022-22965",
"StealC Stealer",
"Storm-0501 Ransomware",
"Storm-2460 CLFS Zero Day Exploitation",
"Subvert Trust Controls SIP and Trust Provider Hijacking",
"Suricata",
"Suspicious AWS Login Activities",
"Suspicious AWS S3 Activities",
"Suspicious AWS Traffic",
"Suspicious Cisco Adaptive Security Appliance Activity",
"Suspicious Cloud Authentication Activities",
"Suspicious Cloud Instance Activities",
"Suspicious Cloud Provisioning Activities",
"Suspicious Cloud User Activities",
"Suspicious Command-Line Executions",
"Suspicious Compiled HTML Activity",
"Suspicious DNS Traffic",
"Suspicious Emails",
"Suspicious GCP Storage Activities",
"Suspicious Local LLM Frameworks",
"Suspicious MCP Activities",
"Suspicious MSHTA Activity",
"Suspicious Microsoft 365 Copilot Activities",
"Suspicious Okta Activity",
"Suspicious Ollama Activities",
"Suspicious Regsvcs Regasm Activity",
"Suspicious Regsvr32 Activity",
"Suspicious Rundll32 Activity",
"Suspicious User Agents",
"Suspicious WMI Use",
"Suspicious Windows Registry Activities",
"Suspicious Zoom Child Processes",
"Swift Slicer",
"SysAid On-Prem Software CVE-2023-47246 Vulnerability",
"Sysmon EventID 1",
"Sysmon EventID 10",
"Sysmon EventID 11",
"Sysmon EventID 12",
"Sysmon EventID 13",
"Sysmon EventID 14",
"Sysmon EventID 15",
"Sysmon EventID 17",
"Sysmon EventID 18",
"Sysmon EventID 20",
"Sysmon EventID 21",
"Sysmon EventID 22",
"Sysmon EventID 23",
"Sysmon EventID 26",
"Sysmon EventID 29",
"Sysmon EventID 3",
"Sysmon EventID 5",
"Sysmon EventID 6",
"Sysmon EventID 7",
"Sysmon EventID 8",
"Sysmon EventID 9",
"Sysmon for Linux EventID 1",
"Sysmon for Linux EventID 11",
"SystemBC",
"Telnetd CVE-2026-24061",
"Termite Ransomware",
"Text4Shell CVE-2022-42889",
"Threat Activity by Snort IDs",
"Trickbot",
"Trusted Developer Utilities Proxy Execution",
"Trusted Developer Utilities Proxy Execution MSBuild",
"Tuoni",
"Unusual Processes",
"Use of Cleartext Protocols",
"VIP Keylogger",
"VMWare ESXi Syslog",
"VMware Aria Operations vRealize CVE-2023-20887",
"VMware ESXi AD Integration Authentication Bypass CVE-2024-37085",
"VMware Server Side Injection and Privilege Escalation",
"ValleyRAT",
"VanHelsing Ransomware",
"Void Manticore",
"VoidLink Cloud-Native Linux Malware",
"Volt Typhoon",
"WS FTP Server Critical Vulnerabilities",
"Warzone RAT",
"Water Gamayun",
"WhisperGate",
"WinDealer RAT",
"WinRAR Spoofing Attack CVE-2023-38831",
"Windows Active Directory Admon",
"Windows AppLocker",
"Windows Attack Surface Reduction",
"Windows Audit Policy Tampering",
"Windows BootKits",
"Windows Certificate Services",
"Windows DNS SIGRed CVE-2020-1350",
"Windows Defender Alerts",
"Windows Defense Evasion Tactics",
"Windows Discovery Techniques",
"Windows Drivers",
"Windows Error Reporting Service Elevation of Privilege Vulnerability",
"Windows Event Log AppXDeployment-Server 400",
"Windows Event Log AppXDeployment-Server 854",
"Windows Event Log AppXDeployment-Server 855",
"Windows Event Log AppXPackaging 171",
"Windows Event Log Application 15457",
"Windows Event Log Application 17135",
"Windows Event Log Application 2282",
"Windows Event Log Application 3000",
"Windows Event Log Application 8128",
"Windows Event Log CAPI2 70",
"Windows Event Log CAPI2 81",
"Windows Event Log CertificateServicesClient 1007",
"Windows Event Log Defender 1121",
"Windows Event Log Defender 1122",
"Windows Event Log Defender 1125",
"Windows Event Log Defender 1126",
"Windows Event Log Defender 1129",
"Windows Event Log Defender 1131",
"Windows Event Log Defender 1132",
"Windows Event Log Defender 1133",
"Windows Event Log Defender 1134",
"Windows Event Log Defender 5007",
"Windows Event Log Microsoft Windows TerminalServices RDPClient 1024",
"Windows Event Log Printservice 316",
"Windows Event Log Printservice 4909",
"Windows Event Log Printservice 808",
"Windows Event Log RemoteConnectionManager 1149",
"Windows Event Log Security 1100",
"Windows Event Log Security 1102",
"Windows Event Log Security 4624",
"Windows Event Log Security 4625",
"Windows Event Log Security 4627",
"Windows Event Log Security 4648",
"Windows Event Log Security 4662",
"Windows Event Log Security 4663",
"Windows Event Log Security 4672",
"Windows Event Log Security 4688",
"Windows Event Log Security 4698",
"Windows Event Log Security 4699",
"Windows Event Log Security 4700",
"Windows Event Log Security 4702",
"Windows Event Log Security 4703",
"Windows Event Log Security 4719",
"Windows Event Log Security 4720",
"Windows Event Log Security 4724",
"Windows Event Log Security 4725",
"Windows Event Log Security 4726",
"Windows Event Log Security 4727",
"Windows Event Log Security 4728",
"Windows Event Log Security 4730",
"Windows Event Log Security 4731",
"Windows Event Log Security 4732",
"Windows Event Log Security 4737",
"Windows Event Log Security 4738",
"Windows Event Log Security 4739",
"Windows Event Log Security 4741",
"Windows Event Log Security 4742",
"Windows Event Log Security 4744",
"Windows Event Log Security 4749",
"Windows Event Log Security 4754",
"Windows Event Log Security 4756",
"Windows Event Log Security 4759",
"Windows Event Log Security 4768",
"Windows Event Log Security 4769",
"Windows Event Log Security 4771",
"Windows Event Log Security 4776",
"Windows Event Log Security 4781",
"Windows Event Log Security 4783",
"Windows Event Log Security 4790",
"Windows Event Log Security 4794",
"Windows Event Log Security 4798",
"Windows Event Log Security 4876",
"Windows Event Log Security 4886",
"Windows Event Log Security 4887",
"Windows Event Log Security 4946",
"Windows Event Log Security 4947",
"Windows Event Log Security 4948",
"Windows Event Log Security 5136",
"Windows Event Log Security 5137",
"Windows Event Log Security 5140",
"Windows Event Log Security 5141",
"Windows Event Log Security 5145",
"Windows Event Log System 104",
"Windows Event Log System 4720",
"Windows Event Log System 4726",
"Windows Event Log System 4728",
"Windows Event Log System 7036",
"Windows Event Log System 7040",
"Windows Event Log System 7045",
"Windows Event Log TaskScheduler 200",
"Windows Event Log TaskScheduler 201",
"Windows File Extension and Association Abuse",
"Windows IIS",
"Windows IIS 29",
"Windows Log Manipulation",
"Windows Persistence Techniques",
"Windows Post-Exploitation",
"Windows Privilege Escalation",
"Windows RDP Artifacts and Defense Evasion",
"Windows Registry Abuse",
"Windows Service Abuse",
"Windows System Binary Proxy Execution MSIExec",
"Windows Updates Install Failures",
"Windows Updates Install Successes",
"Winter Vivern",
"WordPress Vulnerabilities",
"XML Runner Loader",
"XMRig",
"XWorm",
"XorDDos",
"ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day",
"ZOVWiper",
"Zeek Conn",
"Zscaler Browser Proxy Threats",
"ace_access_rights_lookup",
"ace_flag_lookup",
"ace_type_lookup",
"admon",
"advanced_audit_policy_guids",
"amazon_security_lake",
"api_call_by_user_baseline",
"appdynamics_security",
"applocker",
"applockereventcodes",
"asr_rules",
"attacker_tools",
"aws_cloudwatchlogs_eks",
"aws_config",
"aws_description",
"aws_ecr_users",
"aws_ecr_users_asl",
"aws_s3_accesslogs",
"aws_securityhub_finding",
"aws_securityhub_firehose",
"aws_service_accounts",
"azure_audit",
"azure_monitor_aad",
"azure_monitor_activity",
"azuread",
"base64decode",
"baseline_blocked_outbound_connections",
"bootloader_inventory",
"brandMonitoring_lookup",
"brand_abuse_dns",
"brand_abuse_email",
"brand_abuse_web",
"browser_app_list",
"browser_process_and_path",
"builtin_groups_lookup",
"capi2_operational",
"certificateservices_lifecycle",
"char_conversion_matrix",
"circleci",
"cisco_ai_defense",
"cisco_asa",
"cisco_duo_activity",
"cisco_duo_administrator",
"cisco_isovalent",
"cisco_isovalent_allowed_images",
"cisco_isovalent_process_connect",
"cisco_isovalent_process_exec",
"cisco_network_visibility_module_flowdata",
"cisco_networks",
"cisco_sd_wan_service_proxy_access",
"cisco_sd_wan_syslog",
"cisco_secure_firewall",
"cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools",
"cisco_secure_firewall_filetype_lookup",
"cisco_secure_firewall_inside_to_outside",
"cisco_snort_ids_to_threat_mapping",
"cloud_api_calls_from_previously_unseen_user_roles_activity_window",
"cloud_instances_enough_data",
"cloudtrail",
"cloudwatch_eks",
"cloudwatch_vpc",
"cloudwatchlogs_vpcflow",
"crowdstrike_identities",
"crowdstrike_stream",
"crushftp",
"decommissioned_buckets",
"discovered_dns_records",
"domain_admins",
"domains",
"driverinventory",
"dynamic_dns_providers",
"dynamic_dns_providers_default",
"dynamic_dns_providers_local",
"dynamic_dns_web_traffic",
"ec2_modification_api_calls",
"esxi_syslog",
"evilginx_phishlets_0365",
"evilginx_phishlets_amazon",
"evilginx_phishlets_aws",
"evilginx_phishlets_facebook",
"evilginx_phishlets_github",
"evilginx_phishlets_google",
"evilginx_phishlets_outlook",
"excluded_cloud_binaries",
"executable_extensions",
"f5_bigip_rogue",
"fillnull_config",
"filter_rare_process_allow_list",
"github",
"github_enterprise",
"github_known_users",
"github_organizations",
"google_gcp_pubnet_message",
"google_gcp_pubsub_message",
"gsuite_calendar",
"gsuite_drive",
"gsuite_gmail",
"gws_login_mfa_methods",
"gws_reports_admin",
"gws_reports_login",
"hijacklibs",
"hijacklibs_loaded",
"iis_get_webglobalmodule",
"iis_operational_logs",
"images_to_repository",
"important_audit_policy_subcategory_guids",
"is_net_windows_file",
"is_net_windows_file_macro",
"is_nirsoft_software",
"is_nirsoft_software_macro",
"is_suspicious_file_extension_lookup",
"is_windows_system_file",
"is_windows_system_file_macro",
"ivanti_vtm_audit",
"k8s_container_network_io_baseline",
"k8s_container_network_io_ratio_baseline",
"k8s_process_resource_baseline",
"k8s_process_resource_ratio_baseline",
"kube_allowed_images",
"kube_allowed_locations",
"kube_allowed_user_agents",
"kube_allowed_user_groups",
"kube_allowed_user_names",
"kube_audit",
"kube_container_falco",
"kube_objects_events",
"kubernetes_azure",
"kubernetes_container_controller",
"kubernetes_metrics",
"legit_domains",
"linux_auditd",
"linux_auditd_normalized_execve_process",
"linux_auditd_normalized_proctitle_process",
"linux_hosts",
"linux_offsec_tool_processes",
"linux_shells",
"linux_tool_discovery_process",
"local_file_inclusion_paths",
"lolbas_file_path",
"loldrivers",
"lookup_rare_process_allow_list_default",
"lookup_rare_process_allow_list_local",
"lookup_uncommon_processes_default",
"lookup_uncommon_processes_local",
"m365_copilot_graph_api",
"m365_exported_ediscovery_prompt_logs",
"malicious_powershell_strings",
"malware_user_agents",
"mandatory_job_for_workflow",
"mandatory_step_for_job",
"mcp_server",
"moveit_sftp_logs",
"ms365_defender_incident_alerts",
"ms_defender",
"ms_defender_atp_alerts",
"msad_guid_lookup",
"msexchange_management",
"netbackup",
"network_acl_activity_baseline",
"network_acl_events",
"nginx_access_logs",
"non_public_ip_blocks",
"normalized_service_binary_field",
"ntlm_audit",
"o365_graph",
"o365_management_activity",
"o365_messagetrace",
"o365_suspect_search_terms_regex",
"okta",
"oldsummaries_config",
"ollama_server",
"osquery_macro",
"osquery_process",
"papercutng",
"pingid",
"potential_password_in_username_false_positive_reduction",
"potentially_malicious_code_on_cmdline_tokenize_score",
"powershell",
"previously_seen_S3_access_from_remote_ip",
"previously_seen_api_calls_from_user_roles",
"previously_seen_aws_cross_account_activity",
"previously_seen_aws_regions",
"previously_seen_cloud_api_calls_per_user_role",
"previously_seen_cloud_api_calls_per_user_role_forget_window",
"previously_seen_cloud_compute_creations_by_user",
"previously_seen_cloud_compute_creations_by_user_search_window_begin_offset",
"previously_seen_cloud_compute_image_search_window_begin_offset",
"previously_seen_cloud_compute_images",
"previously_seen_cloud_compute_images_forget_window",
"previously_seen_cloud_compute_instance_type_forget_window",
"previously_seen_cloud_compute_instance_types",
"previously_seen_cloud_compute_instance_types_search_window_begin_offset",
"previously_seen_cloud_instance_modifications_by_user",
"previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset",
"previously_seen_cloud_provisioning_activity_forget_window",
"previously_seen_cloud_provisioning_activity_sources",
"previously_seen_cloud_region_forget_window",
"previously_seen_cloud_regions",
"previously_seen_cloud_regions_search_window_begin_offset",
"previously_seen_cmd_line_arguments",
"previously_seen_ec2_amis_lookup",
"previously_seen_ec2_instance_types_lookup",
"previously_seen_ec2_launches_by_user_lookup",
"previously_seen_ec2_modifications_by_user",
"previously_seen_gcp_storage_access_from_remote_ip",
"previously_seen_provisioning_activity_src",
"previously_seen_running_windows_services",
"previously_seen_users_console_logins",
"previously_seen_windows_services_forget_window",
"previously_seen_windows_services_window",
"previously_seen_zoom_child_processes_forget_window",
"previously_seen_zoom_child_processes_window",
"previously_unseen_cloud_provisioning_activity_window",
"printservice",
"privileged_azure_ad_roles",
"process_auditpol",
"process_bitsadmin",
"process_certutil",
"process_cmd",
"process_copy",
"process_csc",
"process_cscript",
"process_curl",
"process_diskshadow",
"process_dllhost",
"process_dsquery",
"process_dxdiag",
"process_esentutl",
"process_fodhelper",
"process_gpupdate",
"process_hh",
"process_installutil",
"process_microsoftworkflowcompiler",
"process_msbuild",
"process_mshta",
"process_msiexec",
"process_net",
"process_netsh",
"process_nltest",
"process_ntdsutil",
"process_office_products",
"process_office_products_parent",
"process_ping",
"process_powershell",
"process_procdump",
"process_psexec",
"process_rclone",
"process_reg",
"process_regasm",
"process_regedit",
"process_regsvcs",
"process_regsvr32",
"process_route",
"process_runas",
"process_rundll32",
"process_sc",
"process_schtasks",
"process_sdelete",
"process_setspn",
"process_sqlcmd",
"process_verclsid",
"process_vssadmin",
"process_wbadmin",
"process_wermgr",
"process_wmic",
"process_wscript",
"prohibited_apps_launching_cmd",
"prohibited_apps_launching_cmd_macro",
"prohibited_processes",
"prohibited_softwares",
"pua_named_pipes",
"pua_user_agents",
"ransomware_extensions",
"ransomware_extensions_lookup",
"ransomware_notes",
"ransomware_notes_lookup",
"remote_access_software",
"remote_access_software_exceptions",
"remote_access_software_usage_exceptions",
"remoteconnectionmanager",
"remove_valid_domains",
"risk_index",
"rmm_user_agents",
"s3_accesslogs",
"s3_deletion_baseline",
"sAMAccountName Spoofing and Domain Controller Impersonation",
"scripting_tools_user_agents",
"secureapp_es_field_mappings",
"security_content_ctime",
"security_content_summariesonly",
"security_group_activity_baseline",
"security_group_api_calls",
"security_services_lookup",