MaxPatrol SIEM knowledge base

clickhouse: PT-CR-1579: ClickHouse_Logon_Same_Host_Different_Users: Attempts to log in to a DBMS under different user accounts from the same host are detected clickhouse: PT-CR-1567: ClickHouse_Logon_Same_User_From_Different_Hosts: Attempts to log in to a DBMS under the same account from different hosts are detected sap_suspicious_user_activity: PT-CR-231: SAPASABAP_Create_Client_And_Login: A user escalated himself privileges in the system sap_suspicious_user_activity: PT-CR-238: SAPASABAP_EARLYWATCH_Connect: Violation of the standard usage scenario for the EARLYWATCH user and client 066 sap_java_suspicious_user_activity: PT-CR-541: SAPASJAVA_Password_Changed_For_SAP_Standard_Users_And_Logon: The password of a default user was changed, then a user logged in under this account vk_workmail: PT-CR-2995: VK_Workmail_App_Password_Create: A user created a password for an external mailing application. This may indicate an attempt to gain unauthorized access to confidential information or a data leakage. bitbucket: PT-CR-2697: Bitbucket_Login_From_New_Address: A user with an important permission logged in to the Bitbucket application from a new address. This could be done by attackers who obtained the user's credentials. citrix_ns_adc: PT-CR-2579: Citrix_NS_ADC_Login_With_Default_Credentials: An attacker can use the default account to get access to a host capabilities_logon: PT-CR-2881: CAP_Default_Account_Logon: Logging in on behalf of a default account. After obtaining account credentials, an attacker can use them for initial access, persistence, privilege escalation, or defense evasion. sap_attack_detection: PT-CR-152: SAPASABAP_Delete_Sapstar_And_Login: The SAP* account is deleted and the system is accessed with the default password sap_attack_detection: PT-CR-160: SAPASABAP_Using_Bultin_Accounts: Usage of a built-in account sap_attack_detection: PT-CR-150: SAPASABAP_Bultin_Accounts_Probing: Attempts to log in with built-in accounts capabilities_account_manipulation: PT-CR-2882: CAP_Default_User_Enabling: Unlocking or enabling a default account in application software. Attackers may restore default accounts to gain access, maintain persistence in the system, escalate privileges, or bypass security measures. supply_chain: PT-CR-1765: SupplyChain_Default_Account_Logon: A user logged in or attempted to log in to an application under a default account capabilities_suspicious_activity: PT-CR-3059: CAP_Activity_From_Known_Malicious_Hostname: Login attempts from a suspicious host or suspicious activity on a DHCP server. Suspiciousness is determined by the presence in the host network name of artifacts inherent in security analysis tools or distributions used in penetration testing or computer forensics.