Alert Types by XDR Event Name

The following information lists alert types alphabetically by their XDR event name. Details for each alert type can be viewed by clicking the More details link.

For alert types listed alphabetically by their display name, see Alert Types by Name.

XDR Event Name

Display Name

ade_outbytes_anomaly

Data Ingestion Volume Anomaly

ade_outbytes_anomaly_flip

Sensor Status Anomaly

anomalous_file_action

File Action Anomaly

asset_violation

Unapproved Asset Activity

aws_ami_public

AWS AMI Made Public

aws_malicious_activity

Potentially Malicious AWS Activity

aws_s3_ransomware

AWS S3 Ransomware

aws_stoplogging

AWS Logging Stopped

aws_suspicious_bucket_enumeration

Suspicious AWS Bucket Enumeration

aws_suspicious_cloudtrail_logs_modification

Suspicious Modification of AWS CloudTrail Logs

aws_suspicious_ebs_activity

Suspicious AWS EBS Activity

aws_suspicious_ec2_activity

Suspicious AWS EC2 Activity

aws_suspicious_elb_activity

Suspicious AWS ELB Activity

aws_suspicious_iam_activity

Suspicious AWS IAM Activity

aws_suspicious_modification_of_route_table

Suspicious Modification of AWS Route Table

aws_suspicious_modification_of_s3_bucket

Suspicious Modification of S3 Bucket

aws_suspicious_rds_event

Suspicious AWS RDS Event

aws_suspicious_root_account_activity

Suspicious AWS Root Account Activity

aws_suspicious_route53_activity

Suspicious AWS Route 53 Activity

aws_suspicious_ssl_certificate_activity

Suspicious AWS SSL Certificate Activity

aws_suspicious_vpc_flow_logs_modification

Suspicious AWS VPC Flow Logs Modification

aws_suspicious_vpc_mirror_session

Suspicious AWS VPC Mirror Session

azure_ad_add_app_multitenant

Microsoft Entra Apps Modified to Allow Multi-Tenant Access

azure_ad_change_domain

Microsoft Entra Custom Domains Changed

azure_application_configuration_changes

Microsoft Entra Application Configuration Changes

azure_application_gateway_changed

Azure Application Gateway Changed

azure_application_permission_changes

Microsoft Entra Application Permission Changes

azure_bitlocker_key_retrieval

Microsoft Entra BitLocker Key Retrieval

azure_changes_to_device_registration_policy

Microsoft Entra Changes to Device Registration Policy

azure_changes_to_privileged_account

Microsoft Entra Changes to Privileged Account

azure_changes_to_privileged_role_assignment

Microsoft Entra Changes to Privileged Role Assignment

azure_discovery_using_azurehound

Microsoft Entra ID Discovery Using AzureHound

azure_dns_zone_change

Azure DNS Zone Changed

azure_federation_modified

Microsoft Entra Federation Modified

azure_guest_user_invited_by_non_approved_inviters

Microsoft Entra Guest User Invited by Non-Approved Inviters

azure_mfa_disabled

Microsoft Entra ID MFA Disabled

azure_new_cloudshell_created

Azure New CloudShell Created

azure_pim_setting_changed

Microsoft Entra PIM Setting Changed

azure_privileged_account_assignment_or_elevation

Microsoft Entra Privileged Account Assignment or Elevation

azure_security_config_changed

Azure Security Configuration Changed

azure_sign_in_failures

Microsoft Entra Sign-in Failure

azure_suspicious_changes_to_conditional_access_policy

Microsoft Entra Changes to Conditional Access Policy

azure_suspicious_sign_in_activity

Microsoft Entra Suspicious Sign-in Activity

azure_unusual_account_creation

Microsoft Entra Unusual Account Creation

bad_process

Process Anomaly

bad_reputation_login

Bad Reputation Login

carbonblack_edr_anomaly

Carbon Black: XDR Anomaly

cloud_account_login_failure_okta

Account MFA Login Failure Anomaly

cnc_reputation

Command & Control Reputation Anomaly

command_anomaly

Command Anomaly

country_communication_anomaly

Outbound Destination Country Anomaly

cryptojacking

Cryptojacking

cylance_edr_anomaly

CylanceOPTICS: XDR Anomaly

dga_resolvable

DGA

dhcp_anomaly

DHCP Server Anomaly

dns_phishing_file_extension_tld

Phishing Domain with File Extension TLD

dns_tor_proxy_domain

DNS Query to TOR Proxy Domain

dns_tunnel

DNS Tunneling Anomaly

dstip_bad_reps

Bad Destination Reputation Anomaly

email_recent_domain_correlation

Possible Phishing Site Visit from Email

emerging_threat

Emerging Threat

encoded_powershell

Encoded PowerShell

encrypted_phishing_site

Possible Encrypted Phishing Site Visit

exploit_attempt_correlation

Exploited C&C Connection

exploit_attempt_priv_priv

Private to Private Exploit Anomaly

exploit_attempt_priv_pub

Private to Public Exploit Anomaly

exploit_attempt_pub_priv

Public to Private Exploit Anomaly

exploit_attempt_pub_pub

Public to Public Exploit Anomaly

external_clear_password

External Plain Text Passwords Detected

external_cloud_account_login_failure

External Account Login Failure Anomaly

external_credential_stuffing

External Credential Stuffing

external_database_command

External SQL Shell Command

external_fw_action

External Firewall Denial Anomaly

external_fw_policy_id

External Firewall Policy Anomaly

external_handshake_failure

External Handshake Failure

external_ids_signature_spike

External IDS Signature Spike

external_malware_activity

External Other Malware

external_mysql_anomaly

External SQL Anomaly

external_non_std_port_anomaly

External Non-Standard Port Anomaly

external_password_spray

External Password Spraying

external_pii_leak

External PII Leaked

external_port_scan

External IP / Port Scan Anomaly

external_protocol_account_login_failure

External Protocol Account Login Failure Anomaly

external_pua

External PUA

external_ransomware

External Ransomware

external_rdp_bluekeep

External RDP BlueKeep

external_rdp_brute_force

External RDP Brute Force Attack

external_rdp_suspicious_outbound

External RDP Suspicious Outbound

external_scan_anomalies

External Scanner Behavior Anomaly

external_smb_anomaly

External SMB Write Anomaly

external_smb_read_anomaly

External SMB Read Anomaly

external_smb_user_scan

External SMB Username Enumeration

external_spyware_activity

External Spyware

external_sql_db_dump

External SQL Dumpfile Execution

external_suspected_malicious_user_agent

External Suspected Malicious User Agent

external_syn_flood

External SYN Flood Victim

external_syn_flood_attacker

External SYN Flood Attacker

external_trojan_activity

External Trojan

external_url_scan

External URL Reconnaissance Anomaly

external_user_agent_anomaly

External User Agent Anomaly

external_user_bytes_sum

External User Data Volume Anomaly

external_user_login_fail

External User Login Failure Anomaly

external_user_success_brute_forcer

External Brute-Forced Successful User Login

external_user_uncommon_app

External User Application Usage Anomaly

external_vuln_exploit_correlation

External Exploited Vulnerability

file_creation

File Creation Anomaly

gsuite_account_manipulation

Google Workspace Account Manipulation

gsuite_attack_warning

Google Workspace Attack Warning

gsuite_suspicious_activities

Google Workspace Suspicious Activities

gsuite_user_suspended

Google Workspace User Suspended

hydra_password_guessing_hack_tool

Hydra Password Guessing Hack Tool

internal_clear_password

Internal Plain Text Passwords Detected

internal_cloud_account_login_failure

Internal Account Login Failure Anomaly

internal_credential_stuffing

Internal Credential Stuffing

internal_database_command

Internal SQL Shell Command

internal_fw_action

Internal Firewall Denial Anomaly

internal_fw_policy_id

Internal Firewall Policy Anomaly

internal_handshake_failure

Internal Handshake Failure

internal_ids_signature_spike

Internal IDS Signature Spike

internal_malware_activity

Internal Other Malware

internal_mysql_anomaly

Internal SQL Anomaly

internal_non_std_port_anomaly

Internal Non-Standard Port Anomaly

internal_password_spray

Internal Password Spraying

internal_pii_leak

Internal PII Leaked

internal_port_scan

Internal IP / Port Scan Anomaly

internal_protocol_account_login_failure

Internal Protocol Account Login Failure Anomaly

internal_pua

Internal PUA

internal_ransomware

Internal Ransomware

internal_rdp_bluekeep

Internal RDP BlueKeep

internal_rdp_brute_force

Internal RDP Brute Force Attack

internal_rdp_suspicious_outbound

Internal RDP Suspicious Outbound

internal_scan_anomalies

Internal Scanner Behavior Anomaly

internal_smb_anomaly

Internal SMB Write Anomaly

internal_smb_read_anomaly

Internal SMB Read Anomaly

internal_smb_user_scan

Internal SMB Username Enumeration

internal_spyware_activity

Internal Spyware

internal_sql_db_dump

Internal SQL Dumpfile Execution

internal_suspected_malicious_user_agent

Internal Suspected Malicious User Agent

internal_syn_flood

Internal SYN Flood Victim

internal_syn_flood_attacker

Internal SYN Flood Attacker

internal_trojan_activity

Internal Trojan

internal_url_scan

Internal URL Reconnaissance Anomaly

internal_user_agent_anomaly

Internal User Agent Anomaly

internal_user_bytes_sum

Internal User Data Volume Anomaly

internal_user_login_fail

Internal User Login Failure Anomaly

internal_user_success_brute_forcer

Internal Brute-Forced Successful User Login

internal_user_uncommon_app

Internal User Application Usage Anomaly

internal_vuln_exploit_correlation

Internal Exploited Vulnerability

ips_signature_spike_priv_priv

Private to Private IPS Signature Spike

ips_signature_spike_priv_pub

Private to Public IPS Signature Spike

ips_signature_spike_pub_priv

Public to Private IPS Signature Spike

ips_signature_spike_pub_pub

Public to Public IPS Signature Spike

long_session_anomaly

Long App Session Anomaly

mal_access

Malicious Site Access

malware_on_disk

Malware on Disk

microsoft_entra_app_deleted

Microsoft Entra Application Deleted

microsoft_entra_hybrid_health_adfs_new_server

Microsoft Entra Hybrid Health AD FS New Server

microsoft_entra_hybrid_health_adfs_service_deleted

Microsoft Entra Hybrid Health AD FS Service Deleted

microsoft_entra_owner_removed_from_app

Microsoft Entra Owner Removed from Application

mimikatz_dcsync

Mimikatz DCSync

mimikatz_mem_scan

Mimikatz Credential Dump

network_uncommon_app

Uncommon Application Anomaly

network_uncommon_process

Uncommon Process Anomaly

new_registered_domain

Recently Registered Domains

office365_admin_audit_logging_disabled

Office 365 Admin Audit Logging Disabled

office365_content_filter_policy_changed

Office 365 Content Filter Policy Changed

office365_malware_filter_policy_changed

Office 365 Malware Filter Policy Changed

office365_multi_file_restore

Office 365 Multiple Files Restored

office365_multi_user_deleted

Office 365 Multiple Users Deleted

office365_outside_entity_file_sharing

Office 365 File Sharing with Outside Entities

office365_password_policy_changed

Office 365 Password Policy Changed

office365_security_conf_changed

Office 365 Network Security Configuration Changed

office365_sharing_policy_changed

Office 365 Sharing Policy Changed

office365_user_network_admin_changed

Office 365 User Network Admin Changed

outbytes_anomaly

Outbytes Anomaly

parent_child

Abnormal Parent / Child Process

password_cracking_with_hashcat

Password Cracking With Hashcat

password_resets_anomaly

Password Resets Anomaly

password_spraying_attempts_using_dsacls

Password Spraying Attempts Using Dsacls

phishing

Phishing URL

powershell_cnc

PowerShell Remote Access

pripub_appid

Application Usage Anomaly

ransomware_delete_backup_catalogs

Backup Catalogs Deleted by Ransomware

ransomware_volume_shadow_copy_deletion_via_vssadminedit

Volume Shadow Copy Deletion via VssAdmin

ransomware_volume_shadow_copy_deletion_via_wmicredit

Volume Shadow Copy Deletion via WMIC

rdp_outbytes_anomaly

RDP Outbytes Anomaly

rdp_port_opening

RDP Port Opening

rdp_registry_modification

RDP Registry Modification

rdp_reverse_tunnel

RDP Reverse Tunnel

rdp_session_hijacking

RDP Session Hijacking

rdp_settings_hijack

RDP Settings Hijacking

rdp_suspicious_logon

RDP Suspicious Logon

rdp_suspicious_logon_attempt

RDP Suspicious Logon Attempt

scanner_rep

Scanner Reputation Anomaly

smb_hack_smbexec

SMB Specific Service Installation

smb_impacket_lateralization

SMB Impacket Lateralization

smb_suspicious_copy

SMB Suspicious Copy

srcip_bad_reps

Bad Source Reputation Anomaly

ssl_certificate

Encrypted C&C

suspicious_azure_account_permission_elevation

Suspicious Azure Account Permission Elevation

suspicious_azure_deployment_activity

Suspicious Azure Deployment Activity

suspicious_azure_device_activity

Suspicious Microsoft Entra Device Activity

suspicious_azure_firewall_activity

Suspicious Azure Firewall Activity

suspicious_azure_key_vault_activity

Suspicious Azure Key Vault Activity

suspicious_azure_kubernetes_activity_credential_access

Suspicious Azure Kubernetes Activity: Credential Access

suspicious_azure_kubernetes_activity_defense_evasion

Suspicious Azure Kubernetes Activity: Defense Evasion

suspicious_azure_kubernetes_activity_impact

Suspicious Azure Kubernetes Activity: Impact

suspicious_azure_kubernetes_activity_persistence

Suspicious Azure Kubernetes Activity: Persistence

suspicious_azure_kubernetes_activity_privilege_escalation

Suspicious Azure Kubernetes Activity: Privilege Escalation

suspicious_azure_network_activity

Suspicious Azure Network Activity

suspicious_azure_service_principal_activity

Suspicious Microsoft Entra Service Principal Activity

suspicious_commandline

Suspicious Process Creation Commandline

suspicious_powershell_script

Suspicious Powershell Script

suspicious_process_access_lsass

Suspicious LSASS Process Access

suspicious_windows_network_connection

Suspicious Windows Network Connection

suspicious_windows_registry_event_impact

Suspicious Windows Registry Event: Impact

suspicious_windows_registry_event_persistence

Suspicious Windows Registry Event: Persistence

unencrypted_phishing_site

Possible Unencrypted Phishing Site Visit

user_asset_access

User Asset Access Anomaly

user_impossible_travel

Impossible Travel Anomaly

user_login_region

User Login Location Anomaly

user_login_time

Login Time Anomaly

user_uncommon_process

User Process Usage Anomaly

waf_internal_attacker

WAF Internal Attacker Anomaly

waf_rule_violation

WAF Rule Violation Anomaly

windows_security_ad_sensitive_attribute_modification

Sensitive Windows Active Directory Attribute Modification

windows_security_ad_suspicious_operation

Suspicious Windows Active Directory Operation

windows_security_malicious_event

Potentially Malicious Windows Event

windows_security_object_access_suspicious_attempt

Suspicious Access Attempt to Windows Object

windows_security_sensitive_networkshare

Sensitive Windows Network Share File or Folder Accessed

windows_security_steal_or_forge_kerberos_tickets

Steal or Forge Kerberos Tickets

windows_security_suspicious_activity_related_to_security_enabled_group

Suspicious Activity Related to Security-Enabled Group

windows_security_suspicious_connection_process

Suspicious Connection to Another Process

windows_security_suspicious_handle_request

Suspicious Handle Request to Sensitive Object

windows_security_suspicious_logon_event

Suspicious Windows Logon Event

windows_security_suspicious_service_installation

Suspicious Windows Service Installation

windows_suspicious_process_creation

Suspicious Windows Process Creation