For each security vendor that can be integrated with SecurityCoach, we offer system detection rules based on the vendors’ default policies.
Bitdefender GravityZone
For a list of detection rules available for Bitdefender GravityZone, see the table below:
Detection Rule Name | Description |
Phishing Detected by Bitdefender GravityZone | Phishing email detected |
Fraud Detected by Bitdefender GravityZone | User visited a website hosted for fraud |
Threat Detected by Bitdefender GravityZone | Threat detected by Bitdefender Advanced Threat Control |
Data Loss Prevention (DLP) Policy Violation Detected by Bitdefender GravityZone | DLP policy violation detected |
Sensitive Data Sharing Detected by Bitdefender GravityZone | Sensitive organizational information sharing detected |
Gaming Website Detected by Bitdefender GravityZone | User visited a gaming website |
Gambling Website Detected by Bitdefender GravityZone | User visited a gambling website |
Drug Website Detected by Bitdefender GravityZone | User visited a drug website |
Illegal Website Detected by Bitdefender GravityZone | User visited an illegal website |
Shopping Website Detected by Bitdefender GravityZone | User visited a shopping website |
Social Network Website Detected by Bitdefender GravityZone | User visited a social network website |
Dating Website Detected by Bitdefender GravityZone | User visited a dating website |
Instant Messaging Website Detected by Bitdefender GravityZone | User visited an instant messaging website |
File Sharing Website Detected by Bitdefender GravityZone | User visited a file sharing website |
Narcotics Website Detected by Bitdefender GravityZone | User visited a narcotics website |
Scam Website Detected by Bitdefender GravityZone | User visited a scam website |
Entertainment Website Detected by Bitdefender GravityZone | User visited an entertainment website |
Time-Wasting Website Detected by Bitdefender GravityZone | User visited a time-wasting website |
Video Streaming Detected by Bitdefender GravityZone | User visited a video streaming website |
Adult Website Detected by Bitdefender GravityZone | User visited an adult website |
Ransomware Detected by Bitdefender GravityZone | Ransomware detected on a user’s device |
Document Malware Detected by Bitdefender GravityZone | User downloaded a document that contains malware |
Malware Detected by Bitdefender GravityZone | Malware detected on a user’s device |
Malicious IP Address Login Detected by Bitdefender GravityZone | Login from a malicious IP address detected |
Potentially Unwanted Application (PUA) Detected by Bitdefender GravityZone | PUA detected on a user’s device |
Carbon Black
For a list of detection rules available for Carbon Black, see the table below:
Detection Rule Name | Description |
Adware Detected by Carbon Black | Adware detected on a user’s device |
Email Malware Detected by Carbon Black | Malware from an email detected on a user’s device |
Internet Malware Detected by Carbon Black | Malware from the internet detected on a user’s device |
Malware Detected by Carbon Black | Malware detected on a user’s device |
Malware Detected on an Unknown Device by Carbon Black | Malware detected on an unknown device |
Potentially Unwanted Program (PUP) Detected by Carbon Black | Potentially Unwanted Program (PUP) detected on a user’s device |
Removable Media Detected by Carbon Black | Removable media usage detected on a user’s device |
Cisco Secure Email
For a list of detection rules available for Cisco Secure Email, see the table below:
Detection Rule Name | Description |
Adware Detected by Cisco | Adware detected on a user's device |
Emails to Competitors Detected | User sent an email to a competitor |
Personal Identifiable Information (PII) Sent Externally by Email | Personal identifiable information (PII) sent externally by email |
Confidential Documents Sent Externally by Email | Confidential documents sent externally by email |
Encrypted or Password-Protected Files Sent by Email | Encrypted or password-protected files sent by email |
Leaked Financial Documents Detected | Corporate financial documents sent externally by email |
Leaked Design Documents Detected | Design documents sent by email |
Graymail Detected | Graymail detected and blocked |
Email Malware Detected by Cisco | Malware attachment detected in an email |
Emails with Malicious URLs Detected | Email with a malicious URL detected |
Spam Detected by Cisco | Spam email detected |
Document Malware Detected | Malware detected in a document |
Word Document Malware Detected | Malware detected in a Word document |
PDF Document Malware Detected | Malware detected in a PDF document |
Mobile Device Malware Detected | Malware detected on a mobile device |
Android Mobile Device Malware Detected | Malware detected on an Android mobile device |
Virus Detected | Virus detected in an email |
Potentially Unwanted Application (PUA) Detected | PUA detected |
Potentially Unwanted Program (PUP) Detected by Cisco | PUP detected |
Cisco Umbrella
For a list of detection rules available for Cisco Umbrella, see the table below:
Detection Rule Name | Description |
Adware Detected by Cisco Umbrella | Adware detected on a user's device |
Command-and-Control Domain Detected | User's device connected to a domain that hackers use to control botnets |
Request to a Trojan Domain Detected | User downloaded a file from the internet that contains a trojan |
Request to an Android Malware Domain Detected | User downloaded a file from the internet that contains Android malware |
Document Malware Detected by Cisco Umbrella | User downloaded a document that contains malware |
Word Document Malware Detected by Cisco Umbrella | User downloaded a Word document that contains malware |
PDF Document Malware Detected by Cisco Umbrella | User downloaded a PDF document that contains malware |
Mobile Malware Detected by Cisco Umbrella | Malware detected on an Android mobile device |
Cryptomining Domain Detected | User accessed a domain or IP address involved in cryptomining activities |
Potentially Harmful Domain Detected | User visited a potentially harmful website |
Adult and Pornography Domain Detected | User visited a prohibited website |
Child Abuse Domain Detected | Illegal child abuse content detected |
Dating Domain Detected | Domain related to dating services detected |
Entertainment Domain Detected | Domain related to entertainment detected |
Gambling Domain Detected | Domain related to gambling detected |
Gaming Domain Detected | Domain related to gaming detected |
Illegal Download Detected | Website detected that provides downloads of software or other materials, serial numbers, key generators, or tools for bypassing software protection in violation of copyright agreements |
Peer-to-Peer File Transfer Detected | Peer-to-peer file request website detected |
Malware Domain Detected | User downloaded a file from the internet that contains malware |
Phishing Domain Detected | User clicked a phishing link |
Potentially Unwanted Application (PUA) Detected by Cisco Umbrella | PUA detected |
Potentially Unwanted Program (PUP) Detected by Cisco Umbrella | PUP detected |
Request to a Ransomware Domain Detected | User downloaded a file from the internet that contains ransomware |
Cloudflare Area 1 Email Security
For a list of detection rules available for Cloudflare Area 1 Email Security, see the table below:
Detection Rule Name | Description |
Malware Detected by Cloudflare Area 1 Email Security | Malware detected in an email |
Suspicious Email Detected by Cloudflare Area 1 Email Security | Suspicious email detected |
Spoofed Email Detected by Cloudflare Area 1 Email Security | Spoofed email detected |
Email with a Malicious URL Detected by Cloudflare Area 1 Email Security | Email with a malicious URL detected |
Cloudflare Zero Trust
For a list of detection rules available for Cloudflare Zero Trust, see the table below:
Detection Rule Name | Description |
Dating Website Detected by Cloudflare Zero Trust | User visited a dating website |
Drug Website Detected by Cloudflare Zero Trust | User visited a drug website |
Adult Website Detected by Cloudflare Zero Trust | User visited an adult website |
Deceptive Website Detected by Cloudflare Zero Trust | User visited a website that spoofs clicks, impressions, or conversions for ads |
Gaming Website Detected by Cloudflare Zero Trust | User visited a gaming website |
Gambling Website Detected by Cloudflare Zero Trust | User visited a gambling website |
Child Abuse Website Detected by Cloudflare Zero Trust | User visited a website with illegal child abuse content |
Botnet Website Detected by Cloudflare Zero Trust | User visited a website known to be part of a botnet or command-and-control activity |
Cryptomining Website Detected by Cloudflare Zero Trust | User visited a website involved in cryptomining activities |
Malicious Website Detected by Cloudflare Zero Trust | User visited a website hosting malicious content |
Risky Website Detected by Cloudflare Zero Trust | User visited a website that may contain security risks |
Phishing Website Detected by Cloudflare Zero Trust | User visited a website known for phishing |
Malware Download Detected by Cloudflare Zero Trust | Malware download attempt detected on a user’s device |
Code42
For a list of detection rules available for Code42, see the table below:
Detection Rule Name | Description |
Removable Media Exfiltration Detected | Removable media usage detected |
Cloud Sync Folder Exfiltration Detected | Files synced to a cloud storage application |
File Extension Mismatch Exfiltration Detected | File extension does not match the file contents, and the files were shared |
ZIP File Exfiltration Detected | ZIP file exfiltration detected |
Source Code Email Exfiltration Detected | Source code of common programming languages was exfiltrated by email |
Sales Report Exfiltration Detected | Internal sales report was exfiltrated from a user's device |
Source Code File Exfiltration by Extension Detected | Source code files of common programming languages were exfiltrated |
Microsoft Outlook Exfiltration Detected | Confidential or classified information shared using Outlook |
Earnings Report Exfiltration Detected | Earnings report shared externally |
Cloud Sharing Permissions Changed | Cloud sharing permissions for a protected or classified file changed |
Potential Flight Risk | Detection of activity on a user's device that indicates the user may be preparing to leave the organization |
Password Exfiltration Detected | Detection of the exfiltration of a password from a user's device |
CrowdStrike
For a list of detection rules available for CrowdStrike, see the table below:
Detection Rule Name | Description |
Adware Detected by CrowdStrike | Adware detected on a user's device |
Full Disk Encryption Needed | Automated information collected through an advanced persistent threat (APT) attack detected |
Remote Access Software Detected | Remote access software invoked suspiciously on a user's device |
Exploitation of a Known Vulnerability Detected by CrowdStrike | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Exploitation of a Public-Facing Application Detected | File containing exploit code for a public-facing application detected |
Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Malware Indicators of Attack (IOA) Detection | Malware file matching the IOA detected on a user's device |
Malware Indicators of Compromise (IOC) Detection | Malware file matching the IOC detected on a user's device |
Malware Detected on Endpoint by CrowdStrike | Malware detected with endpoint machine learning detection |
Malicious Document Detected | Malware detected in a document |
Malware Detected by CrowdStrike | Malware detected on a user's device |
Password Theft Detected | Password stealing detected for a user's account |
Unsecured Credentials Detected | Credentials stored in the Windows operating system (OS) registry detected |
Operating System (OS) Credential Dumping | Credential dumping from operating system (OS) memory or cache detected |
Credential Theft Detected by CrowdStrike | Credential dumping from browser memory or from Windows operating system (OS) detected |
Spear-Phishing Attachment | Spear phishing email with an attachment detected |
Phishing Detected by CrowdStrike | Phishing email detected |
Potentially Unwanted Program (PUP) Detected by CrowdStrike | PUP detected on a user's device |
Adware or Potentially Unwanted Program (PUP) Detected | Adware or PUP detected on the user's device |
Data Backup and Encryption Suggested | Encryption activity by a ransomware program detected |
Ransomware Detected by CrowdStrike | Ransomware detected on a user's device |
Social Engineering Detected | Social engineering attack detected on a user's device |
Cylance
For a list of detection rules available for Cylance, see the table below:
Detection Rule Name | Description |
High-Severity Malicious Activity Detected | High-severity malicious activity detected on a user's device |
Memory Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Malware Detected by Cylance | Malware detected on a user's device |
Malicious Script Detected | Malicious script execution blocked |
Possible Potentially Unwanted Program (PUP) Detected | PUP detected on a user's device |
Potentially Unwanted Program (PUP) Detected by Cylance | PUP detected on a user's device |
Removable Media Detected by Cylance | Use of removable media blocked |
FortiGate Cloud
For a list of detection rules available for FortiGate Cloud, see the table below:
Detection Rule Name | Description |
Adware Detected by FortiGate Cloud | Adware detected on a user's device |
Dating Website Detected by FortiGate Cloud | User visited a dating website |
Clicked Phishing Link Detected by FortiGate Cloud | User clicked a phishing link |
Peer-to-Peer File Sharing Website Detected by FortiGate Cloud | User visited a peer-to-peer file-sharing website |
Spam Website Detected by FortiGate Cloud | User visited a spam website |
Malware Download Detected by FortiGate Cloud | Malware download attempt detected on a user’s device |
Malicious Websites Detected by FortiGate Cloud | User visited a malicious website |
Document Malware Detected by FortiGate Cloud | User downloaded a document that contains malware |
Drug Website Detected by FortiGate Cloud | User visited a drug website |
Adult Website Detected by FortiGate Cloud | User visited an adult website |
Potentially Harmful Website Detected by FortiGate Cloud | User visited a potentially harmful website |
Malicious PDF File Download Detected by FortiGate Cloud | User downloaded a PDF file that contains malware |
Gambling Website Detected by FortiGate Cloud | User visited an online gambling website |
Gmail
For a list of detection rules available for Gmail, see the table below:
Detection Rule Name | Description |
External Email Forwarding Detected | Email rule set up by user to forward email outside of the organization’s domain |
Spamming Simple Mail Transfer Protocol (SMTP) | Email rule set up by user to forward email outside of the organization's domain |
Spamming Detected | Spamming detected from a user's Google account |
Google Drive
For a list of detection rules available for Google Drive, see the table below:
Detection Rule Name | Description |
External File Sharing Detected by Google Drive | File access to external account enabled by user |
Google IAM
For a list of detection rules available for Google IAM, see the table below:
Detection Rule Name | Description |
Government-Backed Attack | Malware or advanced persistent threat detected on a user's device |
2-Step Verification Disabled | User disabled two-step verification |
Leaked Password | Leaked password detected |
Suspicious Login | Suspicious login activity detected |
Account Hijacked | Account hijack detected |
Login Failure | Multiple failed login attempts detected |
KnowBe4 Security Awareness Training (KSAT)
For a list of detection rules available for KnowBe4 Security Awareness Training (KSAT), see the table below:
Detection Rule Name | Description |
Enabled Macros Detected by KnowBe4 | User enabled macros for attachments from a phishing email |
QR Code Scan Detected by KnowBe4 | User scanned a QR code |
Phishing Email Reply Detected by KnowBe4 | User replied to a phishing email |
Opened Attachment Detected by KnowBe4 | User opened an attachment from a phishing email |
Clicked Phishing Link Detected by KnowBe4 | User clicked on a phishing link |
Data Entered Detected by KnowBe4 | User entered data on a website accessed via a phishing email |
KSAT callback phishing and PasswordIQ detection rules are also available for Diamond-level subscriptions:
Detection Rule Name | Description |
Callback Phishing Detected by KnowBe4 | User contacted a callback phishing phone number |
Callback Phishing Code Entry Detected by KnowBe4 | User contacted a callback phishing phone number and entered the callback code |
Breached Password Detected by KnowBe4 PasswordIQ | User’s password was exposed in a data breach |
Weak Password Detected by KnowBe4 PasswordIQ | User’s password matches a password from KnowBe4’s weak passwords dictionary |
Shared Password Detected by KnowBe4 PasswordIQ | User’s password matches another user’s password |
Malwarebytes
For a list of detection rules available for Malwarebytes, see the table below:
Detection Rule Name | Description |
Adware Detected by Malwarebytes | Adware detected on a user's device |
Machine Learning-Based Malware Detection | Malware detected on a user's device |
Trojan Detected | Trojan detected on a user's device |
Malware Detected by Malwarebytes | Malware detected on a user's device |
Risky Website Detected by Malwarebytes | User visited a malicious website |
Potentially Unwanted Program (PUP) Detected by Malwarebytes | PUP detected on a user's device |
Ransomware Detected by Malwarebytes | Ransomware detected on a user's device |
Spyware Detected | Spyware detected on a user's device |
Microsoft 365
For a list of detection rules available for Microsoft 365, see the table below:
Detection Rule Name | Description |
Unusual Amount of File Deletions Detected by Microsoft Office 365 | Unusual volume of files deleted |
External File Sharing Detected by Microsoft Office 365 | File shared externally |
Unusual External User File Activity Detected by Microsoft Office 365 | Potential data leakage or data breach detected |
Creation of Email Forwarding or Redirect Rule | User created an email forwarding rule to forward emails outside of your organization's domain |
Suspicious Email Sending Patterns Detected | Suspicious email sending pattern detected |
Suspicious Email Forwarding Activity | Suspicious email forwarding activity detected |
Elevation of Microsoft Exchange Admin Privileges in Microsoft Office 365 | User access privileges for Microsoft Exchange were elevated |
Email Message Containing Malicious Item Not Removed After Delivery | Email message containing a malicious item was not removed after delivery |
User Clicking a Potentially Malicious URL Detected | User clicked through to a potentially malicious URL |
Email Message Containing a Malicious File Removed from Inbox after Delivery | Email message containing a malicious file was removed after delivery |
Email Message Containing a Malicious URL Removed after Delivery | An email containing a malicious URL was removed from an inbox |
Escalation of Exchange Admin Privilege Detected | An escalation of Exchange admin privilege detected |
Email Message from a Campaign Removed from Inbox after Delivery | An email message from an email campaign was removed from the user's inbox after delivery |
Phishing Message Delivered Due to an IP Allow Policy Detected by Microsoft Office 365 | Microsoft detected an IP allow policy that allowed a high-confidence phishing email to be delivered |
Phishing Message Delivered Due to an ETR Override | Microsoft detected an Exchange Transport Rule (ETR) that allowed the delivery of a high-confidence phishing email to an inbox |
Form Flagged and Confirmed as Phishing by Microsoft Office 365 | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft |
Form Blocked by Microsoft Office 365 Due to a Potential Phishing Attempt | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft |
Malicious URL Clicks Detected | User clicked a malicious URL in an email |
Phishing Link Detected | Email messages containing phishing URLs removed after delivery |
HIPAA Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Health Insurance Portability and Accountability Act (HIPAA) data leaked or shared through Microsoft Office 365 |
GDPR Data Leak Detected by Microsoft Data Loss Prevention (DLP) | General Data Protection Regulation (GDPR) data leaked or shared through Microsoft Office 365 |
PII Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Personally identifiable information (PII) leaked or shared through Microsoft Office 365 |
PCI DSS Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Payment Card Industry Data Security Standard (PCI DSS) data leaked or shared through Microsoft Office 365 |
Financial Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Financial data leaked or shared through Microsoft Office 365 |
Phish Not Zapped Because ZAP Is Disabled | Phish not zapped because zero-hour auto purge (ZAP) is disabled |
Microsoft Cloud Access Security (MCAS)
For a list of detection rules available for MCAS, see the table below:
Detection Rule Name | Description |
Unusual Amount of File Deletions Detected by Microsoft Cloud App Security | Unusual volume of files deleted |
Unusual File Deletion by a User Detected | Unusual file deletion by a user |
External File Sharing Detected by Microsoft Cloud App Security | File shared externally |
Unusual File Sharing by a User Detected | Unusual file share activity by a user |
Unusual External User File Activity Detected by Microsoft Cloud App Security | Potential data leakage or data breach activity |
Unusual File Download by a User Detected | User downloaded an unusual file |
Mass Access to Sensitive File Detected | Mass access to sensitive files detected |
Elevation of Microsoft Exchange Admin Privileges in Microsoft Cloud App Security | User access privileges for Microsoft Exchange were elevated |
Malware Detected by Microsoft Cloud App Security | Malware detected on a user's device |
Peer-to-Peer Applications Detected | Activity from a Tor-based IP address detected |
Risky Login Detected | Risky login detected |
Suspicious Inbox Forwarding Detected | Suspicious email forwarding detected |
Activity from a Suspicious IP Address Detected | Activity from a suspicious IP address detected |
Unusual Administrative Activity by a User Detected | Unusual administrative activity by a user detected |
Credential Theft Detected by Microsoft Cloud App Security | Multiple failed or suspicious login attempts detected |
Credentials Leak Detected by Microsoft | Leaked credentials detected |
Multiple Failed Login Attempts Detected | Multiple failed login attempts detected |
Password Spraying Attack Detected | Password spraying attack detected |
Form Blocked by Microsoft Cloud App Security Due to a Potential Phishing Attempt | User clicked a phishing link, and the webpage or web form was blocked by Microsoft |
Form Flagged and Confirmed as Phishing by Microsoft Cloud App Security | User clicked a phishing link, and the webpage or web form was blocked by Microsoft |
Phishing Attempt Delivered Due to an IP Allow Policy Detected by Microsoft Cloud App Security | Microsoft detected an IP allow policy that allowed a high-confidence phishing message to be delivered |
Ransomware Activity Detected by Microsoft | Ransomware activity detected |
Microsoft Entra ID Protection
For a list of detection rules available for Microsoft Entra ID Protection (formerly Microsoft Azure Active Directory Identity Protection), see the table below:
Detection Rule Name | Description |
Login from an Unexpected Location Detected | Logins from a distant location detected |
Login from a Malicious IP Address Detected | Sign-in from a malicious IP address detected |
Unexpected User Behavior Detected | The post-authentication behavior of users was assessed for anomalies |
Risky Activity Detected Using Microsoft's Threat Intelligence Tools | Risky activity detected using Microsoft's threat intelligence tools |
User Credentials Leaked | The user's credentials were leaked |
Microsoft Defender for Endpoint
For a list of detection rules available for Microsoft Defender for Endpoint, see the table below:
Detection Rule Name | Description |
Collection of Information by APT Detected | Automated collection of sensitive information by an advanced persistent threat (APT) detected on a user's device |
Command and Control Activity Detected | Microsoft ATP detected command-and-control activity on a user's device |
Credential Access | An advanced persistent threat (APT) attack accessed login credentials |
Malware or ATP Execution Detected | Execution of an advanced persistent threat (APT) or malware on a user's device |
Exploit Code Detected | Exploit code detected on a user's device |
Initial Access | Hacker gaining initial access through phishing, social engineering, malware, or exploitation detected |
Data Exfiltration Detected | Data exfiltration detected by Microsoft Defender ATP |
Suspicious Activity Detected | Suspicious activity detected on a user's device |
Malware Detected by Microsoft Defender ATP | Malware detected on a user's device |
Ransomware Detected by Microsoft Defender ATP | Ransomware detected on a user's device |
Mimecast
For a list of detection rules available for Mimecast, see the table below:
Detection Rule Name | Description |
---|---|
Email Malware Detected by Mimecast | Malware detected in an email |
Virus Detected by Mimecast | Virus detected in an email |
Spam Email Detected by Mimecast | Spam email detected |
Netskope
For a list of detection rules available for Netskope, see the table below:
Detection Rule Name | Description |
Transfer of Password-Protected Files Detected | Password-protected file uploaded to an external cloud drive or website detected |
Suspicious Data Upload Detected | Data or files uploaded to an IP address within a country prohibited by organization policy detected |
Unmanaged Device Detected | Unmanaged drive connected to the organization's network |
Dating Website Detected | User visited a prohibited website |
Sharing of Personal Financial Information Detected | Personal financial information shared |
Sharing of Personal Identity Information Detected | PII shared on a webpage or through email detected |
Microsoft Word Document Download Detected | Word document downloaded from webmail detected on a user's device |
Microsoft Excel Document Download Detected | Excel file downloaded from webmail detected on a user's device |
Gambling Website Detected by Netskope | User visited a prohibited website |
Substance Abuse Website Detected | User visited a prohibited website |
Shareware or Freeware Detected | User visited a prohibited website |
Prohibited Website Detected | User visited a prohibited website |
Inappropriate Web Surfing Detected | User visited a prohibited website |
Cryptocurrency Mining Detected | User visited a prohibited website |
Cloud Backup or Cloud Storage | User visited a prohibited website |
Peer-to-Peer Applications or Websites Detected | User visited a prohibited website |
Pirated Website Detected | User visited a prohibited website |
Adult Website Detected by Netskope Web Security | User visited a prohibited website |
Risky Website Detected by Netskope Web Security | User visited a prohibited or risky website blocked by Netskope |
Third-Party Virtual Private Network (VPN) Detected | Use of a third-party VPN detected |
Password Breach Detected | Compromised account detected. This includes accounts with passwords that have been leaked, stolen, or exfiltrated based on a confirmed breach event in the last 120 days. |
Okta
For a list of detection rules available for Okta, see the table below:
Detection Rule Name | Description |
Threat Detected | Request from an IP address identified as malicious |
Suspicious Account Activity Detected | Suspicious activity detected on a user's device |
Request Rate Limit Reached | Login attempt limit reached |
Invalid Credentials | Multiple failed login attempts detected |
Palo Alto Next-Generation Firewall (NGFW)
For a list of detection rules available for Palo Alto Next-Generation Firewall (NGFW), see the table below:
Detection Rule Name | Description |
Adult Website Detected by Palo Alto NGFW | User visited a website associated with adult content |
Dating Website Detected by Palo Alto NGFW | User visited a website associated with dating |
Drugs Website Detected by Palo Alto NGFW | User visited a website associated with drug abuse |
Gambling Website Detected by Palo Alto NGFW | User visited a website associated with gambling |
Gaming Website Detected by Palo Alto NGFW | User visited a website associated with gaming |
Hacking Website Detected by Palo Alto NGFW | User visited a website associated with hacking |
Malware Detected by Palo Alto NGFW | Malware detected on a user’s device |
Phishing Website Detected by Palo Alto NGFW | User visited a website associated with phishing |
Ransomware Detected by Palo Alto NGFW | Ransomware detected on a user’s device |
Spyware Detected by Palo Alto NGFW | Spyware detected on a user's device |
Virus Detected by Palo Alto NGFW | Virus detected on a user’s device |
Vulnerability Detected by Palo Alto NGFW | Vulnerability detected on a user’s device |
Proofpoint
For a list of detection rules available for Proofpoint, see the table below:
Detection Rule Name | Description |
Imposter Threat Detected | Detection of a user impersonation email threat, such as a lookalike email address or user |
Malware Detected in Email Attachment | Malware detected in an email sent to a user |
Spam Detected by Proofpoint | Spam email detected in a user's inbox |
Malicious URL In Email Detected by Proofpoint | Unsafe URL detected in an email sent to a user |
Unsafe Attachments in Email Detected by Proofpoint | Malicious attachment detected in a user's inbox |
Unsafe URL in Email Detected by Proofpoint | Unsafe URL detected in a user's inbox |
Suspicious URL Click Blocked in Email by Proofpoint | Suspicious URL click detected in a user’s email |
Spam Containing Unsafe Attachment Detected by Proofpoint | Phishing email delivered to a user's inbox |
SentinelOne
For a list of detection rules available for SentinelOne, see the table below:
Detection Rule Name | Description |
Cryptomining Detected by SentinelOne | Cryptomining malware detected on a user's device |
Malware Detected by SentinelOne | Malware detected on a user's device |
Malicious Microsoft Office or PDF Document Detected by SentinelOne | Malicious Office or PDF document detected on a user's device |
Ransomware Detected by SentinelOne | Ransomware detected on a user's device |
SonicWall Capture Client
For a list of detection rules available for SonicWall Capture Client, see the table below:
Detection Rule Name | Description |
Entertainment Website Detected by SonicWall | User visited an online entertainment website |
External Software Download Detected by SonicWall | User downloaded software from an external website |
Pay-to-Surf Website Detected by SonicWall | User visited or interacted with a pay-to-surf website |
Gaming Website Detected by SonicWall | User visited an online gaming website |
Alternate Communication Channels Detected by SonicWall | User used alternate communication channels, such as chats or instant messaging |
Website Prohibited by Organization Policy Detected by SonicWall | User visited websites prohibited by organization policy |
Hacking Website Detected by SonicWall | User tried to bypass a proxy or attempted hacking activity |
Gambling Website Detected by SonicWall | User visited an online gambling website |
Prohibited Websites Detected by SonicWall | User visited a prohibited website |
Drug and Addiction Websites Detected by SonicWall | User visited a website related to drugs and addiction |
Adult Websites Detected by SonicWall | User visited an adult website |
Cryptomining Detected by SonicWall | Cryptomining malware detected on a user's device |
Malware Detected by SonicWall | Malware detected on a user's device |
Malicious Microsoft Office or PDF Document Found by SonicWall | Malicious Office or PDF document detected on a user's device |
Ransomware Detected by SonicWall | Ransomware detected on a user's device |
Sophos
For a list of detection rules available for Sophos, see the table below:
Detection Rule Name | Description |
Unauthorized or Malicious Application Detected | Unauthorized or malicious application detected |
Compromised Endpoint Detected | Command-and-control activity that could be part of an APT attack detected on a user's device |
Exploitation of a Known Vulnerability Detected by Sophos | Code or a malicious file exploiting a known vulnerability detected on a user's device |
Malware Detected by Sophos | Malware detected on a user's device |
Non-compliant Device Detected | Non-compliant device connected to the organization's network |
Risky Website Detected by Sophos | User visited a prohibited or risky website blocked by security software |
Credential Theft Detected by Sophos | User credential theft detected |
Potentially Unwanted Program (PUP) Detected by Sophos | PUP detected on a user's device |
Ransomware Detected by Sophos | Ransomware detected on a user's device |
Removable Media Detected by Sophos | Removable media usage detected on a user's device |
Zscaler
For a list of detection rules available for Zscaler, see the table below:
Detection Rule Name | Description |
Adware or Spyware Detected | Adware or spyware detected on a user's device |
Organization Sensitive Data Shared | User shared or uploaded a file marked as classified by the organization |
Personal Financial Data Shared | User shared personal financial data online |
Personal Sensitive Data Shared | User shared personal sensitive data online |
Cryptomining Detected by Zscaler | Cryptomining malware detected on a user's device |
Alcohol or Tobacco-Related Websites Detected | User visited a website advertising, selling, or promoting the use of alcohol or tobacco |
Shareware Download Detected | Shareware download detected |
Television or Movies Detected | User visited a television or movie website |
Video Streaming Detected | User visited a streaming website |
Gaming Website Detected by Zscaler | User visited an online gaming website |
Copyright Infringement Detected | User visited a website that hosts copyright infringement materials |
Peer-to-Peer Site Detected | Peer-to-peer network connection and activity detected |
Adult Website Detected by Zscaler | User visited a website with adult content |
Risky or Malicious Website Detected | User visited a risky or malicious website |
Unsafe Attachments | Malicious attachment detected in a user's inbox |
Phishing Detected by Zscaler | Phishing email or webpage detected |