T1565.001: Stored Data Manipulation
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
profiling: PT-CR-1033: App_1C_Enterprise_Object_Modify: A user created or modified a registry in the 1C:ERP system
microsoft_sharepoint: PT-CR-2111: Sharepoint_Critical_Data_Manipulation: An action with a critical file is performed
mitre_attck_impact: PT-CR-1840: Hosts_File_Modify: Attempt to change hosts file integrity on Windows and Linux hosts
unix_mitre_attck_persistence: PT-CR-1662: Unix_Suspicious_Home_Modify: Files in the home directory of one of the users were changed
postgresql_database: PT-CR-1901: PostgreSQL_Update_Configuration: Updating the PostgreSQL database configuration can impact the security parameters of the data stored
hashicorp: PT-CR-2139: Hashicorp_Vault_Important_Engines_Manipulation: Attackers can delete or change parameters of important storages (engines) to access them
hashicorp: PT-CR-2140: Hashicorp_Vault_Important_Secrets_Rewrite: Attackers can overwrite important secrets to disrupt availability or functionality of specific systems or gain access to them
clickhouse: PT-CR-1576: ClickHouse_Audit_Table_Modified: An attempt to change the system.session_log or system.query_log system table is detected
clickhouse: PT-CR-1571: ClickHouse_Data_Manipulation: An attempt to modify a table critical for the DBMS is detected
clickhouse: PT-CR-1563: ClickHouse_Backup: An attempt to create a backup of a DBMS object is detected
elasticsearch: PT-CR-2730: Elasticsearch_Delete_Index: Abnormal deletion of indices in the Elasticsearch database
mysql_database: PT-CR-623: MySQL_Host_Cache_Table_Truncate: Attempt to truncate a host cache table
mysql_database: PT-CR-2302: MySQL_Update_Configuration: Updating the MySQL database configuration can impact the security parameters of the data stored
supply_chain: PT-CR-1934: SupplyChain_TeamCity_Plugin_Modify: A plugin was used. Attackers can manipulate TeamCity plugins to upload malicious code
supply_chain: PT-CR-1777: SupplyChain_File_Upload_To_Important_Repository: A user uploaded a file to a repository using an unusual account or new address
supply_chain: PT-CR-1963: SupplyChain_TeamCity_Execution_Via_Request: The ability to remotely execute commands was enabled, and the code was executed. After receiving a TeamCity API access token, attackers can enable the rest.debug.processes.enable option, which allows them to run commands on the server via POST requests
supply_chain: PT-CR-1762: SupplyChain_Push_Without_Merge_Request: A user pushed changes to a branch without a merge request
supply_chain: PT-CR-1760: SupplyChain_Sensitive_File_Access: A user accessed a JFrog Artifactory system file containing sensitive information or changed a TeamCity build configuration
supply_chain: PT-CR-1761: SupplyChain_Merge_Request_Apply_Without_Approvers: Merge into a branch without approvers
vsphere_suspicious_user_activity: PT-CR-520: Reconfiguring_Protective_VM: A virtual machine with installed security software is reconfigured
vsphere_suspicious_user_activity: PT-CR-519: Mass_Reconfiguring_Protective_VM: Multiple virtual machines with installed security software are reconfigured
capabilities_data_access: PT-CR-2883: CAP_Access_to_Sensitive_Data: Access to a file containing sensitive information in application software. An attacker with access to such data can disrupt its confidentiality, integrity, or availability.
capabilities_data_access: PT-CR-2900: CAP_Access_To_Sensitive_Database: Access to sensitive databases. An attacker can extract, modify, or delete sensitive data using stolen credentials, system vulnerabilities, or malicious queries.
vulnerabilities: PT-CR-1983: Possible_CVE_2023_20198_Cisco_IOS_XE: Possible exploitation of vulnerability CVE-2023-20198 in Cisco IOS XE associated with privilege escalation by creating a new administrator account
security_code_secret_net_lsp: PT-CR-1891: SecretNet_LSP_Export_Backup: Secret Net LSP configuration export
security_code_secret_net_lsp: PT-CR-1905: SecretNet_LSP_Manipulate_Critical_Data: Changing an object under Secret Net LSP integrity control
security_code_secret_net_lsp: PT-CR-1892: SecretNet_LSP_Apply_Backup: Secret Net LSP configuration replacement
indeed_pam: PT-CR-2885: Indeed_Important_Resources_Actions: Suspicious actions with resources on the critical resource list in the Indeed PAM application
network_devices_compromise: PT-CR-577: Cisco_ASA_Disable_Username_Hiding: Logging usernames in cleartext is enabled on Cisco ASA
it_bastion: PT-CR-2178: SKDPUNT_Sftp_Access_Failure: SKDPU NT is registering file read or write access errors via SFTP
microsoft_exchange: PT-CR-2357: Exchange_Remove_Dismount_Mailbox_Database: Deleting or dismounting an Exchange database. This could be an attacker's attempt to disrupt availability of system and network resources.
enterprise_1c_and_bitrix: PT-CR-676: Enterprise_1C_Manipulate_Critical_Data: A critical document was changed
Detection
ID | Data source and component | Description
---|---|---
DS0022 | File: File Creation | Monitor for newly constructed files in order to manipulate external outcomes or hide activity
DS0022 | File: File Modification | Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity
DS0022 | File: File Deletion | Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity
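The three DS0022 components above (file creation, modification and deletion) can be covered with a hash baseline that is taken, stored, re-taken and diffed. The script below is an added example, not code from the original page or from any Positive Technologies product; the directory tree, file names and contents it builds are constructed for the demonstration, and the function names (take_baseline, compare, demo) are its own.

```python
"""File-integrity baseline for detecting stored-data manipulation (T1565.001).

Added example. It implements the DS0022 detection idea (file creation,
modification, deletion) as a SHA-256 baseline that is re-taken and diffed.
Everything under the demo directory is constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to hash and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify the differences between two baselines into the DS0022 components."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new) if old[p]["sha256"] != new[p]["sha256"]
    )
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Build a constructed data directory, baseline it, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q3_report.xlsx").write_bytes(b"revenue=1000\n")
        (root / "finance" / "vendors.csv").write_bytes(b"acme,12345\n")
        (root / "config.ini").write_bytes(b"[db]\nhost=db01\n")

        before = take_baseline(root)

        # Constructed tampering: one figure altered, one file removed, one added.
        (root / "finance" / "q3_report.xlsx").write_bytes(b"revenue=9000\n")
        (root / "finance" / "vendors.csv").unlink()
        (root / "finance" / "vendors_new.csv").write_bytes(b"newvendor,99999\n")

        after = take_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

In use, the stored baseline is itself data at rest, so it should be written somewhere the monitored hosts cannot modify (the off-system storage that M1029 below calls for) and protected with the same least-privilege permissions M1022 asks for on the data it covers; a baseline an attacker can rewrite alongside the files detects nothing.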
Mitigation
ID | Name | Description
---|---|---
M1022 | Restrict File and Directory Permissions | Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
M1041 | Encrypt Sensitive Information | Consider encrypting important information to reduce an adversary's ability to perform tailored data modifications.
M1029 | Remote Data Storage | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups.