System Detection Rules by Vendor
For each security vendor that can be integrated with SecurityCoach, we offer system detection rules based on the vendors’ default policies. Click the links below to view a list of system detection rules for each vendor.
Jump links:
Bitdefender GravityZone
Carbon Black
Cisco Secure Email
Cisco Umbrella
Cloudflare Area 1 Email Security
Cloudflare Zero Trust
Code42
CrowdStrike
Cylance
Gmail
Google Drive
Google IAM
Malwarebytes
Microsoft 365
Microsoft Cloud Access Security (MCAS)
Microsoft Azure Active Directory Identity Protection
Microsoft Defender for Endpoint
NetSkope
Okta
Proofpoint
SentinelOne
SonicWall Capture Client
Sophos
Zscaler
Bitdefender GravityZone
For a list of detection rules available for Bitdefender GravityZone, see the table below:
Detection Rule Name | Description |
--- | --- |
Phishing Detected by Bitdefender GravityZone | Phishing email detected |
Fraud Detected by Bitdefender GravityZone | User visited a website hosted for fraud |
Threat Detected by Bitdefender GravityZone | Threat detected by Bitdefender Advanced Threat Control |
Data Loss Prevention (DLP) Policy Violation Detected by Bitdefender GravityZone | DLP policy violation detected |
Sensitive Data Sharing Detected by Bitdefender GravityZone | Sensitive organizational information sharing detected |
Gaming Website Detected by Bitdefender GravityZone | User visited a gaming website |
Gambling Website Detected by Bitdefender GravityZone | User visited a gambling website |
Drug Website Detected by Bitdefender GravityZone | User visited a drug website |
Illegal Website Detected by Bitdefender GravityZone | User visited an illegal website |
Shopping Website Detected by Bitdefender GravityZone | User visited a shopping website |
Social Network Website Detected by Bitdefender GravityZone | User visited a social network website |
Dating Website Detected by Bitdefender GravityZone | User visited a dating website |
Instant Messaging Website Detected by Bitdefender GravityZone | User visited an instant messaging website |
File Sharing Website Detected by Bitdefender GravityZone | User visited a file sharing website |
Narcotics Website Detected by Bitdefender GravityZone | User visited a narcotics website |
Scam Website Detected by Bitdefender GravityZone | User visited a scam website |
Entertainment Website Detected by Bitdefender GravityZone | User visited an entertainment website |
Time-Wasting Website Detected by Bitdefender GravityZone | User visited a time-wasting website |
Video Streaming Detected by Bitdefender GravityZone | User visited a video streaming website |
Adult Website Detected by Bitdefender GravityZone | User visited an adult website |
Ransomware Detected by Bitdefender GravityZone | Ransomware detected on a user’s device |
Document Malware Detected by Bitdefender GravityZone | User downloaded a document that contains malware |
Malware Detected by Bitdefender GravityZone | Malware detected on a user’s device |
Malicious IP Address Login Detected by Bitdefender GravityZone | Login from a malicious IP address detected |
Potentially Unwanted Application (PUA) Detected by Bitdefender GravityZone | PUA detected on a user’s device |
Carbon Black
For a list of detection rules available for Carbon Black, see the table below:
Detection Rule Name | Description |
--- | --- |
Malware Detected by Carbon Black | Malware detected on a user's device |
Malware from Web Detected | Malware from the internet detected on a user's device |
Malware from Email Detected | Malware from an email detected on a user's device |
Removable Media Detected by Carbon Black | Removable media usage detected on a user's device |
Cisco Secure Email
For a list of detection rules available for Cisco Secure Email, see the table below:
Detection Rule Name | Description |
--- | --- |
Adware Detected by Cisco | Adware detected on a user's device |
Emails to Competitors Detected | User sent an email to a competitor |
Personal Identifiable Information (PII) Sent Externally by Email | Personal identifiable information (PII) sent externally by email |
Confidential Documents Sent Externally by Email | Confidential documents sent externally by email |
Encrypted or Password-Protected Files Sent by Email | Encrypted or password-protected files sent by email |
Leaked Financial Documents Detected | Corporate financial documents sent externally by email |
Leaked Design Documents Detected | Design documents sent by email |
Graymail Detected | Graymail detected and blocked |
Email Malware Detected by Cisco | Malware attachment detected in an email |
Emails with Malicious URLs Detected | Email with a malicious URL detected |
Spam Detected by Cisco | Spam email detected |
Document Malware Detected | Malware detected in a document |
Word Document Malware Detected | Malware detected in a Word document |
PDF Document Malware Detected | Malware detected in a PDF document |
Mobile Device Malware Detected | Malware detected on a mobile device |
Android Mobile Device Malware Detected | Malware detected on an Android mobile device |
Virus Detected | Virus detected in an email |
Potentially Unwanted Application (PUA) Detected | PUA detected |
Potentially Unwanted Program (PUP) Detected by Cisco | PUP detected |
Cisco Umbrella
For a list of detection rules available for Cisco Umbrella, see the table below:
Detection Rule Name | Description |
--- | --- |
Adware Detected by Cisco Umbrella | Adware detected on a user's device |
Command-and-Control Domain Detected | User's device connected to a domain that hackers use to control botnets |
Request to a Trojan Domain Detected | User downloaded a file from the internet that contains a trojan |
Request to an Android Malware Domain Detected | User downloaded a file from the internet that contains Android malware |
Document Malware Detected by Cisco Umbrella | User downloaded a document that contains malware |
Word Document Malware Detected by Cisco Umbrella | User downloaded a Word document that contains malware |
PDF Document Malware Detected by Cisco Umbrella | User downloaded a PDF document that contains malware |
Mobile Malware Detected by Cisco Umbrella | Malware detected on an Android mobile device |
Cryptomining Domain Detected | User accessed a domain or IP address involved in cryptomining activities |
Potentially Harmful Domain Detected | User visited a potentially harmful website |
Adult and Pornography Domain Detected | User visited a prohibited website |
Child Abuse Domain Detected | Illegal child abuse content detected |
Dating Domain Detected | Domain related to dating services detected |
Entertainment Domain Detected | Domain related to entertainment detected |
Gambling Domain Detected | Domain related to gambling detected |
Gaming Domain Detected | Domain related to gaming detected |
Illegal Download Detected | Website that provides the ability to download software or other materials, serial numbers, key generators, or tools for bypassing software protection in violation of copyright agreements detected |
Peer-to-Peer File Transfer Detected | Peer-to-peer file request website detected |
Malware Domain Detected | User downloaded a file from the internet that contains malware |
Phishing Domain Detected | User clicked a phishing link |
Potentially Unwanted Application (PUA) Detected by Cisco Umbrella | PUA detected |
Potentially Unwanted Program (PUP) Detected by Cisco Umbrella | PUP detected |
Request to a Ransomware Domain Detected | User downloaded a file from the internet that contains ransomware |
Cloudflare Area 1 Email Security
For a list of detection rules available for Cloudflare Area 1 Email Security, see the table below:
Detection Rule Name | Description |
--- | --- |
Malware Detected by Cloudflare Area 1 Email Security | Malware detected in an email |
Suspicious Email Detected by Cloudflare Area 1 Email Security | Suspicious email detected |
Spoofed Email Detected by Cloudflare Area 1 Email Security | Spoofed email detected |
Email with a Malicious URL Detected by Cloudflare Area 1 Email Security | Email with a malicious URL detected |
Cloudflare Zero Trust
For a list of detection rules available for Cloudflare Zero Trust, see the table below:
Detection Rule Name | Description |
--- | --- |
Dating Website Detected by Cloudflare Zero Trust | User visited a dating website |
Drug Website Detected by Cloudflare Zero Trust | User visited a drug website |
Adult Website Detected by Cloudflare Zero Trust | User visited an adult website |
Deceptive Website Detected by Cloudflare Zero Trust | User visited a website that spoofs clicks, impressions, or conversions for ads |
Gaming Website Detected by Cloudflare Zero Trust | User visited a gaming website |
Gambling Website Detected by Cloudflare Zero Trust | User visited a gambling website |
Child Abuse Website Detected by Cloudflare Zero Trust | User visited a website with illegal child abuse content |
Botnet Website Detected by Cloudflare Zero Trust | User visited a website known to be part of botnet or command-and-control activities |
Cryptomining Website Detected by Cloudflare Zero Trust | User visited a website involved in cryptomining activities |
Malicious Website Detected by Cloudflare Zero Trust | User visited a website hosting malicious content |
Risky Website Detected by Cloudflare Zero Trust | User visited a website that may contain security risks |
Phishing Website Detected by Cloudflare Zero Trust | User visited a website known for phishing |
Malware Download Detected by Cloudflare Zero Trust | Malware download attempt detected on a user’s device |
Code42
For a list of detection rules available for Code42, see the table below:
Detection Rule Name | Description |
--- | --- |
Removable Media Exfiltration Detected | Removable media usage detected |
Cloud Sync Folder Exfiltration Detected | Files synced to a cloud storage application |
File Extension Mismatch Exfiltration Detected | File extension does not match the file contents, and the files were shared |
ZIP File Exfiltration Detected | ZIP file exfiltration detected |
Source Code Email Exfiltration Detected | Source code of common programming languages was exfiltrated by email |
Sales Report Exfiltration Detected | Internal sales report was exfiltrated from a user's device |
Source Code File Exfiltration by Extension Detected | Source code files of common programming languages were exfiltrated |
Microsoft Outlook Exfiltration Detected | Confidential or classified information shared using Outlook |
Earnings Report Exfiltration Detected | Earnings report shared externally |
Cloud Sharing Permissions Changed | Cloud sharing permissions for a protected or classified file were changed |
Potential Flight Risk | Detection of activity on a user's device that indicates the user may be preparing to leave the organization |
Password Exfiltration Detected | Detection of the exfiltration of a password from a user's device |
CrowdStrike
For a list of detection rules available for CrowdStrike, see the table below:
Detection Rule Name | Description |
--- | --- |
Adware Detected by CrowdStrike | Adware detected on a user's device |
Full Disk Encryption Needed | Automated information collected through an advanced persistent threat (APT) attack detected |
Remote Access Software Detected | Remote access software invoked suspiciously on a user's device |
Exploitation of a Known Vulnerability Detected by CrowdStrike | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Exploitation of a Public-Facing Application Detected | File containing exploit code for a public-facing application detected |
Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Malware Indicators of Attack (IOA) Detection | Malware file matching the IOA detected on a user's device |
Malware Indicators of Compromise (IOC) Detection | Malware file matching the IOC detected on a user's device |
Malware Detected on Endpoint by CrowdStrike | Malware detected with endpoint machine learning detection |
Malicious Document Detected | Malware detected in a document |
Malware Detected by CrowdStrike | Malware detected on a user's device |
Password Theft Detected | Password stealing detected for a user's account |
Unsecured Credentials Detected | Detection of the storage of credentials in the registry of Windows operating system (OS) |
Operating System (OS) Credential Dumping | Detection of credential dumping from an operating system (OS) memory or cache |
Credential Theft Detected by CrowdStrike | Credential dumping from browser memory or from Windows operating system (OS) detected |
Spear-Phishing Attachment | Spear phishing email with an attachment detected |
Phishing Detected by CrowdStrike | Phishing email detected |
Potentially Unwanted Program (PUP) Detected by CrowdStrike | PUP detected on a user's device |
Adware or Potentially Unwanted Program (PUP) Detected | Adware or PUP detected on the user's device |
Data Backup and Encryption Suggested | Encryption activity by a ransomware program detected |
Ransomware Detected by CrowdStrike | Ransomware detected on a user's device |
Social Engineering Detected | Social engineering attack detected on a user's device |
Cylance
For a list of detection rules available for Cylance, see the table below:
Detection Rule Name | Description |
--- | --- |
High-Severity Malicious Activity Detected | High-severity malicious activity detected on a user's device |
Memory Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Malware Detected by Cylance | Malware detected on a user's device |
Malicious Script Detected | Malicious script execution blocked |
Possible Potentially Unwanted Program (PUP) Detected | PUP detected on a user's device |
Potentially Unwanted Program (PUP) Detected by Cylance | PUP detected on a user's device |
Removable Media Detected by Cylance | Use of removable media blocked |
Gmail
For a list of detection rules available for Gmail, see the table below:
Detection Rule Name | Description |
--- | --- |
External Email Forwarding Detected | Email rule set up by user to forward email outside of the organization’s domain |
Spamming Simple Mail Transfer Protocol (SMTP) | Email rule set up by user to forward email outside of the organization's domain |
Spamming Detected | Spamming detected from a user's Google account |
Google Drive
For a list of detection rules available for Google Drive, see the table below:
Detection Rule Name | Description |
--- | --- |
External File Sharing Detected by Google Drive | File access to external account enabled by user |
Google IAM
For a list of detection rules available for Google IAM, see the table below:
Note: For more information about configuring this integration, see the Google Integration Guide for SecurityCoach. For more information about Google IAM’s events, visit their website.
Detection Rule Name | Description |
--- | --- |
Government-Backed Attack | Malware or advanced persistent threat detected on a user's device |
2-Step Verification Disabled | User disabled two-step verification |
Leaked Password | Leaked password detected |
Suspicious Login | Suspicious login activity detected |
Account Hijacked | Account hijack detected |
Login Failure | Multiple failed login attempts detected |
Malwarebytes
For a list of detection rules available for Malwarebytes, see the table below:
Detection Rule Name | Description |
--- | --- |
Adware Detected by Malwarebytes | Adware detected on a user's device |
Machine Learning-Based Malware Detection | Malware detected on a user's device |
Trojan Detected | Trojan detected on a user's device |
Malware Detected by Malwarebytes | Malware detected on a user's device |
Risky Website Detected by Malwarebytes | User visited a malicious website |
Potentially Unwanted Program (PUP) Detected by Malwarebytes | PUP detected on a user's device |
Ransomware Detected by Malwarebytes | Ransomware detected on a user's device |
Spyware Detected | Spyware detected on a user's device |
Microsoft 365
For a list of detection rules available for Microsoft 365, see the table below:
Detection Rule Name | Description |
--- | --- |
Unusual Amount of File Deletions Detected by Microsoft Office 365 | Unusual volume of files deleted |
External File Sharing Detected by Microsoft Office 365 | File shared externally |
Unusual External User File Activity Detected by Microsoft Office 365 | Potential data leakage or data breach detected |
Creation of Email Forwarding or Redirect Rule | User created an email forwarding rule to forward emails outside of your organization's domain |
Suspicious Email Sending Patterns Detected | Suspicious email sending pattern detected |
Suspicious Email Forwarding Activity | Suspicious email forwarding activity detected |
Elevation of Microsoft Exchange Admin Privileges in Microsoft Office 365 | User access privileges for Microsoft Exchange were elevated |
Email Message Containing Malicious Item Not Removed After Delivery | Email message containing a malicious item was not removed after delivery |
User Clicking a Potentially Malicious URL Detected | User clicked through to a potentially malicious URL |
Email Message Containing a Malicious File Removed from Inbox after Delivery | Email message containing a malicious file was removed after delivery |
Email Message Containing a Malicious URL Removed after Delivery | An email containing a malicious URL was removed from an inbox |
Escalation of Exchange Admin Privilege Detected | Escalation of Exchange admin privilege detected |
Email Message from a Campaign Removed from Inbox after Delivery | An email message from an email campaign was removed from the user's inbox after delivery |
User Impersonation Phish Delivered to Inbox or Folder | A user impersonation phishing email was delivered to a user's inbox |
Phishing Message Delivered Due to an IP Allow Policy Detected by Microsoft Office 365 | Microsoft detected an IP allow policy that allowed a high-confidence phishing email to be delivered |
Phishing Message Delivered Due to an ETR Override | Microsoft detected an Exchange Transport Rule (ETR) that allowed the delivery of a high-confidence phishing email to an inbox |
Form Flagged and Confirmed as Phishing by Microsoft Office 365 | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft |
Form Blocked by Microsoft Office 365 Due to a Potential Phishing Attempt | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft |
Malicious URL Clicks Detected | User clicked a malicious URL in an email |
Phishing Link Detected | Phishing link detected in an email sent to a user |
Phishing Email Delivered Due to a Tenant or User Override | Phishing email delivered due to a tenant or user override |
HIPAA Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Health Insurance Portability and Accountability Act (HIPAA) data leaked or shared through Microsoft Office 365 |
GDPR Data Leak Detected by Microsoft Data Loss Prevention (DLP) | General Data Protection Regulation (GDPR) data leaked or shared through Microsoft Office 365 |
PII Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Personally identifiable information (PII) leaked or shared through Microsoft Office 365 |
PCI DSS Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Payment Card Industry Data Security Standard (PCI DSS) data leaked or shared through Microsoft Office 365 |
Financial Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Financial data leaked or shared through Microsoft Office 365 |
Microsoft Cloud Access Security (MCAS)
For a list of detection rules available for MCAS, see the table below:
Detection Rule Name | Description |
--- | --- |
Unusual Amount of File Deletions Detected by Microsoft Cloud App Security | Unusual volume of files deleted |
Unusual File Deletion by a User Detected | Unusual file deletion by a user |
External File Sharing Detected by Microsoft Cloud App Security | File shared externally |
Unusual File Sharing by a User Detected | Unusual file share activity by a user |
Unusual External User File Activity Detected by Microsoft Cloud App Security | Potential data leakage or data breach activity |
Unusual File Download by a User Detected | User downloaded an unusual file |
Mass Access to Sensitive File Detected | Mass access to sensitive files detected |
Elevation of Microsoft Exchange Admin Privileges in Microsoft Cloud App Security | User access privileges for Microsoft Exchange were elevated |
Malware Detected by Microsoft Cloud App Security | Malware detected on a user's device |
Peer-to-Peer Applications Detected | Activity from a Tor-based IP address detected |
Risky Login Detected | Risky login detected |
Suspicious Inbox Forwarding Detected | Suspicious email forwarding detected |
Activity from a Suspicious IP Address Detected | Activity from a suspicious IP address detected |
Unusual Administrative Activity by a User Detected | Unusual administrative activity by a user detected |
Credential Theft Detected by Microsoft Cloud App Security | Multiple failed or suspicious login attempts detected |
Credentials Leak Detected by Microsoft | Leaked credentials detected |
Multiple Failed Login Attempts Detected | Multiple failed login attempts detected |
Password Spraying Attack Detected | Password spraying attack detected |
Form Blocked by Microsoft Cloud App Security Due to a Potential Phishing Attempt | User clicked a phishing link, and the webpage or web form was blocked by Microsoft |
Form Flagged and Confirmed as Phishing by Microsoft Cloud App Security | User clicked a phishing link, and the webpage or web form was blocked by Microsoft |
Phishing Attempt Delivered Due to an IP Allow Policy Detected by Microsoft Cloud App Security | Microsoft detected an IP allow policy that allowed a high-confidence phishing message to be delivered |
Ransomware Activity Detected by Microsoft | Ransomware activity detected |
Microsoft Azure Active Directory Identity Protection
For a list of detection rules available for Microsoft Azure Active Directory Identity Protection, see the table below:
Note: For more information about configuring this integration, see the Microsoft Azure Active Directory Identity Protection Integration Guide for SecurityCoach. For more information about Microsoft Azure Active Directory Identity Protection’s events, visit their website.
Detection Rule Name | Description |
--- | --- |
Login from an Unexpected Location Detected | Login from a distant location detected |
Login from a Malicious IP Address Detected | Sign-in from a malicious IP address detected |
Unexpected User Behavior Detected | The post-authentication behavior of users was assessed for anomalies |
Risky Activity Detected Using Microsoft's Threat Intelligence Tools | Risky activity detected using Microsoft's threat intelligence tools |
User Credentials Leaked | User's credentials were leaked |
Microsoft Defender for Endpoint
For a list of detection rules available for Microsoft Defender for Endpoint, see the table below:
Detection Rule Name | Description |
--- | --- |
Collection of Information by APT Detected | Automated collection of sensitive information by an advanced persistent threat (APT) detected on a user's device |
Command and Control Activity Detected | Microsoft ATP detected command-and-control activity on a user's device |
Credential Access | An advanced persistent threat (APT) attack accessed login credentials |
Malware or ATP Execution Detected | Execution of an advanced persistent threat (APT) or malware on a user's device |
Exploit Code Detected | Exploit code detected on a user's device |
Initial Access | Hacker gaining initial access through phishing, social engineering, malware, or exploitation detected |
Data Exfiltration Detected | Data exfiltration detected by Microsoft Defender ATP |
Suspicious Activity Detected | Suspicious activity detected on a user's device |
Malware Detected by Microsoft Defender ATP | Malware detected on a user's device |
Ransomware Detected by Microsoft Defender ATP | Ransomware detected on a user's device |
NetSkope
For a list of detection rules available for NetSkope, see the table below:
Detection Rule Name | Description |
--- | --- |
Transfer of Password-Protected Files Detected | Password-protected file uploaded to an external cloud drive or website detected |
Suspicious Data Upload Detected | Data or files uploaded to an IP address within a country prohibited by organization policy detected |
Unmanaged Device Detected | Unmanaged drive connected to the organization's network |
Dating Website Detected | User visited a prohibited website |
Sharing of Personal Financial Information Detected | Personal financial information shared |
Sharing of Personal Identity Information Detected | PII shared on a webpage or through email detected |
Microsoft Word Document Download Detected | Downloaded Word document from Webmail detected on a user's device |
Microsoft Excel Document Download Detected | Downloaded Excel file from Webmail detected on a user's device |
Gambling Website Detected by Netskope | User visited a prohibited website |
Substance Abuse Website Detected | User visited a prohibited website |
Shareware or Freeware Detected | User visited a prohibited website |
Prohibited Website Detected | User visited a prohibited website |
Inappropriate Web Surfing Detected | User visited a prohibited website |
Cryptocurrency Mining Detected | User visited a prohibited website |
Cloud Backup or Cloud Storage | User visited a prohibited website |
Peer-to-Peer Applications or Websites Detected | User visited a prohibited website |
Pirated Website Detected | User visited a prohibited website |
Adult Website Detected by Netskope Web Security | User visited a prohibited website |
Risky Website Detected by Netskope Web Security | User visited a prohibited or risky website blocked by Netskope |
Third-Party Virtual Private Network (VPN) Detected | Use of a third-party VPN detected |
Password Breach Detected | Compromised account detected. This includes accounts with passwords that have been leaked, stolen, or exfiltrated based on a confirmed breach event in the last 120 days. |
Okta
For a list of detection rules available for Okta, see the table below:
Detection Rule Name | Description |
--- | --- |
Threat Detected | Request from an IP address identified as malicious |
Suspicious Account Activity Detected | Suspicious activity detected on a user's device |
Request Rate Limit Reached | Login attempt limit reached |
Invalid Credentials | Multiple failed login attempts detected |
Proofpoint
For a list of detection rules available for Proofpoint, see the table below:
Detection Rule Name | Description |
--- | --- |
Imposter Threat Detected | Detection of a user impersonation email threat, such as a lookalike email address or user |
Malware Detected in Email Attachment | Malware detected in an email sent to a user |
Spam Detected by Proofpoint | Spam email detected in a user's inbox |
Malicious URL In Email Detected by Proofpoint | Unsafe URL detected in an email sent to a user |
Unsafe Attachments in Email Detected by Proofpoint | Malicious attachment detected in a user's inbox |
Unsafe URL in Email Detected by Proofpoint | Unsafe URL detected in a user's inbox |
Malicious URL Blocked in Email Detected by Proofpoint | Malicious URL detected in a user's email |
Spam Containing Unsafe Attachment Detected by Proofpoint | Phishing email delivered to a user's inbox |
SentinelOne
For a list of detection rules available for SentinelOne, see the table below:
Detection Rule Name | Description |
--- | --- |
Cryptomining Detected by SentinelOne | Cryptomining malware detected on a user's device |
Malware Detected by SentinelOne | Malware detected on a user's device |
Malicious Microsoft Office or PDF Document Detected by SentinelOne | Malicious Office or PDF document detected on a user's device |
Ransomware Detected by SentinelOne | Ransomware detected on a user's device |
SonicWall Capture Client
For a list of detection rules available for SonicWall Capture Client, see the table below:
Note: For more information about configuring this integration, see the SonicWall Capture Client Integration Guide for SecurityCoach. For more information about SonicWall’s events, visit their website.
Detection Rule Name | Description |
--- | --- |
Entertainment Website Detected by SonicWall | User visited an online entertainment website |
External Software Download Detected by SonicWall | User downloaded software from an external website |
Pay-to-Surf Website Detected by SonicWall | User visited or interacted with a pay-to-surf website |
Gaming Website Detected by SonicWall | User visited an online gaming website |
Alternate Communication Channels Detected by SonicWall | User used alternate communication channels, such as chats or instant messaging |
Website Prohibited by Organization Policy Detected by SonicWall | User visited websites prohibited by organization policy |
Hacking Website Detected by SonicWall | User tried to bypass a proxy or visited a website related to hacking |
Gambling Website Detected by SonicWall | User visited an online gambling website |
Prohibited Websites Detected by SonicWall | User visited a prohibited website |
Drug and Addiction Websites Detected by SonicWall | User visited a website related to drugs and addiction |
Adult Websites Detected by SonicWall | User visited an adult website |
Cryptomining Detected by SonicWall | Cryptomining malware detected on a user's device |
Malware Detected by SonicWall | Malware detected on a user's device |
Malicious Microsoft Office or PDF Document Found by SonicWall | Malicious Office or PDF document detected on a user's device |
Ransomware Detected by SonicWall | Ransomware detected on a user's device |
Sophos
For a list of detection rules available for Sophos, see the table below:
Detection Rule Name | Description |
--- | --- |
Unauthorized or Malicious Application Detected | Unauthorized or malicious application detected |
Compromised Endpoint Detected | Command-and-control activity that could be part of an APT attack detected on a user's device |
Exploitation of a Known Vulnerability Detected by Sophos | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Malware Detected by Sophos | Malware detected on a user's device |
Non-compliant Device Detected | Non-compliant device connected to the organization's network |
Risky Website Detected by Sophos | User visited a prohibited or risky website blocked by security software |
Credential Theft Detected by Sophos | User credential theft detected |
Potentially Unwanted Program (PUP) Detected by Sophos | PUP detected on a user's device |
Ransomware Detected by Sophos | Ransomware detected on a user's device |
Removable Media Detected by Sophos | Removable media usage detected on a user's device |
Zscaler
For a list of detection rules available for Zscaler, see the table below:
Detection Rule Name | Description |
--- | --- |
Adware or Spyware Detected | Adware or spyware detected on a user's device |
Organization Sensitive Data Shared | User shared or uploaded a file marked as classified by the organization |
Personal Financial Data Shared | User shared personal financial data online |
Personal Sensitive Data Shared | User shared personal sensitive data online |
Cryptomining Detected by Zscaler | Cryptomining malware detected on a user's device |
Alcohol or Tobacco-Related Websites Detected | User visited a website advertising, selling, or promoting the use of alcohol or tobacco |
Shareware Download Detected | Shareware download detected |
Television or Movies Detected | User visited a television or movie website |
Video Streaming Detected | User visited a streaming website |
Gaming Website Detected by Zscaler | User visited an online gaming website |
Copyright Infringement Detected | User visited a website that hosts copyright infringement materials |
Peer-to-Peer Site Detected | Peer-to-peer network connection and activity detected |
Adult Website Detected by Zscaler | User visited a website with adult content |
Risky or Malicious Website Detected | User visited a risky or malicious website |
Unsafe Attachments | Malicious attachment detected in a user's inbox |
Phishing Detected by Zscaler | Phishing email or webpage detected |