Alert Types with a Detection Time of Timestamp

The following built-in alert types or subtypes have a detection time of timestamp:

  • Abnormal Parent / Child Process, Subtype: Machine Learning Anomaly Detection

  • Account Creation Anomaly

  • Application Usage Anomaly

  • Bad Destination Reputation Anomaly

  • Bad Source Reputation Anomaly

  • Carbon Black:XDR Anomaly

  • Cloud Drive Data Exfiltration Anomaly

  • Command & Control Reputation Anomaly

  • Command Anomaly

  • Cryptojacking

  • CylanceOPTICS:XDR Anomaly

  • Data Ingestion Volume Anomaly

  • DGA

  • DHCP Server Anomaly

  • DNS Tunneling Anomaly

  • Encoded PowerShell

  • Encrypted C&C

  • Exploited C&C Connection

  • External Brute-Forced Successful User Login

  • External Exploited Vulnerability

  • External Firewall Denial Anomaly

  • External Firewall Policy Anomaly

  • External Handshake Failure

  • External IDS Signature Spike

  • External IP / Port Scan Anomaly, Subtype: Connection Spike Anomaly (Firewall / Windows Traffic)

  • External Non-Standard Port Anomaly

  • External Other Malware

  • External Password Spraying

  • External PII Leaked

  • External Plain Text Passwords Detected

  • External PUA

  • External Ransomware

  • External RDP BlueKeep

  • External RDP Brute Force Attack

  • External Scanner Behavior Anomaly

  • External SMB Read Anomaly

  • External SMB Username Enumeration

  • External SMB Write Anomaly

  • External Spyware

  • External SQL Anomaly

  • External SQL Shell Command

  • External Suspected Malicious User Agent

  • External SYN Flood Attacker

  • External SYN Flood Victim

  • External Trojan

  • External User Application Usage Anomaly

  • External User Data Volume Anomaly

  • File Action Anomaly

  • File Creation Anomaly

  • Hydra Password Guessing Hack Tool

  • ICMP Based Exfiltration or Tunneling

  • Internal Brute-Forced Successful User Login

  • Internal Exploited Vulnerability

  • Internal Firewall Denial Anomaly

  • Internal Firewall Policy Anomaly

  • Internal IDS Signature Spike

  • Internal IP / Port Scan Anomaly, Subtype: Connection Spike Anomaly (Firewall / Windows Traffic)

  • Internal Non-Standard Port Anomaly

  • Internal Other Malware

  • Internal Password Spraying

  • Internal PII Leaked

  • Internal PUA

  • Internal Ransomware

  • Internal RDP BlueKeep

  • Internal RDP Brute Force Attack

  • Internal RDP Suspicious Outbound

  • Internal Scanner Behavior Anomaly

  • Internal SMB Read Anomaly

  • Internal SMB Username Enumeration

  • Internal SMB Write Anomaly

  • Internal Spyware

  • Internal SQL Anomaly

  • Internal SQL Dumpfile Execution

  • Internal Suspected Malicious User Agent

  • Internal SYN Flood Attacker

  • Internal SYN Flood Victim

  • Internal Trojan

  • Internal User Application Usage Anomaly

  • Internal User Data Volume Anomaly

  • Long App Session Anomaly

  • Mimikatz DCSync

  • Outbound Destination Country Anomaly

  • Outbytes Anomaly

  • Password Cracking with Hashcat

  • Password Resets Anomaly

  • Password Spraying Attempts Using Dsacls

  • Phishing URL

  • Possible Phishing Site Visit from Email

  • Private to Private Exploit Anomaly

  • Private to Private IPS Signature Spike

  • Private to Public Exploit Anomaly

  • Private to Public IPS Signature Spike

  • Process Anomaly

  • Public to Private Exploit Anomaly

  • Public to Private IPS Signature Spike

  • Public to Public Exploit Anomaly

  • Public to Public IPS Signature Spike

  • RDP Outbytes Anomaly

  • Scanner Reputation Anomaly

  • Sensor Status Anomaly

  • Suspected Network Beaconing Activities

  • Suspicious LDAP Search Request

  • Unapproved Asset Activity

  • Uncommon Application Anomaly

  • Uncommon Process Anomaly

  • Uncommon Top-Level Domain Anomaly

  • User Asset Access Anomaly

  • User Process Usage Anomaly

  • WAF Internal Attacker Anomaly

  • WAF Rule Violation Anomaly