Account Manipulation T1098

Events covered

41 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 548 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (421 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (1996 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (215 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 100 rules

• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group
• A New Trust Was Created To A Domain
• A Security-Enabled Global Group Was Deleted
• Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction)
• Account password set to never expire.
• Account set with Kerberos DES encryption activated (weakness introduction)
• Account set with Kerberos pre-authentication not required (AS-REP Roasting)
• Account set with password not required (weakness introduction)
• Account set with reversible encryption (weakness introduction)
• Active Directory User Backdoors
• Added Credentials to Existing Application
• Anomalous User Activity
• API Key Created
• App Assigned To Azure RBAC/Microsoft Entra Role
• App Granted Privileged Delegated Or App Permissions
• Attempt To Create API Key
• AWS IAM Backdoor Users Keys
• AWS Route 53 Domain Transfer Lock Disabled
• AWS Route 53 Domain Transferred to Another Account
• AWS User Login Profile Was Modified
• Bitbucket Global Permission Changed
• Bulk Deletion Changes To Privileged Account Permissions
• Change to Authentication Method
• Cisco Local Accounts
• Computer account created with privileges
• Computer account manipulation for delegation (RBCD)
• Computer account renamed without a trailing $ (CVE-2021-42278/42287)
• Disabled guest or builtin account activated
• Disabled guest or builtin account activated (command)
• DMSA Link Attributes Modified
• DMSA Service Account Created in Specific OUs - PowerShell
• Domain group membership change
• DSRM password changed (native)
• DSRM password changed (Reg via command)
• DSRM password changed (Reg via PowerShell)
• Enabled User Right in AD to Control User Objects
• ESXi Admin Permission Assigned To Account Via ESXCLI
• GCP Access Policy Deleted
• Github Outside Collaborator Detected
• Google Workspace Application Access Level Modified
• Google Workspace Granted Domain API Access
• Google Workspace User Granted Admin Privileges
• Granting Of Permissions To An Account
• Hidden account creation (with fast deletion)
• High risk Active Directory group membership change
• High risk local/domain local group membership change
• Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol
• Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only
• Host set with constrained delegation
• Host set with unconstrained delegation
• Host unconstrained delegation settings changed for potential abuse (Rubeus)
• IAM Access Key Created
• IAM Access Key Creation Attempt
• IAM Admin Policy Attached
• IAM Login Profile Created
• IAM Policy Attachment Attempt
• Local group membership change
• macOS User Account Manipulation
• Massive group membership changes detected
• Medium risk Active Directory group membership change
• Medium risk local/domain local group membership change
• Member added to DNSadmin group
• New DMSA Service Account Created in Specific OUs
• New member added to a "OCS/Lync/Skype for Business" administration group (low risk)
• New member added to a "OCS/Lync/Skype for Business" administration group (medium risk)
• New member added to an "OCS/Lync/Skype for Business" administration group (high risk)
• New member added to an Exchange administration group (high risk)
• New member added to an Exchange administration group (medium risk)
• Number Of Resource Creation Or Deployment Activities
• Okta Admin Role Assigned to an User or Group
• Okta Identity Provider Created
• Password Change on Directory Service Restore Mode (DSRM) Account
• Password Set to Never Expire via WMI
• Powershell LocalAccount Manipulation
• Powerview Add-DomainObjectAcl DCSync AD Extend Right
• Privilege SeMachineAccountPrivilege abuse
• Privileged User Has Been Created
• Risk for account takeover - phone number registered to multiple users
• Risk for account takeover - same Guardian application device is registered for MFA to multiple users
• Risk of Tenant Takeover
• SPN added to an account by command line
• SQL Server - Member got new privileges added on a database
• SQL Server - Member got new privileges added on a SQL instance level
• SQL Server - new member added to a database role
• SQL Server - new member added to a server role
• Suspicious Computer Account Name Change CVE-2021-42287
• Suspicious modification of a computer account SPN
• Suspicious modification of a fake domain controller SPN (DCshadow)
• Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services)
• Suspicious modification of a user account SPN to enable Kerberoast attack
• User account creation disguised in a computer account
• User added to a group via commandline
• User Added to an Administrator's Azure AD Role
• User Added To Highly Privileged Group
• User Added to Local Administrator Group
• User Added to Local Administrators Group
• User password change using current hash password - ChangeNTLM (Mimikatz)
• User password change without previous password known - SetNTLM (Mimikatz)
• Windows LAPS Credential Dump From Entra ID

Elastic 150 rules

• Account Configured with Never-Expiring Password
• Account Password Reset Remotely
• Active Directory Group Modification by SYSTEM
• Administrator Privileges Assigned to an Okta Group
• AdminSDHolder Backdoor
• AdminSDHolder SDProp Exclusion Added
• Application Added to Google Workspace Domain
• Attempt to Create Okta API Token
• Attempt to Reset MFA Factors for an Okta User Account
• AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
• AWS Bedrock Resource-Based Policy Modified or Deleted
• AWS Bedrock Unauthorized Foundation Model Access Attempt
• AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt
• AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization
• AWS EC2 Instance Connect SSH Public Key Uploaded
• AWS EC2 Instance Interaction with IAM Service
• AWS EKS Access Entry Granted Cluster Admin Policy
• AWS EKS Access Entry Modified
• AWS First Occurrence of STS GetFederationToken Request by User
• AWS IAM AdministratorAccess Policy Attached to Group
• AWS IAM AdministratorAccess Policy Attached to Role
• AWS IAM AdministratorAccess Policy Attached to User
• AWS IAM API Calls via Temporary Session Tokens
• AWS IAM Assume Role Policy Update
• AWS IAM Customer Managed Policy Version Created or Default Version Set
• AWS IAM Customer-Managed Policy Attached to Role by Rare User
• AWS IAM Login Profile Added for Root
• AWS IAM Login Profile Added to User
• AWS IAM Roles Anywhere Profile Creation
• AWS IAM Roles Anywhere Trust Anchor Created with External CA
• AWS IAM SAML Provider Created
• AWS IAM Sensitive Operations via Lambda Execution Role
• AWS IAM User Addition to Group
• AWS IAM User Created Access Keys For Another User
• AWS IAM Virtual MFA Device Registration Attempt with Session Token
• AWS RDS DB Instance or Cluster Password Modified
• AWS Route 53 Domain Transfer Lock Disabled
• AWS Route 53 Domain Transferred to Another Account
• AWS Route 53 Private Hosted Zone Associated With a VPC
• AWS S3 Bucket Policy Added to Share with External Account
• AWS Sensitive IAM Operations Performed via CloudShell
• AWS STS AssumeRoot by Rare User and Member Account
• Azure Event Hub Authorization Rule Created or Updated
• Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
• Azure RBAC Built-In Administrator Roles Assigned
• Azure Storage Account Key Regenerated
• Azure VM Extension Deployment by User
• Delegated Managed Service Account Modification by an Unusual User
• Deprecated - M365 Teams Guest Access Enabled
• dMSA Account Creation by an Unusual User
• EKS Authentication Configuration Modified
• Entra ID ADRS Token Request by Microsoft Authentication Broker
• Entra ID Application Credential Modified
• Entra ID Device Registration with ROADtools Default OS Build
• Entra ID Device with ROADtools Default OS Build (Entity Analytics)
• Entra ID Domain Federation Configuration Change
• Entra ID Elevated Access to User Access Administrator
• Entra ID Federated Identity Credential Issuer Modified
• Entra ID Global Administrator Role Assigned
• Entra ID Global Administrator Role Assigned (PIM User)
• Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN
• Entra ID OAuth PRT Issuance to Non-Managed Device Detected
• Entra ID Privileged Identity Management (PIM) Role Modified
• Entra ID Protection User Alert and Device Registration
• Entra ID Register Device with Unusual User Agent (Azure AD Join)
• Entra ID Service Principal Credentials Created by Unusual User
• Entra ID Service Principal Federated Credential Authentication by Unusual Client
• Entra ID Sharepoint or OneDrive Accessed by Unusual Client
• Entra ID Unusual Cloud Device Registration
• Entra ID User Added as Registered Application Owner
• Entra ID User Added as Service Principal Owner
• Entra ID User Sign-in with Unusual Non-Managed Device
• External User Added to Google Workspace Group
• First Occurrence GitHub Event for a Personal Access Token (PAT)
• First Occurrence of Personal Access Token (PAT) Use For a GitHub User
• GCP IAM Custom Role Creation
• GCP IAM Service Account Key Deletion
• GCP Service Account Key Creation
• GCP Storage Bucket Permissions Modification
• GitHub Owner Role Granted To User
• Google Workspace Admin Role Assigned to a User
• Google Workspace API Access Granted via Domain-Wide Delegation
• Google Workspace Custom Admin Role Created
• Google Workspace Device Registration After OAuth from Suspicious ASN
• Google Workspace Device Registration Burst for Single User
• Google Workspace Object Copied to External Drive with App Consent
• Google Workspace Password Policy Modified
• Google Workspace Role Modified
• Google Workspace Suspended User Account Renewed
• Google Workspace User Organizational Unit Changed
• Google Workspace User Sign-in from Atypical Device Type
• Kerberos Pre-authentication Disabled for User
• KRBTGT Delegation Backdoor
• Kubernetes Client Certificate Signing Request Created or Approved
• Kubernetes Cluster-Admin Role Binding Created
• Kubernetes Creation of a RoleBinding Referencing a ServiceAccount
• Kubernetes Creation or Modification of Sensitive Role
• Kubernetes RBAC Wildcard Elevation on Existing Role
• Kubernetes Sensitive RBAC Change Followed by Workload Modification
• Kubernetes Service Account Modified RBAC Objects
• Linux Group Creation
• Linux User Account Credential Modification
• Linux User Added to Privileged Group
• M365 Exchange Mailbox Audit Logging Bypass Added
• M365 Exchange Mailbox High-Risk Permission Delegated
• M365 Exchange Management Group Role Assigned
• M365 Exchange MFA Notification Email Deleted or Moved
• M365 Identity Global Administrator Role Assigned
• M365 Identity OAuth Flow by User Sign-in to Device Registration
• M365 Identity OAuth Illicit Consent Grant by Rare Client and User
• M365 Security Compliance Admin Signal
• M365 SharePoint Site Administrator Added
• Modification of the msPKIAccountCredentials
• New ActiveSyncAllowedDeviceID Added via PowerShell
• New GitHub App Installed
• New GitHub Owner Added
• New GitHub Personal Access Token (PAT) Added
• New User Added To GitHub Organization
• Okta User Assigned Administrator Role
• OpenSSL Password Hash Generation
• Pod or Container Creation with Suspicious Command-Line
• Potential Active Directory Replication Account Backdoor
• Potential Admin Group Account Addition
• Potential Linux Backdoor User Account Creation
• Potential Persistence via File Modification
• Potential Privileged Escalation via SamAccountName Spoofing
• Potential Shadow Credentials added to AD Object
• Potential Suspicious File Edit
• Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal
• Shadow File Modification by Unusual Process
• Spike in Group Application Assignment Change Events
• Spike in Group Lifecycle Change Events
• Spike in Group Management Events
• Spike in Group Membership Events
• Spike in Group Privilege Change Events
• Spike in User Account Management Events
• Spike in User Lifecycle Management Change Events
• SSH Authorized Key File Activity Detected via Defend for Containers
• SSH Authorized Keys File Activity
• SSH Key Generated via ssh-keygen
• Suspicious Echo or Printf Execution Detected via Defend for Containers
• Unusual Group Name Accessed by a User
• Unusual Kubernetes Sensitive Workload Modification
• Unusual Login via System User
• Unusual Privilege Type assigned to a User
• User account exposed to Kerberoasting
• User Added to Privileged Group in Active Directory
• User Added to the Admin Group
• User or Group Creation/Modification
• WRITEDAC Access on Active Directory Object

Splunk 71 rules

• Account set to active via Net.exe (EDR)
• Account set to active via Net.exe (Sysmon)
• Account set to active via Net.exe (Windows Event Log)
• ASL AWS IAM Delete Policy
• ASL AWS IAM Failure Group Deletion
• ASL AWS IAM Successful Group Deletion
• AWS IAM Delete Policy
• AWS IAM Failure Group Deletion
• AWS IAM Successful Group Deletion
• Azure AD Admin Consent Bypassed by Service Principal
• Azure AD Application Administrator Role Assigned
• Azure AD FullAccessAsApp Permission Assigned
• Azure AD Global Administrator Role Assigned
• Azure AD New MFA Method Registered
• Azure AD PIM Role Assigned
• Azure AD PIM Role Assignment Activated
• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Azure AD Service Principal New Client Credentials
• Azure AD Service Principal Owner Added
• Azure AD Service Principal Privilege Escalation
• Azure AD Tenant Wide Admin Consent Granted
• Azure AD User Enabled And Password Reset
• Azure AD User ImmutableId Attribute Updated
• Cisco ASA - User Privilege Level Change
• Cisco Configuration Archive Logging Analysis
• Create_Add Local_Domain User (EDR)
• Create_Add Local_Domain User (Sysmon)
• Create_Add Local_Domain User (Windows Event Log)
• ESXi Account Modified
• ESXi User Granted Admin Role
• Linux Auditd Possible Access Or Modification Of Sshd Config File
• Linux Possible Access Or Modification Of sshd Config File
• Linux Possible Ssh Key File Creation
• Linux SSH Authorized Keys Modification
• Member added to security-enabled global group (Windows Event Log)
• O365 Admin Consent Bypassed by Service Principal
• O365 Application Available To Other Tenants
• O365 Application Registration Owner Added
• O365 ApplicationImpersonation Role Assigned
• O365 Elevated Mailbox Permission Assigned
• O365 FullAccessAsApp Permission Assigned
• O365 High Privilege Role Granted
• O365 Mailbox Folder Read Permission Assigned
• O365 Mailbox Folder Read Permission Granted
• O365 Mailbox Read Access Granted to Application
• O365 New MFA Method Registered
• O365 Privileged Role Assigned
• O365 Privileged Role Assigned To Service Principal
• O365 Service Principal New Client Credentials
• O365 Service Principal Privilege Escalation
• O365 Tenant Wide Admin Consent Granted
• Okta New Device Enrolled on Account
• PingID Mismatch Auth Source and Verification Response
• PingID New MFA Method After Credential Reset
• PingID New MFA Method Registered For User
• Windows AD add Self to Group
• Windows AD DSRM Account Changes
• Windows AD DSRM Password Reset
• Windows AD Privileged Group Modification
• Windows AD Self DACL Assignment
• Windows AD ServicePrincipalName Added To Domain Account
• Windows AD Short Lived Domain Account ServicePrincipalName
• Windows Azure PowerShell Module Installation Via PowerShell Script
• Windows DnsAdmins New Member Added
• Windows Entra User Management Via Azure CLI
• Windows Increase in Group or Object Modification Activity
• Windows Increase in User Modification Activity
• Windows Multiple Account Passwords Changed
• Windows Multiple Accounts Deleted
• Windows Multiple Accounts Disabled

Kusto 115 rules

• Account added and removed from privileged groups
• AD account with Don't Expire Password
• AD user enabled and password not set within 48 hours
• Admin promotion after Role Management Application Permission Grant
• Anomalous login followed by Teams action
• Attempt to bypass conditional access rule in Microsoft Entra ID
• Authentication Method Changed for Privileged Account
• Authentication Methods Changed for Privileged Account
• AWS Security Hub - Detect IAM Policies allowing full administrative privileges
• AWS Security Hub - Detect IAM root user Access Key existence
• AWS Security Hub - Detect root user lacking MFA
• AWSCloudTrail - Changes to internet facing AWS RDS Database instances
• AWSCloudTrail - CloudFormation policy created then used for privilege escalation
• AWSCloudTrail - Created CRUD S3 policy and then privilege escalation
• AWSCloudTrail - Creation of Access Key for IAM User
• AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation
• AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation
• AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation
• AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation
• AWSCloudTrail - Creation of EC2 policy and then privilege escalation
• AWSCloudTrail - Creation of Glue policy and then privilege escalation
• AWSCloudTrail - Creation of Lambda policy and then privilege escalation
• AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation
• AWSCloudTrail - Creation of SSM policy and then privilege escalation
• AWSCloudTrail - Policy version set to default
• AWSCloudTrail - Privilege escalation via CloudFormation policy
• AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy
• AWSCloudTrail - Privilege escalation via CRUD IAM policy
• AWSCloudTrail - Privilege escalation via CRUD KMS policy
• AWSCloudTrail - Privilege escalation via CRUD Lambda policy
• AWSCloudTrail - Privilege escalation via CRUD S3 policy
• AWSCloudTrail - Privilege escalation via DataPipeline policy
• AWSCloudTrail - Privilege escalation via EC2 policy
• AWSCloudTrail - Privilege escalation via Glue policy
• AWSCloudTrail - Privilege escalation via Lambda policy
• AWSCloudTrail - Privilege escalation via SSM policy
• AWSCloudTrail - Privilege escalation with admin managed policy
• AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy
• AWSCloudTrail - Privilege escalation with FullAccess managed policy
• Azure DevOps Administrator Group Monitoring
• Azure DevOps Pull Request Policy Bypassing - Historic allow list
• Azure DevOps Service Connection Abuse
• Azure DevOps Service Connection Addition/Abuse - Historic allow list
• CiscoISE - Device PostureStatus changed to non-compliant
• CiscoISE - ISE administrator password has been reset
• Conditional Access - A Conditional Access user/group/role exclusion has changed
• Copilot - Plugin Created by Non-Admin User
• Credential added after admin consented to Application
• Dataverse - New non-interactive identity granted access
• Detect changes to Connect Sync Application
• Detect credential add to Connect Sync Application
• Detect PIM Alert Disabling activity
• DEV-0270 New User Creation
• Device Registration from Malicious IP
• DSRM Account Abuse
• External User Access Enabled
• F&O - Non-interactive account mapped to self or sensitive privileged user
• Firewall rule manipulation attempts stateful anomaly on database
• Group created then added to built in domain local or global group
• GWorkspace - Admin permissions granted
• GWorkspace - User access has been changed
• High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
• High-Risk Admin Activity
• Illusive Incidents Analytic Rule
• Local Admin Group Changes
• Mail.Read Permissions Granted to Application
• Malicious BEC Inbox Rule
• Malicious Inbox Rule
• Microsoft Entra ID Role Management Permission Grant
• Modified domain federation trust settings
• Multi-Factor Authentication Disabled for a User
• New External User Granted Admin Role
• New user created and added to the built-in administrators group
• NRT Authentication Methods Changed for VIP Users
• NRT Malicious Inbox Rule
• NRT Modified domain federation trust settings
• NRT User added to Microsoft Entra ID Privileged Groups
• Office Policy Tampering
• Pathlock TDnR - Authorization Profile Changes
• Pathlock TDnR - Authorization Role Changes
• Pathlock TDnR - CUA Settings Changes
• Pathlock TDnR - Global System Change Setting Events
• Pathlock TDnR - Kerberos Keytab Changes
• Pathlock TDnR - RFC Connection Changes
• Pathlock TDnR - SAP Authorization Changes
• Pathlock TDnR - SAP Client Configuration Changes
• Pathlock TDnR - SAP Instance Profile Changes
• Pathlock TDnR - System Security Policy Changes
• Pathlock TDnR - User Access Management Password Resets
• Pathlock TDnR - User Master Data Changes
• Pathlock TDnR - User-Profile Assignment Changes
• Pathlock TDnR - User-Role Assignment Changes
• Ping Federate - Abnormal password resets for user
• Possible SignIn from Azure Backdoor
• Rare and potentially high-risk Office operations
• Rare subscription-level operations in Azure
• RecordedFuture Threat Hunting Url All Actors
• Semperis DSP RBAC Changes
• Semperis DSP Recent sIDHistory changes on AD objects
• Server Oriented Cmdlet And User Oriented Cmdlet used
• Shadow Credentials Added to Account
• Shadow Credentials Added to Account (Alternative)
• Sign-ins from IPs that attempt sign-ins to disabled accounts
• Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
• SlackAudit - User role changed to admin or owner
• StealthTalk - Multi new devices registration
• Suspicious granting of permissions to an account
• Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups
• User account added to built in domain local or global group
• User account created and deleted within 10 mins
• User account enabled and disabled within 10 mins
• User added to Microsoft Entra ID Privileged Groups
• User State changed from Guest to Member
• VIP Mailbox manipulation
• VMware ESXi - Root password changed

YARA-L 29 rules

• AWS IAM Activity By S3 Browser Utility
• AWS IAM Activity From EC2 Instance
• Client Secret Added to Entra ID Application
• Entra ID Add User Outside PIM
• Entra ID Add User To Admin Role
• Entra ID Recently Created User Assigned an Entra ID Role
• GCP Admin Privileged Roles Added To Service Accounts
• GCP IAM Organization Policy Updated Or Deleted
• GitHub Personal Access Token Created from Tor IP Address
• GitHub Repository Deploy Key Created Or Modified
• Google Cloud Service Account Key Created or Uploaded
• Google Workspace Admin Role Assignment
• Google Workspace Custom Admin Role Created
• Google Workspace Password Policy Changed
• Google Workspace User Ou Changed
• O365 AD PowerShell App Login Subsequent Activity
• O365 Add User To Admin Role
• O365 Entra ID App Client Secret Added, Updated or Deleted
• O365 Recently Created Entra ID User Assigned Roles
• sap change documents sensitive profile assignment
• sap change documents sensitive profile assignment data table
• sap change documents sensitive role assignment
• sap critial role assigned to new user
• sap critical authorization value changed
• sap critical role assigned to new user
• sap hanadb assign admin authorizations
• sap multiple password changes
• sap sensitive role assignment correlation
• sap sensitive role authorization modification

Panther 83 rules

• A long-lived cert was created
• A Teleport Role was modified or created
• A user authenticated with SAML, but from an unknown company domain
• A User Role with Sensitive Permissions has been Created
• A User's Panther Account was Modified
• An administrator account was created, deleted, or modified.
• Anthropic Admin API Key Created
• Anthropic Admin API Key Deleted
• Anthropic Primary Owner Transferred
• Anthropic Role Granted
• Anthropic Service Key Created
• Anthropic Service Key Revoked
• AppOmni Alert Passthrough
• Auth0 New Admin Invited FOLLOWED BY Tenant Member Account Deletion
• Auth0 Same Phone Number Shared Across Multiple Users as MFA
• AWS Network ACL Overly Permissive Entry Created
• AWS Privilege Escalation Via User Compromise
• AWS RDS Instance Modified to be Publicly Accessible
• AWS RDS Master Password Updated
• AWS RDS Security Group Ingress Authorized
• AWS Root Account Access Keys
• AWS User API Key Created
• AWS User Login Profile Created or Modified
• AWS User Takeover Via Password Reset
• Azure Kubernetes RoleBinding or ClusterRoleBinding Created
• Azure Privileged or Elevated Role Assignment
• Azure Service Principal Credentials Added
• Azure Storage Account Key Regenerated
• Azure Storage Account Shared Key Access Enabled
• Azure User Elevated to User Access Administrator Role
• Carbon Black Admin Role Granted
• Crowdstrike Admin Role Assigned
• Crowdstrike API Key Created
• Crowdstrike New Admin User Created
• Crowdstrike User Password Changed
• CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails
• CVE-2023-7028 - GitLab Production Password Reset Multiple Emails
• Databricks Account Admin Privileged Role Assignment
• Databricks Account-Level Configuration Changes
• Databricks High Priority Configuration Changes
• Databricks Long-Lifetime Token Generated
• Databricks Metastore Admin Privilege Granted
• Databricks Principal Removed From Group
• Databricks User Password Changed
• Databricks User Role Modified
• Databricks Workspace Admin Privileged Role Assignment
• Databricks Workspace-Level Configuration Changes
• DEPRECATED - AWS User Login Profile Modified
• GCP Inbound SSO Profile Created
• GCP Workforce Pool Created or Updated
• GCP Workload Identity Pool Created or Updated
• GitHub Malicious Commit Content
• GitHub Org Authentication Method Changed
• GitHub Org IP Allow List modified
• GitHub User Role Updated
• Google Workspace OAuth Application Authorized with Privileged Scopes
• GSuite Workspace Gmail Default Routing Rule Modified
• GSuite Workspace Trusted Domain Allowlist Modified
• IAM Role Added to RDS Instance or Cluster
• Kubernetes Client Certificate Credential Created
• Kubernetes ClusterRoleBinding to Privileged Role
• Kubernetes Long-Lived Service Account Token Created
• Kubernetes System Role Modified or Deleted
• New IAM Credentials Updated
• Notion Login FOLLOWED BY AccountChange
• Okta AD Agent Token Abuse - Behavioral
• Okta Authentication Bypass via Skeleton Key Injection - Behavioral
• Okta Identity Provider Created or Modified
• Okta Identity Provider Sign-in
• OpenAI Admin Role Assignment
• OpenAI Anomalous API Key Activity
• OpenAI SCIM Configuration Change
• Root Account Access Key Created
• Root Password Changed
• Salesforce Third-Party Integration Monitoring
• Sensitive API Calls Via VPC Endpoint
• Slack App Access Expanded
• Slack Primary Owner Transferred
• Slack Private Channel Made Public
• Slack User Privilege Escalation
• Snowflake user with key-based auth logged in with password auth
• Wiz User Role Updated Or Deleted
• ZIA Additional Cloud Roles