Default Correlation Alerts
Navigate to "Settings > Alerts > Realtime". The Realtime page shows all alerts defined in CYBERQUEST. This is a list of all default alerts defined in CYBERQUEST:
1. A computer account was removed from domain
Description - A new event is generated containing details of a computer account that was deleted from the domain. In Active Directory, when a computer is deleted, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
2. A computer account was added to domain
Description - A new event is generated containing details of a computer account that was created in the domain. In Active Directory, when a computer object is created, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
3. UBA - User set to Non-Expiring Password
Description - A new event is generated containing details of a user whose Non-Expiring Password option is set to Enabled. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
4. UBA - Restricted Domain Account Failed Logon
Description - A new event is generated when a logon request fails on the computer where access was attempted. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
5. UBA - Failed Domain Logon on Restricted Host
Description - A new event is generated when a logon request fails. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
6. UBA - Domain User Logon After Multiple Failed Attempts
Description - A new event is generated containing details of Domain User Logon After Multiple Failed Attempts. In CYBERQUEST, this alert has 3 Rules and triggers on the first event that matches the conditions: failed logon, Multiple Login Fails Count and 1 success.
To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
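The three-rule correlation described for this alert (failed logon, a failed-logon count, then one success), written out as an added example that is not CYBERQUEST's own rule definition. The event IDs 4625 and 4624, the threshold of 5, the 10-minute window and the field names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions, not taken from the CYBERQUEST documentation:
FAILED_LOGON = 4625             # Windows Security event ID: an account failed to log on
SUCCESS_LOGON = 4624            # Windows Security event ID: an account was successfully logged on
FAIL_THRESHOLD = 5              # hypothetical value for "Multiple Login Fails Count"
WINDOW = timedelta(minutes=10)  # hypothetical correlation window


def _ev(ts, event_id, user, src_ip):
    """Build one normalized event; user names are lower-cased so 'Alice' == 'alice'."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "user": user.lower(), "src_ip": src_ip}


# Constructed sample events (hypothetical users and addresses).
SAMPLE_EVENTS = [
    # alice: 5 failures inside the window, then a success -> should alert
    _ev("2024-01-15T09:00:00", FAILED_LOGON, "alice", "10.0.0.50"),
    _ev("2024-01-15T09:00:40", FAILED_LOGON, "Alice", "10.0.0.50"),
    _ev("2024-01-15T09:01:20", FAILED_LOGON, "alice", "10.0.0.51"),
    _ev("2024-01-15T09:02:00", FAILED_LOGON, "alice", "10.0.0.50"),
    _ev("2024-01-15T09:03:10", FAILED_LOGON, "alice", "10.0.0.50"),
    _ev("2024-01-15T09:04:00", SUCCESS_LOGON, "alice", "10.0.0.50"),
    # bob: 2 failures then a success -> below the count, no alert
    _ev("2024-01-15T09:10:00", FAILED_LOGON, "bob", "10.0.0.60"),
    _ev("2024-01-15T09:10:30", FAILED_LOGON, "bob", "10.0.0.60"),
    _ev("2024-01-15T09:11:00", SUCCESS_LOGON, "bob", "10.0.0.60"),
    # alice again: a later success with no new failures -> no second alert
    _ev("2024-01-15T09:30:00", SUCCESS_LOGON, "alice", "10.0.0.50"),
    # carol: 5 failures spread over 40 minutes -> old ones expire, no alert
    _ev("2024-01-15T10:00:00", FAILED_LOGON, "carol", "10.0.0.70"),
    _ev("2024-01-15T10:10:00", FAILED_LOGON, "carol", "10.0.0.70"),
    _ev("2024-01-15T10:20:00", FAILED_LOGON, "carol", "10.0.0.70"),
    _ev("2024-01-15T10:30:00", FAILED_LOGON, "carol", "10.0.0.70"),
    _ev("2024-01-15T10:40:00", FAILED_LOGON, "carol", "10.0.0.70"),
    _ev("2024-01-15T10:41:00", SUCCESS_LOGON, "carol", "10.0.0.70"),
]


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful logon that follows >= threshold
    failed logons for the same user inside the sliding window."""
    failures = defaultdict(deque)  # user -> deque of (time, src_ip) for recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        recent = failures[ev["user"]]
        # Rule 2 bookkeeping: drop failures that fell out of the window.
        while recent and ev["time"] - recent[0][0] > window:
            recent.popleft()
        if ev["event_id"] == FAILED_LOGON:
            # Rule 1: a failed logon is recorded against the user.
            recent.append((ev["time"], ev["src_ip"]))
        elif ev["event_id"] == SUCCESS_LOGON:
            # Rule 3: one success closes the sequence; alert if the count was reached.
            if len(recent) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "failed_count": len(recent),
                    "first_failure": recent[0][0],
                    "success_time": ev["time"],
                    "failure_sources": sorted({ip for _, ip in recent}),
                    "success_source": ev["src_ip"],
                })
            # A success resets the chain, so the next alert needs new failures.
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Listing the failure sources next to the success source helps triage: a success from an address that never appeared among the failures reads differently from a user who finally typed the right password.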
7. UBA - Domain User Failed Logon Due to Invalid Password
Description - A new event is generated containing details of Domain User Failed Logon Due to Invalid Password. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon with misspelled or bad password".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
8. UBA - User Logon from Multiple IP Addresses
Description - A new event is generated when a logon session from multiple IP addresses is created. It is generated on the computer that was accessed, where the session was created.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
9. UBA - User Logon from Multiple Hosts
Description - A new event is generated containing details of User Logon from Multiple Hosts. Detects when a single user logs in from more than an allowed number of devices.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
10. UBA - Username ending with Dollar Sign
Description - A new event is generated containing details of Username ending with Dollar Sign. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
11. UBA - Remote Login to Server
Description - A new event is generated containing details of UBA - Remote Login to Server. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
12. UBA - New User Observed
Description - A new event is generated containing details of New User Observed. Detects when an account is successfully used for the first time.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
13. UBA - Login Attempt from User with Expired Password
Description - A new event is generated containing details of Login Attempt from User with Expired Password. This alert detects when a user attempted to log in to a disabled or an expired account. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon with expired password".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
14. UBA - Login Attempt from Locked or Disabled Account
Description - A new event is generated containing details of Login Attempt from Locked or Disabled Account. This alert detects when a user is trying to access the organization's resources by using a disabled or locked account. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
15. Domain Policy - User Removed from Local Security Group
Description - A new event is generated every time a member is removed from a security-enabled local group.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
16. Domain Policy - User Removed from Domain Security Group
Description - A new event is generated every time a member is removed from a security-enabled domain group.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
17. Domain Policy - User Added to Local Security Group
Description - A new event is generated every time a member is added to a security-enabled local group.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
18. Domain Policy - User Added to Domain Security Group
Description - A new event is generated every time a member is added to a security-enabled domain group.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
19. Domain Policy - Group Policy Object Modified
Description - A new event is generated containing details of Group Policy Object Modified. This event is generated every time an Active Directory object is modified.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
20. Domain Policy - Group Policy Object Created
Description - A new event is generated containing details of Group Policy Object Created. This event is generated every time an Active Directory object is created.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
21. Domain Policy - Group Policy Object Deleted
Description - A new event is generated containing details of Group Policy Object Deleted. This event is generated every time an Active Directory object is deleted.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
22. Domain Policy - Domain Policy Changed
Description - A new event is generated containing details of Domain Policy Changed. This event is generated every time an Active Directory object is changed.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
23. Windows - Multiple Failed Packaged App Applocker Events - Multiple Hosts
Description - A new event is generated containing details of Multiple Failed Packaged App Applocker Events - Multiple Hosts. The alert is generated if the message information is: "Packaged app disabled" or "Packaged app installation audited".
AppLocker can help you improve the management of application control and the maintenance of application control policies.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Microsoft-Windows-AppLocker/Packaged app-Deployment.
24. Windows - Multiple Failed Packaged App Applocker Events - Single Host
Description - A new event is generated containing details of Multiple Failed Packaged App Applocker Events - Single Host. The alert is generated if the message information is: "Packaged app disabled" or "Packaged app installation audited".
AppLocker can help you improve the management of application control and the maintenance of application control policies.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Microsoft-Windows-AppLocker/Packaged app-Deployment / Microsoft-Windows-AppLocker/Packaged app-Execution.
25. Windows - Multiple Failed MSI or Script Applocker Events - Multiple Hosts
Description - The alert is generated if events of the .msi or script type are generated more than once in a time interval on multiple hosts. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Microsoft-Windows-AppLocker/MSI and Script.
26. Windows - Multiple Failed MSI or Script Applocker Events - Single Host
Description - The alert is generated if events of the .msi or script type are generated more than once in a time interval on a single host. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions.
To receive the alert information by email, you have to click the options: and set.
Prerequisites - Microsoft-Windows-AppLocker/MSI and Script
27. Windows - Multiple Failed EXE or DLL Applocker Events - Multiple Hosts
Description - The alert is generated if events of the .exe or .dll type are generated more than once in a time interval on multiple hosts. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions:
To receive the alert information by email, you have to click the options: and set.
Prerequisites - Microsoft-Windows-AppLocker/EXE and DLL
28. Windows - Multiple Failed EXE or DLL Applocker Events - Single Host
Description - The alert is generated if events of the .exe or .dll type are generated more than once in a time interval on a single host. This event will have this error in the message: "
AppLocker can help you improve the management of application control and the maintenance of application control policies. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions.
To receive the alert information by email, you have to click the options: and set.
Prerequisites - Microsoft-Windows-AppLocker/EXE and DLL
29. Windows - BSoD System Crashes on Multiple Hosts
Description - A new event is generated containing details of BSoD System Crashes on Multiple Hosts. This alert detects when the system has rebooted without cleanly shutting down first, in a time frame on multiple hosts.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions.
To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows System Log.
30. Windows - BSoD System Crashes on a Single Host
Description - A new event is generated containing details of BSoD System Crashes on a Single Host. This alert detects when the system has rebooted without cleanly shutting down first, in a time frame on a single host.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows System Log.
31. Windows - Application Crashes or Hangs on Multiple Hosts
Description - A new event is generated containing details of Application Crashes or Hangs on Multiple Hosts. This alert detects a general application error or an application hang, in a time frame on multiple hosts.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions.
To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Application Log.
32. Windows - Application Crashes or Hangs on a Single Host
Description - A new event is generated containing details of Application Crashes or Hangs on a Single Host. This alert detects a general application error or an application hang, in a time frame on a single host.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Application Log.
33. Windows - System or Service Failures on a Single Host
Description - A new event is generated containing details of System or Service Failures on a Single Host. Service Control Manager (SCM) stops services and driver services. It also reports when services close unexpectedly or fail to restart after it takes corrective action.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows System Log.
34. Administrator Account logon on 2000-2003-XP
Description - A new event is generated containing details of Administrator Account logon on 2000-2003-XP. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
35. Administrator Account Logon on Vista-2008 or Later
Description - A new event is generated containing details of Administrator Account Logon on Vista-2008 or Later. This event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
36. Domain User Failed Logon Due to Invalid Password
Description - A new event is generated when a user fails to log on. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon with misspelled or bad password".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
37. Software Uninstalled
Description - A new event is generated when an application has been uninstalled; it gives the name of the application and the user account that uninstalled it.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Application Log.
38. New Software Installation
Description - A new event is generated containing details of New Software Installation. This event is logged when Windows Installer installed the product.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options:
Prerequisites - Windows Application Log.
39. FTP Scan Distinct DestIP
Description - A new event is generated containing details of File Transfer Protocol Scan Distinct DestIP. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
40. High data received flow single event
Description - A new event is generated containing details of High data received flow single event. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
41. High data transfered flow single event
Description - A new event is generated containing details of High data transfered flow single event. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
42. User Logon Failed on not allowed computer
Description - A new event is generated containing details of User Logon Failed on not allowed computer. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon from an unauthorized workstation".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
43. User Failed Logon outside his time of day restrictions
Description - A new event is generated containing details of User Failed Logon outside his time of day restrictions. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon outside authorized hours".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
44. Locked Out Domain Account Failed Logon
Description - A new event is generated containing details of Locked Out Domain Account Failed Logon. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon with locked account".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
45. Disable Domain Account Failed Logon
Description - A new event is generated containing details of Disable Domain Account Failed Logon. The alert is generated when the event is registered with a status and sub-status code that provides the information: "User logon to account disabled by admin".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
46. Domain Account Created
Description - A new event is generated containing details of Domain Account Created. When a user account is created in Active Directory, the EventID is logged. This event is generated every time a new user object is created.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
47. Failed Logon Due to Invalid Domain Username
Description - A new event is generated containing details of Failed Logon Due to Invalid Domain Username. For this alert, the hexadecimal status and sub-status code generated when the event is registered provide this information: "User logon with misspelled or bad user account".
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
48. Network admin login
Description - A new event is generated containing details of Network admin login. The alert is generated if the username is in the administrator list.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
49. File Deleted
Description - A new event is generated containing details of File Deleted. The alert detects when a file was deleted.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the condition. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
50. SSH Scan Distinct DestIP
Description - A new event is generated if it contains a Source IP, a Destination IP and a Networking default Port (e.g. SSH Scan default port is 22).
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
51. Print Doc Confidential
Description - A new event is generated containing details of Print Doc Confidential. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - Microsoft-Windows-PrintService/Operational.
52. External IP FTP Scan
Description - A new event is generated if it contains a networking protocol, a Source IP (from external private networks), a Destination IP and a Networking default Port (e.g. FTP Scan default port is 21).
File Transfer Protocol (FTP) is a method of transferring files from one computer to another over the Internet.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
53. VNC Scan
Description - A new event is generated if it contains a networking protocol, a Source IP, a Destination IP and a Networking default Port (e.g. VNC Scan default port is 4900).
Virtual Network Computing is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
54. PostgreSQL Scan
Description - A new event is generated if it contains a networking protocol, a Source IP, a Destination IP and a Networking default Port (e.g. PostgreSQL Scan default port is 5432).
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
55. Telnet Scan
Description - A new event is generated if it contains a networking protocol, a Source IP, a Destination IP and a Networking default Port (e.g. Telnet Scan default port is 23).
Telnet is a network protocol used to virtually access a computer and provide a text-based communication channel between two machines.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
56. Windows RPC Scan
Description - A new event is generated if it contains a networking protocol, a Source IP, a Destination IP and a Networking default Port (e.g. Windows RPC Scan default port is 135).
Remote Procedure Call is a software communication protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network's details.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
57. RDP Scan
Description - A new event is generated if it contains a networking protocol, a Source IP, a Destination IP and a Networking default Port (e.g. RDP Scan default port is 3389).
Remote Desktop Protocol is a secure network communications protocol developed by Microsoft. It enables network administrators to remotely diagnose problems that individual users encounter and gives users remote access to their physical work desktop computers.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
58. MySQL Scan
Description - A new event is generated if it contains a networking protocol, a Source IP, a Destination IP and a Networking default Port (e.g. MySQL Scan default port is 3306).
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
59. MSSQL Scan
Description - A new event is generated if it contains a networking protocol, a Source IP, a Destination IP and a Networking default Port (e.g. MySQL Scan default port is 1433).
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
60. SSH Scan
Description - A new event is generated if it contains a Source IP, a Destination IP and a Networking default Port (e.g. SSH Scan default port is 22).
It is a prototype SSH configuration and policy scanner for Linux and UNIX servers.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
61. Event Log Cleared
Description - A new event is generated containing details of Windows Event log cleared.
In CYBERQUEST, this alert triggers on the first event that matches the conditions from the Windows Event log cleared report. This report shows if and when the Windows Security Event Log was cleared.
To receive the alert information by email, you have to click the options: and set.
Prerequisites - Windows Security Log.
62. Internal IP FTP Scan
Description - A new event is generated if it contains a networking protocol, a Source IP (from internal private networks), a Destination IP and a Networking default Port (e.g. FTP Scan default port is 21).
File Transfer Protocol (FTP) is a method of transferring files from one computer to another over the Internet.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
63. ICMP Scan
Description - A new event is generated containing details of ICMP Scan. Internet Control Message Protocol requests are used to map network topology. Receipt of an ICMP request is classified as a normal, possibly suspicious, or highly suspicious event.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - NetFlow
64. VPN Geographic Impossible Traveling
Description - A new event is generated containing details of VPN Geographic Impossible Traveling.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - FortiGate
65. Malware Detection
Description - A new event is generated containing details of Malware Detection. Malware detection refers to the process of detecting the presence of malware on a host system or of distinguishing whether a specific program is malicious.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the conditions. To receive the alert information by email, you have to click the options: and set.
Prerequisites - FortiGate
66. Network Intrusion Detection
Description - A new event is generated containing details of UTM > IPS > Alert. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - FortiGate
67. FortiGate UTM-WAF High Severity Level
Description - A new event is generated containing details of Traffic High Reputation Level. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - FortiGate
68. Domain OR Enterprise Admins Modification
Description - A new event is generated containing details of Group Modification. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
69. Network DoS
Description - A new event is generated containing details of Network DoS. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - NetFlow
70. Network DDoS on Other Protocol
Description - A new event is generated containing details of Network DDoS on Other Protocol. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - NetFlow
71. Network DDoS on ICMP Protocol
Description - A new event is generated containing details of Network DDoS on ICMP Protocol. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - NetFlow
72. Network DDoS on TCP Protocol
Description - A new event is generated containing details of Network DDoS on TCP Protocol. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - NetFlow
73. Network DDoS on UDP Protocol
Description - A new event is generated containing details of Network DDoS on UDP Protocol. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - NetFlow
74. High dataTransfer flow
Description - A new event is generated containing details of High dataTransfer flow. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - NetFlow
75. 3 failed SU password for root
Description - A new event is generated containing details of 3 failed SU password for root. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - syslog
76. Unable to log events to Windows Security
Description - A new event is generated containing details of Unable to log events to Windows Security. The event is logged if Windows was unable to write events to the Security event log.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
77. A security-enabled universal group was changed
Description - A new event is generated containing details of A security-enabled universal group was changed. When a universal security group is changed in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
78. A security-enabled universal group was created
Description - A new event is generated containing details of A security-enabled universal group was created. When a universal security group is created in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
79. A security-enabled global group was changed
Description - A new event is generated containing details of A security-enabled global group was changed. When a universal security group is changed in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
80. A security-enabled local group was changed
Description - A new event is generated containing details of A security-enabled local group was changed. The event is generated every time a security-enabled local group is changed.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
81. A security-enabled local group was deleted
Description - A new event is generated containing details of A security-enabled local group was deleted. The event is generated every time a security-enabled local group is deleted.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
82. A member was removed to a AD Local Group
Description - A new event is generated containing details of A member was removed to a AD Local Group. The event is generated every time a member is removed from a security-enabled local group.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
83. A member was added to a AD Local Group
Description - A new event is generated containing details of A member was added to a AD Local Group. The event is generated every time a member is added to a security-enabled local group.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
84. A security-enabled global group was created
Description - A new event is generated containing details of A security-enabled global group was created. When a security-enabled global group is created in Active Directory, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
85. User Added/Removed from AD Global Group
Description - A new event is generated containing details of User Added/Removed from AD Global Group. When an Active Directory object such as a user, group or computer is added to or removed from a security global group, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
86. A security-enabled local group was created
Description - A new event is generated containing details of User Added or Removed from Security-Enabled Global Admins Group. The event is generated every time a security-enabled local group is created.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
87. A security-enabled global group was deleted
Description - A new event is generated containing details of A security-enabled global group was deleted. In Active Directory, when a Security Global Group is deleted, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
88. User Added/Removed from AD Global Admins Group
Description - A new event is generated containing details of User Added or Removed from Security-Enabled Global Admins Group. When an Active Directory object such as a user, group or computer is added to or removed from a security global admins group, the EventID gets logged.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
89. Windows Authentication Brute Force same UserName And Computer
Description - A new event is generated containing details of Windows Authentication Brute Force same UserName And Computer. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
90. ROOT authentication failure
Description - A new event is generated containing details of Invalid user. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - syslog
91. VPN Login and RDP with another UserName
Description - A new event is generated containing details of VPN Login and RDP with another UserName. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - syslog
92. Authorization policy change
Description - A new event is generated containing details of Authorization policy change. Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy. Events list for this alert:
- Permissions on an object were changed
- A new trust was created to a domain
- A trust to a domain was removed
- Trusted domain information was modified
- Kerberos policy was changed
- System security access was granted to an account
- System security access was removed from an account
- Domain Policy was changed
- A namespace collision was detected
- A trusted forest information entry was added
- A trusted forest information entry was removed
- A trusted forest information entry was modified
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
93. Active Directory Domain Policy modified
Description - A new event is generated containing details of Active Directory Domain Policy modified. The event is generated when one of the following changes is made to the local computer security policy:
- Computer’s “\Security Settings\Account Policies\Account Lockout Policy” settings were modified.
- Computer's “\Security Settings\Account Policies\Password Policy” settings were modified.
- "Network security: Force logoff when logon hours expire" group policy setting was changed.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
94. Drop table or database alert
Description - A new event is generated containing details of Drop table or database alert. In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Application Log.
95. Blacklist IP Alert
Description - A new event is generated containing details of Blacklist IP Alert. It detects all events that contain a SourceIP and DestIP from the BlackList.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Network Communications
96. Linux authentication failure
Description - A new event is generated containing details of Linux authentication failure. In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - syslog
97. Audit policy change
Description - A new event is generated containing details of Audit policy change. This event is generated when the computer's audit policy changes.
In CYBERQUEST, this alert has 1 Rule and triggers on the first event that matches the Condition. To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
98. Succesful Login After Multiple Fails
Description - A new event is generated containing details of Succesful Login After Multiple Fails. In CYBERQUEST, this alert has 3 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - Windows Security Log.
99. DDOS
Description - A new event is generated containing details of DDOS. DDoS stands for "Distributed Denial-of-Service (DDoS) Attack"; it is a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.
In CYBERQUEST, this alert has 2 Rules and triggers on the first event that matches the Conditions.
To receive the alert information by email, you have to click the options: and set
.
Prerequisites - NetFlow