Default Correlation Alerts
Navigate to "Settings > Alerts > Realtime". In the Realtime page we will find all alerts defined in CYBERQUEST. These is a list with all default alers defined in CYBERQUEST:
| No. | Default Alerts |
|---|---|
| 1 | A computer account was removed from domain |
| 2 | A computer account was added to domain |
| 3 | UBA - User set to Non-Expiring Password |
| 4 | UBA - Restricted Domain Account Failed Logon |
| 5 | UBA - Failed Domain Logon on Restricted Host |
| 6 | UBA - Domain User Logon After Multiple Failed Attempts |
| 7 | UBA - Domain User Failed Logon Due to Invalid Password |
| 8 | UBA - User Logon from Multiple IP Addresses |
| 9 | UBA - User Logon from Multiple Hosts |
| 10 | UBA - Username ending with Dollar Sign |
| 11 | UBA - Remote Login to Server |
| 12 | UBA - New User Observed |
| 13 | UBA - Login Attempt from User with Expired Password |
| 14 | UBA - Login Attempt from Locked or Disabled Account |
| 15 | Domain Policy - User Removed from Local Security Group |
| 16 | Domain Policy - User Removed from Domain Security Group |
| 17 | Domain Policy - User Added to Local Security Group |
| 18 | Domain Policy - User Added to Domain Security Group |
| 19 | Domain Policy - Group Policy Object Modified |
| 20 | Domain Policy - Group Policy Object Created |
| 21 | Domain Policy - Group Policy Object Deleted |
| 22 | Domain Policy - Domain Policy Changed |
| 23 | Windows - Multiple Failed Packaged App Applocker Events - Multiple Hosts |
| 24 | Windows - Multiple Failed Packaged App Applocker Events - Single Host |
| 25 | Windows - Multiple Failed MSI or Script Applocker Events - Multiple Hosts |
| 26 | Windows - Multiple Failed MSI or Script Applocker Events - Single Host |
| 27 | Windows - Multiple Failed EXE or DLL Applocker Events - Multiple Hosts |
| 28 | Windows - Multiple Failed EXE or DLL Applocker Events - Single Host |
| 29 | Windows - BSoD System Crashes on Multiple Hosts |
| 30 | Windows - BSoD System Crashes on a Single Host |
| 31 | Windows - Application Crashes or Hangs on Multiple Hosts |
| 32 | Windows - Application Crashes or Hangs on a Single Host |
| 33 | Windows - System or Service Failures on a Single Host |
| 34 | Administrator Account logon on 2000-2003-XP |
| 35 | Administrator Account Logon on Vista-2008 or Later |
| 36 | Domain User Failed Logon Due to Invalid Password |
| 37 | Software Uninstalled |
| 38 | New Software Installation |
| 39 | FTP Scan Distinct DestIP |
| 40 | High data received flow single event |
| 41 | High data transfered flow single event |
| 42 | User Logon Failed on not allowed computer |
| 43 | User Failed Logon outside his time of day restrictions |
| 44 | 44.Locked Out Domain Account Failed Logon |
| 45 | 45.Disable Domain Account Failed Logon |
| 46 | 46.Domain Account Created |
| 47 | Failed Logon Due to Invalid Domain Username |
| 48 | Network admin login |
| 49 | File Deleted |
| 50 | SSH Scan Distinct DestIP |
| 51 | Print Doc Confidential |
| 52 | External IP FTP Scan |
| 53 | VNC Scan |
| 54 | PostgreSQL Scan |
| 55 | Telnet Scan |
| 56 | Windows RPC Scan |
| 57 | RDP Scan |
| 58 | MySQL Scan |
| 59 | MSSQL Scan |
| 60 | SSH Scan |
| 61 | Event Log Cleared |
| 62 | Internal IP FTP Scan |
| 63 | ICMP Scan |
| 64 | VPN Geographic Impossible Traveling |
| 65 | Malware Detection |
| 66 | Network Intrusion Detection |
| 67 | FortiGate UTM-WAF High Severity Level |
| 68 | Domain OR Enterprise Admins Modification |
| 69 | Network DoS |
| 70 | Network DDoS on Other Protocol |
| 71 | Network DDoS on ICMP Protocol |
| 72 | Network DDoS on TCP Protocol |
| 73 | Network DDoS on UDP Protocol |
| 74 | High dataTransfer flow |
| 75 | 3 failed SU password for root |
| 76 | Unable to log events to Windows Security |
| 77 | A security-enabled universal group was changed |
| 78 | A security-enabled universal group was created |
| 79 | A security-enabled global group was changed |
| 80 | A security-enabled local group was changed |
| 81 | A security-enabled local group was deleted |
| 82 | A member was removed to a AD Local Group |
| 83 | A member was added to a AD Local Group |
| 84 | A security-enabled global group was created |
| 85 | User Added/Removed from AD Global Group |
| 86 | A security-enabled local group was created |
| 87 | A security-enabled global group was deleted |
| 88 | User Added/Removed from AD Global Admins Group |
| 89 | Windows Authentication Brute Force same UserName And Computer |
| 90 | ROOT authentication failure |
| 91 | VPN Login and RDP with another UserName |
| 92 | Authorization policy change |
| 93 | Active Directory Domain Policy modified |
| 94 | Drop table or database alert |
| 95 | Blacklist IP Alert |
| 96 | Linux authentication failure |
| 97 | Audit policy change |
| 98 | Successful Login After Multiple Fails |
| 99 | DDOS |
| 100 | Cleared event Logs |