filter2.json

[{
	"215": {
		"Description": "Remote upgrade failed. Agent restored to previous version.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"3103": {
		"Description": "sendmail: Rejected by access list (55x: Requested action not taken).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3104": {
		"Description": "sendmail: Attempt to use mail server as relay (550: Requested action not taken).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3108": {
		"Description": "sendmail: Sendmail rejected due to pre-greeting.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3152": {
		"Description": "sendmail: Multiple attempts to send e-mail from a previously rejected sender (access).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3153": {
		"Description": "sendmail: Multiple relaying attempts of spam.",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"3191": {
		"Description": "sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3301": {
		"Description": "Postfix: Attempt to use mail server as relay (client host rejected).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3302": {
		"Description": "Postfix: Rejected by access list (Requested action not taken).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3306": {
		"Description": "Postfix: IP Address black-listed by anti-spam (blocked).",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"3335": {
		"Description": "Postfix: too many errors after RCPT from unknown",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3351": {
		"Description": "Postfix: Multiple relaying attempts of spam.",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"3352": {
		"Description": "Postfix: Multiple attempts to send e-mail from a rejected sender IP (access).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3396": {
		"Description": "Postfix: hostname verification failed",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3397": {
		"Description": "Postfix: RBL lookup error: Host or domain name not found",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3398": {
		"Description": "Postfix: Illegal address from unknown sender",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"3751": {
		"Description": "mailscanner: Multiple attempts of spam.",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"5706": {
		"Description": "sshd: insecure connection attempt (scan).",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"5713": {
		"Description": "sshd: Corrupted bytes on SSHD.",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"5731": {
		"Description": "sshd: SSH Scanning.",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"5747": {
		"Description": "sshd: bad client public DH value",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"5748": {
		"Description": "sshd: corrupted MAC on input",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"20101": {
		"Description": "IDS event.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"23508": {
		"Description": "It was not possible to verify whether $(vulnerability.cve) affects $(vulnerability.package.name)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"30107": {
		"Description": "Apache: Code Red attack.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"30118": {
		"Description": "ModSecurity: Access attempt blocked.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"30200": {
		"Description": "Modsecurity alert.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"30201": {
		"Description": "ModSecurity: access denied.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"30307": {
		"Description": "Apache: Client sent malformed Host header. Possible Code Red attack.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"31103": {
		"Description": "SQL injection attempt.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"31104": {
		"Description": "Common web attack.",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"31105": {
		"Description": "XSS (Cross Site Scripting) attempt.",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"31106": {
		"Description": "A web attack returned code 200 (success).",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"31109": {
		"Description": "MSSQL Injection attempt (/ur.php",
		"inc_or_vuln": " urchin.js)",
		"category": "inc"
	},
	"31110": {
		"Description": "PHP CGI-bin vulnerability attempt.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"31164": {
		"Description": "SQL injection attempt.",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"31165": {
		"Description": "SQL injection attempt.",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"31166": {
		"Description": "Shellshock attack attempt",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"31167": {
		"Description": "Shellshock attack attempt",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"31411": {
		"Description": "PHP web attack.",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"31507": {
		"Description": "MSSQL Injection attempt (ur.php",
		"inc_or_vuln": " urchin.js).",
		"category": "inc"
	},
	"31508": {
		"Description": "Blacklisted user agent (known malicious user agent).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"31512": {
		"Description": "Uploadify vulnerability exploit attempt.",
		"inc_or_vuln": "inc",
		"category": "Un-patched vulnerability"
	},
	"31513": {
		"Description": "BBS delete.php exploit attempt.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"31514": {
		"Description": "Simple shell.php command execution.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"31515": {
		"Description": "PHPMyAdmin scans (looking for setup.php).",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"31516": {
		"Description": "Suspicious URL access.",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"31550": {
		"Description": "Anomaly URL query (attempting to pass null termination).",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"35021": {
		"Description": "Squid: Attempt to access a Beagle worm (or variant) file.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"35022": {
		"Description": "Squid: Attempt to access a worm/trojan related site.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"52510": {
		"Description": "Clamd stopped",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"64257": {
		"Description": "sshd: insecure connection attempt (scan).",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"592": {
		"Description": "Log file size reduced.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"2833": {
		"Description": "Root's crontab entry changed.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"3109": {
		"Description": "sendmail: Sendmail save mail panic.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"5104": {
		"Description": "Interface entered in promiscuous(sniffing) mode.",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"5701": {
		"Description": "sshd: Possible attack on the ssh server (or version gathering).",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"5758": {
		"Description": "Maximum authentication attempts exceeded.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"5901": {
		"Description": "New group added to the system.",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"5902": {
		"Description": "New user added to the system.",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"5904": {
		"Description": "Information from the user was changed.",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"7101": {
		"Description": "Problems with the tripwire checking.",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"12111": {
		"Description": "Unable to perform zone transfer.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"18110": {
		"Description": "Windows: User account enabled or created.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18111": {
		"Description": "Windows: User account changed.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18112": {
		"Description": "Windows: User account disabled or deleted.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18113": {
		"Description": "Windows Audit Policy changed.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18115": {
		"Description": "Windows: General account database changed.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18128": {
		"Description": "Windows: Group account added/changed/deleted.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18143": {
		"Description": "Windows: Security enabled group created.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18144": {
		"Description": "Windows: Security enabled group deleted.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18238": {
		"Description": "Windows: Print Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18241": {
		"Description": "Pre-Windows 2000 Compatible Access Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18245": {
		"Description": "Windows: Performance Monitor Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18246": {
		"Description": "Windows: Performance Log Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18247": {
		"Description": "Windows Authorization Access Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18248": {
		"Description": "Windows: Terminal Server License Servers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18249": {
		"Description": "Windows: Distributed COM Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18651": {
		"Description": "IKE DoS-prevention mode started",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"19102": {
		"Description": "VMware ESX critical message.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"19120": {
		"Description": "Virtual machine state changed to OFF.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"20100": {
		"Description": "First time this IDS alert is generated.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"60013": {
		"Description": "Multiple Windows warning events",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60109": {
		"Description": "User account enabled or created",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60110": {
		"Description": "User account changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60111": {
		"Description": "User account disabled or deleted",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60114": {
		"Description": "General account database changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60134": {
		"Description": "Security enabled group created",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60135": {
		"Description": "Security enabled group deleted",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60175": {
		"Description": "Print Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60178": {
		"Description": "Pre-Windows 2000 Compatible Access Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60182": {
		"Description": "Performance Monitor Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60183": {
		"Description": "Performance Log Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60184": {
		"Description": "Windows Authorization Access Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60185": {
		"Description": "Terminal Server License Servers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60186": {
		"Description": "Distributed COM Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60208": {
		"Description": "IKE DoS-prevention mode started",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60211": {
		"Description": "An IPsec Extended Mode negotiation failed",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60213": {
		"Description": "IPsec dropped an inbound packet that failed a replay check",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60214": {
		"Description": "IPsec dropped an inbound clear text packet that should have been secured",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60219": {
		"Description": "An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60220": {
		"Description": "IPsec Services failed to get the complete list of network interfaces on the computer",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60221": {
		"Description": "IPsec Services failed to initialize RPC server. IPsec Services could not be started",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60222": {
		"Description": "IPsec Services has experienced a critical failure and has been shut down",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60223": {
		"Description": "IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60224": {
		"Description": "IPsec Services was disabled",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60225": {
		"Description": "IPsec Services encountered a potentially serious failure",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60904": {
		"Description": "MS DTC TIP Gateway illegal transition",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"61119": {
		"Description": "The browser has received an illegal datagram from a remote computer",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"61130": {
		"Description": "The value for the parameter to the browser service was illegal",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"64011": {
		"Description": "ASA: ARP collision detected.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64012": {
		"Description": "ASA: Attempt to connect from a blocked (shunned) IP.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64013": {
		"Description": "ASA: Connection limit exceeded.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64014": {
		"Description": "ASA: Attack in progress detected.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64015": {
		"Description": "ASA: Attack in progress detected.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64016": {
		"Description": "ASA: Attack in progress detected.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64017": {
		"Description": "ASA: Attack in progress detected",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64020": {
		"Description": "ASA: AAA (VPN) user locked out.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64021": {
		"Description": "ASA: The ASA is disallowing new connections.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64023": {
		"Description": "ASA: Firewall configuration deleted.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64024": {
		"Description": "ASA: Firewall configuration changed.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64027": {
		"Description": "ASA: User created or modified on the Firewall.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64254": {
		"Description": "Maximum authentication attempts exceeded.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"64264": {
		"Description": "sshd: Possible attack on the ssh server (or version gathering).",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"80714": {
		"Description": "Auditd: file or a directory access ended abnormally",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"80715": {
		"Description": "Auditd: failure of the Abstract Machine Test Utility (AMTU) detected",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"80716": {
		"Description": "Auditd: maximum amount of Discretionary Access Control (DAC) or Mandatory Access Control (MAC) failures reached",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"80717": {
		"Description": "Auditd: Role-Based Access Control (RBAC) failure detected.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"81609": {
		"Description": "Fortigate: Multiple changed configuration events from same source.",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"100011": {
		"Description": "Agent event queue is full. Events may be lost.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"513": {
		"Description": "Windows malware detected.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"518": {
		"Description": "Windows Adware/Spyware application found.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"593": {
		"Description": "Microsoft Event log cleared.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"2504": {
		"Description": "syslog: Illegal root login.",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"3851": {
		"Description": "ms-exchange: Multiple e-mail attempts to an invalid account.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"3852": {
		"Description": "ms-exchange: Multiple e-mail 500 error code (spam).",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"5103": {
		"Description": "Error message from the kernel. Ping of death attack.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"5302": {
		"Description": "User missed the password to change UID to root.",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"7310": {
		"Description": "Symantec-AV: Virus detected.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"11111": {
		"Description": "FTPD: Attempt to login with disabled account.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"12102": {
		"Description": "Failed attempt to perform a zone transfer.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"17101": {
		"Description": "Successful login during non-business hours.",
		"inc_or_vuln": "inc",
		"category": "insider_breach"
	},
	"17102": {
		"Description": "Successful login during weekend.",
		"inc_or_vuln": "inc",
		"category": "insider_breach"
	},
	"18116": {
		"Description": "Windows: User account locked out (multiple login errors).",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"18118": {
		"Description": "Windows audit log was cleared.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"23509": {
		"Description": "It was not possible to verify whether $(vulnerability.cve) affects $(vulnerability.package.name)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"30109": {
		"Description": "Apache: Attempt to login using a non-existent user.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"50106": {
		"Description": "MySQL: authentication failure.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"50512": {
		"Description": "PostgreSQL: Database authentication failure.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"100005": {
		"Description": "An admin user account locked out",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"60117": {
		"Description": "Windows audit log was cleared",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60652": {
		"Description": "Critical error: System low on resources",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"61105": {
		"Description": "The system stopped responding",
		"inc_or_vuln": " crashed or lost power unexpectedly",
		"category": "inc"
	},
	"4710": {
		"Description": "Cisco IOS emergency message.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"4724": {
		"Description": "Cisco IOS: Failed login to the router.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"64007": {
		"Description": "ASA: Failed login attempt.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"64010": {
		"Description": "ASA: Password mismatch while running 'enable' on the ASA.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"2502": {
		"Description": "syslog: User missed the password more than one time",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"2551": {
		"Description": "Connection to rshd from unprivileged port. Possible network scan.",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"2964": {
		"Description": "perdition: Multiple connection attempts from same source.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3151": {
		"Description": "sendmail: Sender domain has bogus MX record. It should not be sending e-mail.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3154": {
		"Description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3155": {
		"Description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3156": {
		"Description": "sendmail: Multiple rejected e-mails from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"3158": {
		"Description": "sendmail: Multiple pre-greetings rejects.",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"3330": {
		"Description": "Postfix process error.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"3331": {
		"Description": "Postfix insufficient disk space error.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"3353": {
		"Description": "Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3355": {
		"Description": "Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3356": {
		"Description": "Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked).",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3357": {
		"Description": "Postfix: Multiple SASL authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"4151": {
		"Description": "Multiple Firewall drop events from same source.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"5404": {
		"Description": "Three failed attempts to run sudo",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"5551": {
		"Description": "PAM: Multiple failed logins in a small period of time.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"5631": {
		"Description": "telnetd: Multiple connection attempts from same source (possible scan).",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"5703": {
		"Description": "sshd: Possible breakin attempt (high number of reverse lookup errors).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"5705": {
		"Description": "sshd: Possible scan or breakin attempt (high number of login timeouts).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"5712": {
		"Description": "sshd: brute force trying to get access to the system.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"5719": {
		"Description": "sshd: Multiple access attempts using a denied user.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"5720": {
		"Description": "sshd: Multiple authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"11109": {
		"Description": "FTPD: Multiple FTP failed login attempts.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"11210": {
		"Description": "proftpd: Multiple failed login attempts.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"11251": {
		"Description": "proftpd: FTP brute force (multiple failed logins).",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"11252": {
		"Description": "proftpd: Multiple connection attempts from same source.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"11253": {
		"Description": "proftpd: Multiple timed out logins from same source.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"11306": {
		"Description": "pure-ftpd: FTP brute force (multiple failed logins).",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"11307": {
		"Description": "pure-ftpd: Multiple connection attempts from same source.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"11451": {
		"Description": "vsftpd: FTP brute force (multiple failed logins).",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"11452": {
		"Description": "vsftpd: Multiple FTP connection attempts from same source IP.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"11510": {
		"Description": "MS-FTP: FTP brute force (multiple failed logins).",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"11511": {
		"Description": "MS-FTP: Multiple connection attempts from same source.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"11512": {
		"Description": "MS-FTP: Multiple FTP errors from same source.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"12149": {
		"Description": " Multiple query (cache) failures.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"14251": {
		"Description": "CiscoVPN: Multiple VPN authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"18151": {
		"Description": "Windows: Multiple failed attempts to perform a privileged operation by the same user.",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"18152": {
		"Description": "Multiple Windows Logon Failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"18156": {
		"Description": "Windows: Multiple remote access login failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"18157": {
		"Description": "Windows: Multiple TS Gateway login failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"18170": {
		"Description": "Windows DC integrity check on decrypted field failed.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18171": {
		"Description": "Windows DC - Possible replay attack.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"18228": {
		"Description": "Windows: Cert Publishers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18231": {
		"Description": "Windows: Group Policy Creator Owners Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18232": {
		"Description": "Windows: RAS and IAS Servers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18235": {
		"Description": "Windows: Power Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18236": {
		"Description": "Windows: Account Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18237": {
		"Description": "Windows: Server Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18240": {
		"Description": "Windows: Replicators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18242": {
		"Description": "Windows: Remote Desktop Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18243": {
		"Description": "Windows: Network Configuration Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18244": {
		"Description": "Windows: Incoming Forest Trust Builders Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18253": {
		"Description": "Windows: Allowed RODC Password Replication Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18254": {
		"Description": "Windows: Denied RODC Password Replication Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18255": {
		"Description": "Windows: Event Log Readers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18256": {
		"Description": "Windows: Certificate Service DCOM Access Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"19150": {
		"Description": "Multiple VMWare ESX warning messages.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"19151": {
		"Description": "Multiple VMWare ESX error messages.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"19152": {
		"Description": "Multiple VMWare ESX authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"19153": {
		"Description": "Multiple VMWare ESX user authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"20151": {
		"Description": "Multiple IDS events from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"20152": {
		"Description": "Multiple IDS alerts for same id.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"22405": {
		"Description": "High vulnerability $(vuls.scanned_cve) detected in scanning launched on $(vuls.scan_date) with $(vuls.assurance) reliability ($(vuls.detection_method)). $(vuls.tittle). Score: $(vuls.score) ($(vuls.source)). Affected packages: $(vuls.affected_packages)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"23505": {
		"Description": "$(vulnerability.cve) affects $(vulnerability.package.name)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"30116": {
		"Description": "Apache: Multiple Invalid URI requests from same source.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"30117": {
		"Description": "Apache: Invalid URI, file name too long.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"30310": {
		"Description": "Apache: Multiple authentication failures with invalid user.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"30316": {
		"Description": "Apache: Multiple Invalid URI requests from same source.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"30317": {
		"Description": "Apache: Invalid URI, file name too long.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"31151": {
		"Description": "Multiple web server 400 error codes from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"31152": {
		"Description": "Multiple SQL injection attempts from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"31153": {
		"Description": "Multiple common web attacks from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"31154": {
		"Description": "Multiple XSS (Cross Site Scripting) attempts from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"31161": {
		"Description": "Multiple web server 501 error code (Not Implemented).",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"31162": {
		"Description": "Multiple web server 500 error code (Internal Error).",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"31163": {
		"Description": "Multiple web server 503 error code (Service unavailable).",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"31316": {
		"Description": "Nginx: Multiple web authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"31320": {
		"Description": "Nginx: Invalid URI, file name too long.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"31533": {
		"Description": "High amount of POST requests in a small period of time (likely bot).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"35051": {
		"Description": "Squid: Multiple attempts to access forbidden file or directory from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"35052": {
		"Description": "Squid: Multiple unauthorized attempts to use proxy.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"35053": {
		"Description": "Squid: Multiple Bad requests/Invalid syntax.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"35055": {
		"Description": "Squid: Multiple attempts to access a non-existent file.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"35057": {
		"Description": "Squid: Multiple 400 error codes (requests failed).",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"35058": {
		"Description": "Squid: Multiple 500/600 error codes (server error).",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"40111": {
		"Description": "Multiple authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"40601": {
		"Description": "Network scan from same source ip.",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"50180": {
		"Description": "MySQL: Multiple errors.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"50580": {
		"Description": "PostgreSQL: Multiple database errors.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"50581": {
		"Description": "PostgreSQL: Multiple database errors.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"60012": {
		"Description": "Windows critical event",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60165": {
		"Description": "Cert Publishers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60168": {
		"Description": "Group Policy Creator Owners Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60169": {
		"Description": "RAS and IAS Servers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60172": {
		"Description": "Power Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60173": {
		"Description": "Account Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60174": {
		"Description": "Server Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60177": {
		"Description": "Replicators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60179": {
		"Description": "Remote Desktop Users Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60180": {
		"Description": "Network Configuration Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60181": {
		"Description": "Incoming Forest Trust Builders Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60190": {
		"Description": "Allowed RODC Password Replication Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60191": {
		"Description": "Denied RODC Password Replication Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60192": {
		"Description": "Event Log Readers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60193": {
		"Description": "Certificate Service DCOM Access Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60195": {
		"Description": "Windows DC integrity check on decryptedfield failed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60196": {
		"Description": "Windows DC - Possible replay attack",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"60203": {
		"Description": "Multiple failed attempts to perform a privileged operation by the same user",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"100008": {
		"Description": "possible windows brute force logon failure by same user same server",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"100009": {
		"Description": "possible windows brute force logon failure by same user multiple servers",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"100010": {
		"Description": "possible windows brute force logon failure by multiple users same server",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"60205": {
		"Description": "Multiple Windows audit failure events",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"60206": {
		"Description": "Multiple Windows error Security events",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"60207": {
		"Description": "Multiple Windows warning Security events ",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"61126": {
		"Description": "The browser driver has received too many illegal datagrams from the remote computer",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"61132": {
		"Description": "The browser driver has discarded too many mailslot messages",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"61137": {
		"Description": "Some errors occur aproximately every three seconds",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"61642": {
		"Description": "Multiple Sysmon warning events ",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"61643": {
		"Description": "Multiple Sysmon error events",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"64109": {
		"Description": "Multiple remote access login failures",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"64110": {
		"Description": "Multiple TS Gateway login failures",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"64252": {
		"Description": "sshd: brute force trying to get access to the system.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"64261": {
		"Description": "sshd: Multiple access attempts using a denied user.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"64263": {
		"Description": "sshd: Possible breakin attempt (high number of reverse lookup errors).",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"67009": {
		"Description": "Multiple Windows Firewall With Advanced Security warning events",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"67010": {
		"Description": "Multiple Windows Firewall With Advanced Security error events",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"80702": {
		"Description": "Auditd: Start / Resume FAILED",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80703": {
		"Description": "Auditd: End",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80704": {
		"Description": "Auditd: Abort",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80710": {
		"Description": "Auditd: device enables promiscuous mode",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80711": {
		"Description": "Auditd: process ended abnormally",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80712": {
		"Description": "Auditd: execution of a file ended abnormally",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80721": {
		"Description": "Auditd: user becomes root",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80731": {
		"Description": "Auditd: SELinux mode (enforcing, permissive, off) is changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80732": {
		"Description": "Auditd: SELinux error",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"81904": {
		"Description": "RSA Authentication Manager: Multiple authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"85006": {
		"Description": "SQL Server: Multiple authentication failures.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"86804": {
		"Description": "Host is trying to connect to VShell server but exists in the deny file.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"87507": {
		"Description": "Exim brute force attack (multiple auth failures).",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"5132": {
		"Description": "Unsigned kernel module was loaded",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"5133": {
		"Description": "Signed but untrusted kernel module was loaded",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"20161": {
		"Description": "Multiple IDS events from same source ip (ignoring now this srcip and id).",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"20162": {
		"Description": "Multiple IDS alerts for same id (ignoring now this id).",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"81628": {
		"Description": "Fortigate Attack Detected",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"3354": {
		"Description": "Postfix: Multiple misuse of SMTP service (bad sequence of commands).",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"6308": {
		"Description": "MS-DHCP: A lease request could not be satisfied because the scope's address pool was exhausted.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"6321": {
		"Description": "MS-DHCP: Codes above 50 are used for Rogue Server Detection information.",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"6323": {
		"Description": "MS-DHCP: Packet dropped due to NAP policy.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"11218": {
		"Description": "proftpd: FTP process crashed.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"11219": {
		"Description": "proftpd: FTP server Buffer overflow attempt.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"12101": {
		"Description": "Invalid DNS packet. Possibility of attack.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"12109": {
		"Description": "Named fatal error. DNS service going down.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"18217": {
		"Description": "Windows: Administrators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18219": {
		"Description": "Windows: Enterprise Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18222": {
		"Description": "Windows: Domain Admins Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18225": {
		"Description": "Windows: Domain Guests Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18227": {
		"Description": "Windows: Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18229": {
		"Description": "Windows: Schema Admins Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18230": {
		"Description": "Windows: Enterprise Admins Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18234": {
		"Description": "Windows: Guests Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18239": {
		"Description": "Windows: Backup Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18250": {
		"Description": "Windows: Enterprise Read-only Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18251": {
		"Description": "Windows: Read-only Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"18252": {
		"Description": "Windows: Cryptographic Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"23510": {
		"Description": "It was not possible to verify whether $(vulnerability.cve) affects $(vulnerability.package.name)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"30104": {
		"Description": "Apache: segmentation fault.",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"30119": {
		"Description": "ModSecurity: Multiple attempts blocked.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"30120": {
		"Description": "Apache: without resources to run.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"30304": {
		"Description": "Apache: segmentation fault.",
		"inc_or_vuln": "inc",
		"category": "Web/BBS defacement"
	},
	"35054": {
		"Description": "Squid: Infected machine with W32.Beagle.DP.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"35056": {
		"Description": "Squid: Multiple attempts to access a worm/trojan/virus related web site. System probably infected.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"40101": {
		"Description": "System user successfully logged to the system.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"40105": {
		"Description": "Null",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"40106": {
		"Description": "Buffer overflow attempt (probably on yppasswd).",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"40109": {
		"Description": "Stack overflow attempt or program exiting with SEGV (Solaris).",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"40112": {
		"Description": "Multiple authentication failures followed by a success.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"40113": {
		"Description": "Multiple viruses detected - Possible outbreak.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"50120": {
		"Description": "MySQL: shutdown message.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"50126": {
		"Description": "MySQL: fatal error.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"50520": {
		"Description": "PostgreSQL: Database shutdown message.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"50521": {
		"Description": "PostgreSQL: Database shutdown message.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"60015": {
		"Description": "Multiple Windows critical events",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"60154": {
		"Description": "Administrators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60156": {
		"Description": "Enterprise Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60159": {
		"Description": "Domain Admins Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60162": {
		"Description": "Domain Guests Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60164": {
		"Description": "Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60166": {
		"Description": "Schema Admins Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60167": {
		"Description": "Enterprise Admins Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60171": {
		"Description": "Guests Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60176": {
		"Description": "Backup Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60187": {
		"Description": "Enterprise Read-only Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60188": {
		"Description": "Read-only Domain Controllers Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60189": {
		"Description": "Cryptographic Operators Group Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"61112": {
		"Description": "Multiple System critical events",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"61618": {
		"Description": "Sysmon - Suspicious Process - svchost.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61620": {
		"Description": "Sysmon - Suspicious Process - lsm.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61622": {
		"Description": "Sysmon - Suspicious Process - lsm.exe is a Parent Image",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61623": {
		"Description": "Sysmon - Suspicious Process - csrss.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61625": {
		"Description": "Sysmon - Suspicious Process - lsass",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61627": {
		"Description": "Sysmon - Suspicious Process - lsass.exe is a Parent Image",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61628": {
		"Description": "Sysmon - Suspicious Process - winlogon.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61630": {
		"Description": "Sysmon - Suspicious Process - wininit",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61632": {
		"Description": "Sysmon - Suspicious Process - smss.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61634": {
		"Description": "Sysmon - Suspicious Process - taskhost.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61636": {
		"Description": "Sysmon - Suspicious Process - services.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61638": {
		"Description": "Sysmon - Suspicious Process - dllhost.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"61640": {
		"Description": "Sysmon - Suspicious Process - explorer.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"80740": {
		"Description": "Auditd: replay attack detected",
		"inc_or_vuln": "inc",
		"category": ""
	},
	"86806": {
		"Description": "VShell multiple connection attempts within 2 minute by a host in the deny file",
		"inc_or_vuln": " potential DOS or brute force attempt.",
		"category": "inc"
	},
	"86807": {
		"Description": "VShell host has exceeded the number of failed login attempts and has been added to the Hosts Deny file.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"87105": {
		"Description": "VirusTotal: Alert - $(virustotal.source.file) - $(virustotal.positives) engines detected this file",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184666": {
		"Description": "Sysmon - Suspicious Process - svchost.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184676": {
		"Description": "Sysmon - Suspicious Process - lsm.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184678": {
		"Description": "Sysmon - Suspicious Process - lsm.exe is a Parent Image",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184686": {
		"Description": "Sysmon - Suspicious Process - csrss.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184696": {
		"Description": "Sysmon - Suspicious Process - lsass",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184698": {
		"Description": "Sysmon - Suspicious Process - lsass.exe is a Parent Image",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184706": {
		"Description": "Sysmon - Suspicious Process - winlogon.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184716": {
		"Description": "Sysmon - Suspicious Process - wininit",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184726": {
		"Description": "Sysmon - Suspicious Process - smss.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184736": {
		"Description": "Sysmon - Suspicious Process - taskhost.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184746": {
		"Description": "Sysmon - Suspicious Process - services.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184766": {
		"Description": "Sysmon - Suspicious Process - dllhost.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"184776": {
		"Description": "Sysmon - Suspicious Process - explorer.exe",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"6360": {
		"Description": "MS-DHCP: Scope Full.",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"6373": {
		"Description": "MS-DHCP: Service not authorized in AD.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"6376": {
		"Description": "MS-DHCP: Service has not determined if it is authorized in AD.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"7705": {
		"Description": "Microsoft Security Essentials - Virus detected",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"1003": {
		"Description": "Non standard syslog message (size too large).",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"22406": {
		"Description": "Critical vulnerability $(vuls.scanned_cve) detected in scanning launched on $(vuls.scan_date) with $(vuls.assurance) reliability ($(vuls.detection_method)). $(vuls.tittle). Score: $(vuls.score) ($(vuls.source)). Affected packages: $(vuls.affected_packages)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"23506": {
		"Description": "$(vulnerability.cve) affects $(vulnerability.package.name)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"31115": {
		"Description": "URL too long. Higher than allowed on most browsers. Possible attack.",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"40104": {
		"Description": "Possible buffer overflow attempt.",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"5707": {
		"Description": "sshd: OpenSSH challenge-response exploit.",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"5714": {
		"Description": "sshd: SSH CRC-32 Compensation attack",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"11209": {
		"Description": "proftpd: Attempt to bypass firewall that can't adequately keep state of FTP traffic.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"40102": {
		"Description": "Buffer overflow attack on rpc.statd",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"40103": {
		"Description": "Buffer overflow on WU-FTPD versions prior to 2.6",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"40107": {
		"Description": "Heap overflow in the Solaris cachefsd service.",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"62105": {
		"Description": "Short-time multiple Windows Defender error events",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"62106": {
		"Description": "Short-time multiple Windows Defender warning events",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"62113": {
		"Description": "Windows Defender: Antimalware engine found $(win.eventdata.severityName) malware or other potentially unwanted software",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"62126": {
		"Description": "Windows Defender: Antimalware platform encountered a critical error when attempting to perform an action over the potentially unwanted software",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"64205": {
		"Description": "Panda Security: Very high severity alert detected! Category: $(Cat)",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"64506": {
		"Description": "Palo Alto SYSTEM: $(severity) severity log on $(device_name): $(description)",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"31168": {
		"Description": "Shellshock attack detected",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"31169": {
		"Description": "Shellshock attack detected",
		"inc_or_vuln": "inc",
		"category": "Priviledge Escalation"
	},
	"40501": {
		"Description": "Attacks followed by the addition of an user.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"213": {
		"Description": "Remote upgrade could not be launched. Error: $(error).",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"216": {
		"Description": "Remote upgrade failed. Agent disconnected.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"218": {
		"Description": "Custom installation could not be launched. Error: $(error).",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"220": {
		"Description": "The agent could not restart due to a $(module) failure in the remote configuration",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"222": {
		"Description": "The agent could not restart due to a error while unmerging files.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"517": {
		"Description": "Syscheck Audit: $(extra_data)",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"519": {
		"Description": "System Audit: Vulnerable web application found.",
		"inc_or_vuln": "inc",
		"category": "malware"

	},
	"560": {
		"Description": "FIM real-time queue is full. Some real-time events may be lost.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"7209": {
		"Description": "Arpwatch: Possible arpspoofing attempt.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"7706": {
		"Description": "Microsoft Security Essentials - Virus detected and properly removed.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"7707": {
		"Description": "Microsoft Security Essentials - Virus detected.",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"7708": {
		"Description": "Microsoft Security Essentials - Suspicious activity detected.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"7716": {
		"Description": "Microsoft Security Essentials - Scan error. Scan has stopped.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"18134": {
		"Description": "Windows: Logon Failure - User not allowed to login at this computer.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"18138": {
		"Description": "Windows: Logon Failure - Account locked out.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"18141": {
		"Description": "Unexpected Windows shutdown.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"22402": {
		"Description": "$(vuls.scanned_cve) has a update date lower than $(vuls.days) days.",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"22404": {
		"Description": "Medium vulnerability $(vuls.scanned_cve) detected in scanning launched on $(vuls.scan_date) with $(vuls.assurance) reliability ($(vuls.detection_method)). $(vuls.tittle). Score: $(vuls.score) ($(vuls.source)). Affected packages: $(vuls.affected_packages)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"22407": {
		"Description": "Vulnerability $(vuls.scanned_cve) affects critical parts of the system.",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"23504": {
		"Description": "$(vulnerability.cve) affects $(vulnerability.package.name)",
		"inc_or_vuln": "vuln",
		"category": "Un-patched vulnerability"
	},
	"30411": {
		"Description": "ModSecurity rejected a query",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"31333": {
		"Description": "ModSecurity rejected a query",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"31335": {
		"Description": "NAXSI rejected a query",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"52504": {
		"Description": "Clamd warning",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"60126": {
		"Description": "Logon Failure - User not allowed to login at this computer",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"60130": {
		"Description": "Logon Failure - Account locked out",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"67004": {
		"Description": "Windows Firewall With Advanced Security: Windows Defender Firewall enabled.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"67005": {
		"Description": "Windows Firewall With Advanced Security: Windows Defender Firewall disabled.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"67006": {
		"Description": "Windows Firewall With Advanced Security: $(win.eventdata.ruleId) rule has been added to the Windows Defender Firewall exception list.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"67007": {
		"Description": "Windows Firewall With Advanced Security: $(win.eventdata.ruleId) rule has been modified in the Windows Defender Firewall exception list.",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"67008": {
		"Description": "Windows Firewall With Advanced Security: $(win.eventdata.ruleId) rule has been deleted in the Windows Defender Firewall exception list.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"80713": {
		"Description": "Auditd: file is made executable",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"81605": {
		"Description": "Fortigate: Multiple Firewall drop events from same source.",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"81607": {
		"Description": "Fortigate: Multiple failed login events from same source.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"81608": {
		"Description": "Fortigate: Configuration changed.",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"81611": {
		"Description": "Fortigate: Multiple default tunneling setting events from same source.",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"81615": {
		"Description": "Fortigate: Multiple Firewall SSL VPN failed login events from same source.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"81617": {
		"Description": "Fortigate: Multiple Firewall logout events from same source.",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"83002": {
		"Description": "Windows Defender: taken action to protect machine from unwanted software",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"85005": {
		"Description": "SQL Server login failed.",
		"inc_or_vuln": "inc",
		"category": "failed_login"
	},
	"521": {
		"Description": "Possible kernel level rootkit",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"110001": {
		"Description": "AI Analyst::AI Analyst Investigation",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110002": {
		"Description": "AI Analyst::AI Analyst Third Party Investigation",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110003": {
		"Description": "IaaS::Compute::Access To AWS EC2 Meta Data Service",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110004": {
		"Description": "Tags::Antigena::Active Threat",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110005": {
		"Description": "Device::Anomaly Indicators::Activity After New Ticket",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110006": {
		"Description": "Tags::Antigena::All Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110007": {
		"Description": "Compliance::File Storage::Amazon Cloud Drive",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110008": {
		"Description": "Tags::Amazon Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110009": {
		"Description": "Tags::Android Device Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110010": {
		"Description": "Device::Activity Identifier::Andromeda",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110011": {
		"Description": "Unusual Activity::Anomalous SMB to Regular Locations",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110012": {
		"Description": "Compliance::Anomalous Unencrypted Credential Over HTTP",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110013": {
		"Description": "Device::Activity Identifier::Atmos",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110014": {
		"Description": "Tags::Avaya Phone",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110015": {
		"Description": "Device::Activity Identifier::Azorult",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110016": {
		"Description": "Compliance::File Storage::Azure",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110017": {
		"Description": "Compliance::File Storage::Box",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110018": {
		"Description": "System::Capture Loss on Appliance",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110019": {
		"Description": "System::Capture Loss on vSensor",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110020": {
		"Description": "Compliance::CertUtil External Connection",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110021": {
		"Description": "Tags::Cisco Phone",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110022": {
		"Description": "Tags::Antigena::Compliance Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110023": {
		"Description": "Tags::Conflicting User Agents",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110024": {
		"Description": "Container::Container Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110025": {
		"Description": "Tags::DHCP Relay Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110026": {
		"Description": "Tags::DNS Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110027": {
		"Description": "Tags::Darktrace::Darktrace Appliance Callhome",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110028": {
		"Description": "Tags::Darktrace::Darktrace Appliance ESP",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110029": {
		"Description": "Tags::Darktrace::Darktrace Appliance In",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110030": {
		"Description": "Compliance::Default Credential Usage",
		"inc_or_vuln": "inc",
		"category": "Un-patched vulnerability"
	},
	"110031": {
		"Description": "Tags::Domain Authenticated",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110032": {
		"Description": "Compliance::File Storage::Dropbox",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110033": {
		"Description": "Device::Activity Identifier::Dropbox Activity",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110034": {
		"Description": "Device::Anomaly Indicators::EndPointMapper Before Authentication",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110035": {
		"Description": "Compliance::File Storage::Evernote",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110036": {
		"Description": "Tags::Exchange Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110037": {
		"Description": "Device::Expired Certificate on IoT Device",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110038": {
		"Description": "Compliance::Explicit Content",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110039": {
		"Description": "Tags::External DNS",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110040": {
		"Description": "Compliance::External Telnet",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110041": {
		"Description": "Tags::Antigena::External Threat Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110042": {
		"Description": "Compliance::External WPAD",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110043": {
		"Description": "Compliance::FTP::FTP Upload",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110044": {
		"Description": "Compliance::Social Media::Facebook",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110045": {
		"Description": "Compliance::Messaging::Facebook Messenger",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110046": {
		"Description": "Compliance::File Storage::File-Upload",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110047": {
		"Description": "Compliance::File Storage::Firefox Send",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110048": {
		"Description": "Device::Activity Identifier::Formbook",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110049": {
		"Description": "Device::Anomaly Indicators::Github Download Indicator",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110050": {
		"Description": "Compliance::File Storage::Google Cloud/ASN",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110051": {
		"Description": "Tags::Guest Wifi",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110052": {
		"Description": "Compromise::HTTP Beaconing to New Endpoint",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110053": {
		"Description": "Compromise::HTTP Beaconing to Rare Destination",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110054": {
		"Description": "System::Heartbeat",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110055": {
		"Description": "Device::Anomaly Indicators::High Volume to New Endpoints",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110056": {
		"Description": "Compliance::File Storage::Hightail",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110057": {
		"Description": "Device::Activity Identifier::IP Info Services",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110058": {
		"Description": "System::Inactive Client Sensor Agent Detected",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110059": {
		"Description": "Device::Activity Identifier::Remote Tools::Incoming Aeroadmin",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110060": {
		"Description": "Device::Activity Identifier::Remote Tools::Incoming Ammy Admin",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110061": {
		"Description": "Device::Activity Identifier::Remote Tools::Incoming AnyDesk",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110062": {
		"Description": "Device::Activity Identifier::Remote Tools::Incoming Anyplace Control",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110063": {
		"Description": "Anomalous Server Activity::Incoming Request to Unusual SSL Server",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110064": {
		"Description": "Device::Activity Identifier::Remote Tools::Incoming VNC Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110065": {
		"Description": "Device::Anomaly Indicators::Incorrect Protocol on 53, 80 or 443 to Rare",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110066": {
		"Description": "Device::Anomaly Indicators::Increase in SSL or HTTP Connections to New Location",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110067": {
		"Description": "Tags::Antigena::Insider Threat Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110068": {
		"Description": "Compliance::FTP::Internal FTP",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110069": {
		"Description": "System::Internet Facing Darktrace Appliance",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110070": {
		"Description": "Tags::Internet Facing System",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110071": {
		"Description": "Tags::Ivanti Scan Job",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110072": {
		"Description": "Device::Anomaly Indicators::Kerberos TGS Without AS or AP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110073": {
		"Description": "Tags::Key User Login",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110074": {
		"Description": "Device::Anomaly Indicators::Large Data Volume Outgoing From Server",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110075": {
		"Description": "Compliance::Social Media::LinkedIn",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110076": {
		"Description": "Device::Activity Identifier::LokiBot",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110077": {
		"Description": "Device::Anomaly Indicators::MFA Authentication from Unusual Location",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110078": {
		"Description": "Security Integration::MS Defender Unwanted Software",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110079": {
		"Description": "Tags::Mail Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110081": {
		"Description": "Compliance::File Storage::Mega",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110080": {
		"Description": "Tags::Microsoft ATP Scanner",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110082": {
		"Description": "Tags::Microsoft Windows Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110083": {
		"Description": "Device::Activity Identifier::Mirai",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110084": {
		"Description": "System::Model Exclude Proxies",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110085": {
		"Description": "Device::Anomaly Indicators::Multiple New Credentials on Device",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110087": {
		"Description": "Device::Anomaly Indicators::Multiple SIP Requests From Rare Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110088": {
		"Description": "Device::Activity Identifier::Multiple Unknown RPC Service Binds",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110089": {
		"Description": "User::New Admin Credential Ticket Request",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110090": {
		"Description": "Device::New Failed External Connections",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110091": {
		"Description": "Device::Anomaly Indicators::New Internal WPAD Request Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110092": {
		"Description": "Tags::New Raspberry Pi Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110093": {
		"Description": "Infrastructure::New Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110094": {
		"Description": "System::New Subnet Detected",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110095": {
		"Description": "Device::New User Agent",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110096": {
		"Description": "Tags::No Device Tracking",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110097": {
		"Description": "Device::Activity Identifier::NuclearEK",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110098": {
		"Description": "SaaS::Compliance::O365 Quarantined Message Released",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110099": {
		"Description": "Compliance::File Storage::OneDrive",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110100": {
		"Description": "System::Packet Loss on Appliance",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110101": {
		"Description": "System::Packet Loss on vSensor",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110102": {
		"Description": "Device::Activity Identifier::Pastebin Connection",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110103": {
		"Description": "Tags::Point of Sale",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110104": {
		"Description": "Tags::Polycom Phone",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110105": {
		"Description": "Device::Activity Identifier::Pony",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110106": {
		"Description": "Container::Possible Access to Kubelet API from External",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110107": {
		"Description": "Compliance::Possible Cleartext Password in URI - External",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110108": {
		"Description": "System::Possible ICS Protocol",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110109": {
		"Description": "Container::Possible New Access to Kubelet API",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110110": {
		"Description": "Compliance::Possible Open DNS Resolver",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110111": {
		"Description": "SaaS::Access::Possible Salesforce Brute-Force Attempt",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110112": {
		"Description": "Compliance::Possible Unencrypted Password File On Server",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110113": {
		"Description": "Tags::Printer Device Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110114": {
		"Description": "Compromise::Quick and Regular Windows HTTP Beaconing",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110115": {
		"Description": "Device::Anomaly Indicators::RPC Lateral Movement Sequence",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110116": {
		"Description": "Device::Anomaly Indicators::Rare Domain Pointing to Internal IP Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110117": {
		"Description": "Device::Anomaly Indicators::Rare External Connection with Beacon Score",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110118": {
		"Description": "Device::Anomaly Indicators::Re-Activated Device",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110119": {
		"Description": "Compliance::Remote Management Tool On Client",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110120": {
		"Description": "Compliance::Remote Management Tool On Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110121": {
		"Description": "Tags::SMB Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110122": {
		"Description": "Device::Activity Identifier::SMB Version 1",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110123": {
		"Description": "Compliance::SMB Version 1 Usage",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110124": {
		"Description": "Compliance::SMTP from Blocklisted Source",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110125": {
		"Description": "Compromise::SSL Beaconing to New Endpoint",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110126": {
		"Description": "Compromise::SSL Beaconing to Rare Destination",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110127": {
		"Description": "Container::Sensitive Terms in URI - Internal (K8s)",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110128": {
		"Description": "Compliance::File Storage::Sharefile",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110129": {
		"Description": "Compliance::Messaging::Signal Messenger Text",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110130": {
		"Description": "Compliance::Messaging::Signal Messenger Voice",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110131": {
		"Description": "Tags::Antigena::Significant Anomaly Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110132": {
		"Description": "Device::Activity Identifier::Skype Connections",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110133": {
		"Description": "Compliance::SmartScreen Connection Following Rare Endpoint",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110134": {
		"Description": "Compliance::Snagit on Server",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110135": {
		"Description": "Device::Anomaly Indicators::Spike in Epmapper Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110136": {
		"Description": "Device::Anomaly Indicators::Spike in SSL or HTTP Connections to New Location",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110137": {
		"Description": "Device::Anomaly Indicators::Spike in UDP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110138": {
		"Description": "Device::Activity Identifier::Spotify Comms",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110139": {
		"Description": "System::Subnet Size Change",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110140": {
		"Description": "Compromise::Suspicious Beaconing Behaviour",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110141": {
		"Description": "Device::Suspicious Domain",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110142": {
		"Description": "Device::Anomaly Indicators::Suspicious SMB Scanning Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110143": {
		"Description": "Anomalous Connection::TCP DNS Request From Rare Endpoint",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110144": {
		"Description": "Tags::Tag Admin Login",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110145": {
		"Description": "Compliance::Messaging::Telegram Messenger",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110146": {
		"Description": "Compliance::Telnet",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110147": {
		"Description": "Device::Three Or More New User Agents",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110148": {
		"Description": "Compliance::Social Media::Twitter",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110149": {
		"Description": "Compliance::USB Device Inserted",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110150": {
		"Description": "Device::Unauthorised Device",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110151": {
		"Description": "Device::Unusual Activity and Server Reboot",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110152": {
		"Description": "Unusual Activity::Unusual Activity from Multiple Metrics",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110153": {
		"Description": "Device::Point of Sale::Unusual Activity from POS",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110154": {
		"Description": "Compromise::Unusual Connections to Rare Lets Encrypt",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110155": {
		"Description": "Container::Unusual External Connections (K8s)",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110156": {
		"Description": "Container::Unusual Internal Connections (K8s)",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110157": {
		"Description": "Device::Anomaly Indicators::Unusual Port for Application Protocol",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110158": {
		"Description": "Compliance::Unusual Zoom Usage",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110159": {
		"Description": "Tags::Update Activity on New/Re-Activated Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110160": {
		"Description": "SaaS::System::Update to Darktrace Application",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110161": {
		"Description": "Device::Activity Identifier::Ursnif",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110162": {
		"Description": "Compliance::User Agent and OS Mismatch",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110163": {
		"Description": "Tags::Virtual Machine",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110164": {
		"Description": "Tags::VoIP Call Activity",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110165": {
		"Description": "Compliance::Vulnerable Name Resolution",
		"inc_or_vuln": "inc",
		"category": "Un-patched vulnerability"
	},
	"110166": {
		"Description": "Tags::WSUS or SCCM Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110167": {
		"Description": "Compliance::File Storage::WeTransfer",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110168": {
		"Description": "Compliance::Messaging::WhatsApp Messenger Text",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110169": {
		"Description": "Compliance::Messaging::WhatsApp Messenger Voice",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110170": {
		"Description": "Device::Windows Application Crash",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110171": {
		"Description": "Device::Anomaly Indicators::Young or Invalid Certificate Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110172": {
		"Description": "Anomalous Connection::Young or Invalid Certificate SSL Connections to Rare",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110173": {
		"Description": "Container::Zip Or Gzip From Rare External Location (K8s)",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110174": {
		"Description": "Compliance::File Storage::iCloud",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110175": {
		"Description": "Tags::iOS Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110176": {
		"Description": "Tags::iOS Device Detection from DNS",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110177": {
		"Description": "Tags::iOS Mobile Device Typing",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110178": {
		"Description": "System::vSensor Upgrade",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110179": {
		"Description": "Tags::AD FS Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110180": {
		"Description": "Device::Anomaly Indicators::Increase in New RPC Services Indicator",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110181": {
		"Description": "Device::Anomaly Indicators::Possible Credential Testing Indicator",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110182": {
		"Description": "System::Possible Gateway Device Tagged For Antigena",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110183": {
		"Description": "Device::Anomaly Indicators::Azure PowerShell or CLI Activity",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110184": {
		"Description": "Device::Anomaly Indicators::Powershell Login Failure Activity",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110185": {
		"Description": "Device::Anomaly Indicators::Suspicious AGE Inbound Link",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110186": {
		"Description": "Compliance::Internet Relay Chat",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110187": {
		"Description": "Device::Anomaly Indicators::6 GiB Outbound",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110188": {
		"Description": "User::Admin Domain Password Change",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110189": {
		"Description": "Anomalous Connection::Anomalous DRSGetNCChanges Operation",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110190": {
		"Description": "User::Anomalous Domain User Creation Or Addition To Group",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110191": {
		"Description": "Device::Anomalous Github Download",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110192": {
		"Description": "Compliance::Anomalous Google Script Connection",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110193": {
		"Description": "Anomalous Connection::Anomalous Java RMI Connectivity",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110194": {
		"Description": "Device::Anomalous NTLM Brute Force",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110195": {
		"Description": "Device::Anomalous Nmap Activity",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110196": {
		"Description": "Anomalous Connection::Anomalous SMB3 to DC",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110197": {
		"Description": "Device::Anomaly Indicators::Anomalous SMB3 to DC Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110198": {
		"Description": "Unusual Activity::Anomalous SMB to New or Unusual Locations",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110199": {
		"Description": "Device::Anomalous Scripts Download Followed By Additional Packages",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110200": {
		"Description": "Anomalous Connection::Anomalous Spooler RPC Request to DC",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110201": {
		"Description": "Anomalous File::Apple Application from Rare External Location",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110202": {
		"Description": "Anomalous Connection::Application Protocol on Uncommon Port",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110203": {
		"Description": "IaaS::Network::Azure Public IP Update",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110204": {
		"Description": "Compliance::BitTorrent",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110205": {
		"Description": "Device::Activity Identifier::BitTorrent Ports",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110206": {
		"Description": "Compliance::Cleartext Email",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110207": {
		"Description": "Device::Common Domain Requests Sent To Rare Endpoints",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110208": {
		"Description": "Email Nexus::Connection to Hijacked Correspondent Link",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110209": {
		"Description": "Email Nexus::Connection to Open Redirect Link",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110210": {
		"Description": "Compromise::Connection to Sinkhole",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110211": {
		"Description": "Anomalous Connection::Data Sent To New External Device",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110212": {
		"Description": "Anomalous Server Activity::Domain Controller Initiated to Client",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110213": {
		"Description": "Compliance::External Cisco SMI",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110214": {
		"Description": "Device::External Network Scan",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110215": {
		"Description": "Compliance::External SNMP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110216": {
		"Description": "Compliance::External SQL",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110217": {
		"Description": "Compliance::External TFTP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110218": {
		"Description": "Compliance::External Windows Communications",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110219": {
		"Description": "Device::Anomaly Indicators::External Windows Communications Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110220": {
		"Description": "Anomalous File::FTP Executable from Rare External Location",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110221": {
		"Description": "Anomalous Connection::High Volume of Connections to Rare Domain",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110222": {
		"Description": "Device::ICMP Address Scan",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110223": {
		"Description": "Anomalous File::Incoming RAR File",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110224": {
		"Description": "Compliance::Incoming Remote Access Tool",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110225": {
		"Description": "Compliance::Incoming Remote Desktop",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110226": {
		"Description": "Compliance::Incoming SSH",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110227": {
		"Description": "Unusual Activity::Internal Data Transfer - Low Anomaly Score",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110228": {
		"Description": "Anomalous File::Internal::Internal File Transfer on New Port",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110229": {
		"Description": "Compliance::Internet Facing Cellular Gateway",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110230": {
		"Description": "Compliance::Internet Facing RDP Server",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110231": {
		"Description": "Compliance::Internet Facing SQL Server",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110232": {
		"Description": "Compliance::Kerberos Login Without Pre-Auth Data",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110233": {
		"Description": "Device::Long Agent Connection to New Endpoint",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110234": {
		"Description": "Anomalous Connection::Long External UDP Request on Rare Port",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110235": {
		"Description": "System::Missing DHCP Traffic",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110236": {
		"Description": "System::Model Over Breaching",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110237": {
		"Description": "Unusual Activity::Multiple Failed Internal Connections",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110238": {
		"Description": "Compliance::Multiple SIP Requests From Rare",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110239": {
		"Description": "Anomalous Connection::Multiple SMB Admin Session",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110240": {
		"Description": "User::NTLM Login from Unauthenticated Device",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110241": {
		"Description": "Device::Network Scan - Low Anomaly Score",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110242": {
		"Description": "User::New Credential Following DPAPI BackupKey Request",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110243": {
		"Description": "Device::Anomaly Indicators::New Credential Following DPAPI BackupKey Request Indicator",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110244": {
		"Description": "Device::New DNS Zone Transfer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110245": {
		"Description": "Infrastructure::New Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110246": {
		"Description": "Tags::New Device Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110247": {
		"Description": "Anomalous Connection::New Outbound VPN",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110248": {
		"Description": "Device::New or Uncommon WMI Activity",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110249": {
		"Description": "Device::Anomaly Indicators::New or Uncommon WMI Activity Indicator",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110250": {
		"Description": "Compliance::Outbound Remote Desktop",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110251": {
		"Description": "Compliance::Outgoing NTLM Request from DC",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110252": {
		"Description": "Device::Anomaly Indicators::Outgoing NTLM Request from DC Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110253": {
		"Description": "Anomalous File::Outgoing RAR File",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110254": {
		"Description": "Anomalous Server Activity::Outgoing from Server",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110255": {
		"Description": "Anomalous Connection::PPTP Longer Than 24 Hours",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110256": {
		"Description": "Compliance::PacketStream",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110257": {
		"Description": "SaaS::Access::Password Spray",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110258": {
		"Description": "Compliance::Pastebin",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110259": {
		"Description": "SaaS::Teams Healthcare::Patient List Created",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110260": {
		"Description": "SaaS::Teams Healthcare::Patient List Deleted",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110261": {
		"Description": "Compliance::Possible Cleartext Password in URI - Internal",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110262": {
		"Description": "Compliance::Possible DNS Over HTTPS/TLS",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110263": {
		"Description": "Device::Anomaly Indicators::Possible RPC Recon Activity Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110264": {
		"Description": "Device::Possible SMB/NTLM Reconnaissance",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110265": {
		"Description": "Device::Anomaly Indicators::Possible Scripts Download Followed By Additional Packages",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110266": {
		"Description": "Compliance::Privacy VPN",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110267": {
		"Description": "Compromise::Ransomware::Ransom or Offensive Words Read from SMB",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110268": {
		"Description": "Compromise::Rare Domain Pointing to Internal IP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110269": {
		"Description": "Anomalous Connection::Rare External SSL Self-Signed",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110270": {
		"Description": "Device::Anomaly Indicators::Rare External SSL Self-Signed Indicator",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110271": {
		"Description": "Anomalous Server Activity::Rare External from Server",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110272": {
		"Description": "Tags::Re-Activated Device Tag",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110273": {
		"Description": "Anomalous Connection::Repeated Rare External SSL Self-Signed",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110274": {
		"Description": "Compliance::SSH to Rare External AWS",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110275": {
		"Description": "Compliance::SSH to Rare External Destination",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110276": {
		"Description": "Tags::Sentinel One Ranger Scanner",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110277": {
		"Description": "Inoculation::Sinkhole::Sinkhole DNS Lookup",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110278": {
		"Description": "IaaS::Compute::Spike in AWS Compute Resources Created",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110279": {
		"Description": "IaaS::Compute::Spike in Azure Compute Resources Created",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110280": {
		"Description": "IaaS::Compute::Spike in GCP Compute Resources Created",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110281": {
		"Description": "Device::Unusual Inbound LDAP Bind and Search from Rare External",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110282": {
		"Description": "SaaS::Access::Suspicious Login Attempt",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110283": {
		"Description": "Compromise::Suspicious Request Data",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110284": {
		"Description": "Compliance::Social Media::TikTok",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110285": {
		"Description": "IaaS::Compliance::Uncommon Azure External User Invite",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110286": {
		"Description": "Compliance::Unexpected Incoming NTP or Portmap Connections",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110287": {
		"Description": "Device::Activity Identifier::Unresponsive Server",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110288": {
		"Description": "Unusual Activity::Unusual Activity from New Device",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110289": {
		"Description": "Unusual Activity::Unusual Activity from Re-Activated Device",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110290": {
		"Description": "User::Unusual Anonymous Login",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110291": {
		"Description": "Device::Unusual BITS Activity",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110292": {
		"Description": "IaaS::Compute::Unusual Exec Into Azure Container",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110293": {
		"Description": "Device::Unusual Group Policy Access",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110294": {
		"Description": "Anomalous Connection::Unusual Internal HTTP POST to Script",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110295": {
		"Description": "Anomalous Connection::Unusual Internal Remote Desktop",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110296": {
		"Description": "Anomalous Connection::Unusual Internal SSH",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110297": {
		"Description": "Anomalous Connection::Unusual Internal TCP DNS Request",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110298": {
		"Description": "IaaS::Network::Unusual Modification In AWS VPC",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110299": {
		"Description": "Compliance::FTP::Unusual Outbound FTP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110300": {
		"Description": "SaaS::Teams Healthcare::Unusual Patient Schema Action",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110301": {
		"Description": "SaaS::Teams Healthcare::Unusual Patient View",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110302": {
		"Description": "Anomalous Connection::Unusual SMB Version 6 Connectivity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110303": {
		"Description": "SaaS::Unusual Activity::Unusual SaaS Activity Score",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110304": {
		"Description": "SaaS::Unusual Activity::Unusual SaaS Administrative Login",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110305": {
		"Description": "Device::Unusual WinRM - Heuristic",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110306": {
		"Description": "Anomalous Connection::Unusually Large DNS Response Packet",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110307": {
		"Description": "Anomalous Connection::Upload via Remote Desktop",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110308": {
		"Description": "Compliance::Weak Active Directory Ticket Encryption",
		"inc_or_vuln": "inc",
		"category": "Un-patched vulnerability"
	},
	"110309": {
		"Description": "Device::Windows Kernel Crash",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110310": {
		"Description": "Device::Windows Server Crash",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110311": {
		"Description": "Anomalous Server Activity::Write to Network Accessible WebRoot",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110312": {
		"Description": "Anomalous File::Zip or Gzip from Rare External Location",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110313": {
		"Description": "Compliance::Zoom File Transfer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110314": {
		"Description": "Device::SMB Session Brute Force (Non-Admin)",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110315": {
		"Description": "SaaS::System::Login Attempt to Darktrace Application",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110316": {
		"Description": "SaaS::Compliance::New Exchange Connector",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110317": {
		"Description": "SaaS::Compliance::O365 Suspicious User Submission",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110318": {
		"Description": "IaaS::Network::AWS Network Gateway Modification",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110319": {
		"Description": "IaaS::Network::AWS Route Table Update",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110320": {
		"Description": "Compliance::Outbound LDAP to Rare Endpoint",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110321": {
		"Description": "Device::Anomaly Indicators::External Address Scan Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110322": {
		"Description": "IaaS::Compliance::AWS Cloud Log Disruption",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110323": {
		"Description": "IaaS::Network::AWS Network Interface Removed",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110324": {
		"Description": "IaaS::Admin::AWS Root User Login",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110325": {
		"Description": "Anomalous Connection::Active Remote Desktop Tunnel",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110326": {
		"Description": "Anomalous Connection::Active SSH Tunnel",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110327": {
		"Description": "SaaS::Unusual Activity::Activity from Multiple Unusual Locations",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110328": {
		"Description": "Compromise::Agent Beacon (Long Period)",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110329": {
		"Description": "Compromise::Agent Beacon (Medium Period)",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110330": {
		"Description": "Compromise::Agent Beacon (Short Period)",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110331": {
		"Description": "Compromise::Agent Beacon to New Endpoint",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110332": {
		"Description": "Compliance::Ammyy Remote Management Tool On Server",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110333": {
		"Description": "Device::Anomalous Active Directory Web Services",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110334": {
		"Description": "Device::Anomaly Indicators::Anomalous Active Directory Web Services Indicator",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110335": {
		"Description": "IaaS::Admin::Anomalous Azure Export",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110336": {
		"Description": "IaaS::Access::Anomalous Azure Storage Key Access",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110337": {
		"Description": "IaaS::Access::Anomalous Azure Web App Get",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110338": {
		"Description": "IaaS::Compute::Anomalous Command Run on Azure VM",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110339": {
		"Description": "Anomalous Server Activity::Anomalous External Activity from Critical Network Device",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110340": {
		"Description": "IaaS::Unusual Activity::Anomalous GSuite Cloud Platform Activities",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110341": {
		"Description": "SaaS::Admin::Anomalous GSuite Recovery Info Changed",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110342": {
		"Description": "Device::Anomalous ITaskScheduler Activity",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110343": {
		"Description": "SaaS::Admin::Anomalous O365 Device Changes",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110344": {
		"Description": "SaaS::Compliance::Anomalous O365 Permission Changes",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110345": {
		"Description": "Anomalous File::Anomalous Octet Stream",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110346": {
		"Description": "Anomalous Connection::Anomalous SSL without SNI to New External",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110347": {
		"Description": "SaaS::Access::Anomalous SSO to Okta Application",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110348": {
		"Description": "SaaS::Admin::Anomalous SaaS Administration On Partner",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110349": {
		"Description": "SaaS::Resource::Anomalous SaaS Export",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110350": {
		"Description": "Device::Attack and Recon Tools",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110351": {
		"Description": "IaaS::Compute::Azure Compute Resource Update",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110352": {
		"Description": "IaaS::Access::Azure Function Keys Accessed",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110353": {
		"Description": "IaaS::Network::Azure Network Interface(s) Removed",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110354": {
		"Description": "IaaS::Network::Azure Network Route Table Update",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110355": {
		"Description": "IaaS::Network::Azure Security Rule Delete",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110356": {
		"Description": "IaaS::Network::Azure Security Rule Update",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110357": {
		"Description": "IaaS::Storage::Azure Unusual Data Flow Update",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110358": {
		"Description": "Compromise::Beacon for 4 Days",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110359": {
		"Description": "Compromise::Beacon to Young Endpoint",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110360": {
		"Description": "Compromise::Beaconing Activity To External Rare",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110361": {
		"Description": "Device::Activity Identifier::BitTorrent Tracker or Announce",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110362": {
		"Description": "SaaS::Resource::Box - Large File Delete",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110363": {
		"Description": "SaaS::Access::Box Account Access By OAuth or Unusual Software",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110364": {
		"Description": "SaaS::Resource::Box User Accessing Unusual Resources",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110365": {
		"Description": "SaaS::Resource::Box User Deleting Shared Resources",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110366": {
		"Description": "Anomalous Connection::Callback on Web Facing Device",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110367": {
		"Description": "SaaS::Admin::Changed Dropbox Admin Rights",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110368": {
		"Description": "Anomalous Connection::Cisco Umbrella Block Page",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110369": {
		"Description": "Email Nexus::Connection to Highly Classified Link",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110370": {
		"Description": "Email Nexus::Connection to Phishing Endpoint",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110371": {
		"Description": "Device::Activity Identifier::Connection to Possible O365 Phishing Site",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110372": {
		"Description": "Email Nexus::Connection to Spoofed Internal Domain",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110373": {
		"Description": "Compliance::Crypto Currency Mining Activity",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110374": {
		"Description": "Device::DNS Requests to Unusual Server",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110375": {
		"Description": "Compromise::DNS::DNS Tunnel - Low Anomaly Score",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110376": {
		"Description": "Device::EXE Files Distributed to Multiple Devices",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110377": {
		"Description": "Anomalous File::EXE from Rare External Location",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110378": {
		"Description": "Device::Excessive HTTP Errors",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110379": {
		"Description": "Compromise::Excessive Posts to Root",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110380": {
		"Description": "Anomalous File::Internal::Executable Uploaded to DC",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110381": {
		"Description": "Anomalous Connection::External SMB3 Connection",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110382": {
		"Description": "SaaS::Resource::External User Added Followed By Resource Accessed",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110383": {
		"Description": "SaaS::Resource::Files Copied to Removable Media",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110384": {
		"Description": "SaaS::Admin::Global Administrator Added",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110385": {
		"Description": "Compromise::High Frequency SSH Beacon",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110386": {
		"Description": "Unusual Activity::High Volume Server Data Transfer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110387": {
		"Description": "Compromise::High Volume of Connections with Beacon Score",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110388": {
		"Description": "Anomalous Connection::IPSec VPN to Rare IP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110389": {
		"Description": "Anomalous File::Incoming CHM File",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110390": {
		"Description": "Anomalous Connection::Incoming HTTP POST on Port 53",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110391": {
		"Description": "Device::Anomaly Indicators::Increase in C2 Activity",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110392": {
		"Description": "Device::Anomaly Indicators::Increase in Unique LDAP Bind Failures",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110393": {
		"Description": "Device::Increased External Connectivity",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110394": {
		"Description": "Anomalous Server Activity::Increased Incoming Activity to Server",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110395": {
		"Description": "Unusual Activity::Internal Data Transfer",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110396": {
		"Description": "System::Internal Domain Name Change",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110397": {
		"Description": "Anomalous Connection::Invalid DNS Hostnames",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110398": {
		"Description": "Anomalous Connection::Invalid SSL Certificate to Common Domain",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110399": {
		"Description": "User::Kerberos Password Brute Force",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110400": {
		"Description": "Compliance::Kerberos Ticket Vulnerable to Kerberoasting",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110401": {
		"Description": "Device::Activity Identifier::Koadic Activity",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110402": {
		"Description": "Anomalous Server Activity::Large DHCP Data Transfer",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110403": {
		"Description": "Device::Large Number of Connections to New Endpoints",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110404": {
		"Description": "Device::Large Outbound VPN Data",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110405": {
		"Description": "Unusual Activity::Large Volume of Kerberos Failures",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110406": {
		"Description": "Unusual Activity::Large Volume of Radius Failures",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110407": {
		"Description": "IaaS::Compliance::Large Volume of S3 File Downloads",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110408": {
		"Description": "SaaS::Resource::Large Volume of SaaS File Downloads",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110409": {
		"Description": "SaaS::Compromise::Login From Unusual ASN Followed By Upload",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110410": {
		"Description": "Anomalous Connection::Lots of New Connections",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110411": {
		"Description": "Device::Lots of New User Agents",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110412": {
		"Description": "Unusual Activity::Low Priority Unusual External Data Transfer",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110413": {
		"Description": "Security Integration::Low Severity MS Defender Detection",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110414": {
		"Description": "Security Integration::Low Severity MS Defender Malware Incident",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"110415": {
		"Description": "Anomalous File::Internal::Masqueraded Executable SMB Write",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110416": {
		"Description": "SaaS::Compliance::Microsoft Cloud App Security Alert Detected",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110417": {
		"Description": "SaaS::Resource::Microsoft Endpoint Anomalous File Renames",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110418": {
		"Description": "IaaS::Compliance::Multiple Anonymous S3 File Downloads",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110419": {
		"Description": "Anomalous Connection::Multiple Connections to New External TCP Port",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110420": {
		"Description": "Anomalous Connection::Multiple Connections to New External UDP Port",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110421": {
		"Description": "Anomalous Connection::Multiple Failed Connections to Rare Endpoint",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110422": {
		"Description": "Anomalous Connection::Multiple Failed Windows UDP",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110423": {
		"Description": "Anomalous Connection::Multiple HTTP POSTs to Rare Hostname",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110424": {
		"Description": "Compromise::Multiple POSTs to Rare PHP Plain Text",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110425": {
		"Description": "Device::Multiple RPC Requests for Unknown Services",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110426": {
		"Description": "Compromise::Multiple SSL to Rare DGA Domains",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110427": {
		"Description": "User::Multiple Uncommon New Credentials on Device",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110428": {
		"Description": "SaaS::Compliance::Multiple Unusual SaaS Shares",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110429": {
		"Description": "Device::Anomaly Indicators::NTLM Followed By Unusual Connections",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110430": {
		"Description": "IaaS::Admin::New AWS Account Creation",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110431": {
		"Description": "User::New Admin Credentials on Client",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110432": {
		"Description": "Device::Anomaly Indicators::New Admin Credentials on Server Indicator",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110433": {
		"Description": "User::New Admin Credentials on Server",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110434": {
		"Description": "IaaS::Admin::New Azure Account Creation",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110435": {
		"Description": "Device::New Connections On Suspicious Port",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110436": {
		"Description": "User::New Credential for Client",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110437": {
		"Description": "Anomalous Connection::New Failed External Windows Connection",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110438": {
		"Description": "Anomalous Connection::New Internal TCP Callback",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110439": {
		"Description": "Anomalous Server Activity::New Internal WPAD Request",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110440": {
		"Description": "Anomalous Server Activity::New Internet Facing System",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110441": {
		"Description": "Device::New PowerShell User Agent",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110442": {
		"Description": "SaaS::Admin::New SaaS Account Creation",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110443": {
		"Description": "SaaS::Admin::New Salesforce Partner User",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110444": {
		"Description": "Device::New User Agent To Internal Server",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110445": {
		"Description": "Device::New User Agent and New IP",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110446": {
		"Description": "Anomalous Connection::New User Agent to IP Without Hostname",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110447": {
		"Description": "Compromise::New or Repeated to Unusual SSL Port",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110448": {
		"Description": "Device::New or Uncommon SMB Named Pipe",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110449": {
		"Description": "Anomalous Connection::New or Uncommon Service Control",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110450": {
		"Description": "User::Non-Corporate Device on VPN",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110451": {
		"Description": "SaaS::Admin::O365 Admin Role Check",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110452": {
		"Description": "SaaS::Resource::O365 Sensitive File Upload to Site",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110453": {
		"Description": "SaaS::Admin::OAuth Permission Grant",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110454": {
		"Description": "Anomalous Connection::Outbound RDP to Unusual Port",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110455": {
		"Description": "Compromise::Outdated SSL Beacon",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110456": {
		"Description": "Email Nexus::Phishing Compromise",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110457": {
		"Description": "Anomalous Connection::Possible Broadcast Poison Success",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110458": {
		"Description": "Anomalous Connection::Possible Callback URL",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110459": {
		"Description": "Device::Anomaly Indicators::Possible Dropbox C2",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110460": {
		"Description": "Anomalous Connection::Possible IDN Homograph Attack",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110461": {
		"Description": "Anomalous Connection::Possible Outbound Spam",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110462": {
		"Description": "Device::Anomaly Indicators::Possible Outbound Spam Indicator",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110463": {
		"Description": "Device::Possible RPC Endpoint Mapper Dump",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110464": {
		"Description": "Compromise::Ransomware::Possible Ransom Note Read",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110465": {
		"Description": "Compromise::Ransomware::Possible Ransom Note Write",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110466": {
		"Description": "Compliance::Possible Tor Usage",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110467": {
		"Description": "Compromise::Possible Tunnelling to Bin Services",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110468": {
		"Description": "Anomalous Connection::Posting HTTP to IP Without Hostname",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110469": {
		"Description": "Anomalous Connection::Powershell to Rare External",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110470": {
		"Description": "User::RDP Username Brute Force",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110471": {
		"Description": "Device::Anomaly Indicators::Rare IP for Common Hostname",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110472": {
		"Description": "Anomalous Connection::Rare WinRM Incoming",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110473": {
		"Description": "Anomalous Connection::Rare WinRM Outgoing",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110474": {
		"Description": "Device::Anomaly Indicators::Repeated LDAP Bind Failures",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110475": {
		"Description": "Device::Repeated Unknown RPC Service Bind Errors",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110476": {
		"Description": "Compromise::Repeating Connections Over 4 Days",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110477": {
		"Description": "Device::Anomaly Indicators::Replication of Directory Services Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110478": {
		"Description": "SaaS::Resource::SharePoint Resource Accessed By Guest",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110479": {
		"Description": "Device::Reverse DNS Sweep",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110480": {
		"Description": "Unusual Activity::SMB Access Failures",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110481": {
		"Description": "Device::Anomaly Indicators::SMB Access Failures Indicator",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110482": {
		"Description": "Compliance::SMB Drive Write",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110483": {
		"Description": "Device::SMB Session Brute Force (Admin)",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110484": {
		"Description": "Device::SMB Version 1 Access Failures",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110485": {
		"Description": "Compromise::SSH Beacon",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110486": {
		"Description": "Anomalous Connection::SSH Brute Force",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110487": {
		"Description": "Compromise::SSL to DynDNS",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110488": {
		"Description": "SaaS::Compliance::SaaS Root User Login",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110489": {
		"Description": "SaaS::Admin::Salesforce Permission Set Assign",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110490": {
		"Description": "Anomalous Server Activity::Server Activity on New Non-Standard Port",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110491": {
		"Description": "Compromise::Slow Beaconing Activity To External Rare",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110492": {
		"Description": "Device::Spike in LDAP Activity",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110493": {
		"Description": "Device::Anomaly Indicators::Spike in LDAP Activity Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110494": {
		"Description": "Anomalous Connection::Suspicious Activity On High Risk Device",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110495": {
		"Description": "Device::Suspicious File From Group Policy Share",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110496": {
		"Description": "Device::Anomaly Indicators::Suspicious HTTP Activity Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110497": {
		"Description": "Anomalous File::Internal::Suspicious Internal HTTP Download",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110498": {
		"Description": "SaaS::Access::Suspicious Login User-Agent",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110499": {
		"Description": "Device::Suspicious New User Agents",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110500": {
		"Description": "Compromise::Ransomware::Suspicious SMB File Extension",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110501": {
		"Description": "Device::Suspicious SMB Query",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110502": {
		"Description": "Device::Suspicious UPnP Activity",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110503": {
		"Description": "Compromise::Sustained SSL or HTTP Increase",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110504": {
		"Description": "Compromise::Sustained TCP Beaconing Activity To Rare Endpoint",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110505": {
		"Description": "Device::Sustained UDP Increase",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110506": {
		"Description": "SaaS::Admin::Teams Connector Added",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110507": {
		"Description": "Anomalous File::Torrent File Download",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110508": {
		"Description": "Compromise::UDP to Multiple Rare External Hosts",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110509": {
		"Description": "Anomalous Connection::Uncommon 1 GiB Outbound",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110510": {
		"Description": "IaaS::Admin::Unusual AWS Administration",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110511": {
		"Description": "IaaS::Compute::Unusual AWS Compute Resource Deletion",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110512": {
		"Description": "Device::Unusual Access to ADFS Configuration File",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110513": {
		"Description": "IaaS::Access::Unusual Access to AWS Secret",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110514": {
		"Description": "SaaS::Access::Unusual Access to Okta Admin Panel",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110515": {
		"Description": "IaaS::Compute::Unusual Azure Compute Resource Deletion",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110516": {
		"Description": "Unusual Activity::Unusual DNS",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110517": {
		"Description": "SaaS::Resource::Unusual Download Of Externally Shared O365 File",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110518": {
		"Description": "IaaS::Compute::Unusual EC2 Resource Creation",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110519": {
		"Description": "IaaS::Compute::Unusual EC2 Resource Modification",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110520": {
		"Description": "Unusual Activity::Unusual External Connections",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110521": {
		"Description": "Device::Unusual External DNS",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110522": {
		"Description": "Unusual Activity::Unusual External Data to New Endpoints",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110523": {
		"Description": "User::Unusual External Source for Credential Use",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110524": {
		"Description": "SaaS::Access::Unusual External Source for SaaS Credential Use",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110525": {
		"Description": "Unusual Activity::Unusual ICMP Data Volume",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110526": {
		"Description": "Anomalous Connection::Unusual Incoming Data Volume",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110527": {
		"Description": "Device::Anomaly Indicators::Unusual Incoming Data Volume Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110528": {
		"Description": "Anomalous Connection::Unusual Internal Connections",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110529": {
		"Description": "Device::Anomaly Indicators::Unusual Internal Connections Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110530": {
		"Description": "Unusual Activity::Unusual Internal Data Volume as Client or Server",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110531": {
		"Description": "Anomalous File::Internal::Unusual Internal EXE File Transfer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110532": {
		"Description": "Device::Unusual Internal Web Service",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110533": {
		"Description": "Unusual Activity::Unusual Large Internal Transfer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110534": {
		"Description": "SaaS::Teams Healthcare::Unusual Patient List Modified",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110535": {
		"Description": "SaaS::Teams Healthcare::Unusual Patient Record Modified",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110536": {
		"Description": "SaaS::Resource::Unusual PowerBI Share",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110537": {
		"Description": "IaaS::Storage::Unusual S3 Resource Modification",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110538": {
		"Description": "Device::Anomaly Indicators::Unusual SAMR Anomaly Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110539": {
		"Description": "Anomalous File::Internal::Unusual SMB Script Write",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110540": {
		"Description": "SaaS::Unusual Activity::Unusual SaaS Administration",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110541": {
		"Description": "Device::Anomaly Indicators::Unusual SaaS Source Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110542": {
		"Description": "Anomalous Server Activity::Unusual Server Kerberos",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110543": {
		"Description": "SaaS::Admin::Unusual Teams Admin Action",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110544": {
		"Description": "Anomalous Server Activity::Unusual Unresponsive Server",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110545": {
		"Description": "Device::cSensor Upload to Non-Corporate Device",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110546": {
		"Description": "SaaS::Email Nexus::Unusual Login Location Following Phishing Link",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110547": {
		"Description": "Device::Anomaly Indicators::Kerberos Password Brute Force Indicator",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110548": {
		"Description": "Device::Anomaly Indicators::NTLM Brute Force Indicator",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110549": {
		"Description": "Device::Anomaly Indicators::SMB Session Brute Force Non-Admin Indicator",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110550": {
		"Description": "IaaS::Access::Anomalous Azure PowerShell or CLI Logins",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110551": {
		"Description": "SaaS::Unusual Activity::Anomalous Exchange Activity",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110552": {
		"Description": "SaaS::Compliance::Anomalous O365 DLP Rule Match",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110553": {
		"Description": "SaaS::Unusual Activity::Anomalous Send-As Activity",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110554": {
		"Description": "SaaS::Unusual Activity::Anomalous Send-On-Behalf Activity",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110555": {
		"Description": "SaaS::System::Login to Darktrace Application from Rare Location",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110556": {
		"Description": "SaaS::Compliance::New Email Rule",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110557": {
		"Description": "SaaS::Compliance::New Exchange Remote Domain",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110558": {
		"Description": "SaaS::Compliance::O365 External User Added to Group",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110559": {
		"Description": "SaaS::Resource::Unusual Access to Delegated Resource by Non Owner",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110560": {
		"Description": "SaaS::Resource::Unusual Delegated Resource Deleted by Non Owner",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110561": {
		"Description": "SaaS::Resource::Unusual Permissions Change to Delegated Resource by Non Owner",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110562": {
		"Description": "SaaS::Email Nexus::Unusual Login Location Following Sender Spoof",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110563": {
		"Description": "SaaS::Email Nexus::Possible Outbound Email Spam",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110564": {
		"Description": "IaaS::Admin::AWS Access Key Creation",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110565": {
		"Description": "IaaS::Admin::AWS Customer Master Key Deleted",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110566": {
		"Description": "IaaS::Compliance::AWS EC2 Key Pair Create Or Import",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110567": {
		"Description": "IaaS::Compute::AWS EC2 Resource Shared",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110568": {
		"Description": "IaaS::Storage::AWS RDS Database Modification",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110569": {
		"Description": "IaaS::Storage::AWS RDS Instance Snapshot Create and Restore",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110570": {
		"Description": "IaaS::Admin::AWS Secret Modification",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110571": {
		"Description": "IaaS::Network::AWS Security Rule Delete",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110572": {
		"Description": "IaaS::Network::AWS Security Rule Update",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110573": {
		"Description": "IaaS::Admin::AWS User Added to Admin Group",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110574": {
		"Description": "IaaS::Compliance::Anomalous AWS API Command",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110575": {
		"Description": "IaaS::Compliance::Anomalous AWS Assume Role",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110576": {
		"Description": "IaaS::Admin::Anomalous IAM Create Access Key",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110577": {
		"Description": "IaaS::Admin::Anomalous IAM Policy Change",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110578": {
		"Description": "IaaS::Admin::Anomalous IAM Update",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110579": {
		"Description": "IaaS::Compute::Lambda Permission Added",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110580": {
		"Description": "IaaS::Compute::Unusual AWS Container Resource Deletion",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110581": {
		"Description": "IaaS::Admin::Unusual AWS Policy Attachment",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110582": {
		"Description": "IaaS::Access::Unusual Access to Kubernetes API",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110583": {
		"Description": "IaaS::Compute::Unusual Update to EKS Cluster Config",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110584": {
		"Description": "IaaS::Compliance::Unusual VPC Traffic Mirroring In AWS",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110585": {
		"Description": "IaaS::Access::AKS Admin Credentials Access",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110586": {
		"Description": "IaaS::Compliance::AWS EBS Default Encryption Disabled",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110587": {
		"Description": "IaaS::Compliance::AWS EventBridge Rule Disabled",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110588": {
		"Description": "IaaS::Access::AWS Root User Login from Rare External",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110589": {
		"Description": "Compromise::Alternative TLD",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110590": {
		"Description": "IaaS::Unusual Activity::Anomalous AWS Resources Deleted",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110591": {
		"Description": "IaaS::Compliance::Anomalous GCP Action from Anonymous User",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110592": {
		"Description": "SaaS::Resource::Anomalous O365 Content Search",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110593": {
		"Description": "Device::Anomalous RDP Followed By Multiple Model Breaches",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110594": {
		"Description": "Device::Anomalous SMB3 Followed By Reboot",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110595": {
		"Description": "Unusual Activity::Anomalous SMB Delete Volume",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110596": {
		"Description": "Device::Anomalous SMB Followed By Multiple Model Breaches",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110597": {
		"Description": "Unusual Activity::Anomalous SMB Move & Write",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110598": {
		"Description": "Unusual Activity::Anomalous SMB Read & Write",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110599": {
		"Description": "Unusual Activity::Anomalous SMB Read & Write from New Device",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110600": {
		"Description": "Unusual Activity::Anomalous SMB Reads to New or Unusual Locations",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110601": {
		"Description": "Unusual Activity::Anomalous SMB to Server",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110602": {
		"Description": "SaaS::Resource::Anomalous SaaS Resources Deleted",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110603": {
		"Description": "IaaS::Compliance::Anonymous S3 File Download",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110604": {
		"Description": "Antigena::Network::Compliance::Antigena Action - File Storage Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110605": {
		"Description": "Antigena::Network::Compliance::Antigena FTP Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110606": {
		"Description": "Antigena::Network::Insider Threat::Antigena Internal Anomalous File Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110607": {
		"Description": "Antigena::Network::Compliance::Antigena Notice - File Storage Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110608": {
		"Description": "Antigena::Network::Compliance::Antigena Pastebin Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110609": {
		"Description": "Antigena::Network::Insider Threat::Antigena SMB Enumeration Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110610": {
		"Description": "Antigena::Network::Significant Anomaly::Antigena Significant Anomaly from Client Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110611": {
		"Description": "Antigena::Network::External Threat::Antigena Suspicious File Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110612": {
		"Description": "Antigena::Network::External Threat::Antigena Suspicious File Pattern of Life Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110613": {
		"Description": "Antigena::Network::Compliance::Antigena Tor Block",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110614": {
		"Description": "Inoculation::Sinkhole::Anubis",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110615": {
		"Description": "IaaS::Admin::Azure Application Administration Activities",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110616": {
		"Description": "IaaS::Access::Azure Authentication Server Secrets Accessed",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110617": {
		"Description": "IaaS::Network::Azure Database Firewall Rule Update",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110618": {
		"Description": "IaaS::Access::Azure Database Keys Accessed",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110619": {
		"Description": "IaaS::Compliance::Azure Device No Longer Compliant",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110620": {
		"Description": "Multiple Device Correlations::Behavioural Change Across Multiple Devices",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110621": {
		"Description": "Compromise::Botnet C2 Behaviour",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110622": {
		"Description": "SaaS::Admin::Box Third Party Authorization",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110623": {
		"Description": "Inoculation::Sinkhole::CERT Polska",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110624": {
		"Description": "Anomalous Connection::CertUtil to Rare Destination",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110625": {
		"Description": "Compliance::Client Device Serving NTP",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110626": {
		"Description": "Inoculation::Sinkhole::Conficker Sinkhole",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110627": {
		"Description": "Infrastructure::DHCP Server",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110628": {
		"Description": "Compromise::DNS::DNSCat2",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110629": {
		"Description": "Infrastructure::DNS Server Change",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110630": {
		"Description": "Compromise::DNS::DNS Tunnel",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110631": {
		"Description": "Compromise::DNS::DNS Tunnel to Rare Server",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110632": {
		"Description": "Compromise::DNS::DNS Tunnel with TXT Records",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110633": {
		"Description": "Anomalous Connection::Data Sent to Rare Domain",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110634": {
		"Description": "Device::Anomaly Indicators::Denial of Service Activity Indicator",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110635": {
		"Description": "SaaS::Unusual Activity::Disabled Strong Authentication",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110636": {
		"Description": "Anomalous Server Activity::Domain Controller DynDNS SSL or HTTP",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110637": {
		"Description": "Compromise::Domain Fluxing",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110638": {
		"Description": "Anomalous Connection::Download and Upload",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110639": {
		"Description": "SaaS::Access::Duo Admin Login Failure",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110640": {
		"Description": "Device::Point of Sale::External Uncommon Ports from POS",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110641": {
		"Description": "Anomalous Connection::Fake Certificate From IP",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110642": {
		"Description": "Inoculation::Fake SSL Certificate",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110643": {
		"Description": "Inoculation::Sinkhole::Farsight Security",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110644": {
		"Description": "SaaS::Compliance::GSuite Advanced Protection Unenrollment",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110645": {
		"Description": "SaaS::Compliance::GSuite Domain Settings Modified",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110646": {
		"Description": "Inoculation::Sinkhole::Georgia Tech",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110647": {
		"Description": "Anomalous Connection::High DGA Low DNS TTL",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110648": {
		"Description": "Compliance::High Priority Compliance Model Breach",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110649": {
		"Description": "Device::High Volume of Connections from Guest or New Device",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110650": {
		"Description": "Anomalous Connection::High Volume of New or Uncommon Service Control",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110651": {
		"Description": "Anomalous File::Incoming EXE from Rare External Location",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110652": {
		"Description": "Device::Activity Identifier::Remote Tools::Incoming Teamviewer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110653": {
		"Description": "Device::Increase in New RPC Services",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110654": {
		"Description": "Inoculation::Sinkhole::Inoculation Sinkhole",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110655": {
		"Description": "Device::LDAP Brute-Force Activity",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110656": {
		"Description": "Device::LDAP Password Spray",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110657": {
		"Description": "SaaS::Admin::Large Number of Admin Events",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110658": {
		"Description": "SaaS::Access::Large Volume of SaaS Login Failures",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110659": {
		"Description": "Compromise::Linux HTTPTunnel",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110660": {
		"Description": "SaaS::Access::Login Brute-Force Attempt",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110661": {
		"Description": "SaaS::Compromise::Login From Rare Endpoint While User Is Active",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110662": {
		"Description": "Anomalous Connection::Low and Slow Exfiltration",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110663": {
		"Description": "Anomalous Connection::Low and Slow Exfiltration to IP",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110664": {
		"Description": "SaaS::Resource::Mass Email Deletes from Rare Location",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110665": {
		"Description": "Inoculation::Sinkhole::Microsoft Digital Crimes Unit",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110666": {
		"Description": "Inoculation::Sinkhole::Miscellaneous",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110667": {
		"Description": "IaaS::Unusual Activity::Multiple Azure Resource Update Failures",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110668": {
		"Description": "Multiple Device Correlations::Multiple Devices Breaching Same Model",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110669": {
		"Description": "Anomalous File::Multiple EXE from Rare External Locations",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110670": {
		"Description": "SaaS::Access::Multiple Suspicious Login Attempts",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110671": {
		"Description": "SaaS::Compliance::Multiple Unusual SaaS Activities",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110672": {
		"Description": "SaaS::Unusual Activity::Multiple Unusual SaaS Activity Scores",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110673": {
		"Description": "Tags::NTP Server",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110674": {
		"Description": "Device::Network Scan",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110675": {
		"Description": "Anomalous File::Internal::New Access to Sensitive File",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110676": {
		"Description": "Infrastructure::New Domain Controller",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110677": {
		"Description": "SaaS::Compliance::New O365 Application",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110678": {
		"Description": "Device::New or Unusual Remote Command Execution",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110679": {
		"Description": "SaaS::Admin::O365 Audit Log Disruption",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110680": {
		"Description": "Device::Anomaly Indicators::Over 10GB Internal Download",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110681": {
		"Description": "Compromise::POST and Beacon to Rare External",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110682": {
		"Description": "Anomalous Connection::POST to PHP on New External Host",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110683": {
		"Description": "Inoculation::Sinkhole::Palo Alto Networks",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110684": {
		"Description": "SaaS::Admin::Pass-Through Authentication Enabled",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110685": {
		"Description": "SaaS::Teams Healthcare::Patient Data Exported",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110686": {
		"Description": "Device::Possible Active Directory Enumeration",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110687": {
		"Description": "Anomalous Connection::Possible Data Staging and Upload",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110688": {
		"Description": "Device::Anomaly Indicators::Possible Data Staging and Upload Indicator",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110689": {
		"Description": "Anomalous Server Activity::Possible Denial of Service Activity",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110690": {
		"Description": "Device::Possible Doppelganger Attack",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110691": {
		"Description": "Compromise::Possible Malware HTTP Comms",
		"inc_or_vuln": "inc",
		"category": "malware"
	},
	"110692": {
		"Description": "Anomalous Connection::Possible Phishing Link Clicked",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110693": {
		"Description": "Device::Possible RPC Lateral Movement",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110694": {
		"Description": "Unusual Activity::Possible RPC Recon Activity",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110695": {
		"Description": "Infrastructure::Proxy Server Change",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110696": {
		"Description": "Device::Anomaly Indicators::Rare ASN for Domain",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110697": {
		"Description": "SaaS::Resource::Resource Accessed By Anonymous",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110698": {
		"Description": "Anomalous Connection::SMB Enumeration",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110699": {
		"Description": "Compromise::Ransomware::SMB Reads then Writes with Additional Extensions",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110700": {
		"Description": "SaaS::Unusual Activity::SaaS Password Reset from Rare",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110701": {
		"Description": "SaaS::Admin::Salesforce Third Party Authorization",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110702": {
		"Description": "Anomalous File::Script from Rare Internal Location",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110703": {
		"Description": "Inoculation::Sinkhole::Shadowserver",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110704": {
		"Description": "Inoculation::Sinkhole::Sinkhole.DK - 1and1",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110705": {
		"Description": "Inoculation::Sinkhole::Sinkhole Security",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110706": {
		"Description": "Multiple Device Correlations::Spreading New Admin Credentials",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110707": {
		"Description": "User::Suspicious Admin SMB Session",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110708": {
		"Description": "Anomalous Connection::Suspicious Expired SSL",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110709": {
		"Description": "SaaS::Resource::Suspicious File Upload",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110710": {
		"Description": "Device::Anomaly Indicators::Suspicious File Upload Indicator",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110711": {
		"Description": "Anomalous Connection::Suspicious HTTP Activity",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110712": {
		"Description": "Compromise::Suspicious HTTP Beacons to Dotted Quad",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110713": {
		"Description": "Unusual Activity::Suspicious RPC Sequence",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110714": {
		"Description": "Anomalous Connection::Suspicious Read Write Ratio",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110715": {
		"Description": "Device::Suspicious SMB Scanning Activity",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110716": {
		"Description": "Anomalous Connection::Suspicious Self-Signed SSL",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110717": {
		"Description": "Compromise::Suspicious TLS Beaconing To Rare External",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110718": {
		"Description": "Unusual Activity::Sustained Anomalous SMB Activity",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110719": {
		"Description": "Anomalous Connection::Sustained MIME Type Conversion",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110720": {
		"Description": "Device::Anomaly Indicators::Sustained MIME Type Conversion Indicator",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110721": {
		"Description": "System::System",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110722": {
		"Description": "Device::Activity Identifier::Teamviewer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110723": {
		"Description": "Inoculation::Sinkhole::The Malware Cabal",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110724": {
		"Description": "Compliance::Tor Package Download",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110725": {
		"Description": "IaaS::Unusual Activity::Unauthorized AWS Operation",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110726": {
		"Description": "Anomalous File::Uncommon Office Doc then Exe",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110727": {
		"Description": "Device::Unexpected DNS Volume for Rare Domain",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110728": {
		"Description": "IaaS::Unusual Activity::Unusual AWS CLI Activity",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110729": {
		"Description": "Anomalous Connection::Unusual Admin RDP Session",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110730": {
		"Description": "Anomalous Connection::Unusual Admin SMB Session",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110731": {
		"Description": "IaaS::Storage::Unusual Azure Database Deletion",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110732": {
		"Description": "IaaS::Admin::Unusual Azure KeyVault Action",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110733": {
		"Description": "SaaS::Access::Unusual Duo Admin Login",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110734": {
		"Description": "IaaS::Compute::Unusual ECS Command Execution",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110735": {
		"Description": "Unusual Activity::Unusual External Activity",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110736": {
		"Description": "Unusual Activity::Unusual File Storage Data Transfer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110737": {
		"Description": "SaaS::Unusual Activity::Unusual MFA Auth and SaaS Activity",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110738": {
		"Description": "SaaS::Resource::Unusual Mass Email Deletes",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110739": {
		"Description": "IaaS::Access::Unusual S3 Sensitive File Access",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110740": {
		"Description": "SaaS::Access::Unusual SaaS Sensitive File Access",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110741": {
		"Description": "SaaS::Unusual Activity::Unusual Volume of SaaS Modifications",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110742": {
		"Description": "SaaS::Admin::User Added To Admin Group",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110743": {
		"Description": "Inoculation::Sinkhole::VirusTracker",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110744": {
		"Description": "Inoculation::Sinkhole::WapackLabs",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110745": {
		"Description": "Device::Anomaly Indicators::XLS from Rare Location",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110746": {
		"Description": "Inoculation::Sinkhole::Zinkhole.org",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110747": {
		"Description": "SaaS::Access::Login Brute-Force Attempt Over Time",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110748": {
		"Description": "Anomalous File::Internal::Possible Hexadecimal Exe in SMB",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110749": {
		"Description": "IaaS::Access::Anomalous Powershell Login Failure",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110750": {
		"Description": "SaaS::Resource::Anonymous Sharing Link Created",
		"inc_or_vuln": "inc",
		"category": "Phishing"
	},
	"110751": {
		"Description": "SaaS::Admin::O365 File Malware State Reverted",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110752": {
		"Description": "SaaS::Unusual Activity::Unusual Azure Policy Change",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110753": {
		"Description": "SaaS::Email Nexus::Sharing Link Sent to New Recipient",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110754": {
		"Description": "IaaS::Network::AWS Route53 Hosted Zone Deleted",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110755": {
		"Description": "IaaS::Compute::Anomalous AWS Instance Attribute Modification",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110756": {
		"Description": "IaaS::Compute::Lambda Function Changed",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110757": {
		"Description": "IaaS::Compute::Lambda Function Created",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110758": {
		"Description": "IaaS::Admin::Unusual KMS Policy Update",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110759": {
		"Description": "System::SaaS System Error",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110760": {
		"Description": "Anomalous File::Script from Rare External Location",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110761": {
		"Description": "Multiple Device Correlations::Multiple New Internet Facing Devices",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110762": {
		"Description": "Device::AT Service Scheduled Task",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110763": {
		"Description": "Anomalous File::Internal::Additional Extension Appended to SMB File",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110764": {
		"Description": "Device::Anomalous NTLM Login and RPC to Domain Controller",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110765": {
		"Description": "Anomalous Connection::Anomalous RDP Followed By Reboot",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110766": {
		"Description": "Antigena::Network::Significant Anomaly::Antigena Breaches Over Time Block",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110767": {
		"Description": "Antigena::Network::Significant Anomaly::Antigena Controlled and Model Breach",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110768": {
		"Description": "Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110769": {
		"Description": "Antigena::Network::Insider Threat::Antigena Large Data Volume Outbound Block",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110770": {
		"Description": "Antigena::Network::External Threat::Antigena Suspicious Activity Block",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110771": {
		"Description": "Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Block",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110772": {
		"Description": "Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Pattern of Life Block",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110773": {
		"Description": "Device::Attack And Recon Tools In SMB",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110774": {
		"Description": "Device::Possible Brute-Force Activity",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110775": {
		"Description": "Security Integration::C2 Activity and MS Defender Detection",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110776": {
		"Description": "Compliance::CCPA and GDPR::CCPA / GDPR Internal Data Transfer",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110777": {
		"Description": "Compliance::CCPA and GDPR::CCPA / GDPR Unusual Activity",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110778": {
		"Description": "Anomalous Connection::CertUtil Requesting Non Certificate",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110779": {
		"Description": "Inoculation::Community Inoculation",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110780": {
		"Description": "Compromise::Conficker",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110781": {
		"Description": "Compromise::Connections with Suspicious DNS",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110782": {
		"Description": "Compromise::DGA Beacon",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110783": {
		"Description": "Device::Anomaly Indicators::DNS Zone Transfer",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110784": {
		"Description": "SaaS::System::Darktrace Application Deleted",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110785": {
		"Description": "Compromise::Empire Python Activity Pattern",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110786": {
		"Description": "Compromise::Fast Beaconing to DGA",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110787": {
		"Description": "SaaS::Access::GSuite Account Suspicious Login Event",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110788": {
		"Description": "Inoculation::HTTP to Suspicious Subdomain",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110789": {
		"Description": "Tags::High Risk Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110790": {
		"Description": "Security Integration::High Severity MS Defender Incident",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110791": {
		"Description": "Compromise::High Volume Domain Fluxing",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110792": {
		"Description": "Device::Activity Identifier::Internal TCP Callback",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110793": {
		"Description": "Device::Internet Facing Device with High Priority Alert",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110794": {
		"Description": "Anomalous File::Internet Facing System File Download",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110795": {
		"Description": "Anomalous File::Internet Facing System Internal File Write",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110796": {
		"Description": "Inoculation::JasperLoader SSL C2",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110797": {
		"Description": "User::Kerberos Username Brute Force",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110798": {
		"Description": "Compromise::Large DNS Volume for Suspicious Domain",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110799": {
		"Description": "Device::Large Number of Model Breaches",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110800": {
		"Description": "Security Integration::Lateral Movement and MS Defender Detection",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110801": {
		"Description": "Security Integration::MS Defender Ransomware Incident",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110802": {
		"Description": "Compromise::DNS::Malware DNS Tunnel Communications",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110803": {
		"Description": "Device::Point of Sale::Model Breach on POS",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110804": {
		"Description": "Compromise::Monero Mining",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110805": {
		"Description": "SaaS::Unusual Activity::Multiple Unusual External Sources For SaaS Credential",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110806": {
		"Description": "Compromise::Network IP Blocklisted",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110807": {
		"Description": "Anomalous File::Internal::Numeric Exe in SMB Write",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110808": {
		"Description": "Compromise::DNS::Possible DNS Beacon",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110809": {
		"Description": "Inoculation::Possible Virut",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110810": {
		"Description": "User::Key User::Proxy Bypass from Key User",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110811": {
		"Description": "Anomalous Connection::RDP Brute Force",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110812": {
		"Description": "SaaS::Compliance::Ransom or Offensive Words On SaaS",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110813": {
		"Description": "Compromise::Ransomware::Ransom or Offensive Words Written to SMB",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110814": {
		"Description": "Antigena::Network::Significant Anomaly::Repeated Antigena Breaches",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110815": {
		"Description": "Device::Replication of Directory Services",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110816": {
		"Description": "SaaS::Resource::Resource Permanent Delete",
		"inc_or_vuln": "inc",
		"category": "Insider Breach"
	},
	"110817": {
		"Description": "IaaS::Storage::S3 Bucket Delete",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110818": {
		"Description": "Device::SMB Lateral Movement",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110819": {
		"Description": "SaaS::Access::Sensitive File Accessed By Anonymous",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110820": {
		"Description": "SaaS::Resource::Sensitive File Shared by User",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110821": {
		"Description": "IaaS::Access::Sensitive S3 File Accessed By Anonymous",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110822": {
		"Description": "Multiple Device Correlations::Spreading Script Downloads from Rare Endpoints",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110823": {
		"Description": "Unusual Activity::Successful Admin Brute-Force Activity",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110824": {
		"Description": "Compromise::Suspicious Beacons to Rare PHP Endpoint",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110825": {
		"Description": "SaaS::Access::Suspicious Credential Use And Login User-Agent",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110826": {
		"Description": "Device::Suspicious File Writes to Multiple Hidden SMB Shares",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110827": {
		"Description": "Anomalous File::Suspicious HTTP Redirect",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110828": {
		"Description": "Compromise::Suspicious Internal Use Of Web Protocol",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110829": {
		"Description": "Compromise::Suspicious Netlogon RPC Calls Followed By DRS",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110830": {
		"Description": "Anomalous File::Suspicious Octet Stream Download",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110831": {
		"Description": "Anomalous Connection::Suspicious Read Write Ratio and Rare External",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110832": {
		"Description": "Anomalous Connection::Suspicious Read Write Ratio and Unusual SMB",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110833": {
		"Description": "Compromise::Suspicious Spam Activity",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110834": {
		"Description": "Anomalous Connection::Suspicious Wake-on-LAN",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110835": {
		"Description": "Unusual Activity::Sustained Suspicious Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110836": {
		"Description": "Unusual Activity::Sustained Unusual Activity from New Device",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110837": {
		"Description": "System::System Load",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110838": {
		"Description": "Compromise::Tor2Web",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110839": {
		"Description": "Device::Activity Identifier::Tor Bridge Meek Azure",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110840": {
		"Description": "Device::Activity Identifier::Tor Bridge OBFS4",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110841": {
		"Description": "Compromise::Tor Domain DNS Requests",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110842": {
		"Description": "Device::Point of Sale::USB Device Inserted into Point of Sale",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110843": {
		"Description": "Unusual Activity::Unusual Activity from QNAP Device",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110844": {
		"Description": "Compromise::Unusual DRS Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110845": {
		"Description": "SaaS::Compromise::Unusual Login, Sent Mail, Deleted Sent",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110846": {
		"Description": "SaaS::Compromise::Unusual Login and Account Update",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110847": {
		"Description": "Unusual Activity::Unusual Raspberry Pi Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110848": {
		"Description": "Device::Anomaly Indicators::Unusual SMB Session",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110849": {
		"Description": "Compromise::Unusual SMB Session And DRS",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110850": {
		"Description": "Device::Unusual SMB To Critical Resource",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110851": {
		"Description": "Compromise::DNS::dns2tcp",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110852": {
		"Description": "Device::Anomaly Indicators::RDP Brute Force Indicator",
		"inc_or_vuln": "inc",
		"category": "Failed Login"
	},
	"110853": {
		"Description": "SaaS::Compliance::O365 File Malware Detected",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110854": {
		"Description": "SaaS::Admin::O365 Mail Forwarding Enabled",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110855": {
		"Description": "SaaS::Admin::O365 Protection Policy Disabled",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110856": {
		"Description": "SaaS::Access::Unusual Mail Data Access",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110857": {
		"Description": "SaaS::Email Nexus::Possible Exfiltration of Corporate Files By Email",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110858": {
		"Description": "SaaS::Email Nexus::Possible Exfiltration of Sensitive Files By Email",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110859": {
		"Description": "SaaS::Email Nexus::Suspicious Internal Exchange Activity",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110860": {
		"Description": "SaaS::Email Nexus::Unusual Location for SaaS and Email Activity",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110861": {
		"Description": "IaaS::Admin::AWS GuardDuty Detector Deleted",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110862": {
		"Description": "IaaS::Storage::S3 Bucket Made Public",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110863": {
		"Description": "IaaS::Storage::S3 File Made Public",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110864": {
		"Description": "IaaS::Admin::AWS Contact Details Changed",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110865": {
		"Description": "IaaS::Admin::AWS Root Account MFA Deactivated",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110866": {
		"Description": "IaaS::Admin::AWS Root Account MFA Deleted",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110867": {
		"Description": "Compliance::Account Vulnerable to Kerberoasting",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110868": {
		"Description": "Device::Active Directory Reconnaissance",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110869": {
		"Description": "Compromise::Anomalous File then Tor",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110870": {
		"Description": "Device::Anomaly Indicators::Anomalous Netlogon RPC Calls",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110871": {
		"Description": "Anomalous File::Anomalous Octet Stream (No User Agent)",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110872": {
		"Description": "Antigena::Antigena Actions",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110873": {
		"Description": "Antigena::Network::Insider Threat::Antigena Active Threat SMB Write Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110874": {
		"Description": "Antigena::Network::Compliance::Antigena Crypto Currency Mining Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110875": {
		"Description": "Antigena::Network::External Threat::Antigena Email Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110876": {
		"Description": "Antigena::Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110877": {
		"Description": "Antigena::Network::External Threat::Antigena File then New Outbound Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110878": {
		"Description": "Antigena::Network::External Threat::Antigena Inoculation Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110879": {
		"Description": "Antigena::Network::Insider Threat::Antigena Network Scan Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110880": {
		"Description": "Antigena::Network::External Threat::Antigena Quarantine Example",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110881": {
		"Description": "Antigena::Network::External Threat::Antigena Ransomware Block",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110882": {
		"Description": "Antigena::Network::External Threat::Antigena Watched Domain Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110883": {
		"Description": "Antigena::Network::Manual::Block All Outgoing Connections",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110884": {
		"Description": "Inoculation::Botnet C2",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110885": {
		"Description": "Compliance::CCPA and GDPR::CCPA / GDPR External Data Transfer",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110886": {
		"Description": "IaaS::Unusual Activity::Cloud Server Anomaly Detected",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110887": {
		"Description": "Compromise::DNS::Cobalt DNS",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110888": {
		"Description": "Inoculation::DNS Unlocker",
		"inc_or_vuln": "inc",
		"category": "Denial of Service"
	},
	"110889": {
		"Description": "Compromise::Default Empire HTTP C2",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110890": {
		"Description": "System::Device Modelling Change",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110891": {
		"Description": "Device::Activity Identifier::Emotet",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110892": {
		"Description": "Antigena::Network::Manual::Enforce Pattern of Life",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110893": {
		"Description": "Unusual Activity::Enhanced Unusual External Data Transfer",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110894": {
		"Description": "SaaS::Compliance::GSuite Account Suspicious Activity Event",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110895": {
		"Description": "Compromise::High Priority Crypto Currency Mining",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110896": {
		"Description": "Compromise::High Priority Tor2Web",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110897": {
		"Description": "Compromise::Ransomware::High Risk File and Unusual SMB",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110898": {
		"Description": "Security Integration::High Severity MS Defender Detection",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110899": {
		"Description": "Security Integration::High Severity MS Defender Malware Detection",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110900": {
		"Description": "IaaS::Unusual Activity::IaaS Anomaly Following Anomalous Login",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110901": {
		"Description": "Inoculation::Behavioural::IcedID",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110902": {
		"Description": "Anomalous File::Incoming HTA File",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110903": {
		"Description": "Device::Incoming PsExec And Script Download",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110904": {
		"Description": "Device::Incoming WinRM And Script Download",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110905": {
		"Description": "Device::Initial Breach Chain Compromise",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110906": {
		"Description": "Device::Large Number of Model Breaches from Critical Network Device",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110907": {
		"Description": "Device::Lateral Movement and C2 Activity",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110908": {
		"Description": "SaaS::Compromise::Login Brute-Force Success",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110909": {
		"Description": "SaaS::Compromise::Login From Rare Following Suspicious Login Attempt(s)",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110910": {
		"Description": "Security Integration::MS Defender Ransomware Detected",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110911": {
		"Description": "Compromise::Malware Indicator",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110912": {
		"Description": "Anomalous File::Masqueraded File Transfer",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110913": {
		"Description": "User::Key User::Model Breach from Key User",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110914": {
		"Description": "Device::Multiple C2 Model Breaches",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110915": {
		"Description": "Compromise::Multiple HTTP GETs to Root on IP",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110916": {
		"Description": "Compromise::Multiple Kill Chain Indicators",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110917": {
		"Description": "Device::Multiple Lateral Movement Model Breaches",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110918": {
		"Description": "Compromise::Multiple POSTs to Root and Self Signed SSL",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110919": {
		"Description": "Device::New Device with Attack Tools",
		"inc_or_vuln": "inc",
		"category": "Rogue server or service"
	},
	"110920": {
		"Description": "SaaS::Compliance::New Federated Domain",
		"inc_or_vuln": "inc",
		"category": "Criminal activity/investigation"
	},
	"110921": {
		"Description": "Compromise::New User Agent and POST",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110922": {
		"Description": "Anomalous File::Numeric Exe Download",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110923": {
		"Description": "User::Overactive User Credential",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110924": {
		"Description": "Compromise::Ransomware::POST to Rare IP Following Binary Download",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110925": {
		"Description": "Compromise::Possible Malware Access Failures",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110926": {
		"Description": "Antigena::Network::Manual::Quarantine Device",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110927": {
		"Description": "Device::Activity Identifier::RC4 Service Ticket",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110928": {
		"Description": "Device::RDP Scan",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110929": {
		"Description": "Antigena::Network::External Threat::SMB Ratio Antigena Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110930": {
		"Description": "Compromise::SSL or HTTP Beacon",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110931": {
		"Description": "SaaS::Compromise::SaaS Anomaly Following Anomalous Login",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110932": {
		"Description": "SaaS::Resource::SaaS Resources With Additional Extensions",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110933": {
		"Description": "SaaS::Resource::SaaS Resources With Suspicious Extensions",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110934": {
		"Description": "Multiple Device Correlations::Spreading Pastebin Connections",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110935": {
		"Description": "Multiple Device Correlations::Spreading Unusual SMB Activity",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110936": {
		"Description": "Device::Successful Poisoning Behaviour",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110937": {
		"Description": "Device::Suspicious DNS Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110938": {
		"Description": "Compromise::Suspicious File and C2",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110939": {
		"Description": "SaaS::Unusual Activity::Suspicious Login Following MFA Disable",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110940": {
		"Description": "SaaS::Compromise::Suspicious Login and Mass Email Deletes",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110941": {
		"Description": "Compromise::Suspicious Netlogon RPC Calls",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110942": {
		"Description": "Device::Suspicious Network Scan Activity",
		"inc_or_vuln": "inc",
		"category": "Reconnaissance activity"
	},
	"110943": {
		"Description": "Compromise::Ransomware::Suspicious SMB Activity",
		"inc_or_vuln": "inc",
		"category": "Privilege Escalation"
	},
	"110944": {
		"Description": "Compromise::Suspicious SSL Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110945": {
		"Description": "Device::Suspicious TGS Ticket following NC Replication",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110946": {
		"Description": "Compromise::Sustained HTTP GETs to Root",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110947": {
		"Description": "Compromise::Sustained POSTs to Rare PHP Plain Text",
		"inc_or_vuln": "inc",
		"category": "Confidential personal identity data exposure"
	},
	"110948": {
		"Description": "SaaS::Unusual Activity::Sustained Suspicious SaaS Activity",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110949": {
		"Description": "Device::Targeted Attack Domain",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110950": {
		"Description": "Device::Threat Indicator",
		"inc_or_vuln": "inc",
		"category": "Malware"
	},
	"110951": {
		"Description": "Inoculation::Behavioural::Trickbot",
		"inc_or_vuln": "inc",
		"category": "Malicious code activity"
	},
	"110952": {
		"Description": "SaaS::Access::Unusual Login Source for Key User",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110953": {
		"Description": "Compromise::Watched Domain",
		"inc_or_vuln": "inc",
		"category": "Policy violation"
	},
	"110954": {
		"Description": "Antigena::Network::Significant Anomaly::Antigena Enhanced Monitoring from Server Block",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	},
	"110955": {
		"Description": "SaaS::Compromise::Unusual Login and New Email Rule",
		"inc_or_vuln": "inc",
		"category": "Unauthorized access"
	},
	"110956": {
		"Description": "SaaS::Compromise::Unusual Login and Outbound Email Spam",
		"inc_or_vuln": "inc",
		"category": "Spam source"
	},
	"110957": {
		"Description": "Test::Sample test model",
		"inc_or_vuln": "inc",
		"category": "No Incident"
	}

}]