For every security vendor that can be integrated with SecurityCoach, we offer system detection rules based on each vendor’s default policies. See each security vendor’s section below for the full list of their system detection rules.
Bitdefender GravityZone
For a list of detection rules available for Bitdefender GravityZone, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult Website Detected by Bitdefender GravityZone | User visited an adult website |
| Data Loss Prevention (DLP) Policy Violation Detected by Bitdefender GravityZone | DLP policy violation detected |
| Dating Website Detected by Bitdefender GravityZone | User visited a dating website |
| Document Malware Detected by Bitdefender GravityZone | User downloaded a document that contains malware |
| Drug Website Detected by Bitdefender GravityZone | User visited a drug website |
| Entertainment Website Detected by Bitdefender GravityZone | User visited an entertainment website |
| File Sharing Website Detected by Bitdefender GravityZone | User visited a file-sharing website |
| Fraud Detected by Bitdefender GravityZone | User visited a website hosted for fraud |
| Gaming Website Detected by Bitdefender GravityZone | User visited a gaming website |
| Gambling Website Detected by Bitdefender GravityZone | User visited a gambling website |
| Illegal Website Detected by Bitdefender GravityZone | User visited an illegal website |
| Instant Messaging Website Detected by Bitdefender GravityZone | User visited an instant messaging website |
| Malicious IP Address Login Detected by Bitdefender GravityZone | Login from a malicious IP address detected |
| Malware Detected by Bitdefender GravityZone | Malware detected on a user’s device |
| Narcotics Website Detected by Bitdefender GravityZone | User visited a narcotics website |
| Phishing Detected by Bitdefender GravityZone | Phishing email detected |
| Potentially Unwanted Application (PUA) Detected by Bitdefender GravityZone | PUA detected on a user’s device |
| Ransomware Detected by Bitdefender GravityZone | Ransomware detected on a user’s device |
| Scam Website Detected by Bitdefender GravityZone | User visited a scam website |
| Sensitive Data Sharing Detected by Bitdefender GravityZone | Sensitive organizational information sharing detected |
| Shopping Website Detected by Bitdefender GravityZone | User visited a shopping website |
| Social Network Website Detected by Bitdefender GravityZone | User visited a social network website |
| Time-Wasting Website Detected by Bitdefender GravityZone | User visited a time-wasting website |
| Threat Detected by Bitdefender GravityZone | Threat detected by Bitdefender Advanced Threat Control |
| Video Streaming Detected by Bitdefender GravityZone | User visited a video streaming website |
Carbon Black
For a list of detection rules available for Carbon Black, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adware Detected by Carbon Black | Adware detected on a user’s device |
| Email Malware Detected by Carbon Black | Malware from an email detected on a user’s device |
| Internet Malware Detected by Carbon Black | Malware from the internet detected on a user’s device |
| Malware Detected by Carbon Black | Malware detected on a user’s device |
| Malware Detected on an Unknown Device by Carbon Black | Malware detected on an unknown device |
| Potentially Unwanted Program (PUP) Detected by Carbon Black | Potentially Unwanted Program (PUP) detected on a user’s device |
| Removable Media Detected by Carbon Black | Removable media usage detected on a user’s device |
Cisco Secure Email
For a list of detection rules available for Cisco Secure Email, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adware Detected by Cisco | Adware detected on a user's device |
| Android Mobile Device Malware Detected | Malware detected on an Android mobile device |
| Confidential Documents Sent Externally by Email | Confidential documents sent externally by email |
| Document Malware Detected | Malware detected in a document |
| Email Malware Detected by Cisco | Malware attachment detected in an email |
| Emails to Competitors Detected | User sent an email to a competitor |
| Emails with Malicious URLs Detected | Email with a malicious URL detected |
| Encrypted or Password-Protected Files Sent by Email | Encrypted or password-protected files sent by email |
| Graymail Detected | Graymail detected and blocked |
| Leaked Design Documents Detected | Design documents sent by email |
| Leaked Financial Documents Detected | Corporate financial documents sent externally by email |
| Mobile Device Malware Detected | Malware detected on a mobile device |
| PDF Document Malware Detected | Malware detected in a PDF document |
| Personal Identifiable Information (PII) Sent Externally by Email | Personal identifiable information (PII) sent externally by email |
| Potentially Unwanted Application (PUA) Detected | PUA detected |
| Potentially Unwanted Program (PUP) Detected by Cisco | PUP detected |
| Spam Detected by Cisco | Spam email detected |
| Virus Detected | Virus detected in an email |
| Word Document Malware Detected | Malware detected in a Word document |
Cisco Umbrella
For a list of detection rules available for Cisco Umbrella, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult and Pornography Domain Detected | User visited a prohibited website |
| Adware Detected by Cisco Umbrella | Adware detected on a user's device |
| Child Abuse Domain Detected | Illegal child abuse content detected |
| Command-and-Control Domain Detected | User's device connected to a domain that hackers use to control botnets |
| Cryptomining Domain Detected | User accessed a domain or IP address involved in cryptomining activities |
| Dating Domain Detected | Domain related to dating services detected |
| Document Malware Detected by Cisco Umbrella | User downloaded a document that contains malware |
| Entertainment Domain Detected | Domain related to entertainment detected |
| Gaming Domain Detected | Domain related to gaming detected |
| Gambling Domain Detected | Domain related to gambling detected |
| Illegal Download Detected | Website that provides the ability to download software or other materials, serial numbers, key generators, or tools for bypassing software protection in violation of copyright agreements detected |
| Malware Domain Detected | User downloaded a file from the internet that contains malware |
| Mobile Malware Detected by Cisco Umbrella | Malware detected on an Android mobile device |
| PDF Document Malware Detected by Cisco Umbrella | User downloaded a PDF document that contains malware |
| Peer-to-Peer File Transfer Detected | Peer-to-peer file request website detected |
| Phishing Domain Detected | User clicked a phishing link |
| Potentially Harmful Domain Detected | User visited a potentially harmful website |
| Potentially Unwanted Application (PUA) Detected by Cisco Umbrella | PUA detected |
| Potentially Unwanted Program (PUP) Detected by Cisco Umbrella | PUP detected |
| Request to an Android Malware Domain Detected | User downloaded a file from the internet that contains Android malware |
| Request to a Trojan Domain Detected | User downloaded a file from the internet that contains a trojan |
| Request to a Ransomware Domain Detected | User downloaded a file from the internet that contains ransomware |
| Word Document Malware Detected by Cisco Umbrella | User downloaded a Word document that contains malware |
Cloudflare Area 1 Email Security
For a list of detection rules available for Cloudflare Area 1 Email Security, see the table below:
| Detection Rule Name | Description |
|---|---|
| Email with a Malicious URL Detected by Cloudflare Area 1 Email Security | Email with a malicious URL detected |
| Malware Detected by Cloudflare Area 1 Email Security | Malware detected in an email |
| Suspicious Email Detected by Cloudflare Area 1 Email Security | Suspicious email detected |
| Spoofed Email Detected by Cloudflare Area 1 Email Security | Spoofed email detected |
Cloudflare Zero Trust
For a list of detection rules available for Cloudflare Zero Trust, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult Website Detected by Cloudflare Zero Trust | User visited an adult website |
| Botnet Website Detected by Cloudflare Zero Trust | User visited a website known to be part of a botnet or of command-and-control activity |
| Child Abuse Website Detected by Cloudflare Zero Trust | User visited a website with illegal child abuse content |
| Cryptomining Website Detected by Cloudflare Zero Trust | User visited a website involved in cryptomining activities |
| Dating Website Detected by Cloudflare Zero Trust | User visited a dating website |
| Deceptive Website Detected by Cloudflare Zero Trust | User visited a website that spoofs clicks, impressions, or conversions for ads |
| Drug Website Detected by Cloudflare Zero Trust | User visited a drug website |
| Gaming Website Detected by Cloudflare Zero Trust | User visited a gaming website |
| Gambling Website Detected by Cloudflare Zero Trust | User visited a gambling website |
| Malicious Website Detected by Cloudflare Zero Trust | User visited a website hosting malicious content |
| Malware Download Detected by Cloudflare Zero Trust | Malware download attempt detected on a user’s device |
| Phishing Website Detected by Cloudflare Zero Trust | |
| Risky Website Detected by Cloudflare Zero Trust | User visited a website that may contain security risks |
Code42
For a list of detection rules available for Code42, see the table below:
| Detection Rule Name | Description |
|---|---|
| Cloud Sharing Permissions Changed | Cloud sharing permissions for a protected or classified file were changed |
| Cloud Sync Folder Exfiltration Detected | Files synced to a cloud storage application |
| Earnings Report Exfiltration Detected | Earnings report shared externally |
| File Extension Mismatch Exfiltration Detected | File extension does not match the file contents, and the files were shared |
| Microsoft Outlook Exfiltration Detected | Confidential or classified information shared using Outlook |
| Password Exfiltration Detected | Detection of the exfiltration of a password from a user's device |
| Potential Flight Risk | Detection of activity on a user's device that indicates the user may be preparing to leave the organization |
| Removable Media Exfiltration Detected | Removable media usage detected |
| Sales Report Exfiltration Detected | Internal sales report was exfiltrated from a user's device |
| Source Code Email Exfiltration Detected | Source code of common programming languages was exfiltrated by email |
| Source Code File Exfiltration by Extension Detected | Source code files of common programming languages were exfiltrated |
| ZIP File Exfiltration Detected | ZIP file exfiltration detected |
CrowdStrike
For a list of detection rules available for CrowdStrike, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adware Detected by CrowdStrike | Adware detected on a user's device |
| Adware or Potentially Unwanted Program (PUP) Detected | Adware or PUP detected on the user's device |
| Credential Theft Detected by CrowdStrike | Credential dumping from browser memory or from Windows operating system (OS) detected |
| Data Backup and Encryption Suggested | Encryption activity by a ransomware program detected |
| Defense Evasion Detected by CrowdStrike | Attempted evasion of CrowdStrike defenses detected |
| Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device |
| Exploitation of a Known Vulnerability Detected by CrowdStrike | Code or a malicious file exploiting a known vulnerability detected on a user's device |
| Exploitation of a Public-Facing Application Detected | File containing exploit code for a public-facing application detected |
| Full Disk Encryption Needed | Automated information collected through an advanced persistent threat (APT) attack detected |
| Malicious Document Detected | Malware detected in a document |
| Malware Detected by CrowdStrike | Malware detected on a user's device |
| Malware Detected on Endpoint by CrowdStrike | Malware detected with endpoint machine learning detection |
| Malware Indicators of Attack (IOA) Detection | Malware file matching the IOA detected on a user's device |
| Malware Indicators of Compromise (IOC) Detection | Malware file matching the IOC detected on a user's device |
| Operating System (OS) Credential Dumping | Detection of credential dumping from an operating system (OS) memory or cache |
| Password Theft Detected | Password stealing detected for a user's account |
| Phishing Detected by CrowdStrike | Phishing email detected |
| Potentially Unwanted Program (PUP) Detected by CrowdStrike | PUP detected on a user's device |
| Ransomware Detected by CrowdStrike | Ransomware detected on a user's device |
| Remote Access Software Detected | Remote access software invoked suspiciously on a user's device |
| Social Engineering Detected | Social engineering attack detected on a user's device |
| Spear-Phishing Attachment | Spear phishing email with an attachment detected |
| Unsecured Credentials Detected | Detection of the storage of credentials in the registry of Windows operating system (OS) |
Cylance
For a list of detection rules available for Cylance, see the table below:
| Detection Rule Name | Description |
|---|---|
| High-Severity Malicious Activity Detected | High-severity malicious activity detected on a user's device |
| Memory Exploit Detected | Code or a malicious file exploiting a known vulnerability detected on a user's device |
| Malware Detected by Cylance | Malware detected on a user's device |
| Malicious Script Detected | Malicious script execution blocked |
| Possible Potentially Unwanted Program (PUP) Detected | PUP detected on a user's device |
| Potentially Unwanted Program (PUP) Detected by Cylance | PUP detected on a user's device |
| Removable Media Detected by Cylance | Use of removable media blocked |
FortiGate Cloud
For a list of detection rules available for FortiGate Cloud, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult Website Detected by FortiGate Cloud | User visited an adult website |
| Adware Detected by FortiGate Cloud | Adware detected on a user's device |
| Clicked Phishing Link Detected by FortiGate Cloud | User clicked a phishing link |
| Dating Website Detected by FortiGate Cloud | User visited a dating website |
| Document Malware Detected by FortiGate Cloud | User downloaded a document that contains malware |
| Drug Website Detected by FortiGate Cloud | User visited a drug website |
| Gambling Website Detected by FortiGate Cloud | User visited an online gambling website |
| Malicious PDF File Download Detected by FortiGate Cloud | User downloaded a PDF file that contains malware |
| Malicious Websites Detected by FortiGate Cloud | User visited a malicious website |
| Malware Download Detected by FortiGate Cloud | Malware download attempt detected on a user’s device |
| Peer-to-Peer File Sharing Website Detected by FortiGate Cloud | User visited a peer-to-peer file-sharing website |
| Potentially Harmful Website Detected by FortiGate Cloud | User visited a potentially harmful website |
| Spam Website Detected by FortiGate Cloud | User visited a spam website |
Gmail
For a list of detection rules available for Gmail, see the table below:
| Detection Rule Name | Description |
|---|---|
| External Email Forwarding Detected | User set up an email rule to forward emails outside of the organization’s domain |
| Spamming Detected | Spamming detected from a user's Google account |
| Spamming Simple Mail Transfer Protocol (SMTP) | User set up an email rule to forward emails outside of the organization’s domain |
Google Drive
For a list of detection rules available for Google Drive, see the table below:
| Detection Rule Name | Description |
|---|---|
| External File Sharing Detected by Google Drive | User enabled file access for an external account |
Google IAM
For a list of detection rules available for Google IAM, see the table below:
| Detection Rule Name | Description |
|---|---|
| 2-Step Verification Disabled | User disabled two-step verification |
| Account Hijacked | Account hijack detected |
| Government-Backed Attack | Malware or advanced persistent threat detected on a user's device |
| Leaked Password | Leaked password detected |
| Login Failure | Multiple failed login attempts detected |
| Suspicious Login | Suspicious login activity detected |
KnowBe4 Security Awareness Training (KSAT)
For a list of detection rules available for KnowBe4 Security Awareness Training (KSAT), see the table below:
| Detection Rule Name | Description |
|---|---|
| Enabled Macros Detected by KnowBe4 | User enabled macros for attachments from a phishing email |
| Clicked Phishing Link Detected by KnowBe4 | User clicked on a phishing link |
| Data Entered Detected by KnowBe4 | User entered data on a website accessed via a phishing email |
| Opened Attachment Detected by KnowBe4 | User opened an attachment from a phishing email |
| Phishing Email Reply Detected by KnowBe4 | User replied to a phishing email |
| QR Code Scan Detected by KnowBe4 | User scanned a QR code |
| Successful Report Detected by KnowBe4 | User successfully reported a KnowBe4 simulated phishing test |
KSAT callback phishing and PasswordIQ detection rules are also available for SAT Advanced and Diamond-level subscriptions:
| Detection Rule Name | Description |
|---|---|
| Breached Password Detected by KnowBe4 PasswordIQ | User’s password was exposed in a data breach |
| Callback Phishing Detected by KnowBe4 | User contacted a callback phishing phone number |
| Callback Phishing Code Entry Detected by KnowBe4 | User contacted a callback phishing phone number and entered the callback code |
| Shared Password Detected by KnowBe4 PasswordIQ | User’s password matches another user’s password |
| Weak Password Detected by KnowBe4 PasswordIQ | User’s password matches a password from KnowBe4’s weak passwords dictionary |
Malwarebytes
For a list of detection rules available for Malwarebytes, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adware Detected by Malwarebytes | Adware detected on a user's device |
| Machine Learning-Based Malware Detection | Malware detected on a user's device |
| Malware Detected by Malwarebytes | Malware detected on a user's device |
| Potentially Unwanted Program (PUP) Detected by Malwarebytes | PUP detected on a user's device |
| Ransomware Detected by Malwarebytes | Ransomware detected on a user's device |
| Risky Website Detected by Malwarebytes | User visited a malicious website |
| Spyware Detected | Spyware detected on a user's device |
| Trojan Detected | Trojan detected on a user's device |
Microsoft 365
For a list of detection rules available for Microsoft 365, see the table below:
| Detection Rule Name | Description |
|---|---|
| Creation of Email Forwarding or Redirect Rule | User created an email forwarding rule to forward emails outside of your organization's domain |
| Elevation of Microsoft Exchange Admin Privileges in Microsoft Office 365 | User access privileges for Microsoft Exchange were elevated |
| Email Message Containing a Malicious File Removed from Inbox after Delivery | Email message containing a malicious file was removed after delivery |
| Email Message Containing a Malicious URL Removed after Delivery | An email containing a malicious URL was removed from an inbox |
| Email Message Containing Malicious Item Not Removed After Delivery | Email message containing a malicious item was not removed after delivery |
| Email Message from a Campaign Removed from Inbox after Delivery | An email message from an email campaign was removed from the user's inbox after delivery |
| Escalation of Exchange Admin Privilege Detected | Escalation of Exchange admin privilege detected |
| External File Sharing Detected by Microsoft Office 365 | File shared externally |
| Financial Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Financial data leaked or shared through Microsoft Office 365 |
| Form Blocked by Microsoft Office 365 Due to a Potential Phishing Attempt | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft |
| Form Flagged and Confirmed as Phishing by Microsoft Office 365 | User clicked a phishing link, and the phishing webpage or web form was blocked by Microsoft |
| GDPR Data Leak Detected by Microsoft Data Loss Prevention (DLP) | General Data Protection Regulation (GDPR) data leaked or shared through Microsoft Office 365 |
| HIPAA Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Health Insurance Portability and Accountability Act (HIPAA) data leaked or shared through Microsoft Office 365 |
| Malicious URL Clicks Detected | User clicked a malicious URL in an email |
| PCI DSS Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Payment Card Industry Data Security Standard (PCI DSS) data leaked or shared through Microsoft Office 365 |
| Phish Not Zapped Because ZAP Is Disabled | Phish not zapped because zero-hour auto purge (ZAP) is disabled |
| Phishing Link Detected | Email messages containing phishing URLs removed after delivery |
| Phishing Message Delivered Due to an ETR Override | Microsoft detected an Exchange Transport Rule (ETR) that allowed the delivery of a high-confidence phishing email to an inbox |
| Phishing Message Delivered Due to an IP Allow Policy Detected by Microsoft Office 365 | Microsoft detected an IP allow policy that allowed a high-confidence phishing email to be delivered |
| PII Data Leak Detected by Microsoft Data Loss Prevention (DLP) | Personally identifiable information (PII) leaked or shared through Microsoft Office 365 |
| Suspicious Email Forwarding Activity | Suspicious email forwarding activity detected |
| Suspicious Email Sending Patterns Detected | Suspicious email sending pattern detected |
| Unusual Amount of File Deletions Detected by Microsoft Office 365 | Unusual volume of files deleted |
| Unusual External User File Activity Detected by Microsoft Office 365 | Potential data leakage or data breach detected |
| User Clicking a Potentially Malicious URL Detected | User clicked through to a potentially malicious URL |
Microsoft Defender for Cloud Apps
For a list of detection rules available for Microsoft Defender for Cloud Apps (formerly Microsoft Cloud Access Security), see the table below:
| Detection Rule Name | Description |
|---|---|
| Activity from a Suspicious IP Address Detected | Activity from a suspicious IP address detected |
| Credentials Leak Detected by Microsoft | Leaked credentials detected |
| Credential Theft Detected by Microsoft Cloud App Security | Multiple failed or suspicious login attempts detected |
| Elevation of Microsoft Exchange Admin Privileges in Microsoft Cloud App Security | User access privileges for Microsoft Exchange were elevated |
| External File Sharing Detected by Microsoft Cloud App Security | File shared externally |
| Form Blocked by Microsoft Cloud App Security Due to a Potential Phishing Attempt | User clicked a phishing link, and the webpage or web form was blocked by Microsoft |
| Form Flagged and Confirmed as Phishing by Microsoft Cloud App Security | User clicked a phishing link, and the webpage or web form was blocked by Microsoft |
| Mass Access to Sensitive File Detected | Mass access to sensitive files detected |
| Multiple Failed Login Attempts Detected | Multiple failed login attempts detected |
| Password Spraying Attack Detected | Password spraying attack detected |
| Peer-to-Peer Applications Detected | Activity from a TOR-based IP address detected |
| Phishing Attempt Delivered Due to an IP Allow Policy Detected by Microsoft Cloud App Security | Microsoft detected an IP allow policy that allowed a high-confidence phishing message to be delivered |
| Ransomware Activity Detected by Microsoft | Ransomware activity detected |
| Risky Login Detected | Risky login detected |
| Suspicious Inbox Forwarding Detected | Suspicious email forwarding detected |
| Unusual Administrative Activity by a User Detected | Unusual administrative activity by a user detected |
| Unusual Amount of File Deletions Detected by Microsoft Cloud App Security | Unusual volume of files deleted |
| Unusual External User File Activity Detected by Microsoft Cloud App Security | Potential data leakage or data breach activity |
| Unusual File Deletion by a User Detected | Unusual file deletion by a user |
| Unusual File Download by a User Detected | User downloaded an unusual file |
| Unusual File Sharing by a User Detected | Unusual file share activity by a user |
Microsoft Defender for Endpoint
For a list of detection rules available for Microsoft Defender for Endpoint, see the table below:
| Detection Rule Name | Description |
|---|---|
| Collection of Information by APT Detected | Automated collection of sensitive information by an advanced persistent threat (APT) detected on a user's device |
| Command and Control Activity Detected | Microsoft ATP detected command-and-control activity on a user's device |
| Credential Access | An advanced persistent threat (APT) attack accessed login credentials |
| Data Exfiltration Detected | Data exfiltration detected by Microsoft Defender ATP |
| Exploit Code Detected | Exploit code detected on a user's device |
| Initial Access | Hacker gaining initial access through phishing, social engineering, malware, or exploitation detected |
| Malware Detected by Microsoft Defender ATP | Malware detected on a user's device |
| Malware or ATP Execution Detected | Execution of an advanced persistent threat (APT) or malware on a user's device |
| Ransomware Detected by Microsoft Defender ATP | Ransomware detected on a user's device |
| Suspicious Activity Detected | Suspicious activity detected on a user's device |
Microsoft Edge for Business
For a list of detection rules available for Microsoft Edge for Business, see the table below:
| Detection Rule Name | Description |
|---|---|
| Malicious Website Detected by Microsoft Edge | User visited a malicious website |
| Malware Download Detected by Microsoft Edge | Malware download attempt detected on a user’s device |
| Password Reuse Detected by Microsoft Edge | Enterprise password hash reuse detected on a user’s device |
| Phishing Website Detected by Microsoft Edge | User visited a website known for phishing |
Microsoft Entra ID Protection
For a list of detection rules available for Microsoft Entra ID Protection (formerly Microsoft Azure Active Directory Identity Protection), see the table below:
| Detection Rule Name | Description |
|---|---|
| Login from an Unexpected Location Detected | Logins from a distant location detected |
| Login from a Malicious IP Address Detected | Sign-in from a malicious IP address detected |
| Risky Activity Detected Using Microsoft's Threat Intelligence Tools | Risky activity detected using Microsoft's threat intelligence tools |
| Unexpected User Behavior Detected | The post-authentication behavior of users was assessed for anomalies |
| User Credentials Leaked | The user's credentials were leaked |
Mimecast
For a list of detection rules available for Mimecast, see the table below:
| Detection Rule Name | Description |
|---|---|
| Email Malware Detected by Mimecast | Malware detected in an email |
| Spam Email Detected by Mimecast | Spam email detected |
| Virus Detected by Mimecast | Virus detected in an email |
Netskope
For a list of detection rules available for Netskope, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult Website Detected by Netskope Web Security | User visited a prohibited website |
| Cloud Backup or Cloud Storage | User visited a prohibited website |
| Cryptocurrency Mining Detected | User visited a prohibited website |
| Dating Website Detected | User visited a prohibited website |
| Gambling Website Detected by Netskope | User visited a prohibited website |
| Inappropriate Web Surfing Detected | User visited a prohibited website |
| Microsoft Excel Document Download Detected | Excel file downloaded from webmail detected on a user's device |
| Microsoft Word Document Download Detected | Word document downloaded from webmail detected on a user's device |
| Password Breach Detected | Compromised account detected. This includes accounts with passwords that have been leaked, stolen, or exfiltrated based on a confirmed breach event in the last 120 days. |
| Peer-to-Peer Applications or Websites Detected | User visited a prohibited website |
| Prohibited Website Detected | User visited a prohibited website |
| Risky Website Detected by Netskope Web Security | User visited a prohibited or risky website blocked by Netskope |
| Shareware or Freeware Detected | User visited a prohibited website |
| Sharing of Personal Financial Information Detected | Personal financial information shared |
| Sharing of Personal Identity Information Detected | PII shared on a webpage or through email detected |
| Substance Abuse Website Detected | User visited a prohibited website |
| Suspicious Data Upload Detected | Data or files uploaded to an IP address within a country prohibited by organization policy detected |
| Third-Party Virtual Private Network (VPN) Detected | Use of a third-party VPN detected |
| Transfer of Password-Protected Files Detected | Password-protected file uploaded to an external cloud drive or website detected |
| Unmanaged Device Detected | Unmanaged drive connected to the organization's network |
Okta
For a list of detection rules available for Okta, see the table below:
| Detection Rule Name | Description |
|---|---|
| Invalid Credentials | Multiple failed login attempts detected |
| Request Rate Limit Reached | Login attempt limit reached |
| Suspicious Account Activity Detected | Suspicious activity detected on a user's device |
| Threat Detected | Request from an IP address identified as malicious |
Palo Alto Next-Generation Firewall (NGFW)
For a list of detection rules available for Palo Alto Next-Generation Firewall (NGFW), see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult Website Detected by Palo Alto NGFW | User visited a website associated with adult content |
| Dating Website Detected by Palo Alto NGFW | User visited a website associated with dating |
| Drugs Website Detected by Palo Alto NGFW | User visited a website associated with drug abuse |
| Gambling Website Detected by Palo Alto NGFW | User visited a website associated with gambling |
| Gaming Website Detected by Palo Alto NGFW | User visited a website associated with gaming |
| Hacking Website Detected by Palo Alto NGFW | User visited a website associated with hacking |
| Malware Detected by Palo Alto NGFW | Malware detected on a user’s device |
| Phishing Website Detected by Palo Alto NGFW | User visited a website associated with phishing |
| Ransomware Detected by Palo Alto NGFW | Ransomware detected on a user’s device |
| Spyware Detected by Palo Alto NGFW | Spyware detected on a user's device |
| Virus Detected by Palo Alto NGFW | Virus detected on a user’s device |
| Vulnerability Detected by Palo Alto NGFW | Vulnerability detected on a user’s device |
Proofpoint
For a list of detection rules available for Proofpoint, see the table below:
| Detection Rule Name | Description |
|---|---|
| Imposter Threat Detected | Detection of a user impersonation email threat, such as a lookalike email address or user |
| Malicious URL In Email Detected by Proofpoint | Unsafe URL detected in an email sent to a user |
| Malware Detected in Email Attachment | Malware detected in an email sent to a user |
| Spam Containing Unsafe Attachment Detected by Proofpoint | Phishing email delivered to a user's inbox |
| Spam Detected by Proofpoint | Spam email detected in a user's inbox |
| Suspicious URL Click Blocked in Email by Proofpoint | Suspicious URL click detected in a user’s email |
| Unsafe Attachments in Email Detected by Proofpoint | Malicious attachment detected in a user's inbox |
| Unsafe URL in Email Detected by Proofpoint | Unsafe URL detected in a user's inbox |
SentinelOne
For a list of detection rules available for SentinelOne, see the table below:
| Detection Rule Name | Description |
|---|---|
| Cryptomining Detected by SentinelOne | Cryptomining malware detected on a user's device |
| Malware Detected by SentinelOne | Malware detected on a user's device |
| Malicious Microsoft Office or PDF Document Detected by SentinelOne | Malicious Office or PDF document detected on a user's device |
| Ransomware Detected by SentinelOne | Ransomware detected on a user's device |
SonicWall Capture Client
For a list of detection rules available for SonicWall Capture Client, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult Websites Detected by SonicWall | User visited an adult website |
| Alternate Communication Channels Detected by Sonicwall | User used alternate communication channels, such as chats or instant messaging |
| Cryptomining Detected by SonicWall | Cryptomining malware detected on a user's device |
| Drug and Addiction Websites Detected by Sonicwall | User visited a website related to drugs and addiction |
| Entertainment Website Detected by Sonicwall | User visited an online entertainment website |
| External Software Download Detected by Sonicwall | User downloaded software from an external website |
| Gambling Website Detected by SonicWall | User visited an online gambling website |
| Gaming Website Detected by SonicWall | User visited an online gaming website |
| Hacking Website Detected by Sonicwall | User attempted to bypass a proxy or visited a website associated with hacking |
| Malware Detected by SonicWall | Malware detected on a user's device |
| Malicious Microsoft Office or PDF Document Found by SonicWall | Malicious Office or PDF document detected on a user's device |
| Pay-to-Surf Website Detected by Sonicwall | User visited or interacted with a pay-to-surf website |
| Prohibited Websites Detected by Sonicwall | User visited a prohibited website |
| Ransomware Detected by SonicWall | Ransomware detected on a user's device |
Sophos
For a list of detection rules available for Sophos, see the table below:
| Detection Rule Name | Description |
|---|---|
| Compromised Endpoint Detected | Command-and-control activity that could be part of an APT attack detected on a user's device |
| Credential Theft Detected by Sophos | User credential theft detected |
| Exploitation of a Known Vulnerability Detected by Sophos | Code or a malicious file exploiting a known vulnerability detected on a user's device |
| Non-compliant Device Detected | Non-compliant device connected to the organization's network |
| Potentially Unwanted Program (PUP) Detected by Sophos | PUP detected on a user's device |
| Ransomware Detected by Sophos | Ransomware detected on a user's device |
| Removable Media Detected by Sophos | Removable media usage detected on a user's device |
| Risky Website Detected by Sophos | User visited a prohibited or risky website blocked by security software |
| Unauthorized or Malicious Application Detected | Unauthorized or malicious application detected |
TrendAI
For a list of detection rules available for TrendAI (formerly Trend Micro), see the table below:
| Detection Rule Name | Description |
|---|---|
| Malicious Web or Email Activity Detected by TrendAI | Malicious web activity or email activity detected |
| Malware Detected by TrendAI | Malware detected on a user’s device |
| Suspicious Device Activity Detected by TrendAI | Suspicious activity detected on a user’s device |
| Suspicious Email Activity Detected by TrendAI | Suspicious email activity detected |
Zscaler
For a list of detection rules available for Zscaler, see the table below:
| Detection Rule Name | Description |
|---|---|
| Adult Website Detected by Zscaler | User visited a website with adult content |
| Adware or Spyware Detected | Adware or spyware detected on a user's device |
| Alcohol or Tobacco-Related Websites Detected | User visited a website advertising, selling, or promoting the use of alcohol or tobacco |
| Copyright Infringement Detected | User visited a website that hosts copyright-infringing materials |
| Cryptomining Detected by Zscaler | Cryptomining malware detected on a user's device |
| Gaming Website Detected by Zscaler | User visited an online gaming website |
| Organization Sensitive Data Shared | User shared or uploaded a file marked as classified by the organization |
| Peer-to-Peer Site Detected | Peer-to-peer network connection and activity detected |
| Personal Financial Data Shared | User shared personal financial data online |
| Personal Sensitive Data Shared | User shared personal sensitive data online |
| Phishing Detected by Zscaler | Phishing email or webpage detected |
| Risky or Malicious Website Detected | User visited a risky or malicious website |
| Shareware Download Detected | Shareware download detected |
| Television or Movies Detected | User visited a television or movie website |
| Unsafe Attachments | Malicious attachment detected in a user's inbox |
| Video Streaming Detected | User visited a streaming website |