T1005: Data from Local System
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a Command and Scripting Interpreter, such as cmd, or a Network Device CLI, both of which have functionality to interact with the file system and gather information. Adversaries may also use Automated Collection on the local system.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- clickhouse: PT-CR-1562: ClickHouse_Pattern_Search: An attempt to perform a regular expression search on table and column names is detected
- sap_suspicious_user_activity: PT-CR-236: SAPASABAP_Download_Bytes: Data download
- sap_suspicious_user_activity: PT-CR-237: SAPASABAP_Download_Bytes_period: Data download
- elasticsearch: PT-CR-2733: Elasticsearch_Upload_Backup: An Elasticsearch database backup was transferred to a remote host
- mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using the xcopy and robocopy utilities, the copy command, or the Copy-Item cmdlet
- mitre_attck_collection: PT-CR-500: Documents_Access_Via_Console: A user interacts with Office documents using cmd.exe or PowerShell
- capabilities_data_access: PT-CR-2900: CAP_Access_To_Sensitive_Database: Access to sensitive databases. An attacker can extract, modify, or delete sensitive data using stolen credentials, system vulnerabilities, or malicious queries.
- capabilities_data_access: PT-CR-2883: CAP_Access_to_Sensitive_Data: Access to a file containing sensitive information in application software. An attacker with access to such data can disrupt its confidentiality, integrity, or availability.
- unix_mitre_attck_collection: PT-CR-1685: Unix_Sensitive_File_Read: Sensitive Unix files were read
- unix_mitre_attck_collection: PT-CR-1684: Unix_Suspicious_Home_Read: A user read a file from another user's home directory
- pt_cs: PT-CR-2862: PTCS_Suspicious_File_Read: Access to system files from suspicious directories (/tmp, /home, etc.) is obtained. The attacker can collect system configuration files, credentials, scripts, logs, and other data located on the disk and use them for reconnaissance, further movement across the network, or exfiltration.
- sap_attack_detection: PT-CR-153: SAPASABAP_Download_Critical_Info: Import of critical information to a file
- sap_attack_detection: PT-CR-162: SAPASABAP_View_Critical_Tables: A critical table is viewed in SAP
- mysql_database: PT-CR-2304: MySQL_File_System_Actions: Interaction of the MySQL database with the file system may indicate reconnaissance or an attacker's attempt to escalate privileges, if this is not the standard integration of the database with external systems
- netflow: PT-CR-2919: Netflow_Large_File_Transfer: A large amount of data was sent from a host. This may indicate data collection.
- netflow: PT-CR-2920: Netflow_SMB_Anomaly: Suspicious SMB traffic from a host that is not a domain controller, router, or switch. Attackers can use SMB to further penetrate the network and gain access to sensitive data.
- supply_chain: PT-CR-1760: SupplyChain_Sensitive_File_Access: A user accessed a JFrog Artifactory system file containing sensitive information or changed a TeamCity build configuration
- mongo_database: PT-CR-529: MongoDB_Dump_Database: An attempt to create a database dump
- mongo_database: PT-CR-528: MongoDB_Dump_Collection: An attempt to create a collection dump
- vsphere_suspicious_user_activity: PT-CR-515: Downloading_Files_Of_Critical_VM: Files from a security-critical virtual machine are copied
- mssql_database: PT-CR-418: MSSQL_Pattern_Search_Usage: An attempt to get information from database service tables using a pattern
- vulnerabilities: PT-CR-2405: CVE_2024_24919_CheckPoint_Information_Disclosure: Exploitation of the CVE-2024-24919 vulnerability, which allows attackers to read any file on Check Point firewall devices without authorization. The vulnerability is in Check Point software with the IPSec VPN, Remote Access VPN, and Mobile Access blades enabled.
- profiling: PT-CR-2204: Critical_File_Access: A user accessed a critical file
- mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutil" utility is started
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: OS API Execution | Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. |
| DS0012 | Script: Script Execution | Any attempt to enable scripts running on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
| DS0009 | Process: Process Creation | Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. |
| DS0022 | File: File Access | Monitor for unexpected or abnormal access to files that may indicate malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases. |
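One way to turn the command-execution and file-access guidance above into concrete detection logic, as an added example that is not part of this page or of the MaxPatrol SIEM rule set. It matches the behaviours the rules above describe (bulk-copy utilities, shells touching Office documents, reads of sensitive Unix files, reads from another user's home directory); the event layout, indicator names and the list of sensitive paths are assumptions.

```python
"""Flag command and file-access events that look like local data collection (T1005)."""
import re

# Constructed sample telemetry, not real logs: one process-creation or file-access record each.
SAMPLE_EVENTS = [
    {"type": "process", "user": "alice", "cmd": "robocopy C:\\Users\\bob\\Documents D:\\staging *.docx /S"},
    {"type": "process", "user": "alice", "cmd": "powershell.exe -c Get-Content C:\\Finance\\q3.xlsx"},
    {"type": "process", "user": "svc_build", "cmd": "notepad.exe readme.txt"},
    {"type": "file", "user": "bob", "path": "/home/alice/.ssh/id_rsa", "op": "read"},
    {"type": "file", "user": "bob", "path": "/home/bob/notes.txt", "op": "read"},
    {"type": "file", "user": "www-data", "path": "/etc/shadow", "op": "read"},
]

# Bulk-copy tools named by Copying_Files, and the shells named by Documents_Access_Via_Console.
COPY_TOOLS = re.compile(r"\b(xcopy|robocopy|copy|copy-item)\b", re.I)
SHELLS = re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b", re.I)
OFFICE_DOCS = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b", re.I)
# Assumed, illustrative set of sensitive Unix paths; a real deployment tunes this list.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}
HOME_OWNER = re.compile(r"^/home/([^/]+)/")


def classify(event: dict) -> list:
    """Return the collection indicators an event matches; an empty list means nothing fired."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmd"]
        if COPY_TOOLS.search(cmd):
            hits.append("copy_utility")
        if SHELLS.search(cmd) and OFFICE_DOCS.search(cmd):
            hits.append("office_doc_via_shell")
    elif event["type"] == "file" and event["op"] == "read":
        path = event["path"]
        if path in SENSITIVE_PATHS or "/.ssh/" in path:
            hits.append("sensitive_file_read")
        owner = HOME_OWNER.match(path)
        if owner and owner.group(1) != event["user"]:
            hits.append("foreign_home_read")  # reading inside another user's home directory
    return hits


def scan(events: list) -> list:
    """Return (user, indicators) for every event that matched at least one indicator."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event["user"], hits))
    return flagged
```

Running `scan(SAMPLE_EVENTS)` flags four of the six constructed events; the two ordinary ones (an editor opening a text file, a user reading his own notes) produce no indicators.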
Mitigation
| ID | Name | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |