Cyberleaf Alert Codes

Alert TypeDetails
Access - Access App Tracker - Lookup GenMaintains a list of Authentication app values and the first and last time they have been seen.
Access - Authentication Tracker - Lookup GenMaintains a list of users that have authenticated to each system and the first, second to last, and last time they have been seen
Access - First Time Account AccessIdentifies user and service they are connecting to
Abnormally High Number of Endpoint Changes By UserDetects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications.
Account DeletedDetects user and computer account deletion
Anomalous New ProcessAlerts when an anomalous number hosts are detected with a new process.
Anomalous New ServiceAlerts when an anomalous number hosts are detected with a new service.
Audit - Active Risk Factors Usage - Telemetry GenSends anonymous usage statistics pertaining to the usage of risk_factors
Audit - Active Users - Telemetry GenSends anonymous usage statistics pertaining to the unique number of active users.
AWS IAM AccessDenied Discovery EventsThe following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated.
Allow Network Discovery In Firewall - Rule
Brute Force Access Behavior DetectedDetects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack)
Brute Force Access Behavior Detected Over One DayDetects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)
Concurrent App AccessesDuplicate resources or apps in use
Concurrent Login Attempts Detected
Endpoint - Local Processes Tracker - Lookup GenMaintains a list of all processes on each system and the first and last time they were seen
Endpoint - Malware Tracker - Lookup GenMaintains a list of all detections (regardless of status) for each system and the first and last time they were seen
Endpoint - Services Tracker - Lookup GenMaintains a list of all services (and the most recent startmode) for each system and the first and last time they were seen
Endpoint - Update Signature Reference - Lookup GenMaintains a list of all updates by vendor and the first and last time they were seen
Endpoint - User Account Tracker - Lookup GenMaintains a list of all local user accounts on each system and the first and last time they were seen
ESCU - Abnormally High Number Of Cloud Instances Destroyed - RuleThis search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.
ESCU - Abnormally High Number Of Cloud Instances Launched - RuleThis search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.
ESCU - Allow File And Printing Sharing In Firewall - RuleThis search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files
ESCU - Allow Inbound Traffic By Firewall Rule Registry - RuleThis analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.
ESCU - Allow Network Discovery In Firewall - RuleThis search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in a couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files.
ESCU - Attacker Tools On Endpoint - RuleThis search looks for execution of commonly used attacker tools on an endpoint.
ESCU - Attempted Credential Dump From Registry via Reg exe - RuleMonitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.
ESCU - AWS Create Policy Version to allow all resources - RuleThis search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account
ESCU - AWS CreateAccessKey - RuleThis search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)
ESCU - AWS CreateLoginProfile - RuleThis search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip
ESCU - AWS Cross Account Activity From Previously Unseen Account - RuleThis search looks for AssumeRole events where an IAM role in a different account is requested for the first time.
ESCU - aws detect permanent key creation - RuleThis search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor.
ESCU - aws detect role creation - RuleThis search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.
ESCU - AWS Detect Users creating keys with encrypt policy without MFA - RuleThis search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.
ESCU - Prohibited Network Traffic Allowed - RuleThis search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table "lookup_interesting_ports", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.
ESCU - Remote Desktop Network Traffic - RuleThis search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.
ESCU - Suspicious Event Log Service Behavior - RuleThe following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.
Excessive Failed LoginsDetects excessive number of failed login attempts (this is likely a brute force attack)
Unapproved Port Activity Detected
Remote Desktop Process Running On SystemThis search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the common_rdp_source category in the Assets and Identity framework.
Protocols passing authentication in cleartextThe following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances.
Detect Outbound SMB TrafficThis search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. One of the techniques often used by attackers involves retrieving the credential hash using an SMB request made to a compromised server controlled by the threat actor.
Detect New Local Admin accountThis search looks for newly created accounts that have been elevated to local administrators.
Email servers sending high volume traffic to hostsThis search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
Malicious PowerShell Process - Execution Policy BypassThis search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.
Detect New Open S3 bucketsThis search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.
Detect Exchange Web ShellThe following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell.
CMD Echo PipeThis analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via jump (Cobalt Strike PTH) or getsystem, using named-pipe impersonation. A suspicious event will look like cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53.
Scheduled Task Deleted Or Created via CMDThe following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware".
Disabling CMD Applicationthis search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan, or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.
Detect Large Outbound ICMP PacketsThis search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.

Related Posts

May 16, 2024

The Threat of Generative AI

May 14, 2024

What is a Deepfake?

Jonathan Meyn

Director of Channel Sales

Jonathan is responsible for the Channel Strategy at Cyberleaf. He has over 10 years of experience in various technology solutions sales leadership roles. He has driven cybersecurity strategy and growth within the nation’s leading managed service providers.

Jonathan has a Communications Degree from Pennsylvania State University.

Brant Feldman


Brant served in Naval Special Warfare for 11 years.  He separated as a Lieutenant Commander having served at SEAL Team TWO, SEAL Team FOUR, and SEAL Team SIX.  Following his Naval service, Brant joined ADS in 2008 and was ultimately promoted to Chief Sales Officer, where he directed all sales, supplier, and marketing efforts.  His team was comprised of over 200 sales professionals who drove $3.2B in annual sales.  In 2022, Brant left ADS to pursue opportunities in Private Equity.

Brant has a Juris Doctorate from the University of Virginia School of Law, an Executive MBA from the Darden School of Business and degrees in Economics and Government from the University of Virginia.

Will Sendall


Will served as Chief Financial Officer to various private equity and VC backed high growth technology companies where he managed the financial and operational functions.  Will has also successfully executed multiple debt and equity fundraising processes and led both buy and sell sides of M&A processes.

Will has a MBA from the University of North Carolina – Chapel Hill and a degree in Accounting from Appalachian State University. 

Marshall Howard

Executive Vice President

Marshall is responsible for engineering and project management for Waterleaf. He has over 20 years executive experience across startup operations and Fortune 500 companies in multiple areas including Operations, Engineering, and Technology Implementation, Business Planning/Budgeting, Finance/M&A, Revenue Assurance, and Regulatory Affairs.

Previously Marshall served as a Vice President at T3 Communications, Inc., a Fort Myers, FL based CLEC and managed services provider. Prior to joining T3, Marshall served as VP of Network Technology and Business Development at Cleartel Communications (now part of Birch Communications) where he played a major role in the acquisition and integration of three other CLECs.

Marshall earned a BS in Physics from Rhodes College, a MSEE from Vanderbilt University, an MBA from Southern Methodist University and completed post-graduate work in Finance and Economics at Vanderbilt University. In addition, he has earned a Project Management Professional (PMP) certification.

David Levitan


David has over 30 years of experience as a telecommunications industry executive, leading technology and services organizations that have designed, built, and maintained fiber and wireless infrastructure across the US and internationally. He has extensive development, product marketing and general management experience operating independent, sponsor-backed, and publicly traded companies.

David’s previous experience includes executive leadership roles in start-up and publicly traded companies. As President of C-COR Network Services, he drove over 30% sales growth through a team of 400 employees delivering network infrastructure services for broadband operators, while also serving as an officer of parent company C-COR, Inc. At Scientific-Atlanta, Inc David held a progression of leadership and executive positions as the broadband division grew from ~$100 million to over $1.5 billion in annual sales. During his tenure he held product management, strategic planning, and general management roles, including overseeing the rapid growth of the company’s largest business unit, and establishing and scaling a unit delivering domestic and international professional services. As Vice President of CableMatrix, David also helped raise $5 million in series A venture funding for a policy management software startup.

David completed his undergraduate work at Cornell University with a BA in Economics and holds an MBA from the Harvard Graduate School of Business. 

Adam Sewall


Adam has been a successful senior executive and entrepreneur in the telecomm industry for more than 20 years. Adam has demonstrated success in complex technology deployments, as well as strategic planning, corporate development M&A, business development, operations, and general management. This experience also includes several significant liquidity events for shareholders.

Adam has had significant experience in the design, deployment, and operation of fiber, cellular, point-to-point and other communications networks in the US, Asia and SE Asia. Included in these deployments are AMPS, GSM, CDMA/TDMA, spread spectrum, Wi-Max/Wi-Fi and various Metro and long-haul fiber networks.

Prior to Waterleaf Adam was the President and CEO of T3 Communications Inc. a next generation CLEC based in Florida. He has also held executive management positions in operations, strategic planning and corporate development at T-Mobile and Verizon Wireless.

Adam’s technical background includes work in RF engineering, SDR, mobile s/w development, hardware engineering and telecommunications architecture. His project management and operations background include certifications in project management, GSM/PCS, numerous telecom standards and the successful integration of complex infrastructure as well as global deployments of software and communications networks.

He holds a BS Degree from SUNY and has completed graduate studies in engineering, finance, mathematics and economics at Stevens Institute, Columbia and Pace Universities.