Default Correlation Alerts

Navigate to "Settings > Alerts > Realtime". The Realtime page lists all alerts defined in CYBERQUEST. This is the list of all default alerts defined in CYBERQUEST:

| No. | Default Alerts |
| --- | --- |
| 1 | A computer account was removed from domain |
| 2 | A computer account was added to domain |
| 3 | UBA - User set to Non-Expiring Password |
| 4 | UBA - Restricted Domain Account Failed Logon |
| 5 | UBA - Failed Domain Logon on Restricted Host |
| 6 | UBA - Domain User Logon After Multiple Failed Attempts |
| 7 | UBA - Domain User Failed Logon Due to Invalid Password |
| 8 | UBA - User Logon from Multiple IP Addresses |
| 9 | UBA - User Logon from Multiple Hosts |
| 10 | UBA - Username ending with Dollar Sign |
| 11 | UBA - Remote Login to Server |
| 12 | UBA - New User Observed |
| 13 | UBA - Login Attempt from User with Expired Password |
| 14 | UBA - Login Attempt from Locked or Disabled Account |
| 15 | Domain Policy - User Removed from Local Security Group |
| 16 | Domain Policy - User Removed from Domain Security Group |
| 17 | Domain Policy - User Added to Local Security Group |
| 18 | Domain Policy - User Added to Domain Security Group |
| 19 | Domain Policy - Group Policy Object Modified |
| 20 | Domain Policy - Group Policy Object Created |
| 21 | Domain Policy - Group Policy Object Deleted |
| 22 | Domain Policy - Domain Policy Changed |
| 23 | Windows - Multiple Failed Packaged App Applocker Events - Multiple Hosts |
| 24 | Windows - Multiple Failed Packaged App Applocker Events - Single Host |
| 25 | Windows - Multiple Failed MSI or Script Applocker Events - Multiple Hosts |
| 26 | Windows - Multiple Failed MSI or Script Applocker Events - Single Host |
| 27 | Windows - Multiple Failed EXE or DLL Applocker Events - Multiple Hosts |
| 28 | Windows - Multiple Failed EXE or DLL Applocker Events - Single Host |
| 29 | Windows - BSoD System Crashes on Multiple Hosts |
| 30 | Windows - BSoD System Crashes on a Single Host |
| 31 | Windows - Application Crashes or Hangs on Multiple Hosts |
| 32 | Windows - Application Crashes or Hangs on a Single Host |
| 33 | Windows - System or Service Failures on a Single Host |
| 34 | Administrator Account logon on 2000-2003-XP |
| 35 | Administrator Account Logon on Vista-2008 or Later |
| 36 | Domain User Failed Logon Due to Invalid Password |
| 37 | Software Uninstalled |
| 38 | New Software Installation |
| 39 | FTP Scan Distinct DestIP |
| 40 | High data received flow single event |
| 41 | High data transferred flow single event |
| 42 | User Logon Failed on not allowed computer |
| 43 | User Failed Logon outside his time of day restrictions |
| 44 | Locked Out Domain Account Failed Logon |
| 45 | Disable Domain Account Failed Logon |
| 46 | Domain Account Created |
| 47 | Failed Logon Due to Invalid Domain Username |
| 48 | Network admin login |
| 49 | File Deleted |
| 50 | SSH Scan Distinct DestIP |
| 51 | Print Doc Confidential |
| 52 | External IP FTP Scan |
| 53 | VNC Scan |
| 54 | PostgreSQL Scan |
| 55 | Telnet Scan |
| 56 | Windows RPC Scan |
| 57 | RDP Scan |
| 58 | MySQL Scan |
| 59 | MSSQL Scan |
| 60 | SSH Scan |
| 61 | Event Log Cleared |
| 62 | Internal IP FTP Scan |
| 63 | ICMP Scan |
| 64 | VPN Geographic Impossible Traveling |
| 65 | Malware Detection |
| 66 | Network Intrusion Detection |
| 67 | FortiGate UTM-WAF High Severity Level |
| 68 | Domain OR Enterprise Admins Modification |
| 69 | Network DoS |
| 70 | Network DDoS on Other Protocol |
| 71 | Network DDoS on ICMP Protocol |
| 72 | Network DDoS on TCP Protocol |
| 73 | Network DDoS on UDP Protocol |
| 74 | High dataTransfer flow |
| 75 | 3 failed SU password for root |
| 76 | Unable to log events to Windows Security |
| 77 | A security-enabled universal group was changed |
| 78 | A security-enabled universal group was created |
| 79 | A security-enabled global group was changed |
| 80 | A security-enabled local group was changed |
| 81 | A security-enabled local group was deleted |
| 82 | A member was removed to a AD Local Group |
| 83 | A member was added to a AD Local Group |
| 84 | A security-enabled global group was created |
| 85 | User Added/Removed from AD Global Group |
| 86 | A security-enabled local group was created |
| 87 | A security-enabled global group was deleted |
| 88 | User Added/Removed from AD Global Admins Group |
| 89 | Windows Authentication Brute Force same UserName And Computer |
| 90 | ROOT authentication failure |
| 91 | VPN Login and RDP with another UserName |
| 92 | Authorization policy change |
| 93 | Active Directory Domain Policy modified |
| 94 | Drop table or database alert |
| 95 | Blacklist IP Alert |
| 96 | Linux authentication failure |
| 97 | Audit policy change |
| 98 | Successful Login After Multiple Fails |
| 99 | DDOS |
| 100 | Cleared event Logs |