Alerts

#5 — Unsigned driver load (medium)
Kernel driver loaded without valid signature on WS-MEDI-01.

#10 — Resolved: outdated browser exploit attempt (medium; resolved 02/06 18:52)
Browser exploit kit landing page blocked.

#1 — Suspicious PowerShell execution (critical)
Encoded PowerShell launched from %TEMP% with network callback to 185.220.101.45:4444.
AI triage (rules, risk 92/100): High-confidence malicious PowerShell. Recommend isolation and memory forensics.
1. Isolate endpoint
2. Collect memory dump
3. Hunt for lateral movement

#6 — Failed login burst (medium)
12 failed local logins in 5 minutes on WS-ACME-03.

#2 — Lateral movement attempt (SMB) (high)
Multiple failed SMB authentication attempts from WS-TECH-01 to domain controller.

#7 — Suspicious scheduled task (high)
New scheduled task created pointing to C:\ProgramData\update.ps1.

#3 — Credential dumping detected (critical)
Process mimikatz.exe observed reading LSASS memory on WS-SECU-02.
AI triage (rules, risk 98/100): Critical credential access technique. Immediate containment required.
1. Isolate host
2. Reset affected credentials
3. Review privileged access

#8 — Ransomware-like file activity (critical)
Mass file rename with .locked extension detected in user Documents folder.

#4 — Blocked C2 connection (high)
Outbound connection to known Cobalt Strike beacon IP blocked by agent.

#9 — Port scan from endpoint (low)
Internal port scan targeting 50+ hosts from WS-TECH-02.