MaxPatrol SIEM knowledge base

kontinent: PT-CR-2399: Kontinent_Role_Manipulation: An action with an administrator role was performed. An attacker can create, change, or delete administrator roles to gain more privileges or deprive legitimate administrators of privileges. kontinent: PT-CR-2400: Kontinent_Account_Manipulation: An action with a resource user account or administrator account was performed. This can indicate an attacker attempting to create a new account for themselves or change the properties of an old account to gain access to the necessary network resources or escalate privileges. mitre_attck_impact: PT-CR-2418: NGate_Account_Access_Removal: A large number of user sessions is killed, which may indicate a compromise of the CryptoPro NGate administrator account mitre_attck_impact: PT-CR-495: Remove_Access_To_Sensitive_Account: Detection of attempts to block access to an account that is significant for IS sap_suspicious_user_activity: PT-CR-249: SAPASABAP_Lock_Many_Accounts: Mass locking of user accounts sap_suspicious_user_activity: PT-CR-232: SAPASABAP_Critical_Action_By_Non_Admin_User: A non admin user performed a critical action in the system hashicorp: PT-CR-2142: Hashicorp_Vault_Important_Secrets_Deleted: Attackers can delete important secrets to disrupt availability or functionality of specific systems hashicorp: PT-CR-2140: Hashicorp_Vault_Important_Secrets_Rewrite: Attackers can overwrite important secrets to disrupt availability or functionality of specific systems or gain access to them samba: PT-CR-2589: Samba_Multiple_User_Password_Change: Multiple user password changes samba: PT-CR-2587: Samba_Multiple_User_Lock: Multiple user lockouts samba: PT-CR-2586: Samba_Critical_Domain_Group_User_Add: A user is added to a privileged domain group. Attackers can add a user to critical groups to increase privileges or consolidate on the system samba: PT-CR-2585: Samba_Account_Attribute_Manipulation: Attackers can change account attributes to gain additional access or secure them in the system. capabilities_account_manipulation: PT-CR-2878: CAP_User_Blocking_Or_Removing: Blocking, disabling, or deleting an account in application software. This could be an attacker's attempt to disrupt the software's functionality. capabilities_account_manipulation: PT-CR-2871: CAP_Group_Or_Role_Removing: Deletion of an arbitrary user group and/or role in application software. This could be an attacker's attempt to hinder response and deny access to legitimate users. capabilities_account_manipulation: PT-CR-2880: CAP_User_Rights_Revoked: Removing a user from a group and/or revoking a role from a user in application software. This could be an attacker's attempt to hinder response and deny access to legitimate users. elasticsearch: PT-CR-2708: Elasticsearch_Critical_Users_Modify: A critical user configuration was changed in the Elasticsearch database. This may indicate that the user's account was compromised. elasticsearch: PT-CR-2732: Elasticsearch_Remove_Users: Bulk deletion of users from the Elasticsearch database mongo_database: PT-CR-1955: MongoDB_Revoke_High_Role: Administrator permissions are revoked from a user mongo_database: PT-CR-1954: MongoDB_Mass_Drop_User: Mass dropping of users in a MongoDB yandex_cloud: PT-CR-819: Yandex_Cloud_Symmetric_Key_Removal: A symmetric key is removed yandex_cloud: PT-CR-1267: Yandex_Cloud_Symmetric_Key_Access_Manage: Access rights to a symmetric key are changed yandex_cloud: PT-CR-817: Yandex_Cloud_Secret_Access_Manage: Access rights to a secret are changed yandex_cloud: PT-CR-810: Yandex_Cloud_Access_Key_Manipulation: An access key is created or removed mysql_database: PT-CR-625: MySQL_User_Operation: Attempt to change or delete a user account mysql_database: PT-CR-622: MySQL_Disconnect_User: Attempt to terminate a user session vk_cloud: PT-CR-2102: VK_Cloud_Keypair_Operation: A user who is not on the allowed users list performed an operation with a key pair. This may indicate an attacker's attempt to create a rogue connection to a virtual machine via SSH or limit the ability to legitimately connect to a host. vk_cloud: PT-CR-2105: VK_Cloud_VM_Security_Group_Operation: A user who is not on the allowed users list changed a security group list of a virtual machine, which may indicate an attacker's attempt to change the network configuration apache_cassandra_database: PT-CR-2086: Apache_Cassandra_Revoke_All_Permissions: All permissions were revoked from a user. This may indicate an attacker trying to prevent another user from interfering with malicious activity. active_directory_attacks: PT-CR-1344: Remote_Actions_With_Domain_Objects: A PowerView script was used. Attackers use the PowerView tool for reconnaissance in Windows domains. active_directory_attacks: PT-CR-1342: Subrule_PowerView_Objects_Actions: Remote change of domain objects (domain users and groups, machine accounts) using the PowerView tool (PowerViewPy) is detected teleport: PT-CR-2534: Teleport_Critical_User_Manipulation: A user performed an action with a user account with a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. teleport: PT-CR-2543: Teleport_Multiple_User_Locks: A user locked a large number of user accounts in a short period of time. This could be an attacker's attempt to make system and network resources unavailable. teleport: PT-CR-2530: Teleport_Critical_Lock_Created: A user locked a critical object in Teleport. This could be an attacker's attempt to make system and network resources unavailable. teleport: PT-CR-2535: Teleport_Critical_Role_Manipulation: A user changed or deleted a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. teleport: PT-CR-2544: Teleport_Multiple_User_Modification: A user changed a large number of user accounts in a short period of time. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. security_code_secret_net_lsp: PT-CR-1887: SecretNet_LSP_Multiple_User_Password_Change: Multiple password changes for the same account security_code_secret_net_lsp: PT-CR-1895: SecretNet_LSP_Manipulate_User_With_Critical_Roles: Critical account change microsoft_mecm: PT-CR-1898: MECM_Remove_Accounts: Deleting an account from MECM indeed_pam: PT-CR-2894: Indeed_Important_PAM_User_Group_Actions: A user performed an action with a critical group in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable. indeed_pam: PT-CR-2887: Indeed_Important_Applications_Actions: Suspicious actions with applications on the critical application list in Indeed PAM application indeed_pam: PT-CR-2897: Indeed_Important_PAM_Host_Account_Actions: A user performed an action with a critical user account on a host in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable. indeed_pam: PT-CR-2895: Indeed_Important_PAM_Account_Actions: A user performed an action with a critical user account in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable. sap_java_suspicious_user_activity: PT-CR-543: SAPASJAVA_User_Password_Changed: An account password is changed multiple times sap_java_suspicious_user_activity: PT-CR-542: SAPASJAVA_User_Locked_After_Too_Many_Password_Logon_Attempts: A user is locked after multiple failed attempts to log in vmware_aria: PT-CR-2368: Aria_Operations_Change_Admin_Password_Via_CLI: Changing the administrator password in Aria Operations from the command line without the old password can indicate an attacker attempting to block access to the owner and/or access the Aria Operations data vmware_aria: PT-CR-2381: AOFL_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations for Logs vmware_aria: PT-CR-2370: AOFL_Role_Manage: A new role with critical permissions can indicate an attacker attempting to escalate privileges and/or gain persistence in the Aria Operations for Logs system vmware_aria: PT-CR-2380: Aria_Operations_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations vmware_aria: PT-CR-2382: Aria_Operations_Admin_Panel_Admin_Locked_Too_Many_Logons: A user is locked. Locking a user can indicate an attacker attempting to block access to the account in the Aria Operations administration interface. vmware_aria: PT-CR-2377: AOFL_User_Locked_Too_Many_Logons: A user lockout can indicate an attacker attempting to block access to an account in Aria Operations for Logs network_devices_compromise: PT-CR-1351: Checkpoint_Admin_Modification: Administrators were added or deleted on a Checkpoint device zabbix: PT-CR-2051: Zabbix_Critical_User_Manipulate: A user changed a critical user account in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. zabbix: PT-CR-2054: Zabbix_User_Multiple_Password_Change: A user changed a password in Zabbix multiple times. This could be an attacker's attempt to gain persistence. zabbix: PT-CR-2052: Zabbix_Critical_Role_Manipulate: A user performed an action with a critical role in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. zabbix: PT-CR-2050: Zabbix_Critical_Group_Manipulate: A user performed an action with a critical group in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. vipnet_tias: PT-CR-2628: ViPNet_TIAS_Mass_Deletion_Of_Users: A user deleted accounts in ViPNet TIAS. This could be an attacker's attempt to make system and network resources unavailable. vipnet_tias: PT-CR-2627: ViPNet_TIAS_Critical_User_Manipulation: A user performed an action with a critical user account in ViPNet TIAS. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. passwork: PT-CR-2613: Passwork_Mass_Deletion_Of_Users: A user deleted accounts in Passwork. This could be an attacker's attempt to make system or network resources unavailable. passwork: PT-CR-2608: Passwork_Critical_User_Manipulation: A user performed a suspicious action on a critical user account in Passwork Password Manager. Such actions include role revocation, password harvesting, and user deletion. This could be an attacker's action to escalate privileges or make system and network resources inaccessible microsoft_exchange: PT-CR-2355: Exchange_Admin_Role_Actions: A user performed an action with a management role in Exchange. This may indicate an attacker's attempt to escalate privileges or disrupt availability of system resources. microsoft_exchange: PT-CR-2353: Exchange_Mass_Deletion_Of_Mailboxes: A user deleted mailboxes in Exchange. This could be an attacker's attempt to make system and network resources unavailable. microsoft_exchange: PT-CR-2360: Exchange_Critical_Group_Manipulate: A user changed or deleted a critical group in Exchange. This could be an attacker's attempt to escalate privileges or disrupt system availability. microsoft_exchange: PT-CR-2362: Exchange_Mass_Deletion_Of_Groups: A user deleted groups in Exchange. This could be an attacker's attempt to make system and network resources unavailable. freeipa: PT-CR-1959: FreeIPA_Multiple_User_Lock: Multiple user lockouts freeipa: PT-CR-1958: FreeIPA_Multiple_User_Password_Change: Multiple user password changes freeipa: PT-CR-1956: FreeIPA_Privileged_Account_Blocking: A user with escalated privileges was locked enterprise_1c_and_bitrix: PT-CR-677: Enterprise_1C_Multiple_User_Lock: Batch account locking enterprise_1c_and_bitrix: PT-CR-675: Enterprise_1C_Multiple_User_Password_Change: Multiple password changes for the same account mitre_attck_persistence: PT-CR-2604: Unauthorized_Reset_Password_For_Sensitive_Users: Unexpected reset of a critical user's password. This may indicate that the user's account was compromised.