Event Sets for Integration Alerting

Modified on Tue, Aug 26 at 2:06 PM

In ConnectSecure, Event Sets are the predefined events that can trigger an alert through a supported integration. They are grouped into categories, and each event is enabled with a checkbox.

Event Sets are hard-coded and cannot be modified or removed from the system.

Event Sets work across most of the integrations where alerting is supported.


Event Set - Details

The Event Set options are listed under the integration details.

Not every supported integration exposes them in the same place, so check your specific integration for its Event Set and Integration Rules options.


You will not see the Event Set options until you have provided the credentials for the selected integration.



Events by Category

Event Set categories include:

System Changes, Problems, Solutions, Entra ID Audit, Entra ID Error, AD Audit, Job Failed, Certificate Expires in 30 Days, Microsoft 365 Assessment, Google Workspace Assessment, and Web Application Scanning.

Below is a breakdown of each category and the available 'events' you can monitor for each.

System Changes

| Event | Description |
|---|---|
| New Asset Added | A new asset is added to the All Assets section; this happens when an agent is installed or an asset is detected by probe scanning. |
| Agent has Outdated Version | The agent version of a lightweight or probe agent is behind the current release. |
| New Company Created | A new company is created in the ConnectSecure portal, either locally or through a PSA integration. |
| New Open Port Discovered (Probe Scan) | A new open port is discovered on an internal asset during a probe scan; port discovery and scanning are only performed by a Probe agent. |
| New Open Port Discovered (External Scan) | A new open port is discovered during an external scan; it requires |
| Probe Went Down | The probe agent is offline and cannot be reached. |
| Server Agent Went Down | Any agent (probe or lightweight) on an asset identified as a 'Server' by its operating system is offline and cannot be reached. |


Problems

| Event | Description |
|---|---|
| CISA Vulnerabilities Found | Vulnerabilities found that are listed in CISA's Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
| Critical Severity Vulnerabilities Found | Vulnerabilities found with a Critical severity according to the CVSS Base Score. |
| High Severity Vulnerabilities Found | Vulnerabilities found with a High severity according to the CVSS Base Score. |
| Low Severity Vulnerabilities Found | Vulnerabilities found with a Low severity according to the CVSS Base Score. |
| Medium Severity Vulnerabilities Found | Vulnerabilities found with a Medium severity according to the CVSS Base Score. |
| Remote Login Vulnerabilities Found | Problems related to remote login or remote access; e.g. RDP-NTLM. |
| SMB Vulnerabilities Found | Problems related to the SMB protocol; e.g. SMB_Signing. |
| SSL/TLS Vulnerabilities Found | Problems related to SSL/TLS certificates and ciphers; e.g. TLSv1.1, Sweet32, SSL_Heartbleed. |
| Unquoted Service Path Found | Windows-based vulnerability where a service's executable path contains spaces but is not wrapped in quotes; e.g. C:\Program Files\My Service\service.exe. |
| Vulnerabilities Found During External Scan | Vulnerabilities found during an external scan. |
| Vulnerabilities Found With EPSS Score > 95 | A vulnerability is found whose EPSS score is at or above 0.95 (a 95% probability of exploitation). |
| Registry Vulnerabilities Found | A vulnerability is found in the Windows Registry. |
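Three of the rows above (Unquoted Service Path, SMB_Signing and RDP-NTLM) can be confirmed directly on the affected Windows host before the alert is acted on. The following is an added example and not ConnectSecure code: the function names are ours, it assumes Windows 8 / Server 2012 or later (for the SmbShare cmdlets) and an elevated PowerShell session, and the service name and path in the remediation comments are placeholders.

```powershell
# Added example, not ConnectSecure code: reproduce three of the "Problems" checks on a
# Windows host so a finding can be confirmed (or closed) before an alert is actioned.
# Run in an elevated PowerShell 5.1+ session on the host in question.

function Find-UnquotedServicePath {
    # "Unquoted Service Path Found": the binary path is not wrapped in quotes and the part
    # up to the executable contains a space, so the loader may try C:\Program.exe first.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"')) { return }
        # Keep only the executable portion; arguments after .exe do not matter here.
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch '\s') { return }
        [pscustomobject]@{
            Name     = $_.Name
            RunAs    = $_.StartName     # LocalSystem here makes this a privilege-escalation path
            Start    = $_.StartMode
            PathName = $path
        }
    }
}

function Test-SmbSigning {
    # "SMB Vulnerabilities Found" (SMB_Signing): server-side signing must be required,
    # not merely enabled, to stop relay of this host's SMB sessions.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        SigningEnabled  = $cfg.EnableSecuritySignature
        SigningRequired = $cfg.RequireSecuritySignature   # $false is the finding
    }
}

function Test-RdpNla {
    # "Remote Login Vulnerabilities Found" (RDP-NTLM): with Network Level Authentication off,
    # the host builds a full RDP session before the user is authenticated.
    $ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        NlaRequired   = [bool]$ts.UserAuthenticationRequired   # $false is the finding
        SecurityLayer = $ts.SecurityLayer                      # 2 = TLS, 1 = negotiate, 0 = RDP
    }
}

Find-UnquotedServicePath | Format-Table -AutoSize
Test-SmbSigning
Test-RdpNla

# Remediation for the three findings (run as administrator; service name and path are placeholders):
#   sc.exe config MyService binPath= "\"C:\Program Files\My Service\service.exe\""
#   Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
#       -Name UserAuthentication -Value 1
```

An unquoted path is only exploitable when a lower-privileged user can write to one of the directories the loader probes (for the example path, C:\ or C:\Program Files\My Service); check those with icacls before treating the row as an escalation path rather than a hygiene item.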


Solutions

| Event | Description |
|---|---|
| Application Baseline Plans Available | An application and/or service listed in the application baseline is found; see your Application Baseline Results for details. |
| Pending Remediation Found with Critical Severity | Solutions found with a Critical severity according to the CVSS Base Score. |
| Pending Remediation Found with High Severity | Solutions found with a High severity according to the CVSS Base Score. |
| Pending Remediation Found with Medium Severity | Solutions found with a Medium severity according to the CVSS Base Score. |
| Pending Remediation Found with Low Severity | Solutions found with a Low severity according to the CVSS Base Score. |
| Remediation Available | Solutions found with any CVSS Base Score severity, including none/informational. |
| Remediation Found With EPSS between 0 and 0.85 | A solution is found where the EPSS score is between 0 and 0.85. |
| Remediation Found With EPSS between 0.85 and 0.9 | A solution is found where the EPSS score is between 0.85 and 0.9. |
| Remediation Found With EPSS between 0.9 and 0.95 | A solution is found where the EPSS score is between 0.9 and 0.95. |
| Remediation Found With EPSS >= 0.95 | A solution is found where the EPSS score is at or above 0.95. |


Entra ID Audit

| Event Description | Event ID (Source) | Audit Subcategory |
|---|---|---|
| A member was added to a security-disabled universal group (AzureAD) | 4761 | Distribution Group Management |
| A member was added to a security-enabled universal group (AzureAD) | 4756 | Security Group Management |
| A member was removed from a security-disabled universal group (AzureAD) | 4762 | Distribution Group Management |
| A member was removed from a security-enabled universal group (AzureAD) | 4757 | Security Group Management |


Entra ID Error

| Event Description | Event Source / Link | Audit Subcategory |
|---|---|---|
| Entra ID Sync Failure | Troubleshoot Azure AD Connect sync errors | Directory Synchronization |
| Azure Token Expired Error | Microsoft identity platform access tokens | Authentication / Token Management |


AD Audit

NOTE: These event sets require the 'Active AD Audit' option, which is only supported by an agent installed on a domain controller. AD Audit scans Active Directory every 15 minutes.

AD Audit Event Reference Table

| Event Description | Event ID (Source) | Audit Subcategory |
|---|---|---|
| A directory service object was created (Success) | 5137 | Directory Service Changes |
| A directory service object was deleted (Success) | 5141 | Directory Service Changes |
| A directory service object was moved (Success) | 5139 | Directory Service Changes |
| A directory service object was modified (Success) | 5136 | Directory Service Changes |
| A logon was attempted using explicit credentials (Success) | 4648 | Logon/Logoff |
| A member was added to a security disabled global group | 4754 | Security Group Management |
| A member was added to a security disabled local group | 4759 | Security Group Management |
| A member was added to a security disabled universal group | 4761 | Security Group Management |
| A member was added to a security enabled global group | 4728 | Security Group Management |
| A member was added to a security enabled local group | 4732 | Security Group Management |
| A member was added to a security enabled universal group | 4756 | Security Group Management |
| A member was removed from a security disabled global group | 4755 | Security Group Management |
| A member was removed from a security disabled local group | 4760 | Security Group Management |
| A member was removed from a security disabled universal group | 4762 | Security Group Management |
| A member was removed from a security enabled global group | 4729 | Security Group Management |
| A member was removed from a security enabled local group | 4733 | Security Group Management |
| A member was removed from a security enabled universal group | 4757 | Security Group Management |
| A network share object was accessed | 5140 | Object Access |
| A request was made to authenticate to a wired network (Success/Failure) | 4776 | Logon/Logoff |
| A request was made to authenticate to a wireless network (Success/Failure) | 4776 | Logon/Logoff |
| A risky sign-in attempt made (Success) | Identity Protection Events | Identity Protection |
| A security disabled global group was created | 4759 | Security Group Management |
| A security disabled global group was deleted | 4755 | Security Group Management |
| A security disabled local group was created | 4764 | Security Group Management |
| A security disabled local group was deleted | 4760 | Security Group Management |
| A security disabled universal group was created | 4763 | Security Group Management |
| A security disabled universal group was deleted | 4762 | Security Group Management |
| A security enabled global group was created | 4727 | Security Group Management |
| A security enabled global group was deleted | 4729 | Security Group Management |
| A security enabled local group was created | 4731 | Security Group Management |
| A security enabled local group was deleted | 4733 | Security Group Management |
| A security enabled universal group was changed | 4755 | Security Group Management |
| A security enabled universal group was created | 4756 | Security Group Management |
| A security enabled universal group was deleted | 4757 | Security Group Management |
| A session was disconnected from a Windows Station (Success) | 4779 | Logon/Logoff |
| A session was reconnected to a Windows Station (Success) | 4778 | Logon/Logoff |
| A user account was created | 4720 | Account Management |
| A user account was deleted | 4726 | Account Management |
| A user account was enabled | 4722 | Account Management |
| A user account was disabled | 4725 | Account Management |
| A user account was locked out | 4740 | Account Management |
| A user account was unlocked | 4767 | Account Management |
| A user initiated logoff (Success) | 4647 | Logon/Logoff |
| An attempt was made to change an account's password | 4723 | Account Management |
| An attempt was made to reset an account's password | 4724 | Account Management |
| An attempt was made to create a hard link | 4656 | Object Access |
| Computer account was created | 4741 | Account Management |
| Computer account was deleted | 4743 | Account Management |
| Login Failure | 4625 | Logon/Logoff |
| Login Success | 4624 | Logon/Logoff |
| System security access was granted to an account (Success) | 4672 | Privilege Use |
| The domain controller failed to validate the credentials for an account | 4776 | Account Logon |
| The name of an account was changed | 4781 | Account Management |
| The workstation was locked (Success) | 4800 | Logon/Logoff |
| The workstation was unlocked (Success) | 4801 | Logon/Logoff |
| The requested credentials delegation was disallowed by policy (Failed) | 4649 | Logon/Logoff |

NOTE: These events are modeled after the Microsoft Security Audit Events, and the Event ID column refers to Windows Security log event IDs. Several rows do not carry the ID Microsoft publishes for that description: for example, Microsoft logs 4776 for NTLM credential validation (the "domain controller failed to validate the credentials" row), 5632 and 5633 for wireless and wired network authentication requests, 4664 for hard-link creation and 4649 for a detected replay attack, and it uses the 4744-4753 and 4759-4763 ranges for security-disabled (distribution) local, global and universal group changes. Before building a detection or a ticketing rule on an ID from this table, confirm the mapping for that row in Microsoft's reference, and confirm with auditpol that the listed Audit Subcategory is enabled on the domain controller, because the agent can only report events Windows actually writes.

For a full description of these events, refer to Microsoft's Security Audit Events resources:

Appendix L: Events to Monitor on Microsoft Learn

Microsoft's Security Audit Events Spreadsheet
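To see what the AD Audit scan has to work with on a given domain controller, the following added example (ours, not ConnectSecure agent code) reads the Security log for the last 15 minutes, the scan interval stated above, and pulls the actor, target and audit subcategory out of each matching event. The ID list is limited to rows of the table whose ID matches Microsoft's published mapping; the function and variable names are ours, and the auditpol commands at the end are the standard Windows ones.

```powershell
# Added example, not ConnectSecure code: pull the account-management, group-membership and
# directory-change events from the Security log on a domain controller for the last 15 minutes.
# Run in an elevated session on the DC (add -ComputerName to Get-WinEvent to query remotely).

$ids = 4720, 4722, 4723, 4724, 4725, 4726, 4728, 4729, 4732, 4733, 4740, 4741, 4743,
       4756, 4757, 4767, 4781, 5136, 5137, 5139, 5141

function Get-RecentAdAuditEvents {
    param([int]$Minutes = 15, [int[]]$Id = $ids)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent throws when nothing matches, which is a normal outcome for a quiet window.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The EventData fields are more reliable to read from the XML than from the rendered message.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            Subcategory = $_.TaskDisplayName       # e.g. "Security Group Management"
            Actor       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            # Group events carry the group in TargetUserName and the member's DN in MemberName;
            # account events carry the account in TargetUserName; 513x events leave both empty.
            Target      = $data.TargetUserName
            Member      = $data.MemberName
        }
    } | Sort-Object Time
}

Get-RecentAdAuditEvents | Format-Table -AutoSize

# No output for a change you know happened usually means the subcategory is not audited on
# this DC; the agent can only forward what Windows writes. Check and enable with:
#   auditpol /get /category:"Account Management"
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# Directory Service Changes (5136-5141) also needs a SACL on the OU or object being watched.
```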


Job Failed

| Event | Description |
|---|---|
| Scheduler Patch Job Failed | Patch Scheduler jobs that report a failure. |
| Scheduler Report Job Failed | Report Scheduler jobs that report a failure. |


Certificate Expires in 30 Days

| Event | Description |
|---|---|
| Certificate expires in 30 Days | SSL/TLS certificates that are set to expire within 30 days; see Certificates. |

Microsoft 365 Assessment

(Premium Edition Only)

| Event Name | Description | Source | Severity |
|---|---|---|---|
| Safe Attachments Not Enabled | Safe Attachments feature is not enabled for the tenant. | Safe Attachments in Microsoft 365 | High |
| Microsoft Secure Defaults | Microsoft Secure Defaults are not enforced. | Security defaults in Entra | Medium |
| Applications Registered to Tenant with Client Secret (Password) Credentials | Applications are registered with client secret credentials. | App registrations and credentials | Medium |
| Do Not Bypass the Safe Links Feature | Safe Links can be bypassed. | Safe Links in Microsoft 365 | High |
| Spam ZAP (Zero-Hour Auto Purge) Not Enabled | Spam ZAP is not enabled. | Zero-hour auto purge | Medium |
| SharePoint 'Anyone' Shared Links Never Expire | SharePoint "Anyone" links never expire. | Manage sharing in SharePoint | Medium |
| Mailbox Auditing Should be Enabled at Tenant Level | Mailbox auditing is disabled at tenant level. | Enable mailbox auditing | High |
| MFA Not Required for Device Registration | MFA is not required for device registration. | Require MFA | High |
| Applications Registered to Tenant with Certificate Credentials | Applications are registered with certificate credentials. | Certificates for apps | Medium |
| No Conditional Access Policies Mitigate User Risk | No Conditional Access policies mitigate risky sign-ins. | Conditional Access | High |
| SharePoint Legacy Authentication is Enabled | SharePoint legacy authentication is enabled. | Deprecation of legacy auth | Medium |
| Dangerous Default Permissions | Dangerous default permissions detected. | Permissions in Microsoft 365 | High |
| Exchange Online Mailboxes with SMTP Authentication Enabled | SMTP AUTH is enabled on Exchange Online mailboxes. | Disable SMTP AUTH | High |
| Azure PowerShell Service Principal Assignment Not Enforced | Service principal assignments are not enforced. | Azure PowerShell | Medium |
| Phish ZAP (Zero-Hour Auto Purge) Not Enabled | Phish ZAP is not enabled. | Zero-hour auto purge | Medium |
| No Transport Rules to Block Executable Attachments | Executable attachments are not blocked. | Mail flow rules | Medium |
| Safe Links Click-Through is Allowed | Users can click through Safe Links. | Safe Links | Medium |
| Third-Party Applications Allowed | Third-party applications are allowed. | App consent policies | Medium |
| Highly Privileged Hidden Role Assignment Found | Hidden privileged role assignment found. | Azure AD roles | High |
| Common Malicious Attachment Extensions are Not Filtered | Common malicious file extensions not filtered. | Anti-malware protection | High |
| Exchange Mailboxes with IMAP Enabled | IMAP is enabled on Exchange mailboxes. | Exchange IMAP/POP3 | High |
| Safe Links Does Not Flag Links in Real Time | Safe Links does not scan links in real time. | Safe Links | Medium |
| No Conditional Access Policies Block Risky Sign-in | Risky sign-ins not blocked by Conditional Access. | Conditional Access | High |
| SharePoint External Sharing Enabled (Global) | SharePoint global external sharing is enabled. | Manage sharing | Medium |
| Exchange Modern Authentication is Not Enabled | Modern authentication disabled in Exchange. | Modern auth | High |
| Users with No MFA Configured | Users do not have MFA configured. | Require MFA | High |
| MFA Not Required for Security Information Registration | MFA not required for registering security info. | Security info registration | High |
| Administrative Users with No Multi-Factor Authentication Enforced | Admin accounts lack MFA. | Secure admin accounts | High |
| Do Not Bypass the Safe Attachments Filter | Safe Attachments filter can be bypassed. | Safe Attachments | High |
| User consent to OAUTH applications not restricted | OAuth consent is not restricted. | App consent policies | Medium |
| Unified Audit Log Search is Not Enabled | Unified Audit Log search disabled. | Audit log search | High |
| External Sender Message Tagging Not Enabled | External sender tagging is disabled. | External email tagging | Medium |
| Azure PowerShell Service Principal Configuration Missing | Service principal configuration missing. | Azure PowerShell | Medium |
| No Transport Rules to Block Large Attachments | Large attachments not blocked. | Mail flow rules | Medium |
| Exchange Mailboxes with POP Enabled | POP is enabled on Exchange mailboxes. | Exchange IMAP/POP3 | High |
| No Transport Rules to Block Exchange Auto-Forwarding | Auto-forward not blocked by transport rules. | Mail flow rules | High |
| Dangerous Application Permissions Found | Dangerous application permissions identified. | Permissions in Microsoft 365 | High |
| Safe Links for Teams is Not Enabled | Safe Links not enabled for Teams. | Safe Links in Teams | Medium |
| Dangerous Attachment Extensions are Not Filtered | Dangerous file extensions not filtered. | Anti-malware protection | High |
| Service Principals Found on Tenant with Certificate Credentials | Service principals using certificates found. | Certificates for apps | Medium |
| Malware Filter Policies Don't Alert for Internal Users Sending Malware | Malware filter policies do not alert when internal users send malware. | Anti-malware protection | Medium |
| Conditional Access Policies | Conditional Access policies exist but may not be fully configured. | Conditional Access | Medium |
| SMTP Authentication not Globally Disabled | SMTP authentication is globally enabled. | Disable SMTP AUTH | High |
| Service Principals Found on Tenant with Client Secret (Password) Credentials | Service principals using client secret credentials found. | App registrations and credentials | Medium |
| SharePoint External User Resharing Permitted | External users can reshare SharePoint resources. | Manage sharing | Medium |
| Directory Synced Users Found in Admin Roles | Directory-synced users are in admin roles. | Azure AD roles | High |
| Basic Authentication is Enabled | Basic Authentication is enabled. | Deprecation of basic auth | High |
| Mailboxes without Mailbox Auditing Enabled | Mailbox auditing is disabled. | Enable mailbox auditing | High |
| Safe Links Not Enabled | Safe Links is disabled. | Safe Links | High |
| Conditional Access Policies - Device Platforms | Conditional Access policies for device platforms missing or incomplete. | Conditional Access device platforms | Medium |
| SharePoint Online Modern Authentication is Not Enabled | Modern authentication for SharePoint Online disabled. | Modern authentication | High |
| Email reported by user as malware or phish Detected | User reported email as malware or phish. | Report messages | Low |
| Sign-in attempt from a Suspicious Country | Sign-in attempt from a suspicious country detected. | Identity Protection risks | High |
| PIM Alert Triggered | A Privileged Identity Management alert was triggered. | Privileged Identity Management | High |
| 365 Mailbox Permissions Detected | Mailbox permissions activity detected. | Mailbox permissions | Medium |
| DLP - ID Number Policy Violation Detected | DLP detected ID number policy violation. | DLP in Microsoft 365 | High |
| Ergo-Flex Mail Flow Detected | Ergo-Flex mail flow anomaly detected. | Mail flow rules | Medium |
| DLP - High volume of content detected U.S. Financial Data Detected | High volume of U.S. financial data detected. | DLP in Microsoft 365 | High |
| Password spray Detected | Password spray attack detected. | Password spray detection | High |
| Suspicious inbox manipulation rule Detected | Suspicious inbox manipulation rule detected. | Mail flow rules | High |
| A user clicked through to a potentially malicious url Detected | User clicked through to a flagged malicious URL. | Safe Links | High |
| Email reported by user as junk Detected | User reported an email as junk. | Report messages | Low |
| Successful Sign-in from a Suspicious Country | A successful sign-in occurred from a suspicious country. | Identity Protection risks | High |
| Sign-in attempt from Outside Operating Countries | A sign-in attempt occurred from outside operating countries. | Identity Protection risks | High |
| Potential Phishing Attack Detected | Potential phishing attack identified. | Anti-phishing protection | High |
| Privilege Account Sign-In Failure Spikes Detected | Multiple failed sign-ins on privileged accounts detected. | Identity Protection risks | High |
| User Restricted from Sending Email | User restricted from sending emails due to suspicious activity. | Anti-spam protection | High |
| DLP - High Volume of U.S. Financial Data Detected | High volume of U.S. financial data flagged by DLP. | DLP in Microsoft 365 | High |
| Successful Sign-in Without MFA from Outside Operating Country | Successful sign-in without MFA from outside the operating country. | Identity Protection risks | High |
| Administrative Users without MFA | Administrative users not using MFA. | Secure admin accounts | High |
| New Users without MFA | Newly created users are not MFA-enabled. | Require MFA | High |
| Conditional Access Policy Deleted | A Conditional Access policy was deleted. | Conditional Access | High |
| Admin Deleted Security Info | Admin deleted MFA/security information. | Manage security info | High |
| Strong Authentication Disabled | Strong authentication disabled on account. | Multi-factor authentication | High |
| Add Member To Role Outside of PIM | Member added to role outside Privileged Identity Management. | Privileged Identity Management | High |
| Cross-Tenant Access Partner Added | Cross-tenant access partner added. | Cross-tenant access | High |
| Activity from a Password Spray Associated IP Address Detected | Password spray activity detected from IP address. | Password spray detection | High |
| Add Service Principal Credentials Detected | Service principal credentials were added. | App registrations | Medium |
| Admin triggered user compromise investigation Detected | Admin triggered a user compromise investigation. | Identity Protection investigations | Medium |
| At least 3 sign-in attempts from outside operating country within an hour Detected | Three sign-in attempts detected within an hour from outside country. | Identity Protection risks | Medium |
| At least 5 sign-in attempts from outside operating country within 24 hours Detected | Five sign-in attempts detected in 24 hours from outside country. | Identity Protection risks | Medium |
| Block Legacy Auth Detected | Legacy authentication detected. | Deprecation of legacy auth | Medium |
| Block SharePoint File Download Detected | SharePoint file download blocked. | Manage sharing in SharePoint | Medium |
| Brute force attack against Azure Portal Detected | Brute force attack against Azure Portal detected. | Identity Protection risks | Medium |
| Delete Policy Detected | A compliance/security policy was deleted. | Compliance policy | Medium |
| Device No Longer Managed Detected | Device no longer managed by Intune. | Device compliance | Medium |
| DLP-U.K. PII: Scan content shared outside - low count Detected | Low volume UK PII detected by DLP. | DLP in Microsoft 365 | Medium |
| Distributed Password cracking attempts in AzureAD Detected | Distributed password cracking detected in AzureAD. | Identity Protection risks | Medium |
| Email sending limit exceeded Detected | Email sending limit exceeded. | Exchange sending limits | Medium |
| Externally Shared File Detected | File shared externally. | SharePoint sharing | Medium |
| Externally Shared Folder or Document Detected | Folder/document shared externally. | SharePoint sharing | Medium |
| Explicit MFA Deny Detected | User explicitly denied MFA prompt. | Multi-factor authentication | Medium |
| Fail User Login Attempt Detected | Failed user login attempt detected. | Sign-in events | Medium |
| Granted Access to Another Mailbox Detected | Access was granted to another mailbox. | Mailbox permissions | Medium |
| Granted Mailbox Permission Detected | Mailbox permissions granted. | Mailbox permissions | Medium |
| Honeytoken activity Detected | Honeytoken account activity detected. | Identity Protection risks | Medium |
| Mail Forward Rule Enabled Detected | Mail forward rule created. | Mail flow rules | Medium |
| Mailbox Permissions Change Detected | Mailbox permissions changed. | Mailbox permissions | Medium |
| Malware detection Detected | Malware detected in tenant. | Anti-malware protection | Medium |
| Phishing Attempts Detected | Phishing attempts detected by Microsoft 365. | Anti-phishing protection | Medium |
| Rare application consent Detected | Rare app consent granted. | App consent policies | Medium |
| Remote code execution attempt Detected | Remote code execution attempt detected. | Threat protection | High |
| SharePoint File Operation from New IP Detected | File operation from new IP in SharePoint. | SharePoint audit | Medium |
| Sign-in attempt without MFA from outside operating country Detected | Sign-in attempt without MFA from outside country. | Identity Protection risks | High |
| Successful Sign-in from unidentifiable location/IP Detected | Successful sign-in from unidentifiable location/IP. | Sign-in events | Medium |
| Suspicious Email Sending Patterns Detected | Suspicious email sending patterns detected. | Anti-spam protection | Medium |
| Suspicious authentication activity Detected | Suspicious authentication activity detected. | Identity Protection risks | Medium |
| Unusual addition of credentials to an OAuth app Detected | Unusual credential addition to OAuth app detected. | OAuth permissions | Medium |
| Unusual volume of file deletion Detected | Unusual volume of file deletions detected. | OneDrive audit | Medium |
| Update Application Certificates And Secrets Management Detected | Application certificates/secrets updated. | Certificates for apps | Medium |
| Update Authorization Policy Detected | Authorization policy updated. | Conditional Access | Medium |
| Update Conditional Access Policy Detected | Conditional Access policy updated. | Conditional Access | Medium |
| Update Role Detected | Azure AD role updated. | Azure AD roles | Medium |
| Uploaded Sensitive File to 3rd Party App or Service Detected | Sensitive file uploaded to third-party app/service. | DLP in Microsoft 365 | Medium |
| User Application Consent Detected | User granted application consent. | App consent policies | Medium |
| User MFA Detected | User MFA configuration detected or changed. | Multi-factor authentication | Medium |
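Several of the tenant-level rows above (SMTP AUTH, IMAP/POP, mailbox auditing, modern authentication and auto-forwarding) correspond to a single Exchange Online setting, so it is worth reading and fixing them from Exchange Online PowerShell rather than only from the alert. The following is an added example, not ConnectSecure code: it assumes the ExchangeOnlineManagement module, an Exchange administrator role, and that the outbound spam policy to check is the built-in one named Default; the function names are ours.

```powershell
# Added example, not ConnectSecure code: read the Exchange Online settings behind several
# Microsoft 365 Assessment rows and show the hardened value for each.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.

Connect-ExchangeOnline -ShowBanner:$false

function Get-TenantExposure {
    $org  = Get-OrganizationConfig
    $tcfg = Get-TransportConfig
    $spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
    [pscustomobject]@{
        # "SMTP Authentication not Globally Disabled": $false here is the finding
        SmtpAuthDisabledTenantWide = $tcfg.SmtpClientAuthenticationDisabled
        # "Mailbox Auditing Should be Enabled at Tenant Level": $true here is the finding
        MailboxAuditDisabled       = $org.AuditDisabled
        # "Exchange Modern Authentication is Not Enabled": $false here is the finding
        ModernAuthEnabled          = $org.OAuth2ClientProfileEnabled
        # "No Transport Rules to Block Exchange Auto-Forwarding": 'Off' is the hardened value
        AutoForwardingMode         = $spam.AutoForwardingMode
    }
}

function Get-MailboxProtocolExposure {
    # "Exchange Mailboxes with IMAP/POP Enabled" and "Mailboxes with SMTP Authentication Enabled".
    # SmtpClientAuthenticationDisabled is tri-state per mailbox: $null inherits the tenant
    # setting, $false explicitly enables SMTP AUTH for that mailbox even if the tenant disables it.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ImapEnabled -or $_.PopEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false) } |
        Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled
}

Get-TenantExposure
Get-MailboxProtocolExposure | Format-Table -AutoSize

# Hardened settings for the same rows:
#   Set-TransportConfig -SmtpClientAuthenticationDisabled $true
#   Set-OrganizationConfig -AuditDisabled $false
#   Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
#   Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#   Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
# New mailboxes inherit IMAP/POP from the mailbox plan, so also run:
#   Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
```

Disabling SMTP AUTH tenant-wide breaks printers and line-of-business apps that relay through a mailbox; inventory the per-mailbox exceptions from the second function before flipping the tenant setting, and re-enable only those mailboxes explicitly.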


Google Workspace Assessment

(Premium Edition Only)

| Event Name | Description | Source | Severity |
|---|---|---|---|
| Admin 2-Step Verification Not Required | 2-Step Verification is not enforced for administrator accounts. | Require 2-Step Verification for admins | High |
| User 2-Step Verification Not Required | 2-Step Verification is not enforced for user accounts. | Set up 2-Step Verification | High |
| Excessive Super Administrators | Too many super administrator accounts are configured, increasing risk. | Assign roles to admins | High |
| Minimum Super Administrators | Fewer than the recommended number of super administrator accounts exist, risking lockout. | Best practices for super admin accounts | Medium |
| Conflicting Admin Role Assignments | Admin accounts have conflicting or overlapping role assignments. | Admin roles in Google Workspace | Medium |


Web Application Scanning

(Premium Edition Only)

Event Name

Description

Source

Severity

Path Traversal - Standard Sequences

Directory traversal via standard ../ sequences.

OWASP Path Traversal

High

Path Traversal - URL Encoded Variants

Directory traversal using URL-encoded payloads (..%2f).

OWASP Path Traversal

High

Path Traversal - Alternative Encoding Schemes

Path traversal using double encoding, Unicode, or alternate encodings.

OWASP Path Traversal

High

Path Traversal - OS-Specific Patterns

Path traversal using Windows/Linux specific patterns.

OWASP Path Traversal

High

Path Traversal - Null Byte Injection

Null byte injection enables traversal (..%00/).

OWASP Path Traversal

High

Remote File Inclusion

Remote file included and executed from attacker-supplied input.

OWASP File Inclusion

Critical

Source Code Disclosure - Git

.git repository exposed on web server.

OWASP Source Code Disclosure

High

Source Code Disclosure - File Inclusion

Source code exposed via improper include calls.

OWASP Source Code Disclosure

High

Open Redirect

Unvalidated redirect allows attacker-controlled navigation.

OWASP Open Redirect

Medium

Viewstate without MAC Signature (Unsure)

ASP.NET ViewState may lack MAC integrity signature.

Microsoft ViewState Security

High

Viewstate without MAC Signature (Sure)

Confirmed ViewState without MAC — integrity protection missing.

Microsoft ViewState Security

Critical

Heartbleed OpenSSL Vulnerability (Indicative)

Indicative of Heartbleed OpenSSL CVE-2014-0160.

CVE-2014-0160

Critical

Source Code Disclosure - /WEB-INF Folder

/WEB-INF folder exposed, leaking sensitive config.

OWASP Source Code Disclosure

High

Properties File Disclosure - /WEB-INF folder

Sensitive .properties files exposed under /WEB-INF.

OWASP Source Code Disclosure

High

Remote Code Execution - Shell Shock (Original CVE-2014-6271)

Bash Shellshock vulnerability detected.

CVE-2014-6271

Critical

Remote Code Execution - Shell Shock (Variant/Bypass Patterns)

Variants/bypass patterns of Shellshock detected.

CVE-2014-6271

Critical

PII Disclosure

Personally identifiable information exposed.

OWASP Information Exposure

High

ASP.NET ViewState Integrity

ASP.NET ViewState integrity check not enforced.

Microsoft ViewState Security

High

Access Control Issue - Improper Authentication

Weak/missing authentication controls.

OWASP Broken Authentication

Critical

Access Control Issue - Improper Authorization

Improper authorization checks allow privilege abuse.

OWASP Broken Access Control

Critical

Httpoxy - Proxy Header Misuse

Proxy header misuse allows traffic redirection.

CVE-2016-5385

High

Script Served From Malicious Domain (polyfill - Direct Inclusion)

Malicious polyfill script directly included.

OWASP External Scripts

High

Script Served From Malicious Domain (polyfill - Indirect Reference)

Malicious polyfill script indirectly referenced.

OWASP External Scripts

High

Heartbleed OpenSSL Vulnerability

OpenSSL Heartbleed detected (CVE-2014-0160).

CVE-2014-0160

Critical

Cross-Domain Misconfiguration - Adobe - Read

Adobe cross-domain XML allows read access.

OWASP Misconfiguration

Medium

Cross-Domain Misconfiguration - Adobe - Send

Adobe cross-domain XML allows send access.

OWASP Misconfiguration

Medium

Cross-Domain Misconfiguration - Silverlight

Silverlight cross-domain misconfiguration detected.

OWASP Misconfiguration

Medium

Source Code Disclosure - CVE-2012-1823

PHP-CGI source disclosure bug.

CVE-2012-1823

High

Remote Code Execution - CVE-2012-1823

PHP-CGI RCE vulnerability.

CVE-2012-1823

Critical

External Redirect (Location Header)

Open redirect via HTTP Location header.

OWASP Open Redirect

Medium

External Redirect (Refresh Header)

Open redirect via HTTP Refresh header.

OWASP Open Redirect

Medium

External Redirect (Meta Refresh Tag)

Open redirect via <meta refresh> tag.

OWASP Open Redirect

Medium

External Redirect (JavaScript-Based)

Open redirect via window.location in JS.

OWASP Open Redirect

Medium

Server Side Include

Server Side Include injection detected.

OWASP SSI Injection

High

Cross Site Scripting (Reflected)

Reflected XSS detected.

OWASP XSS

High

Session Fixation

Session fixation vulnerability.

OWASP Session Fixation

High

Cross Site Scripting (Persistent)

Persistent XSS detected.

OWASP XSS

High

Event | Description | Reference | Severity
LDAP Injection | Application vulnerable to LDAP injection. | OWASP LDAP Injection | High
SQL Injection | Generic SQL injection detected. | OWASP SQL Injection | Critical
SQL Injection - MySQL | MySQL-specific SQL injection detected. | OWASP SQL Injection | Critical
SQL Injection - Hypersonic SQL | Hypersonic SQL (HSQLDB)-specific SQL injection detected. | OWASP SQL Injection | Critical
SQL Injection - Oracle | Oracle-specific SQL injection detected. | OWASP SQL Injection | Critical
SQL Injection - PostgreSQL | PostgreSQL-specific SQL injection detected. | OWASP SQL Injection | Critical
SQL Injection - SQLite | SQLite-specific SQL injection detected. | OWASP SQL Injection | Critical
Cross Site Scripting (DOM Based) | DOM-based XSS detected. | OWASP XSS | High
SQL Injection - MsSQL | Microsoft SQL Server-specific SQL injection detected. | OWASP SQL Injection | Critical
Out of Band XSS | Out-of-band XSS detected; the payload fires via a callback to an external listener rather than in the immediate response. | OWASP XSS | High
NoSQL Injection - MongoDB | MongoDB NoSQL injection detected. | OWASP NoSQL Injection | High
CORS Misconfiguration | Cross-Origin Resource Sharing (CORS) is misconfigured. | OWASP Misconfiguration | High
Log4Shell (CVE-2021-44228) | Apache Log4j 2 JNDI lookup remote code execution. | CVE-2021-44228 | Critical
Log4Shell (CVE-2021-45046) | Incomplete fix for CVE-2021-44228 in Log4j 2.15.0; still exploitable in certain non-default logging configurations. | CVE-2021-45046 | Critical
Spring4Shell | Spring Framework remote code execution via data binding (class loader manipulation). | CVE-2022-22965 | Critical
Server Side Request Forgery | SSRF vulnerability detected. | OWASP SSRF | Critical
Text4shell (CVE-2022-42889) | Apache Commons Text remote code execution via StringSubstitutor script interpolation. | CVE-2022-42889 | Critical
Advanced SQL Injection | Advanced SQL injection techniques detected. | OWASP SQL Injection | Critical
Server Side Code Injection - PHP Code Injection | PHP server-side code injection. | OWASP Code Injection | Critical
Server Side Code Injection - ASP Code Injection | ASP server-side code injection. | OWASP Code Injection | Critical
Remote OS Command Injection | Remote OS command execution possible. | OWASP Command Injection | Critical
XPath Injection | XPath query injection detected. | OWASP XPath Injection | High
XML External Entity Attack | XXE injection detected. | OWASP XXE | Critical
Generic Padding Oracle | Application vulnerable to padding oracle attacks (CBC ciphertext can be decrypted or forged without the key). | OWASP Cryptographic Failures | High
Expression Language Injection | Expression Language (EL) injection detected. | OWASP EL Injection | High
SOAP Action Spoofing | The SOAPAction header can be spoofed to invoke a different operation than the one in the body. | OWASP SOAP Security | Medium
SOAP XML Injection | SOAP XML injection detected. | OWASP SOAP Security | High
Cloud Metadata Potentially Exposed | The cloud instance metadata service is reachable through the application. | OWASP SSRF | High
Server Side Template Injection | Server-side template injection detected. | OWASP Template Injection | Critical
Server Side Template Injection (Blind) | Blind server-side template injection detected (no template output is reflected). | OWASP Template Injection | Critical
NoSQL Injection - MongoDB (Time Based) | Time-based (blind) NoSQL injection in MongoDB. | OWASP NoSQL Injection | High
Information Disclosure - Credit Card Number | Credit card number disclosed in a response. | OWASP Information Exposure | High
Information Disclosure - SQL Error | SQL error messages disclose sensitive information. | OWASP Information Exposure | Medium
Telerik UI for ASP.NET AJAX Cryptographic Weakness (CVE-2017-9248) | Telerik UI for ASP.NET AJAX cryptographic weakness that allows encryption keys to be recovered. | CVE-2017-9248 | High
Cross-Site WebSocket Hijacking | Cross-site WebSocket hijacking detected; the handshake does not validate the Origin. | OWASP WebSockets | High
JWT None Exploit | JWTs with alg=none (unsigned) are accepted. | OWASP JWT | Critical
File Content Disclosure (CVE-2019-5418) | Ruby on Rails Action View file content disclosure via a crafted Accept header. | CVE-2019-5418 | High
Personally Identifiable Information via WebSocket | PII disclosed in WebSocket messages. | OWASP Information Exposure | High
Directory Browsing | Directory listing enabled. | OWASP Information Exposure | Low
Session ID in URL Rewrite (Standard Parameters) | Session ID disclosed in standard URL parameters. | OWASP Session Management | High
Session ID in URL Rewrite (Custom/Obfuscated Patterns) | Session ID exposed in custom or obfuscated URL parameters. | OWASP Session Management | High
Referer Exposes Session ID | Session ID disclosed in the Referer header. | OWASP Session Management | High
Source Code Disclosure - SVN | .svn repository metadata exposed. | OWASP Source Code Disclosure | High
Vulnerable JS Library | JavaScript library with known vulnerabilities detected. | OWASP A06 Vulnerable Components | High
Missing Anti-clickjacking Header | Neither X-Frame-Options nor a CSP frame-ancestors directive is set. | OWASP Clickjacking | Medium
Multiple X-Frame-Options Header Entries | Multiple (conflicting) X-Frame-Options headers set. | OWASP Clickjacking | Low
X-Frame-Options Defined via META (Non-compliant with Spec) | X-Frame-Options defined in a meta tag, which browsers ignore. | OWASP Clickjacking | Low
X-Frame-Options Setting Malformed | Malformed X-Frame-Options value detected. | OWASP Clickjacking | Low
HTTP Parameter Override | HTTP parameter pollution detected; a submitted parameter can be overridden. | OWASP Parameter Pollution | Medium
Potential IP Addresses Found in the Viewstate | Potential IP addresses detected in ViewState. | Microsoft ViewState Security | Low
Emails Found in the Viewstate | Email addresses detected in ViewState. | Microsoft ViewState Security | Low
Directory Browsing | Directory listing enabled (duplicate finding). | OWASP Information Exposure | Low
Content Security Policy (CSP) Header Not Set | CSP header not configured. | OWASP CSP | High
HTTP to HTTPS Insecure Transition in Form Post | An HTTP page contains a form that posts to HTTPS; the unencrypted page can be tampered with before the form is submitted. | OWASP Insecure Transport | High
HTTPS to HTTP Insecure Transition in Form Post | An HTTPS page contains a form that posts to HTTP; the submitted data is sent in cleartext. | OWASP Insecure Transport | High
Relative Path Confusion | Relative path confusion (relative path overwrite) detected. | OWASP Relative Path Overwrite | Medium
X-ChromeLogger-Data (XCOLD) Header Information Leak | X-ChromeLogger-Data header leaks server-side debug information. | OWASP Information Exposure | Medium
Apache Range Header DoS (CVE-2011-3192) | Apache httpd denial of service via overlapping byte ranges in the Range header. | CVE-2011-3192 | High
CSP: Wildcard Directive | CSP wildcard (*) source weakens protection. | OWASP CSP | Medium
CSP: script-src unsafe-inline | 'unsafe-inline' in script-src weakens CSP. | OWASP CSP | High
CSP: style-src unsafe-inline | 'unsafe-inline' in style-src weakens CSP. | OWASP CSP | Medium
CSP: script-src unsafe-hashes | 'unsafe-hashes' in script-src weakens CSP. | OWASP CSP | Medium
CSP: style-src unsafe-hashes | 'unsafe-hashes' in style-src weakens CSP. | OWASP CSP | Medium
CSP: Malformed Policy (Non-ASCII) | CSP contains non-ASCII characters and is malformed. | OWASP CSP | Low
CSP: script-src unsafe-eval | 'unsafe-eval' in script-src weakens CSP. | OWASP CSP | High
CSP: Meta Policy Invalid Directive | CSP delivered in a meta tag contains a directive not allowed there (e.g., frame-ancestors, report-uri, sandbox). | OWASP CSP | Low
CSP: Failure to Define Directive with No Fallback | A directive that does not fall back to default-src (e.g., frame-ancestors, form-action, base-uri) is not defined. | OWASP CSP | Medium
Backup File Disclosure | Backup files exposed (e.g., .bak, .old). | OWASP Information Exposure | High
Cross-Domain Misconfiguration | Cross-domain policy allows access from unintended origins. | OWASP Misconfiguration | Medium
Permissions Policy Header Not Set | Permissions-Policy header not configured. | MDN Permissions Policy | Medium
Server Leaks Information via X-Powered-By HTTP Response Header Field(s) | Server reveals framework/version in the X-Powered-By header. | OWASP Information Exposure | Low
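Several of the Web Application Scanning events above are decided purely from response headers (the CSP, X-Frame-Options, Permissions-Policy and X-Powered-By findings). The script below is an added example, not ConnectSecure's or the scanner's own code: it reproduces those checks offline so you can triage a captured response before an alert fires. The heuristics are an approximation I wrote for illustration (the scanner's exact rules may differ), the finding names are the event names from the table, and the sample headers are constructed.

```python
"""Offline triage of the header-related Web Application Scanning findings listed above.

check_headers() takes the headers of one HTTP response and returns the names of the
findings that apply, using the event names from the table. The heuristics are an
added illustration, not the scanner's own rules; the sample headers are constructed.
"""
from __future__ import annotations

# CSP directives that do not fall back to default-src when absent.
NO_FALLBACK = ("frame-ancestors", "form-action", "base-uri")
# Directives browsers ignore in a <meta http-equiv="Content-Security-Policy"> policy.
META_FORBIDDEN = ("frame-ancestors", "report-uri", "sandbox")
VALID_XFO = ("DENY", "SAMEORIGIN")  # ALLOW-FROM is obsolete and treated as malformed here


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [sources]}; a repeated directive keeps its first value, as browsers do."""
    parsed: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in parsed:
            parsed[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return parsed


def check_csp(policy: str, delivered_via_meta: bool = False) -> set[str]:
    """Findings for one Content-Security-Policy value (from a header or a meta tag)."""
    findings: set[str] = set()
    if not policy.isascii():
        findings.add("CSP: Malformed Policy (Non-ASCII)")
    csp = parse_csp(policy)
    if any("*" in sources for sources in csp.values()):
        findings.add("CSP: Wildcard Directive")
    for directive in ("script-src", "style-src"):
        # Effective sources: the directive itself, otherwise the default-src fallback.
        sources = csp.get(directive, csp.get("default-src", []))
        # Flagged on presence; a nonce or hash in the same directive makes browsers
        # ignore 'unsafe-inline', so confirm before reporting it as exploitable.
        if "'unsafe-inline'" in sources:
            findings.add(f"CSP: {directive} unsafe-inline")
        if "'unsafe-hashes'" in sources:
            findings.add(f"CSP: {directive} unsafe-hashes")
    if "'unsafe-eval'" in csp.get("script-src", csp.get("default-src", [])):
        findings.add("CSP: script-src unsafe-eval")
    if any(d not in csp for d in NO_FALLBACK):
        findings.add("CSP: Failure to Define Directive with No Fallback")
    if delivered_via_meta and any(d in csp for d in META_FORBIDDEN):
        findings.add("CSP: Meta Policy Invalid Directive")
    return findings


def check_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Findings for one response, given (name, value) pairs; repeated names are allowed."""
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    findings: set[str] = set()

    csp_values = by_name.get("content-security-policy", [])
    if not csp_values:
        findings.add("Content Security Policy (CSP) Header Not Set")
    for value in csp_values:
        findings |= check_csp(value)
    has_frame_ancestors = any("frame-ancestors" in parse_csp(v) for v in csp_values)

    # A comma-separated value counts as multiple entries, the same as repeated headers.
    xfo = [v.strip() for raw in by_name.get("x-frame-options", []) for v in raw.split(",")]
    if len(xfo) > 1:
        findings.add("Multiple X-Frame-Options Header Entries")
    if any(v.upper() not in VALID_XFO for v in xfo):
        findings.add("X-Frame-Options Setting Malformed")
    if not xfo and not has_frame_ancestors:
        findings.add("Missing Anti-clickjacking Header")

    if "permissions-policy" not in by_name:
        findings.add("Permissions Policy Header Not Set")
    if "x-powered-by" in by_name:
        findings.add("Server Leaks Information via X-Powered-By HTTP Response Header Field(s)")
    if "x-chromelogger-data" in by_name:
        findings.add("X-ChromeLogger-Data (XCOLD) Header Information Leak")
    return sorted(findings)


# Constructed sample responses (not captured from any real system).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Powered-By", "PHP/8.1.2"),
    ("Content-Security-Policy", "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"),
    ("X-Frame-Options", "ALLOWALL"),
    ("X-Frame-Options", "SAMEORIGIN"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; style-src 'self'; "
     "object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_headers(hdrs) or "no header findings")
```

The weak sample trips eight of the table's events at once, while the hardened sample trips none, which is the configuration to aim for before enabling these alerts: one CSP with every no-fallback directive set, a single well-formed X-Frame-Options value, a Permissions-Policy header, and no X-Powered-By.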


Event Sets Group By Options

When creating an Event Set alert, you can set the ‘Group By’ field to organize the alerts into groups instead of individual alerts.

Each category has its own ‘Group By’ options, as shown in the table below.


Event Set Category | Group By Options | Filter By Options
System Changes | ASSET, COMPANY | Not Available
Problems | OS, PRODUCT, ASSET, COMPANY | OS, APPLICATION, NONE
Solutions | PRODUCT, ASSET, COMPANY, FIX, ASSET AND PRODUCT | OS, APPLICATION, NONE
Entra ID Audit | EVENT, COMPANY | Not Available
Entra ID Error | COMPANY | Not Available
AD Audit | EVENT, COMPANY, USER | Not Available
Job Failed | COMPANY | Not Available
Certificate Expire In 30 Days | ASSET, COMPANY | Not Available
Microsoft 365 Assessment | COMPANY | Not Available
Google Workspace Assessment | COMPANY | Not Available
Web Application Scanning | COMPANY | Not Available

Group By Option | Description
ASSET | Alerts are grouped by the individual asset affected
ASSET AND PRODUCT | Alerts are grouped by affected asset and product
COMPANY | Alerts are grouped by the associated company
EVENT | Alerts are grouped based on the event
FIX | Alerts are grouped based on the fix for the problem
OS | Alerts are grouped based on the affected operating system
PRODUCT | Alerts are grouped based on the affected product
USER | Alerts are grouped based on the affected user


Event Sets Filter By Options

The ‘Filter By’ field narrows the selected alert(s) to only those that match the chosen filter value. It is only offered for the Problems and Solutions categories, where the choices are OS, APPLICATION, or NONE.

Example Scenarios

Group By OS vs. Filter By OS:

Group By OS: Groups all entries with the same operating system (e.g., Windows 10, Ubuntu 22.04), providing a summarized view per OS.

Filter By OS: Limits the alert to operating-system vulnerabilities; choosing APPLICATION limits it to application vulnerabilities instead, and NONE leaves the alert unfiltered.

Group By Product vs. Filter By Application:

Group By Product: Group data by product category (e.g., Microsoft Office, Adobe Suite), showing all related applications under each product.

Filter By Application: Displays only records related to a specific application (e.g., Microsoft Word), regardless of the product it belongs to.


Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login
