Managing Detection Rules

Last updated:

System Detection Rules by Vendor

For each security vendor that can be integrated with SecurityCoach, we offer system detection rules based on the vendors’ default policies.

Bitdefender GravityZone

For a list of detection rules available for Bitdefender GravityZone, see the table below:

Note: For more information about configuring this integration, see the Bitdefender GravityZone Integration Guide for SecurityCoach.

Detection Rule Name | Description
Phishing Detected by Bitdefender GravityZone | Phishing email detected
Fraud Detected by Bitdefender GravityZone | User visited a website hosted for fraud
Threat Detected by Bitdefender GravityZone | Threat detected by Bitdefender Advanced Threat Control
Data Loss Prevention (DLP) Policy Violation Detected by Bitdefender GravityZone | DLP policy violation detected
Sensitive Data Sharing Detected by Bitdefender GravityZone | Sensitive organizational information sharing detected
Gaming Website Detected by Bitdefender GravityZone | User visited a gaming website
Gambling Website Detected by Bitdefender GravityZone | User visited a gambling website
Drug Website Detected by Bitdefender GravityZone | User visited a drug website
Illegal Website Detected by Bitdefender GravityZone | User visited an illegal website
Shopping Website Detected by Bitdefender GravityZone | User visited a shopping website
Social Network Website Detected by Bitdefender GravityZone | User visited a social network website
Dating Website Detected by Bitdefender GravityZone | User visited a dating website
Instant Messaging Website Detected by Bitdefender GravityZone | User visited an instant messaging website
File Sharing Website Detected by Bitdefender GravityZone | User visited a file sharing website
Narcotics Website Detected by Bitdefender GravityZone | User visited a narcotics website
Scam Website Detected by Bitdefender GravityZone | User visited a scam website
Entertainment Website Detected by Bitdefender GravityZone | User visited an entertainment website
Time-Wasting Website Detected by Bitdefender GravityZone | User visited a time-wasting website
Video Streaming Detected by Bitdefender GravityZone | User visited a video streaming website
Adult Website Detected by Bitdefender GravityZone | User visited an adult website
Ransomware Detected by Bitdefender GravityZone | Ransomware detected on a user’s device
Document Malware Detected by Bitdefender GravityZone | User downloaded a document that contains malware
Malware Detected by Bitdefender GravityZone | Malware detected on a user’s device
Malicious IP Address Login Detected by Bitdefender GravityZone | Login from a malicious IP address detected
Potentially Unwanted Application (PUA) Detected by Bitdefender GravityZone | PUA detected on a user’s device

Carbon Black

For a list of detection rules available for Carbon Black, see the table below:

Note: For more information about configuring this integration, see the Carbon Black Integration Guide for SecurityCoach.

Detection Rule Name | Description
Adware Detected by Carbon Black | Adware detected on a user’s device
Email Malware Detected by Carbon Black | Malware from an email detected on a user’s device
Internet Malware Detected by Carbon Black | Malware from the internet detected on a user’s device
Malware Detected by Carbon Black | Malware detected on a user’s device
Malware Detected on an Unknown Device by Carbon Black | Malware detected on an unknown device
Potentially Unwanted Program (PUP) Detected by Carbon Black | Potentially Unwanted Program (PUP) detected on a user’s device
Removable Media Detected by Carbon Black | Removable media usage detected on a user’s device

Cisco Secure Email

For a list of detection rules available for Cisco Secure Email, see the table below:

Note: For more information about configuring this integration, see the Cisco Secure Email Integration Guide for SecurityCoach.

Detection Rule Name | Description
Adware Detected by Cisco | Adware detected on a user's device
Emails to Competitors Detected | User sent an email to a competitor
Personal Identifiable Information (PII) Sent Externally by Email | Personal identifiable information (PII) sent externally by email
Confidential Documents Sent Externally by Email | Confidential documents sent externally by email
Encrypted or Password-Protected Files Sent by Email | Encrypted or password-protected files sent by email
Leaked Financial Documents Detected | Corporate financial documents sent externally by email
Leaked Design Documents Detected | Design documents sent by email
Graymail Detected | Graymail detected and blocked
Email Malware Detected by Cisco | Malware attachment detected in an email
Emails with Malicious URLs Detected | Email with a malicious URL detected
Spam Detected by Cisco | Spam email detected
Document Malware Detected | Malware detected in a document
Word Document Malware Detected | Malware detected in a Word document
PDF Document Malware Detected | Malware detected in a PDF document
Mobile Device Malware Detected | Malware detected on a mobile device
Android Mobile Device Malware Detected | Malware detected on an Android mobile device
Virus Detected | Virus detected in an email
Potentially Unwanted Application (PUA) Detected | PUA detected
Potentially Unwanted Program (PUP) Detected by Cisco | PUP detected

Cisco Umbrella

For a list of detection rules available for Cisco Umbrella, see the table below:

Note: For more information about configuring this integration, see the Cisco Umbrella Integration Guide for SecurityCoach. For more information about Cisco Umbrella’s categories, visit their website.

Detection Rule Name | Description
Adware Detected by Cisco Umbrella | Adware detected on a user's device
Command-and-Control Domain Detected | User's device connected to a domain that hackers use to control botnets
Request to a Trojan Domain Detected | User downloaded a file from the internet that contains a trojan
Request to an Android Malware Domain Detected | User downloaded a file from the internet that contains Android malware
Document Malware Detected by Cisco Umbrella | User downloaded a document that contains malware
Word Document Malware Detected by Cisco Umbrella | User downloaded a Word document that contains malware
PDF Document Malware Detected by Cisco Umbrella | User downloaded a PDF document that contains malware
Mobile Malware Detected by Cisco Umbrella | Malware detected on an Android mobile device
Cryptomining Domain Detected | User accessed a domain or IP address involved in cryptomining activities
Potentially Harmful Domain Detected | User visited a potentially harmful website
Adult and Pornography Domain Detected | User visited a prohibited website
Child Abuse Domain Detected | Illegal child abuse content detected
Dating Domain Detected | Domain related to dating services detected
Entertainment Domain Detected | Domain related to entertainment detected
Gambling Domain Detected | Domain related to gambling detected
Gaming Domain Detected | Domain related to gaming detected
Illegal Download Detected | Website that provides the ability to download software or other materials, serial numbers, key generators, or tools for bypassing software protection in violation of copyright agreements detected
Peer-to-Peer File Transfer Detected | Peer-to-peer file request website detected
Malware Domain Detected | User downloaded a file from the internet that contains malware
Phishing Domain Detected | User clicked a phishing link
Potentially Unwanted Application (PUA) Detected by Cisco Umbrella | PUA detected
Potentially Unwanted Program (PUP) Detected by Cisco Umbrella | PUP detected
Request to a Ransomware Domain Detected | User downloaded a file from the internet that contains ransomware

Cloudflare Area 1 Email Security

For a list of detection rules available for Cloudflare Area 1 Email Security, see the table below:

Note: For more information about configuring this integration, see the Cloudflare Area 1 Email Security Integration Guide for SecurityCoach.

Detection Rule Name | Description
Malware Detected by Cloudflare Area 1 Email Security | Malware detected in an email
Suspicious Email Detected by Cloudflare Area 1 Email Security | Suspicious email detected
Spoofed Email Detected by Cloudflare Area 1 Email Security | Spoofed email detected
Email with a Malicious URL Detected by Cloudflare Area 1 Email Security | Email with a malicious URL detected

Cloudflare Zero Trust

For a list of detection rules available for Cloudflare Zero Trust, see the table below:

Note: For more information about configuring this integration, see the Cloudflare Zero Trust Integration Guide for SecurityCoach.

Detection Rule Name | Description
Dating Website Detected by Cloudflare Zero Trust | User visited a dating website
Drug Website Detected by Cloudflare Zero Trust | User visited a drug website
Adult Website Detected by Cloudflare Zero Trust | User visited an adult website
Deceptive Website Detected by Cloudflare Zero Trust | User visited a website that spoofs clicks, impressions, or conversions for ads
Gaming Website Detected by Cloudflare Zero Trust | User visited a gaming website
Gambling Website Detected by Cloudflare Zero Trust | User visited a gambling website
Child Abuse Website Detected by Cloudflare Zero Trust | User visited a website with illegal child abuse content
Botnet Website Detected by Cloudflare Zero Trust | User visited a website known to be part of botnet or command-and-control activities
Cryptomining Website Detected by Cloudflare Zero Trust | User visited a website involved in cryptomining activities
Malicious Website Detected by Cloudflare Zero Trust | User visited a website hosting malicious content
Risky Website Detected by Cloudflare Zero Trust | User visited a website that may contain security risks
Phishing Website Detected by Cloudflare Zero Trust | User visited a website known for phishing
Malware Download Detected by Cloudflare Zero Trust | Malware download attempt detected on a user’s device

Code42

For a list of detection rules available for Code42, see the table below:

Note: For more information about configuring this integration, see the Code42 Integration Guide for SecurityCoach.

Detection Rule Name | Description
Removable Media Exfiltration Detected | Removable media usage detected
Cloud Sync Folder Exfiltration Detected | Files synced to a cloud storage application
File Extension Mismatch Exfiltration Detected | File extension does not match the file contents, and the files were shared
ZIP File Exfiltration Detected | ZIP file exfiltration detected
Source Code Email Exfiltration Detected | Source code of common programming languages was exfiltrated by email
Sales Report Exfiltration Detected | Internal sales report was exfiltrated from a user's device
Source Code File Exfiltration by Extension Detected | Source code files of common programming languages were exfiltrated
Microsoft Outlook Exfiltration Detected | Confidential or classified information shared using Outlook
Earnings Report Exfiltration Detected | Earnings report shared externally
Cloud Sharing Permissions Changed | Cloud sharing permissions for a protected or classified file were changed
Potential Flight Risk | Detection of activity on a user's device that indicates the user may be preparing to leave the organization
Password Exfiltration Detected | Detection of the exfiltration of a password from a user's device

CrowdStrike

For a list of detection rules available for CrowdStrike, see the table below:

Note: For more information about configuring this integration, see the CrowdStrike Integration Guide for SecurityCoach.

Detection Rule Name | Description
Adware Detected by CrowdStrike | Adware detected on a user's device
Full Disk Encryption Needed | Automated information collected through an advanced persistent threat (APT) attack detected
Remote Access Software Detected | Remote access software invoked suspiciously on a user's device
Exploitation of a Known Vulnerability Detected by CrowdStrike | Code or a malicious file exploiting a known vulnerability detected on a user's device
Exploitation of a Public-Facing Application Detected | File containing exploit code for a public-facing application detected
Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device
Malware Indicators of Attack (IOA) Detection | Malware file matching the IOA detected on a user's device
Malware Indicators of Compromise (IOC) Detection | Malware file matching the IOC detected on a user's device
Malware Detected on Endpoint by CrowdStrike | Malware detected with endpoint machine learning detection
Malicious Document Detected | Malware detected in a document
Malware Detected by CrowdStrike | Malware detected on a user's device
Password Theft Detected | Password stealing detected for a user's account
Unsecured Credentials Detected | Detection of the storage of credentials in the registry of Windows operating system (OS)
Operating System (OS) Credential Dumping | Detection of credential dumping from an operating system (OS) memory or cache
Credential Theft Detected by CrowdStrike | Credential dumping from browser memory or from Windows operating system (OS) detected
Spear-Phishing Attachment | Spear phishing email with an attachment detected
Phishing Detected by CrowdStrike | Phishing email detected
Potentially Unwanted Program (PUP) Detected by CrowdStrike | PUP detected on a user's device
Adware or Potentially Unwanted Program (PUP) Detected | Adware or PUP detected on the user's device
Data Backup and Encryption Suggested | Encryption activity by a ransomware program detected
Ransomware Detected by CrowdStrike | Ransomware detected on a user's device
Social Engineering Detected | Social engineering attack detected on a user's device

Cylance

For a list of detection rules available for Cylance, see the table below:

Note: For more information about configuring this integration, see the Cylance Integration Guide for SecurityCoach. For more information about Cylance’s events, visit their website.

Detection Rule Name | Description
High-Severity Malicious Activity Detected | High-severity malicious activity detected on a user's device
Memory Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device
Malware Detected by Cylance | Malware detected on a user's device
Malicious Script Detected | Malicious script execution blocked
Possible Potentially Unwanted Program (PUP) Detected | PUP detected on a user's device
Potentially Unwanted Program (PUP) Detected by Cylance | PUP detected on a user's device
Removable Media Detected by Cylance | Use of removable media blocked

FortiGate Cloud

For a list of detection rules available for FortiGate Cloud, see the table below:

Note: For more information about configuring this integration, see the FortiGate Cloud Integration Guide for SecurityCoach. For more information about FortiGate Cloud's events, visit their website.

Detection Rule Name | Description
Adware Detected by FortiGate Cloud | Adware detected on a user's device
Dating Website Detected by FortiGate Cloud | User visited a dating website
Clicked Phishing Link Detected by FortiGate Cloud | User clicked a phishing link
Peer-to-Peer File Sharing Website Detected by FortiGate Cloud | User visited a peer-to-peer file-sharing website
Spam Website Detected by FortiGate Cloud | User visited a spam website
Malware Download Detected by FortiGate Cloud | Malware download attempt detected on a user’s device
Malicious Websites Detected by FortiGate Cloud | User visited a malicious website
Document Malware Detected by FortiGate Cloud | User downloaded a document that contains malware
Drug Website Detected by FortiGate Cloud | User visited a drug website
Adult Website Detected by FortiGate Cloud | User visited an adult website
Potentially Harmful Website Detected by FortiGate Cloud | User visited a potentially harmful website
Malicious PDF File Download Detected by FortiGate Cloud | User downloaded a PDF file that contains malware
Gambling Website Detected by FortiGate Cloud | User visited an online gambling website

Gmail

For a list of detection rules available for Gmail, see the table below:

Note: For more information about configuring this integration, see the Google Integration Guide for SecurityCoach. For more information about Gmail’s events, visit their website.

Detection Rule Name | Description
External Email Forwarding Detected | Email rule set up by user to forward email outside of the organization’s domain
Spamming Simple Mail Transfer Protocol (SMTP) | Email rule set up by user to forward email outside of the organization's domain
Spamming Detected | Spamming detected from a user's Google account

Google Drive

For a list of detection rules available for Google Drive, see the table below:

Note: For more information about configuring this integration, see the Google Integration Guide for SecurityCoach. For more information about Google Drive’s events, visit their website.

Detection Rule Name | Description
External File Sharing Detected by Google Drive | File access to external account enabled by user

Google IAM

For a list of detection rules available for Google IAM, see the table below:

Note: For more information about configuring this integration, see the Google Integration Guide for SecurityCoach. For more information about Google IAM’s events, visit their website.

Detection Rule Name | Description
Government-Backed Attack | Malware or advanced persistent threat detected on a user's device
2-Step Verification Disabled | User disabled two-step verification
Leaked Password | Leaked password detected
Suspicious Login | Suspicious login activity detected
Account Hijacked | Account hijack detected
Login Failure | Multiple failed login attempts detected

KnowBe4 Security Awareness Training (KSAT)

For a list of detection rules available for KnowBe4 Security Awareness Training (KSAT), see the table below:

Note: For more information about configuring this integration, see the KnowBe4 Security Awareness Training (KSAT) Integration Guide for SecurityCoach.

Detection Rule Name | Description
Enabled Macros Detected by KnowBe4 | User enabled macros for attachments from a phishing email
QR Code Scan Detected by KnowBe4 | User scanned a QR code
Phishing Email Reply Detected by KnowBe4 | User replied to a phishing email
Opened Attachment Detected by KnowBe4 | User opened an attachment from a phishing email
Clicked Phishing Link Detected by KnowBe4 | User clicked on a phishing link
Data Entered Detected by KnowBe4 | User entered data on a website accessed via phishing email

KSAT callback phishing and PasswordIQ detection rules are also available for Diamond-level subscriptions:

Detection Rule Name | Description
Callback Phishing Detected by KnowBe4 | User contacted a callback phishing phone number
Callback Phishing Code Entry Detected by KnowBe4 | User contacted a callback phishing phone number and entered the callback code
Breached Password Detected by KnowBe4 PasswordIQ | User’s password was exposed in a data breach
Weak Password Detected by KnowBe4 PasswordIQ | User’s password matches a password from KnowBe4’s weak passwords dictionary
Shared Password Detected by KnowBe4 PasswordIQ | User’s password matches another user’s password

Malwarebytes

For a list of detection rules available for Malwarebytes, see the table below:

Note: For more information about configuring this integration, see the Malwarebytes Integration Guide for SecurityCoach.

Detection Rule Name | Description
Adware Detected by Malwarebytes | Adware detected on a user's device
Machine Learning-Based Malware Detection | Malware detected on a user's device
Trojan Detected | Trojan detected on a user's device
Malware Detected by Malwarebytes | Malware detected on a user's device
Risky Website Detected by Malwarebytes | User visited a malicious website
Potentially Unwanted Program (PUP) Detected by Malwarebytes | PUP detected on a user's device
Ransomware Detected by Malwarebytes | Ransomware detected on a user's device
Spyware Detected | Spyware detected on a user's device

Microsoft 365

For a list of detection rules available for Microsoft 365, see the table below:

Note: For more information about configuring this integration, see the Microsoft 365 and Microsoft Cloud Access Security (MCAS) Integration Guide for SecurityCoach. For more information about Microsoft 365’s alert policies, visit their website.

Detection Rule Name | Description
Unusual Amount of File Deletions Detected by Microsoft Office 365 | Unusual volume of files deleted
External File Sharing Detected by Microsoft Office 365 | File shared externally
Unusual External User File Activity Detected by Microsoft Office 365 | Potential data leakage or data breach detected
Creation of Email Forwarding or Redirect Rule | User created an email forwarding rule to forward emails outside of your organization's domain
Suspicious Email Sending Patterns Detected | Suspicious email sending pattern detected
Suspicious Email Forwarding Activity | Suspicious email forwarding activity detected
Elevation of Microsoft Exchange Admin Privileges in Microsoft Office 365 | User access privileges for Microsoft Exchange were elevated
Email Message Containing Malicious Item Not Removed After Delivery | Email message containing a malicious item was not removed after delivery
User Clicking a Potentially Malicious URL Detected | User clicked through to a potentially malicious URL
Email Message Containing a Malicious File Removed from Inbox after Delivery | Email message containing a malicious file was removed after delivery
Email Message Containing a Malicious URL Removed after Delivery | An email containing a malicious URL was removed from an inbox
Escalation of Exchange Admin Privilege Detected | An escalation of Exchange admin privilege detected
Email Message from a Campaign Removed from Inbox after Delivery | An email message from an email campaign was removed from the user's inbox after delivery
Phishing Message Delivered Due to an IP Allow Policy Detected by Microsoft Office 365 | Microsoft detected an IP allow policy that allowed a high-confidence phishing email to be delivered
Phishing Message Delivered Due to an ETR Override | Microsoft detected an Exchange Transport Rule (ETR) that allowed the delivery of a high-confidence phishing email to an inbox
Form Flagged and Confirmed as Phishing by Microsoft Office 365 | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft
Form Blocked by Microsoft Office 365 Due to a Potential Phishing Attempt | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft
Malicious URL Clicks Detected | User clicked a malicious URL in an email
Phishing Link Detected | Email messages containing phish URLs removed after delivery
HIPAA Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Health Insurance Portability and Accountability Act (HIPAA) data leaked or shared through Microsoft Office 365
GDPR Data Leak Detected by Microsoft Data Loss Prevention (DLP) | General Data Protection Regulation (GDPR) data leaked or shared through Microsoft Office 365
PII Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Personally identifiable information (PII) leaked or shared through Microsoft Office 365
PCI DSS Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Payment Card Industry Data Security Standard (PCI DSS) data leaked or shared through Microsoft Office 365
Financial Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Financial data leaked or shared through Microsoft Office 365
Phish Not Zapped Because ZAP Is Disabled | Phish not zapped because zero-hour auto purge (ZAP) is disabled

Microsoft Cloud Access Security (MCAS)

For a list of detection rules available for MCAS, see the table below:

Note: For more information about configuring this integration, see the Microsoft 365 and Microsoft Cloud Access Security (MCAS) Integration Guide for SecurityCoach.

Detection Rule Name | Description
Unusual Amount of File Deletions Detected by Microsoft Cloud App Security | Unusual volume of files deleted
Unusual File Deletion by a User Detected | Unusual file deletion by a user
External File Sharing Detected by Microsoft Cloud App Security | File shared externally
Unusual File Sharing by a User Detected | Unusual file share activity by a user
Unusual External User File Activity Detected by Microsoft Cloud App Security | Potential data leakage or data breach activity
Unusual File Download by a User Detected | User downloaded an unusual file
Mass Access to Sensitive File Detected | Mass access to sensitive files detected
Elevation of Microsoft Exchange Admin Privileges in Microsoft Cloud App Security | User access privileges for Microsoft Exchange were elevated
Malware Detected by Microsoft Cloud App Security | Malware detected on a user's device
Peer-to-Peer Applications Detected | Activity from a Tor-based IP address detected
Risky Login Detected | Risky login detected
Suspicious Inbox Forwarding Detected | Suspicious email forwarding detected
Activity from a Suspicious IP Address Detected | Activity from a suspicious IP address detected
Unusual Administrative Activity by a User Detected | Unusual administrative activity by a user detected
Credential Theft Detected by Microsoft Cloud App Security | Multiple failed or suspicious login attempts detected
Credentials Leak Detected by Microsoft | Leaked credentials detected
Multiple Failed Login Attempts Detected | Multiple failed login attempts detected
Password Spraying Attack Detected | Password spraying attack detected
Form Blocked by Microsoft Cloud App Security Due to a Potential Phishing Attempt | User clicked a phishing link, and the webpage or web form was blocked by Microsoft
Form Flagged and Confirmed as Phishing by Microsoft Cloud App Security | User clicked a phishing link, and the webpage or web form was blocked by Microsoft
Phishing Attempt Delivered Due to an IP Allow Policy Detected by Microsoft Cloud App Security | Microsoft detected an IP allow policy that allowed a high-confidence phishing message to be delivered
Ransomware Activity Detected by Microsoft | Ransomware activity detected

Microsoft Entra ID Protection

For a list of detection rules available for Microsoft Entra ID Protection (formerly Microsoft Azure Active Directory Identity Protection), see the table below:

Note: For more information about configuring this integration, see the Microsoft Entra ID Protection Integration Guide for SecurityCoach. For more information about Microsoft Entra ID Protection events, visit their website.

Detection Rule Name | Description
Login from an Unexpected Location Detected | Logins from a distant location detected
Login from a Malicious IP Address Detected | Sign-in from a malicious IP address detected
Unexpected User Behavior Detected | The post-authentication behavior of users was assessed for anomalies
Risky Activity Detected Using Microsoft's Threat Intelligence Tools | Risky activity detected using Microsoft's threat intelligence tools
User Credentials Leaked | The user's credentials were leaked

Microsoft Defender for Endpoint

For a list of detection rules available for Microsoft Defender for Endpoint, see the table below:

Note: For more information about configuring this integration, see the Microsoft Defender for Endpoint Integration Guide for SecurityCoach.

Detection Rule Name | Description
Collection of Information by APT Detected | Automated collection of sensitive information by an advanced persistent threat (APT) detected on a user's device
Command and Control Activity Detected | Microsoft ATP detected command-and-control activity on a user's device
Credential Access | An advanced persistent threat (APT) attack accessed login credentials
Malware or ATP Execution Detected | Execution of an advanced persistent threat (APT) or malware on a user's device
Exploit Code Detected | Exploit code detected on a user's device
Initial Access | Hacker gaining initial access through phishing, social engineering, malware, or exploitation detected
Data Exfiltration Detected | Data exfiltration detected by Microsoft Defender ATP
Suspicious Activity Detected | Suspicious activity detected on a user's device
Malware Detected by Microsoft Defender ATP | Malware detected on a user's device
Ransomware Detected by Microsoft Defender ATP | Ransomware detected on a user's device

Mimecast

For a list of detection rules available for Mimecast, see the table below:

Note: For more information about configuring this integration, see the Mimecast Integration Guide for SecurityCoach. For more information about Mimecast's application and web categories, visit their website.

Detection Rule Name | Description
Email Malware Detected by Mimecast | Malware detected in an email
Virus Detected by Mimecast | Virus detected in an email
Spam Email Detected by Mimecast | Spam email detected

NetSkope

For a list of detection rules available for NetSkope, see the table below:

Note: For more information about configuring this integration, see the NetSkope Integration Guide for SecurityCoach. For more information about Netskope’s application and web categories, visit their website.

Detection Rule Name | Description
Transfer of Password-Protected Files Detected | Password-protected file uploaded to an external cloud drive or website detected
Suspicious Data Upload Detected | Data or files uploaded to an IP address within a country prohibited by organization policy detected
Unmanaged Device Detected | Unmanaged drive connected to the organization's network
Dating Website Detected | User visited a prohibited website
Sharing of Personal Financial Information Detected | Personal financial information shared
Sharing of Personal Identity Information Detected | PII shared on a webpage or through email detected
Microsoft Word Document Download Detected | Downloaded Word document from Webmail detected on a user's device
Microsoft Excel Document Download Detected | Downloaded Excel file from Webmail detected on a user's device
Gambling Website Detected by Netskope | User visited a prohibited website
Substance Abuse Website Detected | User visited a prohibited website
Shareware or Freeware Detected | User visited a prohibited website
Prohibited Website Detected | User visited a prohibited website
Inappropriate Web Surfing Detected | User visited a prohibited website
Cryptocurrency Mining Detected | User visited a prohibited website
Cloud Backup or Cloud Storage | User visited a prohibited website
Peer-to-Peer Applications or Websites Detected | User visited a prohibited website
Pirated Website Detected | User visited a prohibited website
Adult Website Detected by Netskope Web Security | User visited a prohibited website
Risky Website Detected by Netskope Web Security | User visited a prohibited or risky website blocked by Netskope
Third-Party Virtual Private Network (VPN) Detected | Use of a third-party VPN detected
Password Breach Detected | Compromised account detected. This includes accounts with passwords that have been leaked, stolen, or exfiltrated based on a confirmed breach event in the last 120 days

Okta

For a list of detection rules available for Okta, see the table below:

Note: For more information about configuring this integration, see the Okta Integration Guide for SecurityCoach. For more information about Okta’s events, visit their website.

Detection Rule Name | Description
Threat Detected | Request from an IP address identified as malicious
Suspicious Account Activity Detected | Suspicious activity detected on a user's device
Request Rate Limit Reached | Login attempt limit reached
Invalid Credentials | Multiple failed login attempts detected

Palo Alto Next-Generation Firewall (NGFW)

For a list of detection rules available for Palo Alto Next-Generation Firewall (NGFW), see the table below:

Note: For more information about configuring this integration, see our Palo Alto Next-Generation Firewall (NGFW) Integration Guide for SecurityCoach. For more information about Palo Alto NGFW categories, see their website articles: URL Categories and Threat Signature Categories.

Detection Rule Name | Description
Adult Website Detected by Palo Alto NGFW | User visited a website associated with adult content
Dating Website Detected by Palo Alto NGFW | User visited a website associated with dating
Drugs Website Detected by Palo Alto NGFW | User visited a website associated with drug abuse
Gambling Website Detected by Palo Alto NGFW | User visited a website associated with gambling
Gaming Website Detected by Palo Alto NGFW | User visited a website associated with gaming
Hacking Website Detected by Palo Alto NGFW | User visited a website associated with hacking
Malware Detected by Palo Alto NGFW | Malware detected on a user’s device
Phishing Website Detected by Palo Alto NGFW | User visited a website associated with phishing
Ransomware Detected by Palo Alto NGFW | Ransomware detected on a user’s device
Spyware Detected by Palo Alto NGFW | Spyware detected on a user's device
Virus Detected by Palo Alto NGFW | Virus detected on a user’s device
Vulnerability Detected by Palo Alto NGFW | Vulnerability detected on a user’s device

Proofpoint

For a list of detection rules available for Proofpoint, see the table below:

Note: For more information about configuring this integration, see the Proofpoint Integration Guide for SecurityCoach.
Detection Rule Name Description
Imposter Threat Detected Detection of a user impersonation email threat, such as a lookalike email address or user
Malware Detected in Email Attachment Malware detected in an email sent to a user
Spam Detected by Proofpoint Spam email detected in a user's inbox
Malicious URL In Email Detected by Proofpoint Unsafe URL detected in an email sent to a user
Unsafe Attachments in Email Detected by Proofpoint Malicious attachment detected in a user's inbox
Unsafe URL in Email Detected by Proofpoint Unsafe URL detected in a user's inbox
Suspicious URL Click Blocked in Email by Proofpoint Suspicious URL click detected in a user’s email
Spam Containing Unsafe Attachment Detected by Proofpoint Phishing email delivered to a user's inbox

SentinelOne

For a list of detection rules available for SentinelOne, see the table below:

Note: For more information about configuring this integration, see the SentinelOne Integration Guide for SecurityCoach.
Detection Rule Name Description
Cryptomining Detected by SentinelOne Cryptomining malware detected on a user's device
Malware Detected by SentinelOne Malware detected on a user's device
Malicious Microsoft Office or PDF Document Detected by SentinelOne Malicious Office or PDF document detected on a user's device
Ransomware Detected by SentinelOne Ransomware detected on a user's device

SonicWall Capture Client

For a list of detection rules available for SonicWall Capture Client, see the table below:

Note: For more information about configuring this integration, see the SonicWall Capture Client Integration Guide for SecurityCoach. For more information about SonicWall’s events, visit their website.
Detection Rule Name Description
Entertainment Website Detected by SonicWall User visited an online entertainment website
External Software Download Detected by SonicWall User downloaded software from an external website
Pay-to-Surf Website Detected by SonicWall User visited or interacted with a pay-to-surf website
Gaming Website Detected by SonicWall User visited an online gaming website
Alternate Communication Channels Detected by SonicWall User used alternate communication channels, such as chat or instant messaging
Website Prohibited by Organization Policy Detected by SonicWall User visited a website prohibited by organization policy
Hacking Website Detected by SonicWall User attempted to bypass a proxy or visited a website associated with hacking
Gambling Website Detected by SonicWall User visited an online gambling website
Prohibited Websites Detected by SonicWall User visited a prohibited website
Drug and Addiction Websites Detected by SonicWall User visited a website related to drugs and addiction
Adult Websites Detected by SonicWall User visited an adult website
Cryptomining Detected by SonicWall Cryptomining malware detected on a user's device
Malware Detected by SonicWall Malware detected on a user's device
Malicious Microsoft Office or PDF Document Found by SonicWall Malicious Office or PDF document detected on a user's device
Ransomware Detected by SonicWall Ransomware detected on a user's device

Sophos

For a list of detection rules available for Sophos, see the table below:

Note: For more information about configuring this integration, see the Sophos Integration Guide for SecurityCoach. For more information about Sophos’ events, visit their website.
Detection Rule Name Description
Unauthorized or Malicious Application Detected Unauthorized or malicious application detected
Compromised Endpoint Detected Command-and-control activity that could be part of an APT attack detected on a user's device
Exploitation of a Known Vulnerability Detected by Sophos Code or a malicious file exploiting a known vulnerability detected on a user's device
Malware Detected by Sophos Malware detected on a user's device
Non-compliant Device Detected Non-compliant device connected to the organization's network
Risky Website Detected by Sophos User visited a prohibited or risky website blocked by security software
Credential Theft Detected by Sophos User credential theft detected
Potentially Unwanted Program (PUP) Detected by Sophos PUP detected on a user's device
Ransomware Detected by Sophos Ransomware detected on a user's device
Removable Media Detected by Sophos Removable media usage detected on a user's device

Zscaler

For a list of detection rules available for Zscaler, see the table below:

Note: For more information about configuring this integration, see the Zscaler Integration Guide for SecurityCoach. For more information about Zscaler’s alerts, visit their website.
Detection Rule Name Description
Adware or Spyware Detected Adware or spyware detected on a user's device
Organization Sensitive Data Shared User shared or uploaded a file marked as classified by the organization
Personal Financial Data Shared User shared personal financial data online
Personal Sensitive Data Shared User shared personal sensitive data online
Cryptomining Detected by Zscaler Cryptomining malware detected on a user's device
Alcohol or Tobacco-Related Websites Detected User visited a website advertising, selling, or promoting the use of alcohol or tobacco
Shareware Download Detected Shareware download detected
Television or Movies Detected User visited a television or movie website
Video Streaming Detected User visited a streaming website
Gaming Website Detected by Zscaler User visited an online gaming website
Copyright Infringement Detected User visited a website that hosts copyright infringement materials
Peer-to-Peer Site Detected Peer-to-peer network connection and activity detected
Adult Website Detected by Zscaler User visited a website with adult content
Risky or Malicious Website Detected User visited a risky or malicious website
Unsafe Attachments Malicious attachment detected in a user's inbox
Phishing Detected by Zscaler Phishing email or webpage detected
