Event Sets for Integration Alerting
In ConnectSecure, Event Sets are the predefined events that can trigger alerts in the supported integrations. They are organized into categories, and each event can be enabled with a simple checkbox.
Event Sets are hard-coded and cannot be modified or removed from the system.
Event Set - Details
You will find the Event Set options listed under the integration details.
Not every supported integration exposes them, so check your specific integration for the Event Set and Integration Rules options.
The Event Set options do not appear until you have provided the credentials for the selected integration.
Events by Category
Event Set categories include:
System Changes, Problems, Solutions, Entra ID Audit, Entra ID Error, AD Audit, Job Failed, and Certificate Expire in 30 Days.
Below is a breakdown of each category and the available 'events' you can monitor for each.
System Changes
Event | Description |
---|---|
New Company Created | A new company is created in the ConnectSecure portal, using local or PSA options. |
New Asset Added | A new asset is added to the All Asset section; this can happen when agents are installed or assets are detected by probe scanning. |
New Open Port Discovered (Probe Scan) | A new port is discovered on an internal asset during a probe scan; port discovery and scanning are only done by a Probe agent. |
New Open Port Discovered (External Scan) | A new open port is discovered during an external scan; it requires |
Probe Went Down | The probe agent is offline and cannot be reached. |
Server Agent Went Down | Any agent (probe or lightweight) that is identified as a ‘Server’ by its operating system is offline and cannot be reached. |
Problems
Event | Description |
---|---|
CISA Vulnerabilities Found | Vulnerabilities found that are published by CISA https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
Critical Severity Vulnerabilities Found | Vulnerabilities found with a critical severity as found in the CVSS Base Score |
High Severity Vulnerabilities Found | Vulnerabilities found with a high severity as found in the CVSS Base Score |
Medium Severity Vulnerabilities Found | Vulnerabilities found with a medium severity as found in the CVSS Base Score |
Remote Login Vulnerabilities Found | Problems related to remote login or remote access; e.g., RDP-NTLM |
SMB Vulnerabilities Found | Problems related to the SMB protocol; e.g., SMB_Signing |
SSL/TLS Vulnerabilities Found | Problems related to SSL/TLS certificates and ciphers; e.g., TLSv1.1, Sweet32, SSL_Heartbleed |
Unquoted Service Path Found | Windows-based vulnerability for improperly formatted or unquoted file paths when defining the executable path; e.g., C:\Program Files\My Service\service.exe |
Vulnerabilities Found During External Scan | Vulnerabilities found during an external scan; refer to your External Assets for configuration and results. |
Vulnerabilities Found With EPSS Score > 95 | Vulnerability is found where the EPSS score is equal to or above 95% exploitability. |
Solutions
Application Baseline Plans Available
Remediation Available
Remediation Found with EPSS >=0.95
Remediation Found with EPSS between 0.9 and 0.95
Remediation Found With EPSS between 0.85 and 0.9
Remediation Found with EPSS between 0 and 0.85
Pending Remediations Found with Critical Severity
Pending Remediations Found with High Severity
Pending Remediations Found with Medium Severity
Pending Remediations Found with Low Severity
Entra ID Audit
A member was added to a security-disabled universal group
A member was added to a security-enabled universal group (AzureAD)
A member was removed from a security-disabled universal group (AzureAD)
A member was removed from a security-enabled universal group (AzureAD)
Entra ID Error
Entra ID Sync Failure
Azure Token Expired Error
AD Audit
A directory service object was created (Success)
A directory service object was deleted (Success)
A directory service object was moved (Success)
A group service object was modified (Success)
A logon was attempted using explicit credentials (Success)
A member was added to a security-disabled global group
A member was added to a security-disabled local group
A member was added to a security-disabled universal group
A member was added to a security-enabled global group
A member was added to a security-enabled local group
A member was added to a security-enabled universal group
A member was removed from a security-disabled global group
A member was removed from a security-disabled local group
A member was removed from a security-disabled universal group
A member was removed from a security-enabled global group
A member was removed from a security-enabled local group
A member was removed from a security-enabled universal group
A network share object was accessed
A request was made to authenticate to a wired network (Success/Failure)
A request was made to authenticate to a wireless network (Success/Failure)
A risky sign-in attempt was made (Success)
A security-disabled global group was created
A security-disabled global group was deleted
A security-disabled local group was created
A security-disabled local group was deleted
A security-disabled universal group was created
A security-disabled universal group was deleted
A security-enabled global group was created
A security-enabled global group was deleted
A security-enabled local group was created
A security-enabled local group was deleted
A security-enabled universal group was changed
A security-enabled universal group was created
A security-enabled universal group was deleted
A session was disconnected from a Windows Station (Success)
A session was reconnected to a Windows Station (Success)
A user Account was created
A user Account was deleted
A user Account was disabled
A user account was enabled
A user account was locked out
A user account was unlocked
A user-initiated logoff (Success)
An attempt was made to change an Account's password
An attempt was made to create a hard link
An attempt was made to reset an Account's password
Computer Account was created
Computer Account was deleted
Login Failure
Login Success
System security access was granted to an Account (Success)
The domain controller failed to validate the credentials for an Account
The name of an Account was changed
The requested credentials delegation was disallowed by policy (Failed)
The workstation was locked (Success)
The workstation was unlocked (Success)
Job Failed
Scheduler Patch Job Failed
Scheduler Report Job Failed
Certificate Expires in 30 Days
Certificate expires in 30 Days
Microsoft 365 Assessment
Event Name | Description | Severity |
---|---|---|
AddMemberOutsidePIM | A user was added to a privileged role outside of the approved PIM workflow. | High |
AdminDeletedSecurityInfo | An administrator deleted security information (e.g., MFA methods) from their account. | High |
AdminsWithoutMFA | One or more admin accounts are operating without Multi-Factor Authentication enabled. | High |
CrossTenantAccessAdded | Cross-tenant access permissions were granted to an external organization. | High |
DLP-USFinancialHighVolume | Data Loss Prevention triggered on a high volume of US financial data transfer. | High |
DLPHighVolumeUSFinancialData | A high volume of sensitive US financial information was flagged by DLP policies. | High |
DLPIDNumberPolicy | Sensitive ID numbers were detected and flagged by Data Loss Prevention rules. | High |
DeleteConditionalAccessPolicy | A Conditional Access Policy was deleted from the environment. | High |
DisableStrongAuthentication | Strong authentication mechanisms were disabled on a user or admin account. | High |
EmailReportedByUserAsJunk | A user reported an email as junk, potentially indicating phishing or spam. | High |
ErgoFlexMailFlow | Anomalous mail flow detected by the ErgoFlex policy, possibly indicating misuse. | High |
InboxManipulationRule | A suspicious rule was created to manipulate the inbox (e.g., auto-forward or hide emails). | High |
MailboxPermissions | Mailbox permissions were modified, possibly granting unauthorized access. | High |
MaliciousURLClickDetected | A user clicked a URL that was identified as malicious. | High |
NewUsersWithoutMFA | New user accounts were created without enforcing Multi-Factor Authentication. | High |
OutsideOperatingCountrySignIn | Sign-in activity was detected from outside the organization’s typical countries. | High |
PasswordSpray | A password spray attack was detected against M365 accounts. | High |
PhishingAttemptDetected | A suspected phishing attempt was identified by Microsoft Defender. | High |
PrivilegeAccountSignInFailureSpikes | A spike in failed sign-ins was observed for privileged accounts. | High |
SuccessfulNoMFAOutsideCountrySignIn | A successful sign-in from outside the country occurred without MFA. | High |
SuccessfulSuspiciousCountrySignIn | A successful login was detected from a suspicious or high-risk country. | High |
SuspiciousCountrySignIn | A login attempt was made from a country flagged as suspicious. | High |
TriggeredPIMAlert | An alert was triggered based on Privileged Identity Management activity. | High |
UserRestrictedFromSendingEmail | A user was blocked from sending emails due to suspicious behavior. | High |
AddServicePrincipalCredentials | Credentials were added to a service principal, potentially enabling automated access. | Medium |
BlockLegacyAuth | Legacy authentication was blocked to improve security posture. | Medium |
BlockSharePointDownload | SharePoint download was blocked, likely due to policy enforcement. | Medium |
BruteForceAzurePortal | Brute-force login attempts detected against the Azure portal. | Medium |
DLP-UKPIIScanLowCount | Data Loss Prevention detected a low volume of UK Personally Identifiable Information. | Medium |
DeletePolicy | A security or compliance policy was deleted, which could weaken defences. | Medium |
DistributedPwdCrackingAzureAD | Distributed password cracking activity detected on Azure AD accounts. | Medium |
EmailSendingLimitExceeded | A user exceeded email sending limits, possibly indicating spam or compromise. | Medium |
ExplicitMFADeny | A user explicitly denied an MFA challenge, possibly indicating unauthorized access attempts. | Medium |
ExternallySharedFile | A file was shared with an external party, potentially exposing sensitive data. | Medium |
ExternallySharedFolder | A folder was shared externally, potentially breaching data boundaries. | Medium |
FailedUserLoginAttempt | A failed login attempt occurred, possibly signalling an attack or user error. | Medium |
GrantedMailboxAccess | Mailbox access was granted to another user or service. | Medium |
GrantedMailboxPermission | Permissions were granted for access to a user’s mailbox. | Medium |
HighFileDeletionVolume | A high volume of files was deleted, which may indicate malicious activity. | Medium |
HoneytokenActivity | Activity detected on a honeytoken account, suggesting reconnaissance or compromise. | Medium |
MailForwardRuleEnabled | A rule was created to auto-forward mail, often used in account compromise. | Medium |
MailboxPermissionsChange | Mailbox permission changes were made, possibly allowing unauthorized access. | Medium |
MalwareDetected | Malware was detected in the M365 environment, requiring immediate attention. | Medium |
MultipleForeignSigninAttemptsDay | Multiple login attempts from foreign locations were detected in a day. | Medium |
MultipleForeignSigninAttemptsHour | A high rate of foreign login attempts was observed in one hour. | Medium |
NoMFASigninForeignCountry | A user signed in from a foreign country without MFA enforcement. | Medium |
OAuthCredAddition | OAuth credentials were added, potentially allowing token-based access. | Medium |
PasswordSprayIPActivity | Password spray attack activity detected from a suspicious IP address. | Medium |
PhishingAttempts | Potential phishing attempts detected by M365 security tools. | Medium |
RareAppConsent | Consent was granted to a rarely used app, which may indicate malicious intent. | Medium |
RemoteCodeExecutionAttempt | An attempt to execute remote code was detected, indicating a serious threat. | Medium |
SharePointNewIPFileOp | A file operation in SharePoint was performed from a new IP address. | Medium |
SuspiciousAuthActivity | Suspicious authentication patterns were identified in user behaviour. | Medium |
SuspiciousEmailSending | Unusual or suspicious email sending behaviour was observed. | Medium |
UnidentifiableSignin | A sign-in event occurred from an unidentifiable or suspicious location/device. | Medium |
UnmanagedDeviceDetected | Access attempt detected from a device not managed by the organization. | Medium |
UpdateAppCertSecrets | Certificate secrets were updated for an application, possibly altering access controls. | Medium |
UpdateAuthorizationPolicy | An authorization policy was updated, potentially affecting access rules. | Medium |
UpdateConditionalAccess | Conditional access policies were modified, which may impact login controls. | Medium |
UpdateRole | An Azure AD role was updated, possibly elevating privileges. | Medium |
UploadSensitiveFileThirdParty | A sensitive file was uploaded to a third-party service or user. | Medium |
UserAppConsent | A user granted consent to an application, which could expose data or permissions. | Medium |
UserCompromiseInvestigation | A user is under investigation due to potential account compromise. | Medium |
UserMFA | Multi-Factor Authentication settings were changed for a user account. | Medium |
EmailReportedByUserAsMalwareOrPhish | A user reported an email as malware or phishing, indicating a potential threat that bypassed initial filters. | Low |
Administrative Users with No Multi-Factor Authentication Enforced
Applications Registered to Tenant with Certificate Credentials
Applications Registered to Tenant with Client Secret (Password) Credentials
Azure PowerShell Service Principal Assignment Not Enforced
Azure PowerShell Service Principal Configuration Missing
Basic Authentication is Enabled
Common Malicious Attachment Extensions are Not Filtered
Conditional Access Policies
Conditional Access Policies - Device Platforms
Dangerous Application Permissions Found
Dangerous Attachment Extensions are Not Filtered
Dangerous Default Permissions
Directory Synced Users Found in Admin Roles
Do Not Bypass the Safe Attachments Filter
Do Not Bypass the Safe Links Feature
Exchange Mailboxes with IMAP Enabled
Exchange Mailboxes with POP Enabled
Exchange Online Mailboxes with SMTP Authentication Enabled
Exchange Modern Authentication is Not Enabled
External Sender Message Tagging Not Enabled
Highly Privileged Hidden Role Assignment Found
Mailboxes without Mailbox Auditing Enabled
Mailbox Auditing Should be Enabled at Tenant Level
Malware Filter Policies Don't Alert for Internal Users Sending Malware
MFA Not Required for Device Registration
MFA Not Required for Security Information Registration
Microsoft Secure Defaults
No Conditional Access Policies Block Risky Sign-in
No Conditional Access Policies Mitigate User Risk
No Transport Rules to Block Exchange Auto-Forwarding
No Transport Rules to Block Executable Attachments
No Transport Rules to Block Large Attachments
Phish ZAP (Zero-Hour Auto Purge) Not Enabled
Safe Attachments Not Enabled
Safe Links Click-Through is Allowed
Safe Links Does Not Flag Links in Real Time
Safe Links for Teams is Not Enabled
Safe Links Not Enabled
Service Principals Found on Tenant with Certificate Credentials
Service Principals Found on Tenant with Client Secret (Password) Credentials
SharePoint 'Anyone' Shared Links Never Expire
SharePoint External Sharing Enabled (Global)
SharePoint External User Resharing Permitted
SharePoint Legacy Authentication is Enabled
SharePoint Online Modern Authentication is Not Enabled
SMTP Authentication not Globally Disabled
Spam ZAP (Zero-Hour Auto Purge) Not Enabled
Third-Party Applications Allowed
Unified Audit Log Search is Not Enabled
User consent to OAUTH applications not restricted
Users with No MFA Configured
Events Group By Options
When creating an Event Set alert using one of the options above, you can set the ‘Group By’ field to organize the alerts into groups instead of individual alerts. Each category has its own ‘Group By’ options, as shown in the table below.
Event Set Category | Group By Options | Filter By Options |
---|---|---|
System Changes | ASSET, COMPANY | |
Problems | OS, PRODUCT, ASSET, COMPANY | OS, APPLICATION, NONE |
Solutions | PRODUCT, ASSET, COMPANY, FIX, ASSET AND PRODUCT | OS, APPLICATION, NONE |
Entra ID Audit | EVENT, COMPANY | |
Entra ID Error | COMPANY | |
AD Audit | EVENT, COMPANY, USER | |
Job Failed | COMPANY | |
Certificate Expire In 30 Days | ASSET, COMPANY | |
Microsoft 365 Assessment | COMPANY | |
Example Scenarios
Group By OS vs. Filter By OS:
Group By OS: Groups all entries with the same operating system (e.g., Windows 10, Ubuntu 22.04), providing a summarized view per OS.
Filter By OS: Lets you select either OS-based or application-based vulnerabilities.
Group By Product vs. Filter By Application:
Group By Product: Groups data by product category (e.g., Microsoft Office, Adobe Suite), showing all related applications under each product.
Filter By Application: Displays only records related to a specific application (e.g., Microsoft Word), regardless of the product it belongs to.
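The following is an added example, not ConnectSecure code, showing how the Group By and Filter By options above change what an Event Set alert contains, and how the EPSS thresholds from the Solutions category bucket a finding. The finding records, field names and helper functions are assumptions constructed for this illustration.

```python
"""Added illustration of Group By / Filter By semantics (not ConnectSecure code).
The finding records and field names below are constructed assumptions."""
from collections import defaultdict

# Constructed sample findings: one record per (asset, product) vulnerability hit.
FINDINGS = [
    {"company": "Acme", "asset": "srv-01", "os": "Windows Server 2019",
     "product": "Microsoft Office", "application": "Microsoft Word",
     "kind": "application", "severity": "Critical", "epss": 0.97},
    {"company": "Acme", "asset": "srv-01", "os": "Windows Server 2019",
     "product": "Windows", "application": "Windows Server 2019",
     "kind": "os", "severity": "High", "epss": 0.91},
    {"company": "Acme", "asset": "ws-07", "os": "Ubuntu 22.04",
     "product": "Adobe Suite", "application": "Adobe Acrobat",
     "kind": "application", "severity": "Medium", "epss": 0.40},
    {"company": "Acme", "asset": "ws-07", "os": "Ubuntu 22.04",
     "product": "Ubuntu", "application": "Ubuntu 22.04",
     "kind": "os", "severity": "Critical", "epss": 0.88},
]


def epss_event_set(epss):
    """Map an EPSS probability to the 'Remediation Found with EPSS ...' event
    sets listed under Solutions. Bucket edges are treated as half-open
    intervals; that is an assumption, the page does not say how ties go."""
    if epss >= 0.95:
        return "EPSS >= 0.95"
    if epss >= 0.90:
        return "EPSS between 0.9 and 0.95"
    if epss >= 0.85:
        return "EPSS between 0.85 and 0.9"
    return "EPSS between 0 and 0.85"


def filter_findings(findings, filter_by="NONE"):
    """Filter By OS keeps OS-based vulnerabilities, APPLICATION keeps
    application-based ones, NONE keeps everything."""
    if filter_by == "NONE":
        return list(findings)
    want = {"OS": "os", "APPLICATION": "application"}[filter_by]
    return [f for f in findings if f["kind"] == want]


def group_alerts(findings, group_by="ASSET", filter_by="NONE"):
    """Return {group key: [finding, ...]}: one alert per group rather than
    one per finding. 'ASSET AND PRODUCT' is the compound key from the table;
    FIX would need a 'fix' field, which these sample records omit."""
    groups = defaultdict(list)
    for f in filter_findings(findings, filter_by):
        if group_by == "ASSET AND PRODUCT":
            key = (f["asset"], f["product"])
        else:
            key = f[group_by.lower()]
        groups[key].append(f)
    return dict(groups)
```

Grouping by OS collapses the four sample findings into two alerts, while Filter By APPLICATION with Group By PRODUCT yields one alert per product that still holds only application-based hits.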
Need Support?
Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.
https://cybercns.freshdesk.com/en/support/login