Default Correlation Alerts
Navigate to "Settings > Alerts > Realtime". The Realtime page shows all alerts defined in CYBERQUEST. This is the list of all default alerts defined in CYBERQUEST:
No. | Default Alerts |
---|---|
1 | A computer account was removed from domain |
2 | A computer account was added to domain |
3 | UBA - User set to Non-Expiring Password |
4 | UBA - Restricted Domain Account Failed Logon |
5 | UBA - Failed Domain Logon on Restricted Host |
6 | UBA - Domain User Logon After Multiple Failed Attempts |
7 | UBA - Domain User Failed Logon Due to Invalid Password |
8 | UBA - User Logon from Multiple IP Addresses |
9 | UBA - User Logon from Multiple Hosts |
10 | UBA - Username ending with Dollar Sign |
11 | UBA - Remote Login to Server |
12 | UBA - New User Observed |
13 | UBA - Login Attempt from User with Expired Password |
14 | UBA - Login Attempt from Locked or Disabled Account |
15 | Domain Policy - User Removed from Local Security Group |
16 | Domain Policy - User Removed from Domain Security Group |
17 | Domain Policy - User Added to Local Security Group |
18 | Domain Policy - User Added to Domain Security Group |
19 | Domain Policy - Group Policy Object Modified |
20 | Domain Policy - Group Policy Object Created |
21 | Domain Policy - Group Policy Object Deleted |
22 | Domain Policy - Domain Policy Changed |
23 | Windows - Multiple Failed Packaged App Applocker Events - Multiple Hosts |
24 | Windows - Multiple Failed Packaged App Applocker Events - Single Host |
25 | Windows - Multiple Failed MSI or Script Applocker Events - Multiple Hosts |
26 | Windows - Multiple Failed MSI or Script Applocker Events - Single Host |
27 | Windows - Multiple Failed EXE or DLL Applocker Events - Multiple Hosts |
28 | Windows - Multiple Failed EXE or DLL Applocker Events - Single Host |
29 | Windows - BSoD System Crashes on Multiple Hosts |
30 | Windows - BSoD System Crashes on a Single Host |
31 | Windows - Application Crashes or Hangs on Multiple Hosts |
32 | Windows - Application Crashes or Hangs on a Single Host |
33 | Windows - System or Service Failures on a Single Host |
34 | Administrator Account logon on 2000-2003-XP |
35 | Administrator Account Logon on Vista-2008 or Later |
36 | Domain User Failed Logon Due to Invalid Password |
37 | Software Uninstalled |
38 | New Software Installation |
39 | FTP Scan Distinct DestIP |
40 | High data received flow single event |
41 | High data transfered flow single event |
42 | User Logon Failed on not allowed computer |
43 | User Failed Logon outside his time of day restrictions |
44 | Locked Out Domain Account Failed Logon |
45 | Disable Domain Account Failed Logon |
46 | Domain Account Created |
47 | Failed Logon Due to Invalid Domain Username |
48 | Network admin login |
49 | File Deleted |
50 | SSH Scan Distinct DestIP |
51 | Print Doc Confidential |
52 | External IP FTP Scan |
53 | VNC Scan |
54 | PostgreSQL Scan |
55 | Telnet Scan |
56 | Windows RPC Scan |
57 | RDP Scan |
58 | MySQL Scan |
59 | MSSQL Scan |
60 | SSH Scan |
61 | Event Log Cleared |
62 | Internal IP FTP Scan |
63 | ICMP Scan |
64 | VPN Geographic Impossible Traveling |
65 | Malware Detection |
66 | Network Intrusion Detection |
67 | FortiGate UTM-WAF High Severity Level |
68 | Domain OR Enterprise Admins Modification |
69 | Network DoS |
70 | Network DDoS on Other Protocol |
71 | Network DDoS on ICMP Protocol |
72 | Network DDoS on TCP Protocol |
73 | Network DDoS on UDP Protocol |
74 | High dataTransfer flow |
75 | 3 failed SU password for root |
76 | Unable to log events to Windows Security |
77 | A security-enabled universal group was changed |
78 | A security-enabled universal group was created |
79 | A security-enabled global group was changed |
80 | A security-enabled local group was changed |
81 | A security-enabled local group was deleted |
82 | A member was removed to a AD Local Group |
83 | A member was added to a AD Local Group |
84 | A security-enabled global group was created |
85 | User Added/Removed from AD Global Group |
86 | A security-enabled local group was created |
87 | A security-enabled global group was deleted |
88 | User Added/Removed from AD Global Admins Group |
89 | Windows Authentication Brute Force same UserName And Computer |
90 | ROOT authentication failure |
91 | VPN Login and RDP with another UserName |
92 | Authorization policy change |
93 | Active Directory Domain Policy modified |
94 | Drop table or database alert |
95 | Blacklist IP Alert |
96 | Linux authentication failure |
97 | Audit policy change |
98 | Successful Login After Multiple Fails |
99 | DDOS |
100 | Cleared event Logs |