Understanding New Incidents
Several new incidents have become available with the new visibility that the Continuous Endpoint Scan now provides:
| Incident | Definition |
|---|---|
| HONEY CREDENTIALS REMOTE AUTHENTICATION ATTEMPT | There was an attempt to use fake credentials to authenticate to a remote host. |
| HONEY CREDENTIALS LOCAL AUTHENTICATION ATTEMPT | There was an attempt to use fake credentials to authenticate to a local host. |
The Endpoint Scan and Continuous Agent also check for these incidents.
| Incident | Definition |
|---|---|
| BLACKLISTED AUTHENTICATION | A user is authenticating to a system that you previously indicated they were not allowed to access. |
| BRUTE FORCE - ASSET | Multiple accounts are attempting to authenticate to the same asset. |
| BRUTE FORCE - DOMAIN ACCOUNT | A domain account has failed to authenticate to the same asset excessively. |
| BRUTE FORCE - LOCAL ACCOUNT | A local account has failed to authenticate to the same asset excessively. |
| DETECTION EVASION - EVENT LOG DELETION | A user has deleted event logs on an asset. |
| DETECTION EVASION - LOCAL EVENT LOG DELETION | A local account has deleted event logs on an asset. |
| FLAGGED HASH ON ASSET | A flagged process hash has started running on an asset for the first time. |
| FLAGGED PROCESS ON ASSET | A flagged process name has started running on an asset for the first time. |
| HONEY USER AUTHENTICATION | There was an attempt to log in using a honey user account. |
| KERBEROS PRIVILEGE ELEVATION EXPLOIT | A user has exploited the Windows Kerberos vulnerability CVE-2014-6324 to elevate their privileges. |
| LATERAL MOVEMENT - ADMINISTRATOR IMPERSONATION | A user has authenticated to an administrator account. |
| LATERAL MOVEMENT - DOMAIN CREDENTIALS | A domain account has attempted to access several new assets in a short period of time. |
| LATERAL MOVEMENT - LOCAL CREDENTIALS | A local account has attempted to access several assets in a short period of time. |
| LATERAL MOVEMENT - SERVICE ACCOUNT | A service account is authenticating from a new source asset. |
| LATERAL MOVEMENT - WATCHED USER IMPERSONATION | A user has authenticated to a watched user's account. |
| MALICIOUS PROCESS ON ASSET | A malicious hash was found on an asset. |
| NEW ASSETS AUTHENTICATED | A user has accessed a significant number of new assets in a short time. |
| RESTRICTED ASSET AUTHENTICATION - NEW SOURCE | A permitted user is authenticating to a restricted asset from a new source asset. |
| RESTRICTED ASSET AUTHENTICATION - NEW USER | A new user is authenticating to a restricted asset. |
| ZONE POLICY VIOLATION | A user has violated a network zone policy configured in InsightIDR. |
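To make the authentication-based rows concrete (BRUTE FORCE - ASSET, BRUTE FORCE - DOMAIN/LOCAL ACCOUNT, LATERAL MOVEMENT - DOMAIN/LOCAL CREDENTIALS), here is an added illustration of the counting logic those definitions imply, run over a handful of constructed authentication events. It is not InsightIDR's code and not taken from this page: the thresholds, the ten-minute window, the `AuthEvent` shape, the `DOMAIN\user` convention for telling domain from local accounts, and the per-account asset baseline are all assumptions made for the example.

```python
"""Toy implementation of the brute-force and lateral-movement incident logic.

Added example, not the product's detection code. Thresholds, window size and
event format are assumptions chosen to make the sample data trip each rule.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed rule parameters (the real product's values are not on the page).
FAILED_AUTH_THRESHOLD = 5      # failures by one account against one asset in WINDOW
ACCOUNT_SPREAD_THRESHOLD = 4   # distinct accounts failing against one asset
NEW_ASSET_THRESHOLD = 3        # never-before-seen assets reached by one account in WINDOW
WINDOW = timedelta(minutes=10)


@dataclass
class AuthEvent:
    ts: datetime
    account: str   # assumed convention: "DOMAIN\\user" is a domain account, bare name is local
    asset: str     # the target asset the account authenticated to
    success: bool


def is_domain_account(account: str) -> bool:
    return "\\" in account


def detect_incidents(events, known_assets):
    """Return a sorted list of (incident_name, subject) pairs.

    known_assets maps account -> set of assets that account has authenticated
    to before; it is the baseline used to decide what counts as a *new* asset.
    """
    events = sorted(events, key=lambda e: e.ts)
    incidents = set()
    failures = defaultdict(list)             # (account, asset) -> recent failure timestamps
    failing_accounts = defaultdict(set)      # asset -> accounts that failed against it
    baseline = {acct: set(a) for acct, a in known_assets.items()}  # copy, never mutate input
    new_asset_hits = defaultdict(list)       # account -> timestamps of first-time asset logons

    for e in events:
        kind = "DOMAIN" if is_domain_account(e.account) else "LOCAL"
        if not e.success:
            key = (e.account, e.asset)
            recent = [t for t in failures[key] if e.ts - t <= WINDOW] + [e.ts]
            failures[key] = recent
            if len(recent) >= FAILED_AUTH_THRESHOLD:
                incidents.add((f"BRUTE FORCE - {kind} ACCOUNT", f"{e.account}@{e.asset}"))
            # Many different accounts failing against one asset is the asset-centric rule.
            failing_accounts[e.asset].add(e.account)
            if len(failing_accounts[e.asset]) >= ACCOUNT_SPREAD_THRESHOLD:
                incidents.add(("BRUTE FORCE - ASSET", e.asset))
        else:
            seen = baseline.setdefault(e.account, set())
            if e.asset not in seen:
                seen.add(e.asset)
                recent = [t for t in new_asset_hits[e.account] if e.ts - t <= WINDOW] + [e.ts]
                new_asset_hits[e.account] = recent
                if len(recent) >= NEW_ASSET_THRESHOLD:
                    incidents.add((f"LATERAL MOVEMENT - {kind} CREDENTIALS", e.account))
    return sorted(incidents)


def sample_events():
    """Constructed events; every account, asset and timestamp here is made up."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    # Local account fails six times against FILE01 within three minutes.
    for i in range(6):
        ev.append(AuthEvent(t0 + timedelta(seconds=30 * i), "svc-backup", "FILE01", False))
    # Four different domain accounts each fail once against DC01 (account spread).
    for i, user in enumerate(["alice", "bob", "carol", "dave"]):
        ev.append(AuthEvent(t0 + timedelta(minutes=1, seconds=i), f"CORP\\{user}", "DC01", False))
    # CORP\eve logs on successfully to three assets she has never used, within five minutes.
    for i, asset in enumerate(["WS-101", "WS-102", "WS-103"]):
        ev.append(AuthEvent(t0 + timedelta(minutes=2 * i), "CORP\\eve", asset, True))
    # CORP\frank logs on to an asset already in his baseline: no incident expected.
    ev.append(AuthEvent(t0, "CORP\\frank", "WS-200", True))
    return ev


# Constructed baseline of previously seen assets per account.
KNOWN_ASSETS = {"CORP\\frank": {"WS-200"}, "CORP\\eve": {"WS-100"}}

if __name__ == "__main__":
    for name, subject in detect_incidents(sample_events(), KNOWN_ASSETS):
        print(f"{name}: {subject}")
```

Running the block prints three incidents: BRUTE FORCE - ASSET for DC01, BRUTE FORCE - LOCAL ACCOUNT for svc-backup against FILE01, and LATERAL MOVEMENT - DOMAIN CREDENTIALS for CORP\eve; frank's logon to a baselined asset raises nothing. The per-account baseline is what separates "new assets" from routine access, so in a real deployment its quality (and how long it takes to learn) determines how noisy the lateral-movement rows are.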
What's Next?